How to configure Elasticsearch to avoid leaks

Over the past year there have been many leaks from Elasticsearch databases (here, here and here). In many cases the database held personal data. These leaks could have been avoided if, after deploying the database, the administrators had taken the trouble to check a few simple settings. Those settings are what we will talk about today.

Let us note up front that in our own practice we use Elasticsearch to store and analyze the logs of information security tools, operating systems and software on our IaaS platform, Cloud-152, which complies with the requirements of 152-FZ.


Checking whether the database "sticks out" onto the Internet

In most of the known leak cases (here, here) the attacker got access to the data simply and without any fuss: the database was published on the Internet, and it was possible to connect to it without authentication.

First, let's deal with publication on the Internet. Why does this happen? The point is that for more flexible operation of Elasticsearch it is recommended to build a cluster of three servers. For the databases to communicate with each other, ports have to be opened. As a result, administrators do not restrict access to the database in any way, and it can be reached from anywhere. Checking whether the database is reachable from outside is easy. Just enter http://[Elasticsearch IP/name]:9200/_cat/nodes?v in a browser.

If you can get in, hurry to close it.

Protecting the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is available only in the paid X-Pack plugin set (1 month free).

The good news is that at the end of 2019 Amazon opened up its own developments, which overlap with X-Pack. Authentication when connecting to the database became available under a free license for Elasticsearch 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

The plugin is easy to install. Go to the server console and add the repository:

RPM-based:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
    yum update
    yum install opendistro-security

DEB-based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Configuring communication between servers over SSL

Installing the plugin changes the configuration of the port used to connect to the database: SSL encryption is enabled on it. For the cluster servers to keep working with each other, the communication between them has to be configured to use SSL.

Trust between hosts can be established with or without your own certificate authority. With the first method everything is clear: you just need to contact the CA specialists. Let's go straight to the second.

  1. Create a variable with the full domain name:

    export DOMAIN_CN="example.com"

  2. Create a private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be reconfigured.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
        -key root-ca-key.pem -out root-ca.pem

  4. Create the administrator key:

    openssl genrsa -out admin-key-temp.pem 4096
    # convert the key to unencrypted PKCS#8
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
        -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
        -key admin-key.pem -out admin.csr

  6. Create the administrator certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
        -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create the certificates for the Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    # convert the key to unencrypted PKCS#8
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
        -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create a signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
        -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
        -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
        -sha256 -out ${NODENAME}.pem

  10. Distribute the certificates among the Elasticsearch nodes, into the following folder:

    /etc/elasticsearch/

    We need these files:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Configure /etc/elasticsearch/elasticsearch.yml: change the names of the certificate files to the ones we generated:

    # TLS for node-to-node (transport) traffic
    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    # TLS for the REST API (port 9200)
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    # DN of the administrator certificate
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    # DNs of the node certificates
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
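The security plugin matches node certificates against the DNs listed under opendistro_security.nodes_dn, so before restarting a node it is worth checking both that its certificate chains to root-ca.pem and that its subject, in RFC 2253 form, is exactly the string in the config. The script below is an added example, not part of the original article; the function names and the throwaway 2048-bit demo certificates it builds in a temporary directory are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: check a node certificate against root-ca.pem and confirm that
# its subject DN is listed under opendistro_security.nodes_dn.

# Print the certificate subject in RFC 2253 form (the form used in the YAML).
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed if <dn> is a list item under <key> in <yml> (quotes are ignored).
dn_listed() {   # usage: dn_listed <yml> <key> <dn>
    sed -n "/^$2:/,/^[^[:space:]#-]/p" "$1" |
        sed -n 's/^[[:space:]]*-[[:space:]]*//p' |
        tr -d "\"'" | sed 's/[[:space:]]*$//' | grep -Fxq -- "$3"
}

# Return 0 if OK, 1 if the chain does not verify, 2 if the DN is not listed.
check_node() {  # usage: check_node <root-ca.pem> <node.pem> <elasticsearch.yml>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    dn=$(cert_dn "$2")
    dn_listed "$3" opendistro_security.nodes_dn "$dn" ||
        { echo "nodes_dn: missing $dn"; return 2; }
    echo "OK: $dn"
}

# Build constructed sample material in <dir>: throwaway CA, node cert, config.
make_demo() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
          -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com" \
          -keyout root-ca-key.pem -out root-ca.pem &&
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=node-01.example.com" \
          -keyout node-01-key.pem -out node-01.csr &&
      openssl x509 -req -in node-01.csr -CA root-ca.pem -CAkey root-ca-key.pem \
          -CAcreateserial -sha256 -days 1 -out node-01.pem &&
      printf '%s\n' 'opendistro_security.nodes_dn:' \
          '  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU' \
          'opendistro_security.allow_unsafe_democertificates: false' \
          > elasticsearch.yml
    ) >/dev/null 2>&1
}

tmp=$(mktemp -d) && make_demo "$tmp" &&
    check_node "$tmp/root-ca.pem" "$tmp/node-01.pem" "$tmp/elasticsearch.yml"
rm -rf "$tmp"
```

On a real node, call check_node with /etc/elasticsearch/root-ca.pem, the node certificate and /etc/elasticsearch/elasticsearch.yml; the same dn_listed function works for opendistro_security.authcz.admin_dn and admin.pem.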

Changing the passwords of internal users

  1. Use the command below to print the password hash to the console (the OD_SEC variable is defined in the last section of this article):

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in the file with the one you obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Configuring the firewall in the OS

  1. Enable the firewall to start at boot:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Display the active rules:

    firewall-cmd --list-all

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that will update the passwords and check the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
        -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
        -cert /etc/elasticsearch/admin.pem \
        -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET "https://[Elasticsearch IP/name]:9200/_cat/nodes?v" -u admin:[password] --insecure
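The browser check from the start of the article and the curl check in the last step can be combined into one script that asks the question that matters after hardening: does the node still answer without credentials, over either http or https? This is an added example, not part of the original article; the function names and verdict labels are assumptions, and the demo target is a constructed one (loopback port 1).

```bash
#!/usr/bin/env bash
# Added example: confirm that a node you operate no longer answers
# unauthenticated requests on the REST port.

# Map the HTTP status of an anonymous GET /_cat/nodes to a verdict.
verdict() {
    case "$1" in
        200)     echo "EXPOSED" ;;         # node list returned without credentials
        401|403) echo "AUTH_REQUIRED" ;;   # the request was rejected
        000)     echo "NO_ANSWER" ;;       # closed, filtered, or wrong scheme
        *)       echo "CHECK_MANUALLY" ;;
    esac
}

# Print the status of one anonymous request ("000" if nothing answered).
anon_status() {  # usage: anon_status <http|https> <host> [port]
    code=$(curl -s -k --noproxy '*' --max-time 5 -o /dev/null \
               -w '%{http_code}' "$1://$2:${3:-9200}/_cat/nodes" 2>/dev/null) || code=000
    echo "${code:-000}"
}

# Probe both schemes; return 1 if either one serves data anonymously.
check_host() {   # usage: check_host <host> [port]
    rc=0
    for scheme in http https; do
        v=$(verdict "$(anon_status "$scheme" "$1" "$2")")
        echo "$scheme://$1:${2:-9200} $v"
        if [ "$v" = "EXPOSED" ]; then rc=1; fi
    done
    return "$rc"
}

# Demo on a constructed target: loopback port 1, where nothing should listen.
check_host 127.0.0.1 1
```

Run check_host against each cluster node from a machine outside the trusted network; any EXPOSED line means the firewall or the security plugin is not in effect on that node.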

That's all: these are the minimal settings that protect Elasticsearch from unauthorized connections.

Source: www.habr.com
