0


elasticsearch|大数据|低版本的elasticsearch集群的官方安全插件x-pack的详解

前言:

elasticsearch集群说实话是比较好部署的,也就是从开箱即用这方面来说,是比较简单的,大体步骤就是首先处理好集群的环境,比如时间服务器,域名映射,内核层面的文件打开数这些小问题,然后就是安装目录的赋权(es不让用root用户启动,操作),最后就是主配置文件的修改,把每个节点的信息按自己的部署规划写入主配置文件就可以启动各个节点,然后,es会自动发现其它节点并自己组成一个集群。

在集群启动这个阶段,我们也不需要操心如何选主,哪个是主,哪个是从这些集群方面的问题,es是以最先启动的节点自动为主,不像其它的集群例如zookeeper,还需要在配置文件里写清楚哪个是主,哪个是从,主节点还必须要先启动,然后在启动从节点,而es完全没有这些烦恼。

但是,这些都是es给人的误解,其实,集群设置方面的简化了,但是安全防护方面需要比其它类型的集群下更多的功夫,例如,安全插件的选择,安全插件的设置这些是要比其它集群更加麻烦的。

其次,es的版本众多,每个大版之间的差异是很大的,怎么说呢,就和MySQL一样,MySQL-5.6,MySQL-5.7,MySQL8 就完全不是同一个数据库,虽然是都叫MySQL,同样的,es6,es7,es8之间的差别也是非常大的。

那么,es版本之间的具体差距一个是性能方面,自然是版本越高性能方面可能更高点,其次就是漏洞,越高的版本自然也是漏洞更少,最后就是es的安全插件x-pack和由x-pack引起的证书问题。

一,

**启用 ****trial license **

curl -H "Content-Type:application/json" -XPOST  http://127.0.0.1:19200/_xpack/license/start_trial?acknowledge=true

es的密码设置

es集群密码只需要在一个节点设置一次就可以了,不需要每个节点都执行密码设置,设置密码的时候开不开xpack.security.enabled: true都没有影响,只是需要上面的license激活试用

二,

具体的实施步骤

本例中,我的es是二进制形式安装在/data/目录下的

有两个关键目录libs和modules两个目录

下面是两个java 文件,然后编译出两个class文件,最后两个class文件替换到jar包内,重新打jar 包后,每个节点的jar包都要替换掉。

####注:链接:https://pan.baidu.com/s/1Wj5Q80p9lN7r6uv0xvWHWw?pwd=kkey
提取码:kkey
编译出来的jar包以及安装包什么的都在百度盘里,有需要的自取试用

cd /data/es/modules/x-pack/x-pack-core
cat >/data/es/modules/x-pack/x-pack-core/LicenseVerifier.java<<EOF
package org.elasticsearch.license; 
import java.nio.*; import java.util.*; 
import java.security.*; 
import org.elasticsearch.common.xcontent.*; 
import org.apache.lucene.util.*; 
import org.elasticsearch.common.io.*; 
import java.io.*; 
 
public class LicenseVerifier { 
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true; 
    } 
    
    public static boolean verifyLicense(final License license)     { 
        return true; 
    } 
}
EOF
cat >/data/es/modules/x-pack/x-pack-core/XPackBuild.java<<EOF
package org.elasticsearch.xpack.core;
import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*; 
import java.util.jar.*; 
public class XPackBuild { 
    public static final XPackBuild CURRENT;
    private String shortHash; 
    private String date; 
    @SuppressForbidden(reason = "looks up path of xpack.jar directly") static Path getElasticsearchCodebase() { 
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try { return PathUtils.get(url.toURI()); }
        catch (URISyntaxException bogus) { 
            throw new RuntimeException(bogus); } 
        } 
        
    XPackBuild(final String shortHash, final String date) {
            this.shortHash = shortHash; 
            this.date = date; 
            } 
            
    public String shortHash() {
        return this.shortHash;
        } 
    public String date(){ 
        return this.date; 
        }
        
    static { 
        final Path path = getElasticsearchCodebase();
        String shortHash = null; 
        String date = null;
        Label_0157: { shortHash = "Unknown"; date = "Unknown"; 
    } 
    
    CURRENT = new XPackBuild(shortHash, date); 
    }
}
EOF

下面的命令是编译java文件生成class,双引号里的是包依赖,第二个编译比第一个多elasticsearch-core-6.3.2.jar

echo $ES_HOME=/data/es
javac -cp "$ES_HOME/lib/elasticsearch-6.3.2.jar:$ES_HOME/lib/lucene-core-7.3.1.jar:$ES_HOME/modules/x-pack-core/x-pack-core-6.3.2.jar" LicenseVerifier.java 
javac -cp "$ES_HOME/lib/elasticsearch-6.3.2.jar:$ES_HOME/lib/lucene-core-7.3.1.jar:$ES_HOME/modules/x-pack-core/x-pack-core-6.3.2.jar:$ES_HOME/lib/elasticsearch-core-6.3.2.jar" XPackBuild.java

重新生成的jar包可以在其它相同的es6.3.2版本直接使用

mkdir tmp && cd tmp 
cp ../x-pack-core-6.3.2.jar ./ 
jar -xf x-pack-core-6.3.2.jar ##解压 
cp ../LicenseVerifier.class org/elasticsearch/license/ ##替换文件 
cp ../XPackBuild.class org/elasticsearch/xpack/core/ ##替换文件 
jar -cvf x-pack-core-6.3.2.jar * 

##再压缩,将生成的 x-pack-core-6.6.2.jar 发送到所有es,覆盖原来的jar文件

**license文件是我从官网注册的,这个文件谁都可以用 **

cat> license.json <<EOF
{"license":{"uid":"098d64a3-e517-41dd-b353-f505592d2c8b","type":"platinum","issue_date_in_millis":1702771200000,"expiry_date_in_millis":2547615064000,"max_nodes":100,"issued_to":"zsk john (sgcc)","issuer":"Web Form","signature":"AAAAAwAAAA16lsBvPS6swxwXwby8AAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQBsh77fra6SPtgkkXCPjs39gSNVwkeO9Brh3ztWUuINJVwHcMGxyTfmb24rHhVJwtTSrTTtjxvWCRvM+0iomOTnuQTZiEnWlnkQxpog0zuftR21mjCZZTcctZtBAKuffmRG3ORWWMq3OyUkeHWPsA11QrnkDky/+dU3MjandI1PLz4GYtHakb1/5j7oaLHda0n3jibNPk9+IsgyVbha+u40vF/wFgsq7UVZguWH1NC+GQfq4GnUDWi1AzpxNKWE5ui9zlMT0E0i5Dlp/MyFsEPsI22HkvxOrI8ZrENKL/NojrkfYn+Um2Z44VNrYLZt38gEka/sGQ27Ut+8UkmGBAkM","start_date_in_millis":1702771200000}}
EOF
  • ** ###注意,是put**
curl -XPUT -u "elastic":"123456" 'http://192.168.123.11:19200/_xpack/license' -H "Content-Type: application/json" -d @license.json

输入如下(如果最后是expires,表示失败,只有valid是成功的):

{"acknowledged":true,"license_status":"valid"}
cat license.json 
{"license":{"uid":"3ca1eb03-3aec-4501-bfe2-1ed23aff0784","type":"basic","issue_date_in_millis":1703116800000,"expiry_date_in_millis":1734825599999,"max_nodes":100,"issued_to":"zsk john (sgcc)","issuer":"Web Form","signature":"AAAAAwAAAA1UntgT2KSUw4ANWrW1AAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQB5kJvzYYDBxnSQxmm0f0TIiCxAEg6mdoyjXnz8Agy3lYhAKlCpLetRtFfLKyyVP4Dfxa4ePKHd/Drmz3F5Q4Nas4seyGSSJaqK6KyduUPA7/JV9DqJCwLYykdGXOgkItLRwDhiZhAQz0XqDG0syZVqC9XJH90iHCp8rqQTJoJwrAzSw0iJPC/bAt7u/QkK5mgH/9jwsJ4/Pz6IF9G6aen0VAKys3wYhL7q7PaewsUxjecafN76nhEH1Q+UKGUOLSFN2K/2nB979+Mzk8Zxx5uyzlG4zdBbRGkX0MfAMXZd1YZKzLYephfAZA1Z2/wzeQ6rVc5iqVnWt7t+Q4ToZbEa","start_date_in_millis":1703116800000}}
  • ###注意,是post
curl -XPOST -u "elastic":"123456" 'http://192.168.123.11:19200/_xpack/license/start_basic?acknowledge=true' -H "Content-Type: application/json" -d @license.json

输出如下:

{"acknowledged":true,"basic_was_started":true}

在执行到上面这个命令的时候,es必须要开启以下设置否则报错:

下面的配置见博客:elasticsearch|大数据|elasticsearch的api部分实战操作以及用户和密码的管理-CSDN博客

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/es/config/cert/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/es/config/cert/elastic-certificates.p12

查看是否更换license:

可以看到过期时间已经更新到了2050年,十来年的时间应该够用了吧!!!!~~

[root@node1 tmp]# curl -uelastic:123456 -XGET http://192.168.123.11:19200/_license
{
  "license" : {
    "status" : "active",
    "uid" : "098d64a3-e517-41dd-b353-f505592d2c8b",
    "type" : "platinum",
    "issue_date" : "2023-12-17T00:00:00.000Z",
    "issue_date_in_millis" : 1702771200000,
    "expiry_date" : "2050-09-24T06:51:04.000Z",
    "expiry_date_in_millis" : 2547615064000,
    "max_nodes" : 100,
    "issued_to" : "zsk john (sgcc)",
    "issuer" : "Web Form",
    "start_date_in_millis" : 1702771200000
  }

日志里的验证:

[2023-12-18T01:34:40,141][INFO ][o.e.x.s.a.TokenService   ] [node-1] refresh keys
[2023-12-18T01:34:40,347][INFO ][o.e.x.s.a.TokenService   ] [node-1] refreshed keys
[2023-12-18T01:34:40,359][INFO ][o.e.l.LicenseService     ] [node-1] license [aab0fece-300e-45b3-8fc8-7c935482b21d] mode [trial] - valid
[2023-12-18T01:34:40,383][INFO ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] publish_address {192.168.123.11:19200}, bound_addresses {192.168.123.11:19200}
[2023-12-18T01:34:40,383][INFO ][o.e.n.Node               ] [node-1] started
[2023-12-18T01:39:08,635][INFO ][o.e.l.LicenseService     ] [node-1] license [098d64a3-e517-41dd-b353-f505592d2c8b] mode [platinum] - valid

本文转载自: https://blog.csdn.net/alwaysbefine/article/details/135072091
版权归原作者 晚风_END 所有, 如有侵权,请联系我们删除。

“elasticsearch|大数据|低版本的elasticsearch集群的官方安全插件x-pack的详解”的评论:

还没有评论