Over the past year there have been many leaks from databases
A note up front: in our work we use Elasticsearch to store and analyze logs from information security tools, the OS and the software in our IaaS platform, which meets the requirements of 152-FZ, Cloud-152.
Checking whether it is "sticking out" into the Internet
In most of the known leak cases (
First, we need to check whether it is exposed on the Internet. Why? The point is that to make Elasticsearch easier to work with
If you can get in, go and close it.
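To make that exposure check concrete, here is an added example (not from the original post) that reads `ss -ltnH` style socket listings and flags Elasticsearch ports bound to anything other than loopback. The port list (9200 for the HTTP API, 9300 for node-to-node transport) and the sample socket lines are our own assumptions and constructed data.

```shell
#!/bin/sh
# Added example: report Elasticsearch listeners reachable from outside the host.
# Input format is that of `ss -ltnH` (State Recv-Q Send-Q Local:Port Peer:Port ...).

# Ports to watch (assumption): 9200 = HTTP API, 9300 = transport between nodes.
ES_PORTS="${ES_PORTS:-9200 9300}"

# Constructed sample of `ss -ltnH` output: HTTP bound to loopback on IPv4 only,
# transport on all interfaces, HTTP also open on all IPv6 addresses.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 4096 *:9300 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:9200 [::]:*'

# exposed_es_listeners: reads ss-style lines on stdin, prints "addr port" for every
# Elasticsearch port that is not bound to loopback; returns 1 if any such listener exists.
exposed_es_listeners() {
    found=0
    while read -r _state _recvq _sendq laddr _peer _rest; do
        [ -n "$laddr" ] || continue
        port="${laddr##*:}"          # text after the last colon
        addr="${laddr%:*}"           # everything before it ("[::]" for IPv6 any)
        case " $ES_PORTS " in
            *" $port "*) ;;          # one of the ports we care about
            *) continue ;;
        esac
        case "$addr" in
            127.*|"[::1]"|"::1") ;;  # loopback only: not reachable from the network
            *) echo "$addr $port"; found=1 ;;
        esac
    done
    return $found
}

# Usage on a node:  ss -ltnH | exposed_es_listeners   (exit status 1 = exposed)
# Run this file with --demo to check the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | exposed_es_listeners && echo "no exposed listeners"
fi
```

A non-zero exit means at least one Elasticsearch port answers on a non-loopback address; that is the case the rest of the post is about closing, by adding authentication, TLS and a firewall rule rather than by relying on the bind address alone.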
Protecting the connection to the database
Now let's make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin bundle (1 month of free use).
The good news is that in autumn 2019 Amazon open-sourced its developments, which overlap with X-Pack. Authentication on connecting to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
This plugin is easy to install. Go to the server console and connect the repository:
On RPM:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
On DEB:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up SSL between cluster nodes
When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled. For the cluster nodes to keep working together, you need to configure the communication between them over SSL.
Trust between hosts can be established with or without your own certificate authority. With the first method everything is simple: you just need to contact a CA. Let's move straight to the second.
- Create a variable with the full domain name:
export DOMAIN_CN="example.com"
- Create a private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be set up again.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create an admin key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the admin certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create a certificate for the Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on each Elasticsearch node in the following folder:
/etc/elasticsearch/
We need the files: node-01-key.pem, node-01.pem, admin-key.pem, admin.pem, root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml, replacing the file names and certificates with the ones we created:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
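The certificate steps above and the admin_dn / nodes_dn entries only work together if the DN strings in elasticsearch.yml match the issued certificates exactly. The following added example (our script, not the post's commands) builds the same three-certificate PKI in a scratch directory, verifies the chain and the node hostname with openssl, and prints the subjects in the RFC 2253 order the plugin compares against. Assumptions: OpenSSL 1.1.1 or newer (for -addext), a 2048-bit default key size where the post uses 4096, explicit lifetimes (the post's openssl commands pass no -days, so OpenSSL issues everything for 30 days), and the SAN supplied again at signing time through -extfile, since `openssl x509 -req` does not copy CSR extensions on every OpenSSL version.

```shell
#!/bin/sh
# Added example: generate and verify the root CA, admin and node certificates.
set -eu

DOMAIN_CN="${DOMAIN_CN:-example.com}"
NODENAME="${NODENAME:-node-01}"
KEY_BITS="${KEY_BITS:-2048}"   # assumption: the post uses 4096; 2048 keeps the demo fast
CA_DAYS=3650                   # assumption: lifetimes are our choice
CERT_DAYS=825

# make_pki DIR: writes root-ca.pem, admin.pem, ${NODENAME}.pem and PKCS#8 keys into DIR.
# Runs in a subshell so the cd does not leak into the caller.
make_pki() (
    mkdir -p "$1" && cd "$1"
    # Root CA. Keep root-ca-key.pem offline: losing it means re-issuing everything.
    openssl genrsa -out root-ca-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -sha256 -days "$CA_DAYS" \
        -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}" \
        -key root-ca-key.pem -out root-ca.pem
    # Admin client certificate with a PKCS#8 key, as the plugin expects.
    openssl genrsa -out admin-key-temp.pem "$KEY_BITS" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in admin-key-temp.pem -out admin-key.pem
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
        -key admin-key.pem -out admin.csr
    openssl x509 -req -sha256 -days "$CERT_DAYS" -in admin.csr \
        -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -out admin.pem 2>/dev/null
    # Node certificate; the SAN goes into the CSR and into an -extfile for signing.
    openssl genrsa -out "${NODENAME}-key-temp.pem" "$KEY_BITS" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "${NODENAME}-key-temp.pem" -out "${NODENAME}-key.pem"
    printf 'subjectAltName=DNS:%s.%s\n' "$NODENAME" "$DOMAIN_CN" > node.ext
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
        -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN}" \
        -key "${NODENAME}-key.pem" -out "${NODENAME}.csr"
    openssl x509 -req -sha256 -days "$CERT_DAYS" -in "${NODENAME}.csr" \
        -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -extfile node.ext \
        -out "${NODENAME}.pem" 2>/dev/null
    rm -f admin-key-temp.pem "${NODENAME}-key-temp.pem" admin.csr "${NODENAME}.csr" node.ext
)

# cert_dn FILE: subject in RFC 2253 order, i.e. the string admin_dn / nodes_dn must contain.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# verify_pki DIR: fails unless both leaf certificates chain to root-ca.pem and the node
# certificate is valid for its hostname; prints the DNs to paste into elasticsearch.yml.
verify_pki() (
    cd "$1"
    openssl verify -CAfile root-ca.pem admin.pem >/dev/null
    openssl verify -CAfile root-ca.pem -verify_hostname "${NODENAME}.${DOMAIN_CN}" \
        "${NODENAME}.pem" >/dev/null
    echo "admin_dn: $(cert_dn admin.pem)"
    echo "nodes_dn: $(cert_dn "${NODENAME}.pem")"
)

# Usage: run this file with --demo to build and check a throwaway PKI.
if [ "${1:-}" = "--demo" ]; then
    workdir=$(mktemp -d)
    make_pki "$workdir"
    verify_pki "$workdir"
    echo "files written to $workdir"
fi
```

The printed admin_dn line is `CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU`, which is the reversed order of the -subj string and exactly what the post puts into elasticsearch.yml; if the DN you paste differs by even one attribute, securityadmin.sh will not be accepted as admin.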
Changing the passwords of the internal users
- Using the command below, print the password hash to the console (OD_SEC is the plugin path variable set in the section "Applying all our changes to Elasticsearch" below):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
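Editing internal_users.yml by hand is where the wrong user's hash tends to get replaced. Here is an added example (not from the post) that swaps the hash of exactly one user and refuses to succeed if that user has no hash line. The YAML is a constructed sample shaped like the plugin's file; the hash strings are placeholders, not real bcrypt output from hash.sh.

```shell
#!/bin/sh
# Added example: replace one user's hash in internal_users.yml without touching others.
set -eu

# Constructed sample of the plugin's internal_users.yml (placeholder hashes).
SAMPLE_USERS='_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$PLACEHOLDER_OLD_ADMIN_HASH"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$PLACEHOLDER_KIBANA_HASH"
  reserved: true
  description: "Demo kibanaserver user"'

# set_user_hash USER NEWHASH: reads the YAML on stdin, writes it with USER's hash replaced.
# Exits 1 when USER has no hash line, so a typo in the user name is not silently ignored.
set_user_hash() {
    awk -v user="$1" -v newhash="$2" '
        $0 ~ ("^" user ":[ \t]*$") { inuser = 1; print; next }   # start of the user block
        inuser && /^[^ \t]/         { inuser = 0 }               # next top-level key
        inuser && /^[ \t]+hash:/     {
            sub(/hash:.*/, "hash: \"" newhash "\"")
            replaced = 1
        }
        { print }
        END { exit (replaced ? 0 : 1) }
    '
}

# Usage on a node (new hash taken from hash.sh, file edited in place through a temp copy):
#   f=/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
#   set_user_hash admin "$NEW_HASH" < "$f" > "$f.new" && mv "$f.new" "$f"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_USERS" | set_user_hash admin '$2y$12$PLACEHOLDER_NEW_ADMIN_HASH'
fi
```

Writing to a temporary file and renaming keeps the original intact if awk exits non-zero; the same function works for any of the internal users, and the change only takes effect once securityadmin.sh has pushed the file to the cluster as described below.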
Setting up the firewall in the OS
- Enable the firewall so it starts at boot:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/TCP --permanent
- Reload the firewall rules:
firewall-cmd --reload
- View the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that updates the passwords and checks the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET "https://[Elasticsearch IP/name]:9200/_cat/nodes?v" -u admin:[password] --insecure
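The curl above confirms that the admin password works, but with --insecure it does not check the node's certificate, and it does not show whether anonymous access is actually refused. The added example below (our script, not the post's) pins the root CA we created with --cacert, expects an unauthenticated request to be answered with 401, and parses `_cat/nodes?v` output to confirm every expected node is present. Host, credentials and the CA path are parameters; the `_cat/nodes` text is a constructed sample.

```shell
#!/bin/sh
# Added example: post-hardening checks against the cluster (TLS pinned, auth enforced).
set -eu

# Constructed sample of `GET /_cat/nodes?v` output for a two-node cluster.
SAMPLE_CAT_NODES='ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.11           45          97   3    0.12    0.20     0.25 dim       *      node-01
10.0.0.12           40          95   2    0.08    0.15     0.20 dim       -      node-02'

# es_http_status URL CACERT [USER:PASS]: prints the HTTP status of a GET, discarding the body.
es_http_status() {
    if [ $# -ge 3 ]; then
        curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" -u "$3" "$1"
    else
        curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" "$1"
    fi
}

# nodes_from_cat: reads `_cat/nodes?v` output on stdin and prints the node names,
# locating the "name" column from the header instead of assuming a fixed position.
nodes_from_cat() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "name") col = i; next }
         NF > 0 && col { print $col }'
}

# all_present SEEN NAME...: SEEN is a newline-separated list; returns 1 and reports
# every NAME that is missing from it.
all_present() {
    seen="$1"; shift; missing=0
    for n in "$@"; do
        printf '%s\n' "$seen" | grep -qx "$n" || { echo "missing node: $n" >&2; missing=1; }
    done
    return $missing
}

# check_cluster HOST CACERT USER:PASS NODE...: 0 only if anonymous access is refused
# with 401 and every listed node shows up in _cat/nodes over a verified TLS connection.
check_cluster() {
    host="$1"; cacert="$2"; creds="$3"; shift 3
    anon=$(es_http_status "https://$host:9200/" "$cacert")
    [ "$anon" = "401" ] || { echo "anonymous request returned $anon, expected 401" >&2; return 1; }
    seen=$(curl -sS --cacert "$cacert" -u "$creds" "https://$host:9200/_cat/nodes?v" | nodes_from_cat)
    all_present "$seen" "$@"
}

# Usage: check_cluster node-01.example.com /etc/elasticsearch/root-ca.pem admin:PASSWORD node-01 node-02
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CAT_NODES" | nodes_from_cat
fi
```

Because --cacert is the CA from the SSL section, a passing run also proves that the HTTP certificate presented by the node chains to our root, which --insecure deliberately skips; if check_cluster fails on the 401 step after securityadmin.sh, the security index was not initialised and the cluster is still open.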
That's all; these are the minimum measures that protect Elasticsearch from unauthorized connections.
Source: will.com