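An earlier article covered the xpack installation in detail, but since the whole process is rather tedious, this chapter simplifies the steps.
1 Environment
IP | Software version | Node role | Node environment | Operating system |
---|---|---|---|---|
192.168.116.2 | elasticsearch6.5.1 | master | java, node | CentOS 7.6.1810 |
192.168.116.3 | elasticsearch6.5.1 | slave | java, node | CentOS 7.6.1810 |
192.168.116.4 | elasticsearch6.5.1 | slave | java, node | CentOS 7.6.1810 |
For the elasticsearch6.5.1 cluster installation, see:
After installation, the logs and the license type show that the current license type is basic.
2 Modify x-pack-core-6.5.1.jar: decompile and modify the two verification files
1) Extract the jar
Path of the jar: elasticsearch-6.5.1/modules/x-pack-core/x-pack-core-6.5.1.jar
LicenseVerifier.class is located in x-pack-core-6.5.1\org\elasticsearch\license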
cd /u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core
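mkdir /tmp/core #create a temporary directory
unzip x-pack-core-6.5.1.jar -d /tmp/core/ #extract the jar; jar -xf also works
Download the two class files to the local computer with filezilla
2) Decompile and edit the files containing the two static methods
If these two files are not modified, importing the license directly will fail
1> Install the decompiler jd-gui
https://github.com/java-decompiler/jd-gui/releases/download/v1.6.6/jd-gui-windows-1.6.6.zip
Open jd-gui and open the file: select the target file (confirm, then choose Open), then File, then Save (saving it as a .java file is enough), then open it in notepad++ to edit, and save.
<1> Decompile the LicenseVerifier.class file
Edit with notepad++ and save as LicenseVerifier.java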
package org.elasticsearch.license;
import java.nio.*;
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;
public class LicenseVerifier {
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true;
    }
    public static boolean verifyLicense(final License license) {
        return true;
    }
}
<2> Decompile the XPackBuild.class file
Edit with notepad++ and save as XPackPlugin.java
package org.elasticsearch.xpack.core;
import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;
public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;
    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        }
        catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }
    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }
    public String shortHash() {
        return this.shortHash;
    }
    public String date() {
        return this.date;
    }
    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0157: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
2> Upload the edited files to the system with filezilla
3> Compile the files
javac -cp "/u01/isi/application/component/elasticsearch-6.5.1/lib/elasticsearch-6.5.1.jar:/u01/isi/application/component/elasticsearch-6.5.1/lib/lucene-core-7.5.0.jar:/u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/x-pack-core-6.5.1.jar:/u01/isi/application/component/elasticsearch-6.5.1/lib/elasticsearch-core-6.5.1.jar" XPackBuild.java
javac -cp "/u01/isi/application/component/elasticsearch-6.5.1/lib/elasticsearch-6.5.1.jar:/u01/isi/application/component/elasticsearch-6.5.1/lib/lucene-core-7.5.0.jar:/u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/x-pack-core-6.5.1.jar" LicenseVerifier.java
4> Package the compiled files and copy them back to the original directory
cd /tmp/core
mv LicenseVerifier.class org/elasticsearch/license/ #move the compiled class file to its original path
mv XPackBuild.class org/elasticsearch/xpack/core/ #move the compiled class file to its original path
rm -rf XPackBuild.java LicenseVerifier.java #delete the java files
jar -cvf x-pack-core-6.5.1.jar ./* #package
cp /u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/{x-pack-core-6.5.1.jar,x-pack-core-6.5.1.jar.bak} #back up the original jar
mv x-pack-core-6.5.1.jar /u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/ #replace the jar
chown -R isi:isi /u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/ #make file ownership consistent
chmod -R 755 /u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/* #make file permissions consistent
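3 Apply for the license
1) Request a basic license file from the official site
https://license.elastic.co/registration #other fields can be filled in arbitrarily; the email must be real; write china for country
2) Modify the license file
Replace "type":"basic" with "platinum" # basic edition changed to platinum edition
Replace "expiry_date_in_millis":1561420799999 with 3107746200000 #1 year becomes 50 years
4 Begin decryption and upload the license
1) Copy the compiled jar to the other nodes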
scp -p /u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/x-pack-core-6.5.1.jar 192.168.116.3:/u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/
scp -p /u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/x-pack-core-6.5.1.jar 192.168.116.4:/u01/isi/application/component/elasticsearch-6.5.1/modules/x-pack-core/
2) Authorize (remember to restart after modifying the configuration file)
1> Disable security; if it is not disabled, the license file cannot be imported properly
cat elasticsearch.yml
...
...
xpack.security.enabled: false
2> Upload the license: upload it to the elasticsearch directory with filezilla
curl -H "Content-Type: application/json" -XPUT '192.168.1.156:9200/_xpack/license?acknowledge=true' -d @license.json
3> Generate the xpack certificates (generate on the master server and distribute to the other nodes)
cd /u01/isi/application/component/elasticsearch-6.5.1/bin
./elasticsearch-certutil ca #just press Enter twice
./elasticsearch-certutil cert --ca elastic-stack-ca.p12 #just press Enter three times
mv ./elastic-certificates.p12 ../config/ #move to the config directory
mv ./elastic-stack-ca.p12 ../config/ #move to the config directory
scp -p ../config/elastic-certificates.p12 192.168.116.3:/u01/isi/application/component/elasticsearch-6.5.1/config/ #distribute to node 116.3
scp -p ../config/elastic-certificates.p12 192.168.116.4:/u01/isi/application/component/elasticsearch-6.5.1/config/ #distribute to node 116.4
4> Add the xpack settings to the configuration file and restart (all nodes)
cat elasticsearch.yml
...
#enable security
xpack.security.enabled: true
#enable https transport within the cluster
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
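#fix the problem of head being unable to log in
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
5> Change the passwords (otherwise data cannot be read)
After installing X-Pack, restart Elasticsearch and Kibana. On the next login to Elasticsearch and Kibana you will be prompted for a username and password, so the passwords still need to be changed.
cd /u01/isi/application/component/elasticsearch-6.5.1/bin
./elasticsearch-setup-passwords interactive #set custom passwords
or (choose one of the two)
./elasticsearch-setup-passwords auto #generate passwords automatically; default password: changeme
They can also be changed through kibana: management->security->users->change password
Note: after changing the password, remember to update the username and password in kibana.yml as well
6> Check whether the license has taken effect
curl '192.168.116.2:9200/_xpack/license?pretty' -u elastic:password -H "Content-Type: application/json"
7> Add the kibana configuration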
cat kibana.yml
...
elasticsearch.username: elastic
elasticsearch.password: zkwg123
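#because https transport was enabled for elastic, change http to https
elasticsearch.hosts: ["https://localhost:9200"]
#set ssl certificate verification to none
elasticsearch.ssl.verificationMode: none
8> How to access the head port (parameters are added to the url)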
http://192.168.116.2:9100/?auth_user=elastic&auth_password=zkwg123
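Several settings used in the steps above weaken the cluster: security switched off, a wildcard CORS origin, relaxed certificate verification, and passwords in kibana.yml and in a URL. The following audit is an added example, not part of the original article; the rule list, function name and sample lines are constructed for illustration.

```python
import re

# Settings that appear in this walkthrough, with the reason each one is flagged.
RULES = [
    (r"^xpack\.security\.enabled:\s*false$",
     "security disabled: the HTTP API accepts unauthenticated requests"),
    (r"^http\.cors\.allow-origin:\s*[\"']?\*[\"']?$",
     "CORS allows any origin to call the HTTP API from a browser"),
    (r"^xpack\.security\.transport\.ssl\.verification_mode:\s*(certificate|none)$",
     "transport TLS does not verify the peer hostname"),
    (r"^elasticsearch\.ssl\.verificationMode:\s*none$",
     "Kibana does not verify the Elasticsearch certificate"),
    (r"^elasticsearch\.password:\s*\S+",
     "cleartext password stored in kibana.yml"),
    (r"[?&]auth_password=",
     "password passed in a URL query string"),
]

def audit(config_text):
    """Return (line_number, reason) for every flagged line in the given text."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and padding
        for pattern, reason in RULES:
            if re.search(pattern, line):
                findings.append((lineno, reason))
    return findings

# Constructed sample combining elasticsearch.yml, kibana.yml and a head URL.
SAMPLE = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
http.cors.enabled: true
http.cors.allow-origin: "*"
elasticsearch.password: example-password
elasticsearch.ssl.verificationMode: none
http://192.168.116.2:9100/?auth_user=elastic&auth_password=example-password
"""

# Constructed hardened counterpart: full verification and one named origin.
HARDENED = """\
xpack.security.enabled: true
xpack.security.transport.ssl.verification_mode: full
http.cors.allow-origin: "https://head.example.internal"
elasticsearch.ssl.verificationMode: full
"""

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print(f"line {lineno}: {reason}")
```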