#沒有許可證的es無法持久的設置密碼,而且使用一段時間后會過期,過期后,一些功能無法被使用,例如head插件無法看到es狀態。
下圖是過期的es的狀態,可通過此url查看:http://ip:port_xpack/license
使用es-head插件連接提示403,無法直接連接已過期的es
#elasticsearch通過x-pack模塊來提供密碼認證等功能,不過我們無需額外安裝x-pack插件,x-pack包在6.3版本后已經集成在es安裝包內
#此文章應該不僅限於6.5.1版本,沒有驗證過,不過直覺告訴我只要是6.3+的版本參照這個也能成功破解,畢竟步驟差不多,什么,為什么這么自信?因為早上用了飄柔(因為我也是參照了其他高手的文章的,人家6.3.2可行:https://blog.csdn.net/qq_25475209/article/details/81906701)
下面開始破解es,步驟大致如下,准備開干。
取出es中的x-pack包jar文件,解壓后用破解后的代碼替換掉原有的類文件,后將更改后的文件 || 重新打成jar包 || 上傳許可證 || 創建證書文件 || 調整es配置文件后啟動即可
環境信息
es版本:6.5.1 安裝路徑:/home/admin/elasticsearch-6.5.1 使用端口:9200 #配置文件 cluster.name: test node.name: es-node-1 path.data: /home/admin/elasticsearch-6.5.1/data path.logs: /home/admin/elasticsearch-6.5.1/logs bootstrap.memory_lock: false bootstrap.system_call_filter: false network.host: 0.0.0.0 http.port: 9200
1.先把之前代碼取出來,然后把破解后的代碼替換進去
#破解后的類文件(百度網盤)
鏈接:https://pan.baidu.com/s/1GTCwQfcLBpDc8QStoMPlKA 提取碼:1swg
#創建個零時目錄,我們在這里動手術,不能誤傷友軍。
#如果是其他版本的es,cp的時候將下圖表紅的版本號,記得換成你那個版本的,不然完全按照我這兒步驟可是行不通的。
[admin@es-node-1 ~]$ pwd /home/admin [admin@es-node-1 ~]$ mkdir jartmp [admin@es-node-1 ~]$ cd jartmp/ [admin@es-node-1 jartmp]$ cp /home/admin/elasticsearch-6.5.1/modules/x-pack-core/x-pack-core-6.5.1.jar ./ [admin@es-node-1 jartmp]$ jar -xf x-pack-core-6.5.1.jar #解壓jar包 [admin@es-node-1 jartmp]$ cp /tmp/XPackBuild.class org/elasticsearch/xpack/core/ #將百度盤上面的文件替換掉現有文件 [admin@es-node-1 jartmp]$ cp /tmp/LicenseVerifier.class org/elasticsearch/license/
[admin@es-node-1 jartmp]$ rm -rf x-pack-core-6.5.1.jar #刪除原有jar包
[admin@es-node-1 jartmp]$ jar -cfv x-pack-core-6.5.1.jar * #用咋們剛改過的代碼生成新的jar包(名稱不要變)
[admin@es-node-1 jartmp]$ cp x-pack-core-6.5.1.jar /home/admin/elasticsearch-6.5.1/modules/x-pack-core/ #將手術完成的模塊放回去
2.手術完了,改改配置,試試改完后的es好不好使,還好使的話,繼續望下執行,要是不好使,都啟動不起來,那么這個教程可能不適合你,可能因為版本原因把。
#調整下配置文件后重新啟動es,啟動一下xpack模塊
cluster.name: test node.name: es-node-1 path.data: /home/admin/elasticsearch-6.5.1/data path.logs: /home/admin/elasticsearch-6.5.1/logs bootstrap.memory_lock: false bootstrap.system_call_filter: false network.host: 0.0.0.0 http.port: 9200 http.cors.enabled: true http.cors.allow-origin: "*" xpack.security.enabled: true
#開啟密碼功能(返回如下格式json代表成功)(如果沒有繼續按照步驟執行,上傳許可證,這個密碼也就能用30天)
[admin@es-node-1 elasticsearch-6.5.1]$ curl -H "Content-Type:application/json" -XPOST http://10.0.1.103:9200/_xpack/license/start_trial?acknowledge=true
[2019-12-10T19:58:37,751][INFO ][o.e.l.LicenseService ] [es-node-1] license [bd5aaeb7-a213-4696-8e53-865884e51ebc] mode [trial] - valid
{"acknowledged":true,"trial_was_started":true,"type":"trial"}
#試一下,發現es要密碼了,TNN的還沒設置,咋知道密碼是啥。
#再設置也不遲。
[admin@es-node-1 elasticsearch-6.5.1]$ /home/admin/elasticsearch-6.5.1/bin/elasticsearch-setup-passwords auto # auto|interactive 模式二選一,正如字面意思,可以自動生成密碼也可以手動輸入要設置的密碼 Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user. The passwords will be randomly generated and printed to the console. Please confirm that you would like to continue [y/N]y [2019-12-10T20:01:51,091][INFO ][o.e.c.m.MetaDataCreateIndexService] [es-node-1] [.security-6] creating index, cause [api], templates [security-index-template], shards [1]/[0], mappings [doc] [2019-12-10T20:01:51,273][INFO ][o.e.c.r.a.AllocationService] [es-node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.security-6][0]] ...]). Changed password for user apm_system PASSWORD apm_system = ZMLYeAwXynEECiPY8KuV Changed password for user kibana PASSWORD kibana = SR0BAPhVXLYUCqERsm2W Changed password for user logstash_system PASSWORD logstash_system = RxUBjW4Wq1coYqvXRZKa Changed password for user beats_system PASSWORD beats_system = pA9SMgXzFTU4hslSQSnf Changed password for user remote_monitoring_user PASSWORD remote_monitoring_user = 7G5mm9QZBCJECA8yXAwm Changed password for user elastic PASSWORD elastic = HPlwGuzgQsG712KymGyY
#這時候,輸入剛才生成的密碼就可以進來啦
#看下許可證情況,一個月就又到期了很尷尬,接下來讓他。。。永不過期有點太狂了,讓他晚點過期把。。
3.上傳許可證,因為我們已經破解了x-pack,許可證上傳的時候可以狂一點,比如搞個高端版本的es,實際上,第二個步驟的操作不用破解都能干,破解的作用主要就是為了這步開始,為了永恆的使用~。
#創建許可證文件(許可證文件為官方申請https://register.elastic.co/marvel_register,申請下來后自己改點東西,也可以自行申請,信息填寫准確)
#紅標處為改動過的內容,分別為白金版和過期時間(時間戳)
[admin@es-node-1 elasticsearch-6.5.1]$ cat license.json {"license":{"uid":"640fd711-1234-4ccf-8cd3-737396ed3597","type":"platinum","issue_date_in_millis":1564963200000,"expiry_date_in_millis":2544271999999,"max_nodes":100,"issued_to":"? ?? (?)","issuer":"Web Form","signature":"AAAAAwAAAA2CzEVG2T4xrY3F7fi0AAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQAURfLHTfnsxhRKDusn05L7HpgN2Fbc8XHRJNNWQ6WgeMoSUcF9uyA39/TYti6wAdXLbq6z18Jgd0uj6JgDv9W5r/Lm1P0ca7xeIeoHnjCkT/EW95nM6HrQVbkRT5ofLWu0ZqD9s/leiPAMorjBkVHe2AwefE+LYbK1JhGhkRINESGx0Lva0Cxx/QvZNY86/dCWQ3e1PfgSlBpDYN2d6bzsdXivumfGdMv15McoYMNFGy9WsivhD/S3AfuN/6e8LfNZCTjAXrYawKcFlXoPIX9oZe/doAxpACOVmDoC5cdSGDfLMZ/Y6e0sXYZuSgiL68udLilJHRR6iqXeMgxkC3qZ","start_date_in_millis":1564963200000}} [admin@es-node-1 elasticsearch-6.5.1]$ curl -XPUT -u elastic 'http://10.0.1.103:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json Enter host password for user 'elastic': [2019-12-10T20:18:11,703][WARN ][r.suppressed ] [es-node-1] path: /_xpack/license, params: {} java.lang.IllegalStateException: Cannot install a [PLATINUM] license unless TLS is configured or security is disabled at org.elasticsearch.license.LicenseService.registerLicense(LicenseService.java:220) ~[?:?] at org.elasticsearch.license.TransportPutLicenseAction.masterOperation(TransportPutLicenseAction.java:54) ~[?:?] at org.elasticsearch.license.TransportPutLicenseAction.masterOperation(TransportPutLicenseAction.java:23) ~[?:?] at org.elasticsearch.action.support.master.TransportMasterNodeAction.masterOperation(TransportMasterNodeAction.java:108) ~[elasticsearch-6.5.1.jar:6.5.1] at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$2.doRun(TransportMasterNodeAction.java:195)~[elasticsearch-6.5.1.jar:6.5.1] at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:723) [elasticsearch-6.5.1.jar:6.5.1] at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.5.1.jar:6.5.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_201] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_201] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_201] {"error":{"root_cause":[{"type":"illegal_state_exception","reason":"Cannot install a [PLATINUM] license unless TLS is configured or security is disabled"}],"type":"illegal_state_exception","reason":"Cannot install a [PLATINUM] license unless TLS is configured or security is disabled"},"status":500}[admin@es-node-1 elasticsearch-6.5.1]$
#不允許安全模式下上傳許可證,先改配置文件把x-pack關了,注意不是注釋,是將配置定為false,重啟后再試
cluster.name: test node.name: es-node-1 path.data: /home/admin/elasticsearch-6.5.1/data path.logs: /home/admin/elasticsearch-6.5.1/logs bootstrap.memory_lock: false bootstrap.system_call_filter: false network.host: 0.0.0.0 http.port: 9200 http.cors.enabled: true http.cors.allow-origin: "*" xpack.security.enabled: false
#這次就成功了
[admin@es-node-1 elasticsearch-6.5.1]$ curl -XPUT -u elastic 'http://10.0.1.103:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json Enter host password for user 'elastic': [2019-12-10T20:25:54,368][INFO ][o.e.l.LicenseService ] [es-node-1] license [640fd711-1234-4ccf-8cd3-737396ed3597] mode [platinum] - valid {"acknowledged":true,"license_status":"valid"}
#再次將x-pack開啟,這次是true,再重啟
cluster.name: test node.name: es-node-1 path.data: /home/admin/elasticsearch-6.5.1/data path.logs: /home/admin/elasticsearch-6.5.1/logs bootstrap.memory_lock: false bootstrap.system_call_filter: false network.host: 0.0.0.0 http.port: 9200 http.cors.enabled: true http.cors.allow-origin: "*" xpack.security.enabled: true
#啟動會報錯,因為沒有搞證書,進入下一個階段。
ERROR: [1] bootstrap checks failed
[1]: Transport SSL must be enabled for setups with production licenses. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
4.私有證書申請,配置使用。
#按照下方步驟申請證書,第一個需要填寫的是文件名,這個直接默認,回車,接下來標紅處分別是,es集群名稱:test,證書文件存放的目錄:es_ca,節點ip:10.0.1.103(我這只有一台所以就寫一台,如果是集群環境,又多台那么按照格式填寫節點ip:1.1.1.1,2.2.2.2,3.3.3.3逗號分隔),節點名稱:es-node-1(es配置文件中的node.name,同主機名,跟ip同理,如果是集群的話,那就用逗號隔開)
[admin@es-node-1 elasticsearch-6.5.1]$ /home/admin/elasticsearch-6.5.1/bin/elasticsearch-certgen ****************************************************************************** Note: The 'elasticsearch-certgen' tool has been deprecated in favour of the 'elasticsearch-certutil' tool. This command will be removed in a future release. ****************************************************************************** This tool assists you in the generation of X.509 certificates and certificate signing requests for use with SSL in the Elastic stack. Depending on the command line option specified, you may be prompted for the following: * The path to the output file * The output file is a zip file containing the signed certificates and private keys for each instance. If a Certificate Authority was generated, the certificate and private key will also be included in the output file. * Information about each instance * An instance is any piece of the Elastic Stack that requires a SSL certificate. Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats may all require a certificate and private key. * The minimum required value for each instance is a name. This can simply be the hostname, which will be used as the Common Name of the certificate. A full distinguished name may also be used. * A filename value may be required for each instance. This is necessary when the name would result in an invalid file or directory name. The name provided here is used as the directory name (within the zip) and the prefix for the key and certificate files. The filename is required if you are prompted and the name is not displayed in the prompt. * IP addresses and DNS names are optional. Multiple values can be specified as a comma separated string. If no IP addresses or DNS names are provided, you may disable hostname verification in your SSL configuration. * Certificate Authority private key password * The password may be left empty if desired. Let's get started... Please enter the desired output file [certificate-bundle.zip]: Enter instance name: test Enter name for directories and files [test]: es_ca Enter IP Addresses for instance (comma-separated if more than one) []: 10.0.1.103 Enter DNS names for instance (comma-separated if more than one) []: es-node-1 Would you like to specify another instance? Press 'y' to continue entering instance information: #此處直接回車 Certificates written to /home/admin/elasticsearch-6.5.1/certificate-bundle.zip This file should be properly secured as it contains the private keys for all instances and the certificate authority. After unzipping the file, there will be a directory for each instance containing the certificate and private key. Copy the certificate, key, and CA certificate to the configuration directory of the Elastic product that they will be used for and follow the SSL configuration instructions in the product guide. For client applications, you may only need to copy the CA certificate and configure the client to trust this certificate.
#解壓ca壓縮包並取出證書文件后放置到config目錄下
[admin@es-node-1 elasticsearch-6.5.1]$ unzip certificate-bundle.zip Archive: certificate-bundle.zip creating: ca/ inflating: ca/ca.crt inflating: ca/ca.key creating: es_ca/ inflating: es_ca/es_ca.crt inflating: es_ca/es_ca.key [admin@es-node-1 elasticsearch-6.5.1]$ cp ca/* es_ca/* config/
#調整配置文件引入ca配置后重啟
cluster.name: test node.name: es-node-1 path.data: /home/admin/elasticsearch-6.5.1/data path.logs: /home/admin/elasticsearch-6.5.1/logs bootstrap.memory_lock: false bootstrap.system_call_filter: false network.host: 0.0.0.0 http.port: 9200 http.cors.enabled: true http.cors.allow-origin: "*" xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.ssl.key: es_ca.key xpack.ssl.certificate: es_ca.crt xpack.ssl.certificate_authorities: ca.crt
#啟動會報一些ca的問題,因為這個ca是私有的肯定是不受信任的不管,總之啟動了,接下來訪問es看到期時間。
大功告成!!不過用head插件連接時,傳入賬號密碼參數,總是連不上呢
5.head插件連接es
#head傳入賬號密碼參數:http://172.16.169.211:9100/?auth_user=elastic&auth_password=HPlwGuzgQsG712KymGyY
#head訪問es時會報跨域問題,但是我們的es已經配置了允許跨域訪問了:http.cors.allow-origin: "*"
Access to XMLHttpRequest at 'http://*.*.*.*:60004/_all' from origin 'http://172.16.169.211:9100' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response. app.js:1307 {XHR Error: "error", message: ""}
#解決方案-還是得動配置文件,允許一些頭部的請求
cluster.name: test node.name: es-node-1 path.data: /home/admin/elasticsearch-6.5.1/data path.logs: /home/admin/elasticsearch-6.5.1/logs bootstrap.memory_lock: false bootstrap.system_call_filter: false network.host: 0.0.0.0 http.port: 9200 http.cors.enabled: true http.cors.allow-origin: "*" xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.ssl.key: es_ca.key xpack.ssl.certificate: es_ca.crt xpack.ssl.certificate_authorities: ca.crt http.cors.allow-headers: Authorization,X-Requested-With,Content-Type,Content-Length
#改完后重啟es,搞定。
