How to configure Elasticsearch to avoid leaks

Over the past year there have been many leaks from Elasticsearch databases (see here, here and here). In many of these cases the database held personal data. The leaks could have been avoided if, after deploying the database, the administrators had taken the trouble to check a few simple settings. Today we will talk about them.

Let us note right away that in our own practice we use Elasticsearch to store and analyze logs from information security tools, the OS and the software of our IaaS platform, which complies with the requirements of 152-FZ (Cloud-152).


Checking whether the database is "sticking out" on the internet

In most of the known leak cases (see here, here) the attacker obtained the data in a simple and trivial way: the database was published on the internet and could be connected to without authentication.

First, let us deal with publication on the internet. Why does this happen? For flexible operation of Elasticsearch it is recommended to build a cluster of three servers, and for the nodes to talk to each other you have to open ports. As a result, administrators do not restrict access to the database at all, and it can be reached from anywhere. It is easy to check whether the database is accessible from outside: just open http://[IP/Elasticsearch name]:9200/_cat/nodes?v in a browser.

If you got in, hurry up and close it.

Protecting the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack bundle (free trial for 1 month).

The good news is that in the fall of 2019 Amazon opened up its own development, which is compatible with X-Pack. Authentication on connection to the database became available under the free license for Elasticsearch 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

The plugin is easy to install. Go to the server console and add the repository:

RPM-based:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
    yum update
    yum install opendistro-security


DEB-based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Configuring communication between the servers over SSL

Once the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster nodes to keep working with each other, their communication must also be configured over SSL.

Trust between the hosts can be established with or without a certificate authority. With the first option everything is clear: you just contact the CA specialists. Let us go straight to the second.

  1. Create a variable with the full domain name:

    export DOMAIN_CN="example.com"

  2. Create a private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all the hosts will have to be set up again.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
      -key root-ca-key.pem -out root-ca.pem

  4. Create the admin key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
      -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
      -key admin-key.pem -out admin.csr

  6. Create the admin certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
      -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create the certificates for the Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
      -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create a signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
      -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
      -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
      -sha256 -out ${NODENAME}.pem

  10. Place the certificates on the Elasticsearch nodes in the following directory:

    /etc/elasticsearch/


    We need these files:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Configure /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with the ones we generated:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
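The admin_dn and nodes_dn entries must match the certificate subjects exactly, and the plugin compares them in RFC 2253 order (reversed, comma-separated, with commas inside a value escaped), which is easy to get wrong by hand. The helper below is an added example written for this page, not code from the article or from Open Distro: it converts the OpenSSL -subj strings used in steps 3 to 9 into that form and renders the two YAML entries for any number of nodes. It assumes Python 3 and the same C, ST and O values as the commands above.

```python
# Added helper (not from the article): converts the OpenSSL "-subj" strings of
# steps 3 to 9 into the RFC 2253 form expected by opendistro_security.authcz.admin_dn
# and opendistro_security.nodes_dn, so the YAML entries match the certificates exactly.

def subj_to_rfc2253(subj):
    """'/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin'
    -> 'CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU'"""
    parts, cur, i = [], "", 0
    while i < len(subj):                   # split on "/" but honour "\/" escapes
        ch = subj[i]
        if ch == "\\" and i + 1 < len(subj):
            cur += subj[i + 1]
            i += 2
            continue
        if ch == "/":
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        parts.append(cur)
    rdns = []
    for part in parts:
        attr, _, val = part.partition("=")
        val = val.strip()                  # a stray trailing space ("CN=admin ") would end up in the DN
        for c in ("\\", ",", "+", '"', "<", ">", ";"):
            val = val.replace(c, "\\" + c)   # RFC 2253 escaping: "Moscow, Inc." -> "Moscow\, Inc."
        rdns.append(f"{attr.strip()}={val}")
    return ",".join(reversed(rdns))        # RFC 2253 lists the RDNs in reverse order

def security_dn_config(domain_cn, org, node_names, st="Moscow", c="RU"):
    """Render the admin_dn / nodes_dn lines for /etc/elasticsearch/elasticsearch.yml."""
    admin = subj_to_rfc2253(f"/C={c}/ST={st}/O={org}/CN={domain_cn}/CN=admin")
    lines = ["opendistro_security.authcz.admin_dn:", f"  - {admin}",
             "opendistro_security.nodes_dn:"]
    for name in node_names:
        lines.append("  - " + subj_to_rfc2253(f"/C={c}/ST={st}/O={org}/CN={name}.{domain_cn}"))
    return "\n".join(lines)

if __name__ == "__main__":
    print(security_dn_config("example.com", "Moscow Inc.", ["node-01", "node-02"]))
```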

Changing the passwords of the internal users

  1. Using the command below, print the password hash to the console:

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in the file with the one obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Configuring the OS firewall

  1. Enable the firewall so that it starts at boot:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Here are the active rules:

    firewall-cmd --list-all

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin directory:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that updates the passwords and verifies the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
      -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
      -cert /etc/elasticsearch/admin.pem \
      -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET https://[IP/Elasticsearch name]:9200/_cat/nodes?v -u admin:[password] --insecure
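The exposure check from the first section (an unauthenticated request to _cat/nodes?v) and this final authenticated check are the same probe with two outcomes, so here they are combined into one audit helper. It is an added example written for this page, not code from the article or from Open Distro; it assumes Python 3 with only the standard library, the admin user, and a self-signed node certificate (so certificate verification is off, like --insecure above). The sample _cat/nodes output in it is constructed, not taken from a real cluster.

```python
import base64
import ssl
import urllib.error
import urllib.request
# Constructed sample of what GET /_cat/nodes?v prints (not from a real cluster).
SAMPLE_CAT_NODES = (
    "ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name\n"
    "10.0.0.11 34           96          2   0.15    0.10    0.05     dim       *      node-01\n"
)

def parse_cat_nodes(text):
    """Turn the header + rows of _cat/nodes?v into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    return [dict(zip(header, row.split())) for row in lines[1:]]

def classify(anon_status, auth_status):
    """HTTP codes of the probe without and with credentials (None = no connection)."""
    if anon_status is None and auth_status is None:
        return "unreachable"   # port 9200 closed or filtered from where we stand
    if anon_status == 200:
        return "exposed"       # anyone can list the cluster: close it now
    if anon_status in (401, 403) and auth_status == 200:
        return "protected"     # auth is enforced and the admin account works
    if anon_status in (401, 403):
        return "locked-out"    # auth is enforced but these credentials fail
    return "unexpected"

def _get(url, user=None, password=None):
    req = urllib.request.Request(url)
    if user is not None:
        tok = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + tok)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed node cert, same as curl --insecure
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=5, context=ctx) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""

def audit(base_url, user="admin", password=None):
    """Probe base_url (http://host:9200 or https://host:9200) and report the verdict."""
    anon, body = _get(f"{base_url}/_cat/nodes?v")
    auth, _ = _get(f"{base_url}/_cat/nodes?v", user, password)
    return classify(anon, auth), [n.get("ip") for n in parse_cat_nodes(body)]
```

A verdict of "exposed" comes with the node IPs the anonymous request could see, which is exactly what a leak hunter would have collected.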

That is all; these are the minimal settings that protect Elasticsearch from unauthorized connections.

Source: www.habr.com
