Over the past year there have been many leaks from databases
Let's start by briefly noting that in our practice we use Elasticsearch to store and analyze the logs of information security tools, the OS and the software on our IaaS platform, which complies with the requirements of 152-FZ: Cloud-152.
Checking whether the database is "sticking out" onto the Internet
In many of the well-known leak incidents (
First, let's look at exposure to the Internet. Why does this happen? The point is that Elasticsearch has a very flexible configuration
If you can get in, go and close it right away.
Securing the connection to the database
Now let's make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (one month of free use).
The good news is that in the autumn of 2019 Amazon opened up its own development, which is compatible with X-Pack. Real authentication when connecting to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
The plugin is easy to install. Go to the server console and add the repository:
For RPM:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
For DEB:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up communication between servers over SSL
When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled. For the cluster servers to keep working together, you have to configure the communication between them over SSL.
Trust between hosts can be established with or without your own certificate authority. With the first approach everything is clear: you just need to contact the CA specialists. Let's go straight to the second.
- Create a variable with the fully qualified domain name:
export DOMAIN_CN="example.com"
- Generate the private key of the root CA:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it in a safe place: if it is lost or compromised, trust between all hosts will have to be set up again.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the admin key (generated, then converted to PKCS#8, which is the format the plugin expects):
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request (no trailing space after the CN, otherwise the DN will not match the admin_dn configured later):
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the admin certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create the certificates for an Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on the Elasticsearch node in the following folder:
/etc/elasticsearch/
The files we need there: node-01-key.pem, node-01.pem, admin-key.pem, admin.pem, root-ca.pem
- Edit /etc/elasticsearch/elasticsearch.yml: change the names of the certificate files to the ones we generated:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
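A small audit of the opendistro_security keys above, as an added example that is not part of the original article: it parses the flat elasticsearch.yml subset shown here and flags values that leave a node exposed (demo certificates, HTTPS off, missing transport certificates, a DN used both as admin and as node). The sample configuration embedded in it is the one from this article; the severity labels are my own.

```python
# Added example, not code from the original article: audit the opendistro_security
# keys of elasticsearch.yml. Only the flat "key: value" / "- item" subset is parsed.
from typing import Dict, List, Tuple, Union
P = "opendistro_security."

def parse_flat_yaml(text: str) -> Dict[str, Union[str, List[str]]]:
    """Parse scalar keys and simple lists; comments and blank lines are ignored."""
    settings: Dict[str, Union[str, List[str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.lstrip().startswith("- ") and isinstance(settings.get(current), list):
            settings[current].append(line.lstrip()[2:].strip())  # item of the current list
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        settings[current] = value.strip() or []  # an empty value means a list follows
    return settings

def audit_security(settings) -> List[Tuple[str, str]]:
    get = lambda k: str(settings.get(P + k, "")).lower()
    out: List[Tuple[str, str]] = []  # (severity, message); empty means nothing flagged
    if get("allow_unsafe_democertificates") != "false":
        out.append(("high", "demo certificates allowed: they are public and must not be trusted"))
    if get("ssl.http.enabled") != "true":
        out.append(("high", "HTTPS disabled: REST credentials travel in cleartext"))
    for f in ("pemcert_filepath", "pemkey_filepath", "pemtrustedcas_filepath"):
        if not settings.get(P + "ssl.transport." + f):
            out.append(("high", f"ssl.transport.{f} missing: node-to-node TLS cannot start"))
    admins, nodes = settings.get(P + "authcz.admin_dn") or [], settings.get(P + "nodes_dn") or []
    if set(admins) & set(nodes):
        out.append(("medium", "same DN in admin_dn and nodes_dn: node certs must not carry admin rights"))
    if get("ssl.transport.enforce_hostname_verification") == "false":
        out.append(("info", "hostname verification off: node certs are not matched to hostnames"))
    return out

# Constructed sample: the settings shown in the article for node-01.
ARTICLE_CONFIG = """
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
"""
```

Running `audit_security(parse_flat_yaml(ARTICLE_CONFIG))` on the article's settings reports only the informational note about hostname verification being off.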
Changing the passwords of the internal users
- Using the command below, print the password hash to the console (OD_SEC is the plugin path set in the "Applying all our changes" section below):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in this file with the one you obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Configuring the firewall in the OS
- Enable the firewall service so it starts at boot:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/tcp --permanent
- Reload the firewall rules:
firewall-cmd --reload
- Here are the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that uploads the new passwords and checks the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET https://[IP or name of the Elasticsearch host]:9200/_cat/nodes?v -u admin:[password] --insecure
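The same check in script form, as an added example that is not part of the original article: it confirms that the node now answers `/_cat/nodes` only with credentials, and can verify the node's certificate against root-ca.pem instead of using `--insecure`. A local stub node (constructed here) stands in for the real one so the script runs offline.

```python
# Added example, not from the original article: confirm that an Elasticsearch HTTP
# endpoint rejects unauthenticated requests once the security plugin is active.
# A constructed local stub node stands in for the real one; against a real node pass
# its address and, instead of curl --insecure, the path of root-ca.pem as cafile.
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_auth_required(base_url: str, cafile: str = None, timeout: float = 3.0) -> str:
    """Return 'open', 'protected' or 'unreachable' for e.g. https://node-01.example.com:9200."""
    ctx = ssl.create_default_context(cafile=cafile) if cafile else None
    try:
        with urllib.request.urlopen(base_url + "/_cat/nodes?v", timeout=timeout, context=ctx) as r:
            return "open" if r.status == 200 else "protected"  # answered without credentials
    except urllib.error.HTTPError as e:
        return "protected" if e.code in (401, 403) else "open"
    except (urllib.error.URLError, OSError):
        return "unreachable"

class _StubNode(BaseHTTPRequestHandler):
    """Constructed stand-in: demands HTTP basic auth the way the plugin does."""
    require_auth = True
    def do_GET(self):
        if self.require_auth and not self.headers.get("Authorization", "").startswith("Basic "):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Elasticsearch"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ip        heap.percent node.role name\n127.0.0.1 12           dim       node-01\n")
    def log_message(self, *args):  # keep the output quiet
        pass

def run_stub(require_auth: bool):
    """Start a stub on a free local port; returns (server, base_url)."""
    handler = type("Stub", (_StubNode,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    server, url = run_stub(True)
    print(url, "->", check_auth_required(url))  # protected
    server.shutdown()
```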
That's all; these are the minimal settings that protect Elasticsearch from unauthorized connections.
Source: www.habr.com