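When running Elasticsearch (ES), especially in production, security cannot be ignored. By default, Elasticsearch does not enable authentication, which means anyone can access your ES cluster. To improve security, we can configure usernames and passwords for the cluster so that only authorized users can reach it. This article explains in detail how to configure account credentials for an Elasticsearch cluster from Java.
First, we need to enable the security features in Elasticsearch. Starting with Elasticsearch 6.8.0 and 7.1.0, the X-Pack security features are built into Elasticsearch and need no separate installation.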
In the Elasticsearch configuration file elasticsearch.yml, add the following settings to enable security:

    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true

To enable SSL/TLS-encrypted communication, we need to generate certificates. The elasticsearch-certutil tool that ships with Elasticsearch can generate them:

    bin/elasticsearch-certutil ca
    bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Place the generated certificate file in the Elasticsearch configuration directory and set the certificate paths in elasticsearch.yml:

    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

Elasticsearch has several built-in users, such as elastic and kibana. We can use the elasticsearch-setup-passwords tool to set passwords for these users:

    bin/elasticsearch-setup-passwords auto

This command automatically generates random passwords for the built-in users. You can also choose to set the passwords manually:

    bin/elasticsearch-setup-passwords interactive

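In Java applications, we usually talk to the ES cluster through the Elasticsearch Java client. To configure the username and password in Java, we use RestHighLevelClient or RestClient and add the authentication information to the client configuration.
RestHighLevelClient is the high-level Java client officially recommended by Elasticsearch. We can configure the username and password as follows: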

    import org.apache.http.HttpHost;
    import org.apache.http.auth.AuthScope;
    import org.apache.http.auth.UsernamePasswordCredentials;
    import org.apache.http.client.CredentialsProvider;
    import org.apache.http.impl.client.BasicCredentialsProvider;
    import org.elasticsearch.client.RestClient;
    import org.elasticsearch.client.RestHighLevelClient;

    public class ElasticsearchClient {
        public static RestHighLevelClient createClient() {
            // Credentials the client presents via HTTP Basic authentication.
            final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(AuthScope.ANY,
                    new UsernamePasswordCredentials("elastic", "your_password")); // placeholder password

            // Build the high-level client on top of the low-level REST client builder.
            RestHighLevelClient client = new RestHighLevelClient(
                    RestClient.builder(
                            new HttpHost("localhost", 9200, "http"))
                            .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                                    .setDefaultCredentialsProvider(credentialsProvider)));
            return client;
        }
    }

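In the code above, we create a BasicCredentialsProvider object and set the username and password on it. We then pass this CredentialsProvider to the RestHighLevelClient configuration.
If you are using RestClient, the configuration is similar: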

    import org.apache.http.HttpHost;
    import org.apache.http.auth.AuthScope;
    import org.apache.http.auth.UsernamePasswordCredentials;
    import org.apache.http.client.CredentialsProvider;
    import org.apache.http.impl.client.BasicCredentialsProvider;
    import org.elasticsearch.client.RestClient;

    public class ElasticsearchClient {
        public static RestClient createClient() {
            final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(AuthScope.ANY,
                    new UsernamePasswordCredentials("elastic", "your_password"));
            RestClient client = RestClient.builder(
                    new HttpHost("localhost", 9200, "http"))
                    .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                            .setDefaultCredentialsProvider(credentialsProvider))
                    .build();
            return client;
        }
    }

For Elasticsearch 8.x, the officially recommended client is the new Java client, ElasticsearchClient. It is configured as follows:

    import co.elastic.clients.elasticsearch.ElasticsearchClient;
    import co.elastic.clients.json.jackson.JacksonJsonpMapper;
    import co.elastic.clients.transport.ElasticsearchTransport;
    import co.elastic.clients.transport.rest_client.RestClientTransport;
    import org.apache.http.HttpHost;
    import org.apache.http.auth.AuthScope;
    import org.apache.http.auth.UsernamePasswordCredentials;
    import org.apache.http.client.CredentialsProvider;
    import org.apache.http.impl.client.BasicCredentialsProvider;
    import org.elasticsearch.client.RestClient;

    // Named ElasticsearchClientFactory so the class does not clash with the
    // imported co.elastic.clients.elasticsearch.ElasticsearchClient type.
    public class ElasticsearchClientFactory {
        public static ElasticsearchClient createClient() {
            final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(AuthScope.ANY,
                    new UsernamePasswordCredentials("elastic", "your_password"));
            // The new client still runs on top of the low-level RestClient.
            RestClient restClient = RestClient.builder(
                    new HttpHost("localhost", 9200, "http"))
                    .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                            .setDefaultCredentialsProvider(credentialsProvider))
                    .build();
            ElasticsearchTransport transport = new RestClientTransport(
                    restClient, new JacksonJsonpMapper());
            return new ElasticsearchClient(transport);
        }
    }

Once the client is configured, we can use the following code to test whether it connects to the Elasticsearch cluster successfully:

    import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
    import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
    import org.elasticsearch.client.RequestOptions;
    import org.elasticsearch.client.RestHighLevelClient;
    import org.elasticsearch.cluster.health.ClusterHealthStatus;

    public class TestConnection {
        public static void main(String[] args) {
            try (RestHighLevelClient client = ElasticsearchClient.createClient()) {
                ClusterHealthRequest request = new ClusterHealthRequest();
                ClusterHealthResponse response = client.cluster().health(request, RequestOptions.DEFAULT);
                ClusterHealthStatus status = response.getStatus();
                System.out.println("Cluster health status: " + status);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

If the output is Cluster health status: GREEN, the connection succeeded.
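
An added example, not part of the original article: the clients above use the http scheme and a password literal in source, so the Basic credentials cross the network unencrypted. This variant assumes TLS is also enabled on the HTTP layer (xpack.security.http.ssl.enabled: true), reads the hypothetical ES_* environment variables, trusts a PKCS#12 file that holds only the CA certificate, and confirms the login through GET /_security/_authenticate.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;
import org.elasticsearch.client.Request;
import org.elasticsearch.client.Response;
import org.elasticsearch.client.ResponseException;
import org.elasticsearch.client.RestClient;

public class SecureClientCheck {
    // Hypothetical helper: fail fast instead of falling back to a default secret.
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException("missing " + name);
        return v;
    }
    public static void main(String[] args) throws Exception {
        String host = env("ES_HOST"); // all ES_* names are assumptions of this example
        // Trust only the cluster CA (PKCS#12 file with the CA certificate, no private key).
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(env("ES_CA_TRUSTSTORE")))) {
            trust.load(in, env("ES_CA_TRUSTSTORE_PASSWORD").toCharArray());
        }
        SSLContext ssl = SSLContexts.custom().loadTrustMaterial(trust, null).build();
        // Scope the credentials to this host and port rather than AuthScope.ANY.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(host, 9200),
                new UsernamePasswordCredentials(env("ES_USERNAME"), env("ES_PASSWORD")));
        try (RestClient client = RestClient.builder(new HttpHost(host, 9200, "https"))
                .setHttpClientConfigCallback(b -> b.setSSLContext(ssl)
                        .setDefaultCredentialsProvider(creds))
                .build()) {
            // Returns the authenticated user and its roles.
            Response r = client.performRequest(new Request("GET", "/_security/_authenticate"));
            System.out.println("Authenticated as: " + EntityUtils.toString(r.getEntity()));
        } catch (ResponseException e) {
            // 401: missing or wrong credentials; 403: authenticated but not authorized.
            System.err.println("Rejected: HTTP " + e.getResponse().getStatusLine().getStatusCode());
        }
    }
}
```

Running the same check with a deliberately wrong ES_PASSWORD should print a 401 rejection; if it still succeeds, authentication is not being enforced on that node.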
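With the steps above, we have configured account credentials for an Elasticsearch cluster from Java. This improves the security of the cluster and ensures that only authorized users can access it. In a real production environment, it is advisable to rotate passwords regularly and to strictly limit user privileges to further protect the data.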