Protecting an Elasticsearch database with the Open Distro security plugin
We use Elasticsearch in our IaaS platform, including in the cloud that meets the requirements of 152-FZ (Cloud-152).
Publishing a database "bare" on the Internet is a bad idea. So what is the problem? The problem is that in its basic setup Elasticsearch does not protect the database at all.
Now let's see how to make an Elasticsearch database secure.
Elasticsearch does have built-in security features, but only through the X-Pack plugin, which is part of a commercial subscription.
The situation changed in 2019, when Amazon released Open Distro for Elasticsearch, which includes a security plugin as an alternative to X-Pack. At the time of writing the latest supported release is Elasticsearch 7.3.2, and the plugin already works with Elasticsearch 7.4.0 as well.
The plugin is installed as follows: first the repository is added, then the package.
For RPM:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
For DEB:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Installing certificates and enabling SSL
After the plugin is installed, the database still has to be protected with SSL: for the nodes and the clients to work with each other, every party needs a certificate, and the certificates must be trusted by a common root.
A certificate can be bought from a public CA or generated by yourself (self-signed). We will generate our own: a root CA certificate, an administrator certificate and a certificate for each Elasticsearch node. The steps are as follows.
- Set an environment variable with the domain name:
export DOMAIN_CN="example.com"
- Generate the root CA key:
openssl genrsa -out root-ca-key.pem 4096
Keep the root key in a safe place: if it is lost or compromised, every certificate signed with it has to be reissued.
- Create the self-signed root certificate:
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Generate the administrator key and convert it to PKCS#8:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request for the administrator certificate:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Sign the administrator certificate with the root CA:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Generate the key for the Elasticsearch node and convert it to PKCS#8:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a certificate signing request for the node certificate:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the node certificate with the root CA:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Copy the certificates to the Elasticsearch configuration directory /etc/elasticsearch/. The files needed there are: node-01-key.pem node-01.pem admin-key.pem admin.pem root-ca.pem
- Edit /etc/elasticsearch/elasticsearch.yml and add the settings that point to the certificate files:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
Here admin_dn is the DN of the administrator certificate and nodes_dn lists the DNs of the node certificates; note that the DN components are written in the reverse order of the openssl -subj strings used above.
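A mismatch between the subject given to openssl and the DN written into admin_dn or nodes_dn is the most common reason securityadmin.sh later refuses to run, and the one setting in the fragment above that weakens transport security (hostname verification switched off) is easy to overlook. The following Python helper is an added example for both the certificate steps and the configuration above; it is not code from the Habr article or from the Open Distro project. It converts the openssl -subj strings into the DN form the plugin compares against and audits an elasticsearch.yml fragment (embedded here as a constructed sample copied from the settings above) for mismatched DNs and weak SSL settings. The function names subj_to_dn, parse_settings, audit_security_settings and check_article_config are my own.

```python
"""Added example, not code from the article or from Open Distro: turn the
openssl -subj strings used above into the DN form that Open Distro compares
against in admin_dn / nodes_dn, and audit an elasticsearch.yml fragment for
mismatched DNs and weak SSL settings.  All function names are hypothetical."""
import re
from typing import Dict, List, Optional, Union

Config = Dict[str, Union[str, List[str]]]

# Subjects exactly as passed to `openssl req -subj` in the steps above.
ADMIN_SUBJ = "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin"
NODE_SUBJ = "/C=RU/ST=Moscow/O=Moscow Inc./CN=node-01.example.com"

# Constructed sample: the security part of the elasticsearch.yml shown above.
SAMPLE_ELASTICSEARCH_YML = """\
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
"""


def subj_to_dn(subj: str) -> str:
    """Convert "/C=RU/ST=Moscow/O=Moscow Inc./CN=admin" into
    "CN=admin,O=Moscow Inc.,ST=Moscow,C=RU": RDNs are listed most specific
    first and joined with commas, and characters that RFC 2253 treats as
    special (comma, plus, quote, backslash, angle brackets, semicolon) are
    backslash-escaped.  Values are copied literally, so a stray space in the
    -subj string is preserved rather than silently hidden."""
    rdns = []
    for part in subj.split("/"):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {subj!r}")
        value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
        rdns.append(f"{attr}={value}")
    return ",".join(reversed(rdns))


def parse_settings(text: str) -> Config:
    """Parse the flat `key: value` / `  - item` subset of YAML that
    elasticsearch.yml uses (this is not a general YAML parser)."""
    cfg: Config = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.lstrip().startswith("- "):
            items = cfg.get(current) if current else None
            if not isinstance(items, list):
                raise ValueError(f"list item without a list key: {raw!r}")
            items.append(line.lstrip()[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        current = key.strip()
        cfg[current] = value.strip() or []  # an empty value opens a list
    return cfg


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_security_settings(cfg: Config, admin_subj: str, node_subjs: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []

    def setting(key: str) -> str:
        value = cfg.get(key, "")
        return value.strip().lower() if isinstance(value, str) else ""

    if setting("opendistro_security.allow_unsafe_democertificates") != "false":
        findings.append("allow_unsafe_democertificates is not false: the bundled demo "
                        "certificates, whose private keys are public, would be accepted")
    if setting("opendistro_security.ssl.http.enabled") != "true":
        findings.append("ssl.http.enabled is not true: the REST API and its passwords "
                        "travel over plain HTTP")
    if setting("opendistro_security.ssl.transport.enforce_hostname_verification") == "false":
        findings.append("transport hostname verification is disabled: a certificate issued "
                        "by the trusted CA is accepted regardless of the host it names")
    expected_admin = subj_to_dn(admin_subj)
    if expected_admin not in _as_list(cfg.get("opendistro_security.authcz.admin_dn")):
        findings.append(f"admin_dn lacks {expected_admin!r}: securityadmin.sh would be refused")
    node_dns = _as_list(cfg.get("opendistro_security.nodes_dn"))
    for subj in node_subjs:
        expected_node = subj_to_dn(subj)
        if expected_node not in node_dns:
            findings.append(f"nodes_dn lacks {expected_node!r}: transport connections "
                            "from that node would be rejected")
    return findings


def check_article_config() -> List[str]:
    """Audit the sample configuration against the subjects used above."""
    return audit_security_settings(parse_settings(SAMPLE_ELASTICSEARCH_YML),
                                   ADMIN_SUBJ, [NODE_SUBJ])


if __name__ == "__main__":
    for finding in check_article_config():
        print("WARN:", finding)
```

Run against the settings above, the audit reports exactly one finding: enforce_hostname_verification is false. That is tolerable on a single node whose certificate is already pinned through nodes_dn, but in a multi-node cluster it is better set to true so that each node must present a certificate naming the host it runs on. The check does not cover one further detail of the certificate steps: signing with openssl x509 -req does not carry the subjectAltName from the CSR into the certificate unless you tell it to (for example with -copy_extensions copy on OpenSSL 3), so inspect the issued node certificate with openssl x509 -noout -text before relying on the SAN.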
- Set a password for the admin user. Generate its hash with the script shipped with the plugin (OD_SEC is the plugin directory, set below):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Put the resulting hash into the internal users file:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Setting up the firewall in the OS
- Enable firewalld at boot:
systemctl enable firewalld
- Start firewalld:
systemctl start firewalld
- Allow the Elasticsearch port:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/TCP --permanent
- Reload the rules:
firewall-cmd --reload
- Check the result:
firewall-cmd --list-all
Applying the security configuration to Elasticsearch
- Set an environment variable with the path to the security plugin:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the securityadmin script, which loads the security configuration into the cluster using the administrator certificate:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the settings have been applied:
curl -XGET https://[IP/Elasticsearch host name]:9200/_cat/nodes?v -u admin:[password] --insecure
That's all: now the Elasticsearch database can only be accessed by authenticated users.
Source: www.habr.com