Over the past year there have been many leaks from databases
We will briefly describe our experience of using Elasticsearch to store and analyze the logs of information-security tools, operating systems and software on our IaaS platform, which meets the requirements of 152-FZ (Cloud-152).
We check whether the database "sticks out" into the Internet
In most of the known leak cases (
First, let's scan from the Internet. Why? The point is that in its basic operation Elasticsearch
If you manage to get in, run and close it.
Restricting connections to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (1 month of free use).
The good news is that in the fall of 2019 Amazon opened up its own developments, which overlap with X-Pack. Authentication when connecting to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
The plugin is easy to install. Go to the server console and add the repository:
RPM based:
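An added example of the check described above, not code from the original article: an anonymous probe of an Elasticsearch REST port that tells "answers to anyone" apart from "demands credentials". Run it from a host outside your perimeter against your own node. It uses only the Python standard library; the placeholder target address is an assumption.

```python
"""Added example, not code from the article: an anonymous probe of an Elasticsearch
REST port that tells 'answers to anyone' apart from 'demands credentials'. Run it
from a host outside your perimeter against your own node. Standard library only;
the placeholder target address is an assumption."""
import http.client
import json
import ssl
import sys
from typing import Optional, Tuple

ES_PORT = 9200  # Elasticsearch's default REST port, the one the firewall rule later opens


def fetch_root(host: str, port: int = ES_PORT, use_tls: bool = False,
               timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """GET / with no credentials. Returns (status, body), or (None, reason) when
    nothing usable answered (closed port, filtered, wrong protocol)."""
    if use_tls:
        # Reachability is all we measure here, so a self-signed node cert is accepted.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.read(4096).decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        return None, f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()


def assess(status: Optional[int], body: str) -> str:
    """Classify one response to 'GET /'.
    - 200 with the cluster banner: whoever reaches the port can read and write indices
    - 401/403: the security plugin is answering and demands credentials
    - None: nothing answered (port closed, filtered, or protocol mismatch)"""
    if status is None:
        return "UNREACHABLE"
    if status in (401, 403):
        return "AUTH_REQUIRED"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "HTTP_200_UNKNOWN_SERVICE"
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            ver = info["version"].get("number", "?")
            return f"EXPOSED_UNAUTHENTICATED (cluster={info['cluster_name']}, version={ver})"
        return "HTTP_200_UNKNOWN_SERVICE"
    return f"HTTP_{status}"


def probe(host: str, port: int = ES_PORT, timeout: float = 5.0) -> str:
    """Stock Elasticsearch speaks plain HTTP; once the security plugin is on it speaks
    TLS on the same port, so try both before concluding the port is unreachable."""
    status, body = fetch_root(host, port, use_tls=False, timeout=timeout)
    if status is None:
        status, body = fetch_root(host, port, use_tls=True, timeout=timeout)
    return assess(status, body)


if __name__ == "__main__":
    # 198.51.100.10 is a documentation-range placeholder, not a real node.
    target = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.10"
    print(probe(target))
```

The verdict to aim for after the steps below is either UNREACHABLE (the firewall drops the connection) or AUTH_REQUIRED (the plugin answers 401); EXPOSED_UNAUTHENTICATED is the state the leaks mentioned above were found in.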
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Configuring communication between the servers over SSL
After the plugin is installed, the configuration of the port that serves the database changes: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to set up communication between them over SSL.
Trust between the hosts can be established either with your own certificate authority or without one. The first path is clear: you go to your CA specialists. Let's move straight to the second.
- Create a variable with the domain name:
export DOMAIN_CN="example.com"
- Create a private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or replaced, trust between all the hosts will have to be set up again.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the admin key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the admin certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create the certificates for the Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on the Elasticsearch nodes in the directory:
/etc/elasticsearch/
We need the files:
node-01-key.pem
node-01.pem
admin-key.pem
admin.pem
root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with the ones we created:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
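The most common way for this procedure to fail is a mismatch between the subject in the certificates generated above and the admin_dn / nodes_dn entries in elasticsearch.yml: openssl's -subj lists RDNs root-first with slashes, while the plugin compares against RFC 2253 form, leaf-first with commas and escaped special characters. The following is an added example, not code from the article or from the Open Distro project: it derives the RFC 2253 DN from an openssl -subj string and checks a config fragment against it. The YAML fragment and subject strings inside it are constructed from the values above; only the Python standard library is used.

```python
"""Added example (not from the article or the Open Distro project): derive the
RFC 2253 DNs that opendistro_security.authcz.admin_dn / opendistro_security.nodes_dn
must carry from the openssl -subj strings used above, and check an elasticsearch.yml
fragment against them. Standard library only; the sample config below is constructed."""
import re
from typing import Dict, List, Tuple

# Characters RFC 2253 requires to be backslash-escaped inside an attribute value.
_RFC2253_SPECIAL = ',+"\\<>;'


def parse_openssl_subj(subj: str) -> List[Tuple[str, str]]:
    """Split an openssl '-subj' string ("/C=RU/ST=Moscow/CN=admin") into (type, value)
    pairs. A backslash-escaped '/' inside a value is kept. Values are NOT trimmed:
    openssl keeps a stray blank such as "CN=admin " in the certificate, and that blank
    then silently breaks the admin_dn match, so the checker must see it too."""
    parts = [p.replace("\\/", "/") for p in re.split(r"(?<!\\)/", subj) if p]
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr, value))
    return pairs


def rfc2253_escape(value: str) -> str:
    """Escape one attribute value as RFC 2253 section 2.4 requires."""
    out = "".join(("\\" + c) if c in _RFC2253_SPECIAL else c for c in value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


def subj_to_rfc2253(subj: str) -> str:
    """openssl lists RDNs root-first; the plugin compares leaf-first, comma-separated."""
    pairs = parse_openssl_subj(subj)
    return ",".join(f"{attr}={rfc2253_escape(value)}" for attr, value in reversed(pairs))


def parse_dn_lists(yaml_text: str) -> Dict[str, List[str]]:
    """Minimal reader for list-valued keys of the shape 'key:' followed by '- value'
    lines, which is how the DN lists appear in elasticsearch.yml (no PyYAML needed)."""
    lists: Dict[str, List[str]] = {}
    current = None
    for raw in yaml_text.splitlines():
        line = raw.rstrip()
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- ") and current is not None:
            lists[current].append(stripped[2:].strip().strip("'\""))
        elif not line.startswith((" ", "\t")) and line.endswith(":"):
            current = line[:-1]
            lists[current] = []
        else:
            current = None  # a scalar 'key: value' line ends any open list
    return lists


def check_security_config(yaml_text: str, admin_subj: str, node_subjs: List[str]) -> List[str]:
    """Return findings (empty list == consistent). Compares the configured DN lists with
    the DNs the certificates will actually carry, and reports transport hostname
    verification being off, since the node certificates above do carry a matching SAN."""
    findings: List[str] = []
    lists = parse_dn_lists(yaml_text)
    admin_dn = subj_to_rfc2253(admin_subj)
    if admin_dn not in lists.get("opendistro_security.authcz.admin_dn", []):
        findings.append(f"admin_dn does not contain certificate DN {admin_dn!r}")
    node_dns = lists.get("opendistro_security.nodes_dn", [])
    for subj in node_subjs:
        dn = subj_to_rfc2253(subj)
        if dn not in node_dns:
            findings.append(f"nodes_dn does not contain certificate DN {dn!r}")
    if re.search(r"^opendistro_security\.ssl\.transport\.enforce_hostname_verification:\s*false\s*$",
                 yaml_text, re.M):
        findings.append("transport hostname verification is disabled; the node certificates "
                        "carry a DNS SAN, so it could be turned on")
    return findings


# Constructed sample mirroring the elasticsearch.yml fragment and -subj values above.
SAMPLE_CONFIG = """\
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
"""
ADMIN_SUBJ = "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin"
NODE_SUBJS = ["/C=RU/ST=Moscow/O=Moscow Inc./CN=node-01.example.com"]

if __name__ == "__main__":
    for line in check_security_config(SAMPLE_CONFIG, ADMIN_SUBJ, NODE_SUBJS) or ["DN lists match the certificate subjects"]:
        print(line)
```

Note the root CA subject above uses "O=Moscow, Inc." with a comma; if that organisation string were ever used for an admin or node certificate, the DN in the config would have to read O=Moscow\, Inc. or the plugin would never match it. Running the sample as written reports only the hostname-verification setting, which is informational for this configuration.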
Changing the passwords of the internal users
- Using the command below (OD_SEC is the plugin path exported in the last section), we print the password hash to the console:
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Configuring a firewall in the OS
- Enable the firewall at startup:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/TCP --permanent
- Reload the firewall rules:
firewall-cmd --reload
- View the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin directory:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that updates the passwords and checks the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET https://[Elasticsearch IP/name]:9200/_cat/nodes?v -u admin:[password] --insecure
That's all; this is the necessary minimum for protecting Elasticsearch from unauthorized connections.
Source: www.habr.com