Over the past year, there have been many leaks from databases
Let us note right away that in our practice we use Elasticsearch to store logs and to analyze the logs of information security tools, the OS and software on our IaaS platform, which complies with the requirements of 152-FZ, Cloud-152.
Checking whether the database is "exposed" to the Internet
In most of the well-known leak cases (
First, let's look at exposure to the Internet. Why does this happen? The fact is that for more flexible operation of Elasticsearch
If you can log in, hurry to close it off.
Protecting connections to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin (1 month free).
The good news is that in the autumn of 2019 Amazon opened up its own developments, which overlap with X-Pack. The authentication function for connections to the database has become available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
This plugin is easy to install. Go to the server console and connect the repository:
RPM-based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB-based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up communication between servers over SSL
When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to configure communication between them using SSL.
Trust between hosts can be established with or without your own certificate authority. With the first method everything is clear: you just need to contact the CA specialists. Let's go straight to the second.
- Create a variable with the full domain name:
export DOMAIN_CN="example.com"
- Create a private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be reconfigured.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create an administrator key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the administrator certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create certificates for the Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on the Elasticsearch nodes in the following folder:
/etc/elasticsearch/
We need the following files:
node-01-key.pem
node-01.pem
admin-key.pem
admin.pem
root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml - replace the certificate file names with the ones we generated:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
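The admin_dn and nodes_dn entries have to match the subjects of the certificates signed in the previous steps, written in RFC 2253 order (the reverse of the order passed to openssl -subj). The script below is an added example, not part of the original article: it builds a constructed throwaway CA and admin certificate in a temporary directory (2048-bit keys for speed; the helper names cert_dn, check_cert and make_sample_pki are made up here) and checks both the chain and the DN.

```shell
#!/bin/sh
# Added example: compare a certificate's subject with the DN configured in
# elasticsearch.yml (admin_dn / nodes_dn) and verify it chains to the root CA.

# Print the subject of a PEM certificate in RFC 2253 form, the form used in
# opendistro_security.authcz.admin_dn and opendistro_security.nodes_dn.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_cert CERT CA EXPECTED_DN: returns 0 only if CERT verifies against CA
# and its subject is exactly equal to EXPECTED_DN (1 = chain, 2 = DN mismatch).
check_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "FAIL chain: $1"; return 1; }
    actual=$(cert_dn "$1")
    if [ "$actual" != "$3" ]; then
        echo "FAIL dn: $1"; echo "  cert:   $actual"; echo "  config: $3"
        return 2
    fi
    echo "OK: $1 -> $actual"
}

# Constructed sample PKI in a temporary directory (2048-bit keys to keep the
# demo fast; the article uses 4096). File names mirror the article's.
make_sample_pki() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      openssl genrsa -out root-ca-key.pem 2048 &&
      openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com" \
          -key root-ca-key.pem -out root-ca.pem &&
      openssl genrsa -out admin-key.pem 2048 &&
      openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin" \
          -key admin-key.pem -out admin.csr &&
      openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem \
          -CAcreateserial -sha256 -out admin.pem
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}

ADMIN_DN='CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU'  # as in elasticsearch.yml

if PKI=$(make_sample_pki); then
    check_cert "$PKI/admin.pem" "$PKI/root-ca.pem" "$ADMIN_DN"
    # Same attributes in openssl -subj order: the comparison must fail.
    check_cert "$PKI/admin.pem" "$PKI/root-ca.pem" \
        'C=RU,ST=Moscow,O=Moscow Inc.,CN=example.com,CN=admin' || true
fi
```

On a real node, call check_cert with the files from /etc/elasticsearch/ and the DN strings copied from elasticsearch.yml before running securityadmin.sh.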
Changing the passwords of internal users
- Using the command below, we print the password hash to the console:
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Configuring the firewall in the OS
- Enable the firewall at startup:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone=work
firewall-cmd --zone=work --add-port=9200/tcp --permanent
- Reload the firewall rules:
firewall-cmd --reload
- List the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that will update the passwords and check the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check whether the changes have been applied:
curl -XGET https://[Elasticsearch IP/hostname]:9200/_cat/nodes?v -u admin:[password] --insecure
That's all; these are the minimum settings that protect Elasticsearch from unauthorized connections.
Source: www.habr.com