Full-Text Search -- ES -- X-Pack (Part 5)

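I. The X-Pack security framework

X-Pack is an Elastic Stack extension that bundles security, alerting, monitoring, reporting, machine learning and graph capabilities into one easy-to-install package. To use these features you must install X-Pack in Elasticsearch, and the X-Pack version must match the Elasticsearch version. If you are installing X-Pack for the first time on an existing cluster, you must perform a full cluster restart. After X-Pack is installed, security must be enabled on every node in the cluster for the cluster to operate correctly.
Elasticsearch 7.1: the basic security features are free.
Official site: https://www.elastic.co/cn/downloads/x-pack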

(1) Installation and configuration

  1. Install
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-plugin install x-pack

Common problem:
ERROR: this distribution of Elasticsearch contains X-Pack by default
X-Pack is already included by default, so there is nothing to install.

  2. Enable X-Pack
# Change the passwords of elastic and the other built-in accounts; elastic is the highest-privilege account for logging in to ES
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-setup-passwords interactive
# Edit elasticsearch.yml:
[root@localhost elasticsearch-6.4.3]# vi config/elasticsearch.yml

# Add the following 2 lines to turn on the security features
xpack.security.enabled: true
# Enable SSL
# xpack.security.transport.ssl.enabled: true

View the license information: http://192.168.77.132:9200/_xpack/license

After X-Pack is installed, ES has three default accounts:

Account | Default password | Privileges
elastic | changeme |
kibana | changeme |
logstash_system | changeme |
curl -XPUT -u elastic 'http://localhost:9200/_xpack/security/user/elastic/_password' -H 'Content-Type: application/json' -d '{
  "password" : "yourpasswd"
}'
curl -XPUT -u elastic 'http://localhost:9200/_xpack/security/user/kibana/_password' -H 'Content-Type: application/json' -d '{
  "password" : "yourpasswd"
}'

  3. Crack X-Pack; otherwise the following error is reported:
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-setup-passwords auto

Unexpected response code [403] from calling GET http://192.168.77.130:9200/_xpack/security/_authenticate?pretty
It doesn't look like the X-Pack security feature is available on this Elasticsearch node.
Please check if you have installed a license that allows access to X-Pack Security feature.

ERROR: X-Pack Security is not available.

  4. Set the passwords
# Set them automatically
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-setup-passwords auto
Initiating the setup of passwords for reserved users elastic,kibana,logstash_system,beats_system.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user kibana
PASSWORD kibana = NVZBlTIlH7eb1gh0ldNO

Changed password for user logstash_system
PASSWORD logstash_system = UlGoGeLMoauElcK1Je9b

Changed password for user beats_system
PASSWORD beats_system = aVxjV7JcvZdZ8qRuTsgg

Changed password for user elastic
PASSWORD elastic = xW9dqAxThD5U4ShQV1JT

# Set the passwords by hand (note: this can only be done once; in a cluster, running it on one ES node is enough)
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-setup-passwords interactive

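Note: the passwords only need to be set on any one Elasticsearch node in the cluster. Running the tool a second time produces an error (see the common problems below); to update a password later, use Management > Users in Kibana.

Access test
  1. Access through elasticsearch-head
    Add this setting to elasticsearch.yml: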
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

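URL: http://192.168.77.132:9100/?auth_user=elastic&auth_password=xW9dqAxThD5U4ShQV1JT

Before Kibana was installed this did not work even with the setting in place; it worked after Kibana was installed and the trial license was activated.
Common problems:

  1. Failed to authenticate user 'elastic' against http://192.168.77.132:9200/_xpack/security/_authenticate?pretty
    Cause: the passwords have already been set. To set them again, use Management > Users in Kibana.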
Failed to authenticate user 'elastic' against http://192.168.77.132:9200/_xpack/security/_authenticate?pretty
Possible causes include:
 * The password for the 'elastic' user has already been changed on this cluster
 * Your elasticsearch node is running against a different keystore
   This tool used the keystore at /usr/elasticsearch/elasticsearch-6.4.3/config/elasticsearch.keystore

(2) Cracking

  1. Create the Java files
    LicenseVerifier.java
package org.elasticsearch.license; 
import java.nio.*; 
import java.util.*; 
import java.security.*; 
import org.elasticsearch.common.xcontent.*; 
import org.apache.lucene.util.*; 
import org.elasticsearch.common.io.*; 
import java.io.*; 

public class LicenseVerifier { 
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true; 
    } 
    
    public static boolean verifyLicense(final License license)     { 
        return true; 
    } 
}

XPackBuild.java

package org.elasticsearch.xpack.core;
import org.elasticsearch.common.io.*;
 import java.net.*;
 import org.elasticsearch.common.*;
 import java.nio.file.*;
 import java.io.*; 
 import java.util.jar.*; 
 public class XPackBuild { 
    public static final XPackBuild CURRENT;
    private String shortHash; 
    private String date; 
    @SuppressForbidden(reason = "looks up path of xpack.jar directly") static Path getElasticsearchCodebase() { 
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try { return PathUtils.get(url.toURI()); }
        catch (URISyntaxException bogus) { 
            throw new RuntimeException(bogus); } 
        } 
        
    XPackBuild(final String shortHash, final String date) {
            this.shortHash = shortHash; 
            this.date = date; 
            } 
            
    public String shortHash() {
        return this.shortHash;
        } 
    public String date(){ 
        return this.date; 
        }
        
    static { 
        final Path path = getElasticsearchCodebase();
        String shortHash = null; 
        String date = null;
        Label_0157: { shortHash = "Unknown"; date = "Unknown"; 
    } 
    
    CURRENT = new XPackBuild(shortHash, date); 
    }
}

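  2. Compile to class files
    Compile the two Java files just created into class files; these two class files are what gets replaced. (They reference other JARs, so the javac -cp option is needed.)
    The Elasticsearch install directory is:
    /usr/elasticsearch/elasticsearch-6.4.3/lib/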
[root@localhost new-x-pack]#  javac -cp "/usr/local/elasticsearch-6.4.3/lib/elasticsearch-6.4.3.jar:/usr/local/elasticsearch-6.4.3/lib/lucene-core-7.4.0.jar:/usr/local/elasticsearch-6.4.3/modules/x-pack-core/x-pack-core-6.4.3.jar:/usr/local/elasticsearch-6.4.3/lib/elasticsearch-core-6.4.3.jar" LicenseVerifier.java 

[root@localhost new-x-pack]#   javac -cp "/usr/local/elasticsearch-6.4.3/lib/elasticsearch-6.4.3.jar:/usr/local/elasticsearch-6.4.3/lib/lucene-core-7.4.0.jar:/usr/local/elasticsearch-6.4.3/modules/x-pack-core/x-pack-core-6.4.3.jar:/usr/local/elasticsearch-6.4.3/lib/elasticsearch-core-6.4.3.jar"  XPackBuild.java

# List the generated files
[root@localhost new-x-pack]#  ls *.class
LicenseVerifier.class  XPackBuild.class

  3. Extract and overwrite
# Copy x-pack-core/x-pack-core-6.4.3.jar to the current directory
[root@localhost new-x-pack]#  cp -a /usr/local/elasticsearch-6.4.3/modules/x-pack-core/x-pack-core-6.4.3.jar .
# Extract the archive (the contents end up in the org directory)
[root@localhost new-x-pack]#  jar -xvf x-pack-core-6.4.3.jar 
# Copy the class files into place, ready for repackaging
[root@localhost new-x-pack]#  cp -a LicenseVerifier.class org/elasticsearch/license/
cp:是否覆盖"org/elasticsearch/license/LicenseVerifier.class"? y
[root@localhost new-x-pack]# cp -a XPackBuild.class org/elasticsearch/xpack/core/
cp:是否覆盖"org/elasticsearch/xpack/core/XPackBuild.class"? y
# Delete the old JAR
[root@localhost elasticsearch-6.4.3]# rm x-pack-core-6.4.3.jar 
rm:是否删除普通文件 "x-pack-core-6.4.3.jar"?y
# Delete the source files
[root@localhost new-x-pack]# rm LicenseVerifier.java XPackBuild.java 
rm:是否删除普通文件 "LicenseVerifier.java"?y
rm:是否删除普通文件 "XPackBuild.java"?y

# Repackage in the new directory
[root@localhost new-x-pack]# jar -cvf x-pack-core-6.4.3.jar *

# Overwrite the old JAR
[root@localhost new-x-pack]# cp -a x-pack-core-6.4.3.jar /usr/local/elasticsearch-6.4.3/modules/x-pack-core/
cp:是否覆盖"/usr/elasticsearch/elasticsearch-6.4.3/modules/x-pack-core/x-pack-core-6.4.3.jar"? y
# Restart Elasticsearch as the es user (check that it starts)
[root@localhost elasticsearch-6.4.3]# sudo -u es ./bin/elasticsearch
[root@localhost elasticsearch-6.4.3]# sudo -u es ./bin/elasticsearch -d

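  4. Query the license
    http://192.168.77.130:9200/_xpack/license

Request a license from the official site:
URL: https://license.elastic.co/registration

The main fields to change:
1. "type":"basic" is replaced with "type":"platinum"  # the basic edition becomes platinum
2. "expiry_date_in_millis":1561420799999 is replaced with "expiry_date_in_millis":3107746200000  # 1 year becomes 50 years

  5. Upload the license:
    Create a license.json file with the following content: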
{"license":{"uid":"280afc36-d654-4b04-884a-e51da9afb978","type":"platinum","issue_date_in_millis":1526083200000,"expiry_date_in_millis":2524579200999,"max_nodes":1000,"issued_to":"shi zhenzhou (czbk)","issuer":"Web Form","signature":"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","start_date_in_millis":1526083200000}}

# Generate the certificates
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-certutil ca

# Accept the default at every prompt; the password can be left empty, just press Enter each time
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

# Create the directory:
[root@localhost elasticsearch-6.4.3]# mkdir config/certs/
# Move the certificate into it
[root@localhost elasticsearch-6.4.3]# mv elastic-certificates.p12 config/certs/
# Give ownership to the es user
[root@localhost elasticsearch-6.4.3]# chown -R es:es /usr/local/elasticsearch-6.4.3/
# Add the configuration
[root@localhost  elasticsearch-6.4.3]$ vi config/elasticsearch.yml 
# Enable X-Pack authentication
xpack.security.enabled: true
# Enable SSL
xpack.security.transport.ssl.enabled: true
# Configure the certificates
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# Restart ES
[root@localhost elasticsearch-6.4.3]# sudo -u es ./bin/elasticsearch

# Upload the license
[root@localhost elasticsearch-6.4.3]# curl -XPUT 'http://192.168.77.130:9200/_license' -H "Content-Type: application/json" -d @license.json

# Generate the passwords
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-setup-passwords auto

View the license:
http://192.168.77.130:9200/_xpack/license
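
Seen from the operator's side, the JAR swap in steps 2 and 3 changes the bytes of modules/x-pack-core/x-pack-core-6.4.3.jar, so a hash baseline taken from the official archive exposes it. The script below is an added example, not part of the original post; the function names, the baseline file format and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): record SHA-256 hashes of the JARs in
# an Elasticsearch install and later report any that were replaced or repacked.

sha256_of() {   # print only the hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        awk '{print $1}'
}

# Write "digest  relative/path" for every JAR under lib/ and modules/ of ES home $1.
make_baseline() {
    ( cd "$1" && find lib modules -type f -name '*.jar' | sort |
        while IFS= read -r jar; do printf '%s  %s\n' "$(sha256_of "$jar")" "$jar"; done )
}

# Compare ES home $1 with baseline file $2; print CHANGED/MISSING lines, return 1 on drift.
verify_baseline() {
    drift=0
    while read -r want jar; do
        if [ ! -f "$1/$jar" ]; then echo "MISSING $jar"; drift=1
        elif [ "$(sha256_of "$1/$jar")" != "$want" ]; then echo "CHANGED $jar"; drift=1
        fi
    done < "$2"
    return "$drift"
}

# Constructed demo tree standing in for an install directory (placeholder file contents).
es_home=$(mktemp -d)
mkdir -p "$es_home/lib" "$es_home/modules/x-pack-core"
echo core > "$es_home/lib/elasticsearch-6.4.3.jar"
echo original > "$es_home/modules/x-pack-core/x-pack-core-6.4.3.jar"
make_baseline "$es_home" > "$es_home.sha256"      # take this from a pristine unpack
echo repacked > "$es_home/modules/x-pack-core/x-pack-core-6.4.3.jar"
verify_baseline "$es_home" "$es_home.sha256" || echo "install differs from baseline"
rm -rf "$es_home" "$es_home.sha256"
```

Keep the baseline file off the host it describes; JARs added after the baseline was taken are not reported by this check.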

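Setting | Description | Applies to
xpack.graph.enabled | Set to false to disable the X-Pack graph features. | Kibana only
xpack.ml.enabled | Set to false to disable the X-Pack machine learning features. | Elasticsearch and Kibana
xpack.monitoring.enabled | Set to false to disable the X-Pack monitoring features. | Kibana only
xpack.reporting.enabled | Set to false to disable the X-Pack reporting features. | Kibana only
xpack.security.enabled | Set to false to disable the X-Pack security features. | All three ELK components
xpack.watcher.enabled | Set to false to disable Watcher. | Elasticsearch only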

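II. Common errors

  1. io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    On a 6.x release, installing X-Pack makes SSL-encrypted transport mandatory.
    Configure the certificates:
    1) Generate the certificates
# Accept the default at every prompt; the password can be left empty, just press Enter each time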
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-certutil ca

# Accept the default at every prompt; the password can be left empty, just press Enter each time
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

This creates elastic-certificates.p12 and elastic-stack-ca.p12 in the ES directory.

2) Configure the certificates

# Create the directory:
[root@localhost elasticsearch-6.4.3]# mkdir config/certs/
# Move the certificate into it
[root@localhost elasticsearch-6.4.3]# mv elastic-certificates.p12 config/certs/
# Give ownership to the es user
[root@localhost elasticsearch-6.4.3]# chown -R es:es /usr/local/elasticsearch-6.4.3/

# Enable X-Pack authentication
xpack.security.enabled: true
# Enable SSL
xpack.security.transport.ssl.enabled: true
# Configure the certificates
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# Set the password of the built-in elastic user (you are prompted for a value; that value is the elastic user's password)
[root@localhost elasticsearch-6.4.3]# ./bin/elasticsearch-keystore add bootstrap.password
Enter value for bootstrap.password: 
# Restart ES, then set the built-in users' passwords
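
A quick audit of the settings this section configures, as an added example that is not part of the original post: it flags disabled security, commented-out transport SSL, verification_mode none, a world-readable keystore, and (going beyond the page) a missing xpack.security.http.ssl.enabled, which leaves the Basic-auth passwords used above in cleartext on port 9200. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an elasticsearch.yml for the
# X-Pack security settings discussed above. The sample config below is constructed.

# Print the value of the last active (uncommented) "key: value" line for key $2 in file $1.
yml_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# Print one FINDING line per weakness; return 0 when clean, 1 otherwise.
audit_es_yml() {
    f=$1; dir=$(dirname "$f"); bad=0
    note() { printf 'FINDING: %s\n' "$1"; bad=1; }
    if [ "$(yml_get "$f" xpack.security.enabled)" != "true" ]; then
        note "xpack.security.enabled is not true: no authentication at all"
    fi
    if [ "$(yml_get "$f" xpack.security.transport.ssl.enabled)" != "true" ]; then
        note "transport SSL is off or commented out: node-to-node traffic is cleartext"
    fi
    if [ "$(yml_get "$f" xpack.security.http.ssl.enabled)" != "true" ]; then
        note "http SSL is off: Basic-auth passwords cross the network in cleartext"
    fi
    if [ "$(yml_get "$f" xpack.security.transport.ssl.verification_mode)" = "none" ]; then
        note "verification_mode none: any certificate is accepted"
    fi
    ks=$(yml_get "$f" xpack.security.transport.ssl.keystore.path)
    case $ks in /*|"") ;; *) ks="$dir/$ks" ;; esac   # relative paths resolve from config/
    if [ -n "$ks" ] && [ -n "$(find "$ks" -perm -004 2>/dev/null)" ]; then
        note "keystore $ks is world-readable; with an empty password it is unprotected"
    fi
    return "$bad"
}

# Constructed sample: the first config shown on the page (SSL line still commented out).
demo_dir=$(mktemp -d)
cat > "$demo_dir/elasticsearch.yml" <<'EOF'
xpack.security.enabled: true
# xpack.security.transport.ssl.enabled: true
EOF
audit_es_yml "$demo_dir/elasticsearch.yml" || echo "config needs attention"
rm -rf "$demo_dir"
```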
