How to configure Elasticsearch to avoid leaks

Over the past year there have been many leaks from Elasticsearch databases. In most cases the databases held personal data. These leaks could have been avoided if, after deploying the database, the administrators had taken the trouble to check a few simple settings. Today we will talk about those settings.

We should say up front that in our own practice we use Elasticsearch to store and analyze logs from information security tools, operating systems and software in our IaaS platform, which meets the requirements of 152-FZ, Cloud-152.

Checking whether the database "sticks out" onto the Internet

In most of the known leaks the attacker got to the data simply and without any tricks: the database was published on the Internet, and it was possible to connect to it without authentication.

First, let's deal with publication on the Internet. Why does it happen? For more flexible operation, it is recommended to build an Elasticsearch cluster of three servers. For the databases to communicate with each other, ports have to be opened. As a result, administrators do not restrict access to the database in any way, and it can be reached from anywhere. It is easy to check whether the database is reachable from outside. Just enter this in a browser: http://[Elasticsearch IP/hostname]:9200/_cat/nodes?v

If you can get in, hurry to close it.

Protecting the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (free to use for 1 month).

The good news is that in the autumn of 2019 Amazon opened up its own developments, which overlap with X-Pack. Authentication when connecting to the database became available under a free license for Elasticsearch 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

This plugin is easy to install. Go to the server console and add the repository:

RPM-based:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
    yum update
    yum install opendistro-security


DEB-based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Configuring communication between servers over SSL

Installing the plugin changes the configuration of the port used to connect to the database: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to configure communication between them over SSL.

Trust between hosts can be established with or without your own certificate authority. With the first method everything is straightforward: you just need to contact the CA specialists. Let's go straight to the second.

  1. Create a variable with the full domain name:

    export DOMAIN_CN="example.com"

  2. Create a private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate with it. Keep the key safe: if it is lost or compromised, trust between all hosts will have to be configured again.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
    -key root-ca-key.pem -out root-ca.pem

  4. Create an administrator key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
    -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
    -key admin-key.pem -out admin.csr

  6. Create the administrator certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
    -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create the key for the Elasticsearch node certificate:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
    -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create a signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
    -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
    -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
    -sha256 -out ${NODENAME}.pem

  10. Place the certificates on the Elasticsearch nodes in the following folder:

    /etc/elasticsearch/

  We need these files:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Configure /etc/elasticsearch/elasticsearch.yml, changing the names of the certificate files to the ones we generated:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
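
The DN entries under `opendistro_security.authcz.admin_dn` and `opendistro_security.nodes_dn` must correspond to the subjects of the certificates actually issued, so it is safer to read them from the certificates than to type them by hand. The script below is an added example, not part of the original article: the helper names `cert_dn`, `check_cert` and `demo` are chosen here, and `demo` runs the check against a constructed throwaway CA.

```shell
#!/bin/sh
# Added example, not from the original article: cert_dn, check_cert and demo
# are helper names chosen here.

# cert_dn FILE: print the subject in RFC 2253 order, as admin_dn/nodes_dn list it.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_cert CA FILE EXPECTED_DN: succeed only if FILE chains to CA and its DN matches.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    actual=$(cert_dn "$2")
    [ "$actual" = "$3" ] || { echo "dn: FAIL (got '$actual')"; return 1; }
    echo "OK"
}

# demo [EXPECTED_DN]: constructed sample. Builds a throwaway CA and admin
# certificate in a temp directory (2048-bit keys for speed; the article uses
# 4096) and checks the certificate against EXPECTED_DN.
demo() (
    want=${1:-"CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU"}
    d=$(mktemp -d) && cd "$d" || exit 1
    trap 'rm -rf "$d"' EXIT
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com" \
        -key ca-key.pem -out ca.pem 2>/dev/null
    openssl genrsa -out admin-key.pem 2048 2>/dev/null
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin" \
        -key admin-key.pem -out admin.csr 2>/dev/null
    openssl x509 -req -in admin.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
        -sha256 -out admin.pem 2>/dev/null
    check_cert ca.pem admin.pem "$want"
)
```

On a real node, run `check_cert /etc/elasticsearch/root-ca.pem /etc/elasticsearch/admin.pem "<DN from elasticsearch.yml>"` and repeat for the node certificate.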

Changing the passwords of internal users

  1. Use the command below to print the password hash to the console:

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in this file with the one you obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Setting up the firewall in the OS

  1. Enable the firewall at boot:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone=work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. List the active rules:

    firewall-cmd --list-all

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that updates the passwords and checks the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
    -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
    -cert /etc/elasticsearch/admin.pem \
    -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET "https://[Elasticsearch IP/hostname]:9200/_cat/nodes?v" -u admin:[password] --insecure
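
The check in step 3 only shows that the admin login works. The script below is an added example, not part of the original article, that also confirms the same endpoint no longer answers without credentials. `ES_HOST`, `ES_USER` and `ES_PASS` are assumed environment variables, `http_code` and `es_verdict` are helper names chosen here, and the status codes expected from a hardened node are stated in the comments as assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. ES_HOST, ES_USER and ES_PASS
# are assumed environment variables; http_code and es_verdict are helper names.

# http_code CURL_ARGS...: print the HTTP status, or 000 if no HTTP reply came back.
http_code() {
    curl -s -k -o /dev/null --max-time 5 -w '%{http_code}' "$@" 2>/dev/null || true
}

# es_verdict PLAIN ANON AUTH: judge three status codes from one node.
#   PLAIN = http://  without credentials (assumed 000: the port speaks TLS only)
#   ANON  = https:// without credentials (assumed 401)
#   AUTH  = https:// with admin password (assumed 200)
es_verdict() {
    plain=$1; anon=$2; auth=$3
    if [ "$plain" = 200 ] || [ "$anon" = 200 ]; then
        echo "EXPOSED: readable without authentication"; return 2
    fi
    if [ "$plain" != 000 ]; then
        echo "WEAK: port still answers plaintext HTTP ($plain)"; return 1
    fi
    if [ "$anon" != 401 ]; then
        echo "UNKNOWN: anonymous HTTPS returned $anon, expected 401"; return 1
    fi
    if [ "$auth" != 200 ]; then
        echo "BROKEN: admin login returned $auth, expected 200"; return 1
    fi
    echo "OK: TLS only, anonymous rejected, admin accepted"
}

# Probe only when a host is given, e.g.:
#   ES_HOST=node-01.example.com ES_USER=admin ES_PASS=... sh check.sh
if [ -n "${ES_HOST:-}" ]; then
    url="$ES_HOST:9200/_cat/nodes?v"
    es_verdict "$(http_code "http://$url")" \
               "$(http_code "https://$url")" \
               "$(http_code -u "$ES_USER:$ES_PASS" "https://$url")"
fi
```

Run it from a machine outside the cluster network as well as from inside, since the firewall rules may treat the two differently.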

That is all. These are the minimum settings that protect Elasticsearch from unauthorized connections.

Source: will.com
