• es配置x-pack使用账号密码验证(last单机和集群模式)


    环境:
    ES:6.5.0(6.8版本x-pack已经免费使用,不需要破解)
    OS:Centos 7

    -----------------------------------------------------------------------------------------单节点配置--------------------------------------------------------------
    1.创建目录
    [esuser@localhost ~]$ cd /home/esuser
    [esuser@localhost ~]$ mkdir xpach

     

    2.准备如下2个java文件
    LicenseVerifier.java

    package org.elasticsearch.license;
    import java.nio.*; import java.util.*;
    import java.security.*;
    import org.elasticsearch.common.xcontent.*;
    import org.apache.lucene.util.*;
    import org.elasticsearch.common.io.*;
    import java.io.*;
    
    public class LicenseVerifier {
        public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
            return true;
        }
        
        public static boolean verifyLicense(final License license) {
            return true;
        }
    }

     

    XPackBuild.java

    package org.elasticsearch.xpack.core;
    import org.elasticsearch.common.io.*;
     import java.net.*;
     import org.elasticsearch.common.*;
     import java.nio.file.*;
     import java.io.*;
     import java.util.jar.*;
     public class XPackBuild {
        public static final XPackBuild CURRENT;
        private String shortHash;
        private String date;
        @SuppressForbidden(reason = "looks up path of xpack.jar directly") static Path getElasticsearchCodebase() {
            final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
            try { return PathUtils.get(url.toURI()); }
            catch (URISyntaxException bogus) {
                throw new RuntimeException(bogus); }
            }
            
        XPackBuild(final String shortHash, final String date) {
                this.shortHash = shortHash;
                this.date = date;
                }
                
        public String shortHash() {
            return this.shortHash;
            }
        public String date(){
            return this.date;
            }
            
        static {
            final Path path = getElasticsearchCodebase();
            String shortHash = null;
            String date = null;
            Label_0157: { shortHash = "Unknown"; date = "Unknown";
        }
        
        CURRENT = new XPackBuild(shortHash, date);
        }
    }

     

    将以上两个文件放到步骤1创建的目录下面
    [esuser@localhost xpach]$ pwd
    /home/esuser/xpach
    [esuser@localhost xpach]$ ls -1
    LicenseVerifier.java
    XPackBuild.java


    3.重新生成打包
    将刚创建的两个java包打包成class文件,我们需要做的就是替换这两个class文件(因里面需要引用到其他的jar,故需要用到javac -cp命令)

    [esuser@localhost xpach]$ cd /home/esuser/xpach
    javac -cp "/home/esuser/single_elasticsearch/lib/elasticsearch-6.5.0.jar:/home/esuser/single_elasticsearch/lib/lucene-core-7.5.0.jar:/home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar" LicenseVerifier.java
    javac -cp "/home/esuser/single_elasticsearch/lib/elasticsearch-6.5.0.jar:/home/esuser/single_elasticsearch/lib/lucene-core-7.5.0.jar:/home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar:/home/esuser/single_elasticsearch/lib/elasticsearch-core-6.5.0.jar" XPackBuild.java

    执行以上两个命令可以看出已经生产了2个class文件
    [esuser@localhost xpach]$ ls -1
    LicenseVerifier.class
    LicenseVerifier.java
    XPackBuild.class
    XPackBuild.java

    4.将原来的文件给解压出来,然后覆盖
    下面操作所在目录为:/home/esuser/xpach
    [esuser]$cd /home/esuser/xpach
    将原来的包拷贝到当前目录
    [esuser]$cp -a /home/esuser/single_elasticsearch/modules/x-pack-core/x-pack-core-6.5.0.jar .
    解压原来的包
    [esuser]$jar -xf x-pack-core-6.5.0.jar
    删除之前的java文件和拷贝过来的包
    [esuser]$rm -rf LicenseVerifier.java XPackBuild.java x-pack-core-6.5.0.jar
    将class文件拷贝到相应目录
    [esuser]$cp -a LicenseVerifier.class org/elasticsearch/license/
    [esuser]$cp -a XPackBuild.class org/elasticsearch/xpack/core/
    删除class文件
    [esuser]$rm -rf LicenseVerifier.class XPackBuild.class
    重新生成jar包
    [esuser]$jar -cvf x-pack-core-6.5.0.jar *
    将生成的java包覆盖原来的
    [esuser]$cp -a x-pack-core-6.5.0.jar /home/esuser/single_elasticsearch/modules/x-pack-core/

    5.添加如下参数后进行重启
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true



    6.License申请
    申请地址
    https://license.elastic.co/registration
    填写信息后,会有一个邮件发到注册的邮箱,然后安装提示点击链接进行下载
    下载后上传服务器,修改过期时间expiry_date_in_millis,我这里修改为 4102416000000,即2100-01-01 00:00:00,type修改为platinum
    我这里下载的文件名为my.json,内容如下
    {"license":{"uid":"1e9a1465-3398-44e8-aa06-c76062dcfedf","type":"platinum","issue_date_in_millis":1544659200000,"expiry_date_in_millis":4102416000000,"max_nodes":100,"issued_to":"xueliang huang (richinfo)","issuer":"Web Form","signature":"AAAAAwAAAA0CkXSNg+Yl6jgouxuAAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQBbRJOy1WgeFasn9hkqXcUu4jbVTH5B51CpsbpQTIukDJUeyo9z0DW1DzXzgUn1y0LQ62VDVcjiJvi0Xci5w9ZYDQPPVwf8PN0Pg8rOkawcJpr4ZmCiBgh/dFmgcOsjOjro1EcVOp3rm9zil89FsACMUcgRiYf//Ejahsx7giFEyYnUNOqfy4umh3aHj+awlg76P1OVxnyu74IjJdWGXluMw+hTJ0EKXcaUEfJpJgBLtPUmyD6jd/LtzV8ysKL6JQTxkUzdlWVdzipskQ8MWt5Nn6ClddwJFVb5lTAOJvLy6jyEmro4Fho5LJ6eRW2NvsWS4Y1Yu6lHVoWBVW4v++Wx","start_date_in_millis":1544659200000}}

    将该文件上传到服务器指定的目录,我这里上传到/home/esuser目录下


    7.将license进行导入
    cd /home/esuser (my.json文件在该目录下)
    curl -XPUT 'http://192.168.1.135:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json

    这个时候已经导入证书并启用了认证,下面的登陆都必须使用账号密码,否则没法使用,但是我们这里还没有设置密码,下面通过elasticsearch-setup-passwords设置各账号的密码
    查看证书状态

    8.交互式设置各账号的密码

    [esuser@localhost bin]$ cd /home/esuser/single_elasticsearch/bin
    [esuser@localhost bin]$ ./elasticsearch-setup-passwords interactive
    Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
    You will be prompted to enter passwords as the process progresses.
    Please confirm that you would like to continue [y/N]y  

    Enter password for [elastic]:
    Reenter password for [elastic]:
    Enter password for [apm_system]:
    Reenter password for [apm_system]:
    Enter password for [kibana]:
    Reenter password for [kibana]:
    Enter password for [logstash_system]:
    Reenter password for [logstash_system]:
    Enter password for [beats_system]:
    Reenter password for [beats_system]:
    Enter password for [remote_monitoring_user]:
    Reenter password for [remote_monitoring_user]:
    Changed password for user [apm_system]
    Changed password for user [kibana]
    Changed password for user [logstash_system]
    Changed password for user [beats_system]
    Changed password for user [remote_monitoring_user]
    Changed password for user [elastic]


    9.使用账号密码访问
    [esuser@localhost bin]$ curl -u elastic:elastic "http://192.168.1.135:19200/_license"
    {
      "license" : {
        "status" : "active",
        "uid" : "1e9a1465-3398-44e8-aa06-c76062dcfedf",
        "type" : "platinum",
        "issue_date" : "2018-12-13T00:00:00.000Z",
        "issue_date_in_millis" : 1544659200000,
        "expiry_date" : "2049-12-31T16:00:00.000Z",
        "expiry_date_in_millis" : 2524579200000,
        "max_nodes" : 100,
        "issued_to" : "xueliang huang (richinfo)",
        "issuer" : "Web Form",
        "start_date_in_millis" : 1544659200000
      }
    }


    10.证书可以修改后重新导入,比如我想修改下过期时间
    curl -u elastic:elastic -XPUT 'http://192.168.1.135:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json


    11.修改密码
    curl -H "Content-Type:application/json" -XPUT -u elastic:elastic 'http://192.168.1.135:19200/_xpack/security/user/elastic/_password' -d '{ "password" : "elastic123" }'

    到这里单节点的配置已经完成,下面是集群的多节点配置,配置方法跟单节点类似,为了操作方便,先在一个节点配置好,然后把相应的jar文件和license文件拷贝到另外的节点



    ------------------------------------------------------------集群模式配置使用xpack-------------------------------------------------------

    1.拷贝相关文件到另外的节点
    将已经配置好节点所在的jar包和license拷贝到另外一个节点
    [esuser@localhost xpach]$ scp x-pack-core-6.5.0.jar esuser@192.168.1.134:/home/esuser/
    [esuser@localhost ~]$ scp my.json esuser@192.168.1.134:/home/esuser/


    2.将jar文件覆盖当前的(要做备份)
    [esuser@localhost ~]$ cd /home/esuser
    [esuser@localhost ~]$ cp x-pack-core-6.5.0.jar /home/esuser/single_elasticsearch/modules/x-pack-core/

    3.修改配置重启动es
    添加如下两项配置后重启动
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true

    4.导入license
    cd /home/esuser (my.json文件在该目录下)
    curl -XPUT 'http://192.168.1.134:19200/_xpack/license' -H "Content-Type: application/json" -d @my.json


    5.交互式设置各账号的密码
    [esuser@localhost bin]$ cd /home/esuser/single_elasticsearch/bin
    [esuser@localhost bin]$ ./elasticsearch-setup-passwords interactive

    这里所有账号设置密码为 elastic123,这里设置密码可以跟其他的节点不一致,为了方便维护,建议设置成一致


    6.使用账号密码访问
    curl -u elastic:elastic123 -X GET 'http://192.168.1.134:19200/_cat/indices?v'

    7.修改密码
    curl -H "Content-Type:application/json" -XPUT -u elastic:elastic123 'http://192.168.1.134:19200/_xpack/security/user/elastic/_password' -d '{ "password" : "elastic" }'

     -----------------------------------------------集群内部通信认证----------------------------------------------------------------
    要是启用了xpack的话
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    要是没有配置内部通信认证,集群启动会报如下的错误:
    SSLHandshakeException: no cipher suites in common
    需要进行如下配置才能解决问题,可以参考官网文档:

    https://www.elastic.co/guide/en/elasticsearch/reference/6.5/configuring-tls.html#node-certificates



    1.生成ca证书(该步骤在其中一台节点上操作即可)
    [esuser@localhost ~]$ mkdir esca
    [esuser@localhost ~]$ cd esca
    [esuser@localhost esca]$ pwd
    /home/esuser/esca
    [esuser@localhost esca]$ /home/esuser/single_elasticsearch/bin/elasticsearch-certutil ca
    This tool assists you in the generation of X.509 certificates and certificate
    signing requests for use with SSL/TLS in the Elastic stack.

    The 'ca' mode generates a new 'certificate authority'
    This will create a new X.509 certificate and private key that can be used
    to sign certificate when running in 'cert' mode.

    Use the 'ca-dn' option if you wish to configure the 'distinguished name'
    of the certificate authority

    By default the 'ca' mode produces a single PKCS#12 output file which holds:
        * The CA certificate
        * The CA's private key

    If you elect to generate PEM format certificates (the -pem option), then the output will
    be a zip file containing individual files for the CA certificate and private key

    Please enter the desired output file [elastic-stack-ca.p12]:
    Enter password for elastic-stack-ca.p12 :
    我这里输入的密码为oracle,这个密码需要牢记,以后有新节点加入的话,需要输入该密码

    这里会生成一个文件
    [esuser@localhost esca]$ ls  -1
    elastic-stack-ca.p12


    2.配置证书
    [esuser@localhost esca]$ /home/esuser/single_elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    This tool assists you in the generation of X.509 certificates and certificate
    signing requests for use with SSL/TLS in the Elastic stack.

    The 'cert' mode generates X.509 certificate and private keys.
        * By default, this generates a single certificate and key for use
           on a single instance.
        * The '-multiple' option will prompt you to enter details for multiple
           instances and will generate a certificate and key for each one
        * The '-in' option allows for the certificate generation to be automated by describing
           the details of each instance in a YAML file

        * An instance is any piece of the Elastic Stack that requires a SSL certificate.
          Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
          may all require a certificate and private key.
        * The minimum required value for each instance is a name. This can simply be the
          hostname, which will be used as the Common Name of the certificate. A full
          distinguished name may also be used.
        * A filename value may be required for each instance. This is necessary when the
          name would result in an invalid file or directory name. The name provided here
          is used as the directory name (within the zip) and the prefix for the key and
          certificate files. The filename is required if you are prompted and the name
          is not displayed in the prompt.
        * IP addresses and DNS names are optional. Multiple values can be specified as a
          comma separated string. If no IP addresses or DNS names are provided, you may
          disable hostname verification in your SSL configuration.

        * All certificates generated by this tool will be signed by a certificate authority (CA).
        * The tool can automatically generate a new CA for you, or you can provide your own with the
             -ca or -ca-cert command line options.

    By default the 'cert' mode produces a single PKCS#12 output file which holds:
        * The instance certificate
        * The private key for the instance certificate
        * The CA certificate

    If you specify any of the following options:
        * -pem (PEM formatted output)
        * -keep-ca-key (retain generated CA key)
        * -multiple (generate multiple certificates)
        * -in (generate certificates from an input file)
    then the output will be be a zip file containing individual certificate/key files

    Enter password for CA (elastic-stack-ca.p12) : ##这里输入的密码是oracle
    Please enter the desired output file [elastic-certificates.p12]:
    Enter password for elastic-certificates.p12 :  ##这里输入的密码是oracle

    Certificates written to /home/esuser/esca/elastic-certificates.p12

    This file should be properly secured as it contains the private key for
    your instance.

    This file is a self contained file and can be copied and used 'as is'
    For each Elastic product that you wish to configure, you should copy
    this '.p12' file to the relevant configuration directory
    and then follow the SSL configuration instructions in the product guide.

    For client applications, you may only need to copy the CA certificate and
    configure the client to trust this certificate.

    这个时候生成的文件如下:
    [esuser@localhost esca]$ ls -1
    elastic-certificates.p12
    elastic-stack-ca.p12


    3.拷贝生成的p12结尾的文件到每个节点
    可以先创建存放这些文件的目录
    [esuser@localhost esca]$mkdir -p /home/esuser/single_elasticsearch/config/certs
    [esuser@localhost esca]$ cp elastic-certificates.p12 /home/esuser/single_elasticsearch/config/certs/
    [esuser@localhost esca]$ cp elastic-stack-ca.p12 /home/esuser/single_elasticsearch/config/certs/

    同样的在其他节点也拷贝到对应的路径


    4.修改每个节点的配置,添加如下项
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12


    5.输入认证密码
    在每个节点执行如下命令
    /home/esuser/single_elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ##这里输入之前配置的密码 为oracle
    /home/esuser/single_elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password ##这里输入之前配置的密码 为oracle

    6.重新启动集群
    查看集群情况
    curl -u elastic:elastic 'http://192.168.1.134:19200/_cat/nodes?v'
    curl -u elastic:elastic 'http://192.168.1.134:19200/_cat/master?v'

  • 相关阅读:
    [Win32]一个调试器的实现(十)显示变量
    [Win32]一个调试器的实现(九)符号模型
    [Win32]一个调试器的实现(八)单步执行
    [Win32]一个调试器的实现(七)断点
    [Win32]一个调试器的实现(六)显示源代码
    [Win32]一个调试器的实现(五)调试符号
    [Win32]一个调试器的实现(四)读取寄存器和内存
    将博客搬至CSDN
    AndroidManifest.xml解析和五大布局介绍
    十六进制颜色
  • 原文地址:https://www.cnblogs.com/hxlasky/p/11725339.html
Copyright © 2020-2023  润新知