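Elasticsearch + X-Pack and connecting via the Java Transport client
- I. Software and dependency versions
- II. Modifying x-pack-core.jar
  - 1. Decompile x-pack-core-6.8.11.jar with the IDEA plugin (java-decompiler)
  - 2. Modify the source files LicenseVerifier.java and XPackBuild.java
  - 3. Compile the modified LicenseVerifier.java and XPackBuild.java
  - 4. Replace the LicenseVerifier.class and XPackBuild.class files
- III. Adding the Elasticsearch security configuration
- IV. Java client Transport connection configuration
- V. Conclusion

This article only describes and records the overall encryption process and the connection configuration process. If you are unfamiliar with the terms involved, please look them up on Baidu.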
I. Software and dependency versions
Name | Version |
---|---|
Elasticsearch | 6.8.11 |
X-pack | 6.8.11 |
jdk | 1.8.0_191 |
spring-boot-starter-data-elasticsearch | 2.1.1.RELEASE |
x-pack-transport | 6.8.11 |
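II. Modifying x-pack-core.jar
The X-Pack monitoring component is a paid product. This article is for personal research and practice only; using a licensed copy is recommended.
Follow the steps below to decompile x-pack-core-6.8.11.jar, then replace the x-pack-core-6.8.11.jar in the Elasticsearch directory with the modified one.
Location of x-pack-core-6.8.11.jar: elasticsearch-6.8.11/modules/x-pack-core/x-pack-core-6.8.11.jar
1. Decompile x-pack-core-6.8.11.jar with the IDEA plugin (java-decompiler)
The java-decompiler plugin is under plugins in the IDEA installation directory, for example: D:\Program Files\JetBrains\IntelliJ IDEA 2019.1.3\plugins\java-decompiler\lib\java-decompiler.jar
Decompile the jar with the command below. When decompilation finishes, a source jar is generated in the specified directory; extract it with an archive tool.
```bash
# The ./x-pack-core-6.8.11 directory name can be chosen freely, but the directory must be created manually beforehand, otherwise decompilation fails
java -cp "D:\Program Files\JetBrains\IntelliJ IDEA 2019.1.3\plugins\java-decompiler\lib\java-decompiler.jar" org.jetbrains.java.decompiler.main.decompiler.ConsoleDecompiler -dhs=true ./x-pack-core-6.8.11.jar ./x-pack-core-6.8.11
```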
2. Modify the source files LicenseVerifier.java and XPackBuild.java
Location of LicenseVerifier.java: x-pack-core-6.8.11/org/elasticsearch/license/LicenseVerifier.java
Location of XPackBuild.java: x-pack-core-6.8.11/org/elasticsearch/xpack/core/XPackBuild.java
The modified files are as follows:
LicenseVerifier.java
```java
package org.elasticsearch.license;

import java.nio.*;
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;

public class LicenseVerifier {
    // Both overloads return true unconditionally, so the license signature is never checked.
    public static boolean verifyLicense(License license, byte[] publicKeyData) {
        return true;
    }

    public static boolean verifyLicense(License license) {
        return true;
    }
}
```
XPackBuild.java
```java
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(
        reason = "looks up path of xpack.jar directly"
    )
    static Path getElasticsearchCodebase() {
        URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException var2) {
            throw new RuntimeException(var2);
        }
    }

    XPackBuild(String shortHash, String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        // The jar path is still looked up but no longer used; hash and date are hard-coded.
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0157: {
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}
```
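3. Compile the modified LicenseVerifier.java and XPackBuild.java
Compilation is done in the Linux environment of the Elasticsearch service.
Required dependency jars:
Name | Dependency jar location |
---|---|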
elasticsearch-6.8.11.jar | elasticsearch-6.8.11/lib/elasticsearch-6.8.11.jar |
elasticsearch-core-6.8.11.jar | elasticsearch-6.8.11/lib/elasticsearch-core-6.8.11.jar |
lucene-core-7.7.3.jar | elasticsearch-6.8.11/lib/lucene-core-7.7.3.jar |
x-pack-core-6.8.11.jar | elasticsearch-6.8.11/modules/x-pack-core/x-pack-core-6.8.11.jar |
Place the dependency jars and the modified LicenseVerifier.java and XPackBuild.java in the same directory, then run the following commands to compile:
```bash
javac -cp "lucene-core-7.7.3.jar:elasticsearch-6.8.11.jar:x-pack-core-6.8.11.jar" LicenseVerifier.java
javac -cp "lucene-core-7.7.3.jar:elasticsearch-6.8.11.jar:x-pack-core-6.8.11.jar:elasticsearch-core-6.8.11.jar" XPackBuild.java
```
After compilation, LicenseVerifier.class and XPackBuild.class are generated in the current directory.
4. Replace the LicenseVerifier.class and XPackBuild.class files
Open the original x-pack-core-6.8.11.jar with an archive tool and replace the corresponding entries in the jar with the newly compiled LicenseVerifier.class and XPackBuild.class.
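III. Adding the Elasticsearch security configuration
1. Append the setting below to the end of the elasticsearch.yml configuration file, then restart the Elasticsearch service.
```yaml
xpack.security.enabled: false
```
2. Save the license information below to the server. The license given below is valid until 2050; type: platinum indicates the platinum tier, and expiry_date_in_millis indicates the end date. Name the file license.json.
Alternatively, apply for a license through the official site (https://license.elastic.co/registration).
```json
{"license":{"uid":"864c20ea-b26f-4f1d-bfe5-4f02a26f90a9","type":"platinum","issue_date_in_millis":1570752000000,"expiry_date_in_millis":2524579200999,"max_nodes":100,"issued_to":"deng pang (yiren)","issuer":"Web Form","signature":"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","start_date_in_millis":1570752000000}}
```
3. Import the license
In the directory where license.json is stored, run the import command below; elastic is the username used for authentication.
```bash
curl -XPUT -u elastic 'http://192.168.1.100:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
```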
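4. After the import succeeds, edit elasticsearch.yml to turn on X-Pack security and restart Elasticsearch. Add the following:
```yaml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```
5. After the restart, run the command below in the Elasticsearch service directory to initialize the passwords.
```bash
./bin/elasticsearch-setup-passwords interactive
```
6. Open port 9200 in a browser and enter the username and password when prompted to view the Elasticsearch information.
The following steps are for client connection authentication or cluster connection authentication.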
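7. In the Elasticsearch program directory, run the command below to generate a certificate authority. You will be prompted for a password, which protects access to the certificate; it can be left unset.
```bash
elasticsearch-certutil ca
```
8. In the Elasticsearch program directory, run the command below to generate the certificate and key. As above, you will be prompted for a password, which can likewise be left unset.
```bash
elasticsearch-certutil cert --ca elastic-stack-ca.p12
```
9. Place the generated certificate file elastic-certificates.p12 under conf/certs in the Elasticsearch service directory. If the certs directory does not exist, create it with mkdir.
```bash
# Run in the Elasticsearch service directory
mkdir -p conf/certs
```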
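10. Edit elasticsearch.yml to add the TLS/SSL configuration that encrypts transport communication, or the one that encrypts HTTPS access, as needed. Here I use only the TLS/SSL transport configuration. Restart the Elasticsearch service after the change.
TLS/SSL configuration for encrypted transport communication:
```yaml
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Forward slashes: a backslash is not a path separator on the Linux server
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```
Configuration for encrypted HTTPS access:
```yaml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
```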
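An added example (not from the original article) that audits the flat elasticsearch.yml settings used in the steps above and flags the weaker choices: verification_mode: certificate skips hostname verification, and leaving HTTP SSL off sends REST requests, including basic-auth credentials, in plaintext. The sample configs are constructed, and the parser handles only the flat dotted-key form shown on this page.

```python
# Constructed sample: security on, transport TLS only, certificate-only verification.
WEAK = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""
# Constructed hardened variant: hostname verification on, HTTP layer encrypted too.
HARDENED = WEAK.replace("verification_mode: certificate", "verification_mode: full") + """\
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
"""
MODE_RISK = {
    "certificate": "chain is checked but not the hostname: any cert from the CA passes",
    "none": "peer certificates are not verified at all",
}
T_SSL = "xpack.security.transport.ssl."
H_SSL = "xpack.security.http.ssl."

def parse_flat_settings(text):
    """Parse flat 'dotted.key: value' lines (not general YAML)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().lower()
    return settings

def audit(settings):
    """Return (setting, message) findings for the options discussed above."""
    findings = []
    if settings.get("xpack.security.enabled") != "true":
        findings.append(("xpack.security.enabled", "security is not explicitly enabled"))
    if settings.get(T_SSL + "enabled") != "true":
        findings.append((T_SSL + "enabled", "node-to-node traffic is sent in plaintext"))
    else:
        mode = settings.get(T_SSL + "verification_mode", "full")  # default is full
        if mode in MODE_RISK:
            findings.append((T_SSL + "verification_mode", MODE_RISK[mode]))
    if settings.get(H_SSL + "enabled") != "true":
        findings.append((H_SSL + "enabled", "REST traffic and credentials are sent in plaintext"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        for key, msg in audit(parse_flat_settings(text)):
            print(f"[{name}] {key}: {msg}")
```

Moving to verification_mode: full requires node certificates whose subject alternative names match the addresses the nodes are reached on.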
IV. Java client Transport connection configuration
1. Elasticsearch configuration in pom.xml
```xml
<properties>
    <elastic.version>6.8.11</elastic.version>
</properties>
<dependencies>
    <!-- Elasticsearch configuration: start -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-elasticsearch</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.elasticsearch.client</groupId>
                <artifactId>x-pack-transport</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.elasticsearch.plugin</groupId>
                <artifactId>transport-netty4-client</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.elasticsearch.client</groupId>
                <artifactId>transport</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch.client</groupId>
        <artifactId>x-pack-transport</artifactId>
        <version>${elastic.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.elasticsearch.client</groupId>
                <artifactId>transport</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch.plugin</groupId>
        <artifactId>transport-netty4-client</artifactId>
        <version>${elastic.version}</version>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch.client</groupId>
        <artifactId>transport</artifactId>
        <version>${elastic.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.elasticsearch</groupId>
                <artifactId>elasticsearch</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch</groupId>
        <artifactId>elasticsearch</artifactId>
        <version>${elastic.version}</version>
    </dependency>
    <!-- Elasticsearch configuration: end -->
</dependencies>
```
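2. application.properties configuration; remove the existing spring.data.elasticsearch settings
```properties
# Cluster name
elasticsearch.cluster-name=192.168.1.100
# Node address
elasticsearch.cluster-nodes=192.168.1.100:9300
# Authentication credentials (username:password)
elasticsearch.cluster-password=elastic:123456
# Certificate file path; the certificate file must be the same as the one configured in elasticsearch.yml, otherwise verification fails
elasticsearch.cert-path=/data/certs/elastic-certificates.p12
# Whether SSL authentication is enabled
elasticsearch.ssl-enabled=true
```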
3. Injecting the Elasticsearch configuration
```java
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.net.InetAddress;
import java.net.UnknownHostException;

/**
 * Elasticsearch configuration
 *
 * @author allen
 * @version 1.0
 * @className ElasticsearchConfiguration
 * @description Elasticsearch configuration
 * @date 2021-01-21 0021 PM 16:48
 **/
@Configuration
@ConfigurationProperties(prefix = "elasticsearch")
public class ElasticsearchConfiguration {
    private String clusterName;
    private String clusterNodes;
    private String clusterPassword;
    private String certPath;
    private boolean sslEnabled;

    /**
     * Elasticsearch client injection (configuration)
     *
     * @return the transport client connected to the configured nodes
     */
    @Bean
    public TransportClient transportClient() {
        TransportClient packTransportClient = new PreBuiltXPackTransportClient(settings());
        try {
            // clusterNodes is a comma-separated list of host:port pairs
            String[] split = clusterNodes.split(",");
            for (String s : split) {
                String[] split1 = s.trim().split(":");
                int port = Integer.parseInt(split1[1]);
                packTransportClient.addTransportAddress(new TransportAddress(InetAddress.getByName(split1[0]), port));
            }
            return packTransportClient;
        } catch (UnknownHostException e) {
            // Fail startup instead of registering a null bean, and release the client's resources
            packTransportClient.close();
            throw new IllegalStateException("Cannot resolve Elasticsearch node address", e);
        }
    }

    private Settings settings() {
        Settings.Builder builder = Settings.builder();
        if (sslEnabled) {
            builder.put("cluster.name", clusterName);
            // Credentials in username:password form
            builder.put("xpack.security.user", clusterPassword);
            builder.put("xpack.security.enabled", sslEnabled);
            // Same PKCS#12 file as configured in elasticsearch.yml on the server
            builder.put("xpack.security.transport.ssl.keystore.path", certPath);
            builder.put("xpack.security.transport.ssl.truststore.path", certPath);
            builder.put("xpack.security.transport.ssl.verification_mode", "certificate");
            builder.put("xpack.security.transport.ssl.enabled", sslEnabled);
            builder.put("client.transport.sniff", true);
            builder.put("thread_pool.search.size", 10);
        }
        return builder.build();
    }

    public void setClusterName(String clusterName) {
        this.clusterName = clusterName;
    }

    public void setClusterNodes(String clusterNodes) {
        this.clusterNodes = clusterNodes;
    }

    public void setClusterPassword(String clusterPassword) {
        this.clusterPassword = clusterPassword;
    }

    public void setCertPath(String certPath) {
        this.certPath = certPath;
    }

    public void setSslEnabled(boolean sslEnabled) {
        this.sslEnabled = sslEnabled;
    }
}
```
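V. Conclusion
At this point all the configuration is complete. During configuration, pay particular attention to the step that matches the Java Elasticsearch dependency versions and to the certificate authentication step: not only does the Elasticsearch service need the certificate configured, the Java side needs it too, and authentication will not succeed without the certificate.
This article is also a record of this configuration and part of my technical growth; comments are welcome.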