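Disclaimer: this tutorial is for learning purposes only; for commercial use, please purchase the paid version.
Elasticsearch version: 6.4.2
For a brief summary of the enabling and cracking procedure, skip to the last part.
After installing Elasticsearch, start the service.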
[2018-10-29T19:07:09,614][INFO ][o.e.t.TransportService ] [es-wk-node-1] publish_address {127.0.0.1:19300}, bound_addresses {127.0.0.1:19300}
[2018-10-29T19:07:12,713][INFO ][o.e.c.s.MasterService ] [es-wk-node-1] zen-disco-elected-as-master ([0] nodes joined)[, ], reason: new_master {es-wk-node-1}{WnMQ7jr9RFeL1TUzFAwPow}{yVqOosHpTLCxtR4NCYao8Q}{127.0.0.1}{127.0.0.1:19300}{ml.machine_memory=33567985664, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}
[2018-10-29T19:07:12,720][INFO ][o.e.c.s.ClusterApplierService] [es-wk-node-1] new_master {es-wk-node-1}{WnMQ7jr9RFeL1TUzFAwPow}{yVqOosHpTLCxtR4NCYao8Q}{127.0.0.1}{127.0.0.1:19300}{ml.machine_memory=33567985664, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true}, reason: apply cluster state (from master [master {es-wk-node-1}{WnMQ7jr9RFeL1TUzFAwPow}{yVqOosHpTLCxtR4NCYao8Q}{127.0.0.1}{127.0.0.1:19300}{ml.machine_memory=33567985664, xpack.installed=true, ml.max_open_jobs=20, ml.enabled=true} committed version [1] source [zen-disco-elected-as-master ([0] nodes joined)[, ]]])
[2018-10-29T19:07:12,740][INFO ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [es-wk-node-1] publish_address {127.0.0.1:19200}, bound_addresses {127.0.0.1:19200}
[2018-10-29T19:07:12,741][INFO ][o.e.n.Node ] [es-wk-node-1] started
[2018-10-29T19:07:13,022][WARN ][o.e.x.s.a.s.m.NativeRoleMappingStore] [es-wk-node-1] Failed to clear cache for realms [[]]
[2018-10-29T19:07:13,070][INFO ][o.e.l.LicenseService ] [es-wk-node-1] license [fc52e380-ef5a-4d4e-bdd4-1a924e42440e] mode [basic] - valid
Start the trial license (30-day trial):
curl -H "Content-Type:application/json" -XPOST http://127.0.0.1:19200/_xpack/license/start_trial?acknowledge=true
Two more lines appear in the log output:
[2018-10-29T19:07:13,084][INFO ][o.e.g.GatewayService ] [es-wk-node-1] recovered [0] indices into cluster_state
[2018-10-29T19:07:42,982][INFO ][o.e.l.LicenseService ] [es-wk-node-1] license [090aec7f-46b1-464e-8c66-a795e938b831] mode [trial] - valid
Set the usernames and passwords:
bin/elasticsearch-setup-passwords interactive
The following error is reported:
org.elasticsearch.ElasticsearchException: Security must be explicitly enabled when using a trial license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node.
X-Pack authentication has to be enabled in the configuration file:
# Add the following parameter to the configuration file
xpack.security.enabled: true
Run the password setup command again:
Initiating the setup of passwords for reserved users elastic,kibana,logstash_system,beats_system.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
passwords must be at least [6] characters long
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Passwords do not match.
Try again.
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [elastic]
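Password setup is complete. (The username is elastic; the password is the one entered.)
Command to change the password:
curl -H "Content-Type:application/json" -XPOST -u elastic 'http://127.0.0.1:19200/_xpack/security/user/elastic/_password' -d '{ "password" : "123456" }'
Edit the Kibana configuration file and set the username and password: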
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
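Start Kibana and open the web page; a password is now required for access, which shows that X-Pack is working.
Method: modify LicenseVerifier.java and XPackBuild.java in x-pack-core-6.4.2.jar, then compile and repackage.
Modified jar (version 6.4.2, tested and working):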
https://download.csdn.net/download/qq_36666651/10752660
Replace the original jar with the modified x-pack-core-6.4.2.jar.
Jar path:
# Under the ES installation directory
./modules/x-pack-core/
Contents of license.json (one already prepared by another user, used as-is):
{
"license": {
"uid": "9gfhf46-5g78-4f1e-b5a4-afet359bc3a3",
"type": "platinum",
"issue_date_in_millis": 1534723200000,
"expiry_date_in_millis": 2544271999999,
"max_nodes": 100,
"issued_to": "www.plaza4me.com",
"issuer": "Web Form",
"signature": "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",
"start_date_in_millis": 1534723200000
}
}
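Updating the license directly fails with an error, because in Elasticsearch 6.4.2 updating the license file requires either configuring SSL/TLS or disabling security.
Edit the elasticsearch.yml configured earlier and add: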
xpack.security.enabled: false
Restart Elasticsearch, then update the license:
curl -XPUT -u elastic:123456 -H "Content-Type:application/json" -v "http://127.0.0.1:19200/_xpack/license?acknowledge=true" -d @license.json
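After the upload completes, Kibana's License Management page shows that the validity period now runs to 2050; the crack succeeded.
It can also be checked with a request:
curl -XGET -u elastic:123456 -H "Content-Type: application/json" -v "http://127.0.0.1:19200/_license"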
Restart Elasticsearch; another error is reported. Following the prompt, edit the configuration file again:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
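Restart Elasticsearch and it works.
Cluster configuration file reference: https://blog.csdn.net/qq_36666651/article/details/84998267
1. Download and extract the Elasticsearch 6.4.2 package, then replace x-pack-core-6.4.2.jar under modules/x-pack-core/ inside the Elasticsearch package. Jar download: https://download.csdn.net/download/qq_36666651/10752660
2. Enable these two settings in the Elasticsearch configuration file: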
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
curl -H "Content-Type:application/json" -XPOST http://127.0.0.1:9200/_xpack/license/start_trial?acknowledge=true
./elasticsearch-6.4.2/bin/elasticsearch-setup-passwords interactive
{
"license": {
"uid": "9gfhf46-5g78-4f1e-b5a4-afet359bc3a3",
"type": "platinum",
"issue_date_in_millis": 1534723200000,
"expiry_date_in_millis": 2544271999999,
"max_nodes": 100,
"issued_to": "www.plaza4me.com",
"issuer": "Web Form",
"signature": "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",
"start_date_in_millis": 1534723200000
}
}
Command to update the license:
curl -XPUT -u "elastic:123456" -H "Content-Type:application/json" -v "http://127.0.0.1:9200/_xpack/license?acknowledge=true" -d @license.json
curl -XGET -u elastic:123456 -H "Content-Type: application/json" -v "http://127.0.0.1:9200/_license"
The expiry date is shown as 2050:
{
"license" : {
"status" : "active",
"uid" : "9gfhf46-5g78-4f1e-b5a4-afet359bc3a3",
"type" : "platinum",
"issue_date" : "2018-08-20T00:00:00.000Z",
"issue_date_in_millis" : 1534723200000,
"expiry_date" : "2050-08-16T14:13:19.999Z",
"expiry_date_in_millis" : 2544271999999,
"max_nodes" : 100,
"issued_to" : "www.plaza4me.com",
"issuer" : "Web Form",
"start_date_in_millis" : 1534723200000
}
}
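X-Pack is then enabled and cracked; accessing Elasticsearch and Kibana now requires password authentication.
1. Shut down all nodes.
2. Enable the cluster security options by enabling the security-related settings at the top of the configuration file.
3. Set up SSL. In the steps below all certificate-related passwords are empty; for non-empty passwords, see the official documentation.
Official documentation: https://www.elastic.co/guide/en/elasticsearch/reference/6.4/configuring-tls.html#enable-ssl
# Create a certificate authority for the ES cluster; this step generates the file elastic-stack-ca.p12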
./elasticsearch-6.4.2/bin/elasticsearch-certutil ca
# Generate a certificate and private key for each node; this step generates the file elastic-certificates.p12
./elasticsearch-6.4.2/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
mkdir -pv ./elasticsearch-6.4.2/config/certs
mv elastic-certificates.p12 ./elasticsearch-6.4.2/config/certs/
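4. Place the elastic-certificates.p12 generated in step 3 in the ./elasticsearch-6.4.2/config/certs/ directory of every node.
5. Start the cluster. External access is now over HTTPS and also requires a username and password.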
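The TLS part of elasticsearch.yml that steps 2 to 5 rely on, as an added example that is not part of the original post. It assumes the certs/elastic-certificates.p12 location from steps 3 and 4 and an empty keystore password; the setting names are those of the Elasticsearch 6.4 TLS documentation linked above.

```yaml
# elasticsearch.yml on every node (added example, not the author's file).
# Paths are relative to the config/ directory, so this resolves to
# ./elasticsearch-6.4.2/config/certs/elastic-certificates.p12 (step 4).

xpack.security.enabled: true

# Node-to-node (transport) traffic: encrypted and mutually authenticated.
xpack.security.transport.ssl.enabled: true
# "certificate" checks that the peer certificate is signed by the cluster CA
# but skips hostname verification, which fits certificates generated by
# "elasticsearch-certutil cert" without --dns/--ip names as in step 3.
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# Client-facing HTTP layer: this is what makes external access HTTPS (step 5).
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12

# With a non-empty PKCS#12 password, the password does not go in this file;
# it is stored in the Elasticsearch keystore on each node, e.g.
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
#   bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
```

Once the HTTP layer is on TLS, Kibana and curl must use https:// URLs and trust the CA certificate.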