Elasticsearch 7.x 白金版

在之前的文章中我们分享了安装Elasticsearch 7.4集群（开启集群Auth + Transport SSL）以及 Kibana & Keystore中，我们已经安装了安全的Elasticsearch，可以在实际的生产环境进行部署了，但是我们可能需要体验一下白金版的其他的特性（LDAP统一认证等）怎么办呢，推荐去官网申请Licence，有效期三十天进行测试，测试符合你的要求后再去购买对应的版本，版本对比。

这里呢我们介绍另外一种方式，去除Elastic的License认证，当然仅仅用于研究测试，生产使用请购买License。

环境说明：

Amazon Linux 2 AMI
Windows 10
Elasticsearch 7.4.2
Luyten v0.5.4 GitHub
WinRAR

下载Elasticsearch 7.4.2

$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-linux-x86_64.tar.gz
$ tar xf elasticsearch-7.4.2-linux-x86_64.tar.gz

我们提取出x-pack-core这个jar包，拷贝到windows上，位置如下：

$ES_HOME/modules/x-pack-core/x-pack-core-7.4.2.jar

获取Jar包查看工具Luyten，你可以可以使用其他的工具，GitHub，下载Windows版本的exe文件。

然后打开x-pack-core-7.4.2.jar这个文件：

定位到两个文件：然后点击File–Save As 另存为java源码文件：

org.elasticsearch.license/LicenseVerifier.class

org.elasticsearch.xpack.core/XPackBuild.class

这里拿到两个Java源码文件，如下：

LicenseVerifier.java
XPackBuild.java

下面分别进行修改：

LicenseVerifier.java 修改

package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier
{
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        /* 注释掉这一大段
        byte[] signedContent = null;
        byte[] publicKeyFingerprint = null;
        try {
            final byte[] signatureBytes = Base64.getDecoder().decode(license.signature());
            final ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
            final int version = byteBuffer.getInt();
            final int magicLen = byteBuffer.getInt();
            final byte[] magic = new byte[magicLen];
            byteBuffer.get(magic);
            final int hashLen = byteBuffer.getInt();
            publicKeyFingerprint = new byte[hashLen];
            byteBuffer.get(publicKeyFingerprint);
            final int signedContentLen = byteBuffer.getInt();
            signedContent = new byte[signedContentLen];
            byteBuffer.get(signedContent);
            final XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
            license.toXContent(contentBuilder, (ToXContent.Params)new ToXContent.MapParams((Map)Collections.singletonMap("license_spec_view", "true")));
            final Signature rsa = Signature.getInstance("SHA512withRSA");
            rsa.initVerify(CryptUtils.readPublicKey(publicKeyData));
            final BytesRefIterator iterator = BytesReference.bytes(contentBuilder).iterator();
            BytesRef ref;
            while ((ref = iterator.next()) != null) {
                rsa.update(ref.bytes, ref.offset, ref.length);
            }
            return rsa.verify(signedContent);
        }
        catch (IOException ex) {}
        catch (NoSuchAlgorithmException ex2) {}
        catch (SignatureException ex3) {}
        catch (InvalidKeyException e) {
            throw new IllegalStateException(e);
        }
        finally {
            if (signedContent != null) {
                Arrays.fill(signedContent, (byte)0);
            }
        }
         */
        return true; // 增加这行
    }
    
    public static boolean verifyLicense(final License license) {
        /* 注释掉这一大段
        byte[] publicKeyBytes;
        try {
            final InputStream is = LicenseVerifier.class.getResourceAsStream("/public.key");
            try {
                final ByteArrayOutputStream out = new ByteArrayOutputStream();
                Streams.copy(is, (OutputStream)out);
                publicKeyBytes = out.toByteArray();
                if (is != null) {
                    is.close();
                }
            }
            catch (Throwable t) {
                if (is != null) {
                    try {
                        is.close();
                    }
                    catch (Throwable t2) {
                        t.addSuppressed(t2);
                    }
                }
                throw t;
            }
        }
        catch (IOException ex) {
            throw new IllegalStateException(ex);
        }
        return verifyLicense(license, publicKeyBytes);
        */
        return true; // 增加这行
    }
}

XPackBuild.java 修改

package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild
{
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;
    
    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        }
        catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }
    
    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }
    
    public String shortHash() {
        return this.shortHash;
    }
    
    public String date() {
        return this.date;
    }
    
    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0109: {
            /* 注释掉这一大段即可
            if (path.toString().endsWith(".jar")) {
                try {
                    final JarInputStream jar = new JarInputStream(Files.newInputStream(path, new OpenOption[0]));
                    try {
                        final Manifest manifest = jar.getManifest();
                        shortHash = manifest.getMainAttributes().getValue("Change");
                        date = manifest.getMainAttributes().getValue("Build-Date");
                        jar.close();
                    }
                    catch (Throwable t) {
                        try {
                            jar.close();
                        }
                        catch (Throwable t2) {
                            t.addSuppressed(t2);
                        }
                        throw t;
                    }
                    break Label_0109;
                }
                catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
             */
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}

源代码已经更改完毕，下面就是生成class文件，然后替换源class文件即可：

生成Class文件

将两个修改好后的文件：LicenseVerifier.java，XPackBuild.java上传到Elasticsearch所在的Linux服务上，将如下脚本放到和这两个java文件同级目录：

java2class.sh

$ cat java2class.sh
#!/bin/sh

ES_HOME="/opt/elk74/es01" # 指定Elasticsearch的目录
ES_JAR=$(cd $ES_HOME && ls lib/elasticsearch-[0-9]*.jar)
ESCORE_JAR=$(cd $ES_HOME && ls lib/elasticsearch-core-*.jar)
LUCENE_JAR=$(cd $ES_HOME && ls lib/lucene-core-*.jar)
XPACK_JAR=$(cd $ES_HOME && ls modules/x-pack-core/x-pack-core-*.jar)

javac -cp "${ES_HOME}/${ES_JAR}:${ES_HOME}/${LUCENE_JAR}:${ES_HOME}/${XPACK_JAR}:${ES_HOME}/${ESCORE_JAR}" LicenseVerifier.java

javac -cp "${ES_HOME}/${ES_JAR}:${ES_HOME}/${LUCENE_JAR}:${ES_HOME}/${XPACK_JAR}:${ES_HOME}/${ESCORE_JAR}" XPackBuild.java

# 目录结构如下：
[ec2-user@test01 es74-test]$ ll
total 2732
-rw-rw-r-- 1 ec2-user ec2-user     528 Nov 29 11:03 java2class.sh
-rw-r--r-- 1 ec2-user ec2-user     531 Nov 25 21:58 LicenseVerifier.java
-rw-r--r-- 1 ec2-user ec2-user    1275 Nov 25 22:06 XPackBuild.java

说明：

这个脚本的主要作用是，方便对于不同版本的ES、不同目录的ES进行快速的生成class文件，免的再去修改路径啊，版本啊，其实上面的脚本就是执行两条语句如下：

$ javac -cp /opt/wanghk/es01/lib/elasticsearch-7.4.2.jar:/opt/wanghk/es01/lib/lucene-core-8.2.0.jar:/opt/wanghk/es01/modules/x-pack-core/x-pack-core-7.4.2.jar:/opt/wanghk/es01/lib/elasticsearch-core-7.4.2.jar LicenseVerifier.java

$ javac -cp /opt/wanghk/es01/lib/elasticsearch-7.4.2.jar:/opt/wanghk/es01/lib/lucene-core-8.2.0.jar:/opt/wanghk/es01/modules/x-pack-core/x-pack-core-7.4.2.jar:/opt/wanghk/es01/lib/elasticsearch-core-7.4.2.jar XPackBuild.java

然后执行这个脚本：

$ sh java2class.sh

# 可以看到生成了两个class文件：
[ec2-user@test01 es74-test]$ ll
total 2732
-rw-rw-r-- 1 ec2-user ec2-user     528 Nov 29 11:03 java2class.sh
-rw-rw-r-- 1 ec2-user ec2-user     410 Nov 29 11:04 LicenseVerifier.class
-rw-r--r-- 1 ec2-user ec2-user     531 Nov 25 21:58 LicenseVerifier.java
-rw-rw-r-- 1 ec2-user ec2-user    1512 Nov 29 11:04 XPackBuild.class
-rw-r--r-- 1 ec2-user ec2-user    1275 Nov 25 22:06 XPackBuild.java

好了两个Class文件已经生成了，下面就是把jar包中对应的这两个class给替换掉我们生成的，有两种方式：

替换掉`x-pack-core-7.4.2.jar`中的两个class文件

第一种方式

相对简单，将这两个class下载到windows上，然后使用Winrar打开x-pack-core-7.4.2.jar，定位到：org\elasticsearch\license，然后将我们生成的LicenseVerifier.class拖入到这里。

定位到org\elasticsearch\xpack\core，将XPackBuild.class拖入到这里。

第二种方式

这里在linux上操作：

我们把$ES_HOME/modules/x-pack-core/x-pack-core-7.4.2.jar提取出来，放到一个临时的/elk/x-pack目录中。

$ export ES_HOME="/opt/elk74/es01"
$ cp $ES_HOME/modules/x-pack-core/x-pack-core-7.4.2.jar /elk/x-pack
$ cd /elk/x-pack
# 解压x-pack-core-7.4.2.jar
$ jar -xvf x-pack-core-7.4.2.jar

# 替换.class文件
$ cp /root/XPackBuild.class /elk/x-pack/org/elasticsearch/xpack/core/
$ cp /root/LicenseVerifier.class /elk/x-pack/org/elasticsearch/license/

# 重新打包生成x-pack-core-7.4.2.jar文件
$ cd /elk/x-pack
$ rm -rf x-pack-core-7.0.1.jar   # 删除临时拷贝过来的源文件
$ jar cvf x-pack-core-7.0.1.jar .

采用上面任意一种方式，这个jar包就是我们修改后的了，然后替换$ES_HOME/modules/x-pack-core/x-pack-core-7.4.2.jar即可。

注意：对于ES集群，需要把每个node的节点的x-pack-core-7.4.2.jar都替换成我们修改后的才可的。

申请License

去官网申请License。

我们将申请下来的License中的type改为platinum，将expiry_date_in_millis延长N年时间：

{"license":
  {
    "uid":"13370dd7-23e4-4470-ad2a-ccacb620f60a",
    "type":"platinum",
    "issue_date_in_millis":1563235200000,
    "expiry_date_in_millis":3107746200000,
    "max_nodes":100,"issued_to":"l l (juzj)",
    "issuer":"Web Form",
    "signature":"AAAAAwAAAA3uiNJR7B8rdgnwFZItAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQCyhef7hVFMq4orIbwULz0c1dX+Ng4sva5RTmWxKYLnJAyXmMRLp2Pvk9YE5G9JoI4gaSB4mIUtVyPzNGJpHLQCPS/kQ8y0B+mc0aXbBKZgbDTqE6p9E+kk1j8myN9GU+JR8QnYd8GiP4ziBUc2zOyx4hskiGE++Kx1KbD4862GbZwLCo9pIIHoxnpt44OytDB9lb7rYr2JBwc07flaR8ndkHlOL7AhuV2OMwDNw978l4OK/O4qxdthxc/XVo6l03IkVoy17coeJ9Oi4YIpOBXrIAYRgjPa68SvnnM8Ykb0KvNvJ7Y8GJ7x+l2q5qMu8QrBeJQ6U0fH/2ATgUy9EiwA",
    "start_date_in_millis":1563235200000
  }
}

好了license.json文件已经OK了，根据安装Elasticsearch 7.4集群（开启集群Auth + Transport SSL）以及 Kibana & Keystore来安装ES高安全集群。

然后加载License到ES中：

$ curl -XPUT -u elastic 'http://localhost:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
Enter host password for user 'elastic':           # 输入elastic用户密码
{"acknowledged":true,"license_status":"valid"}    # license写入成功

查看License：

$ curl -XGET -uelastic http://localhost:9200/_license
Enter host password for user 'elastic': 
{
  "license" : {
    "status" : "active",
    "uid" : "537458c7-c1dd-43ea-ab69-68es09d80c98",
    "type" : "platinum",
    "issue_date" : "2019-11-29T00:00:00.000Z",
    "issue_date_in_millis" : 1558051200000,
    "expiry_date" : "2068-06-24T14:50:00.999Z",
    "expiry_date_in_millis" : 2524579200999,
    "max_nodes" : 1000,
    "issued_to" : "pyker",
    "issuer" : "Web Form",
    "start_date_in_millis" : 1558051200000
  }
}

登陆Kibana查看一下吧：

参考：

https://www.ipyker.com/2019/03/13/elastic-x-pack

本文到这里就结束了，欢迎期待后面的文章。您可以关注下方的公众号二维码，在第一时间查看新文章。