Over the past year there have been many leaks from databases
Let us say up front that in our own practice we use Elasticsearch to store and analyse the logs of the information security tools, operating systems and software of our IaaS platform, which complies with the requirements of 152-FZ (Cloud-152).
Checking whether the database is "sticking out" into the internet
The most common leak cases
First, let's deal with exposure to the internet. Why does this happen? The thing is that the flexible operation of Elasticsearch
If you can get in, hurry up and close it.
Protecting the connection to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack bundle (free trial for one month).
The good news is that in autumn 2019 Amazon opened up its own development (Open Distro for Elasticsearch), which is compatible with X-Pack. The authentication function for connections to the database became available under a free licence for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
The plugin is easy to install. Go to the server console and add the repository:
RPM-based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB-based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up interaction between the servers over SSL
Once the plugin is installed, the configuration of the port on which the database is reached changes: SSL encryption is enabled. For the cluster nodes to keep working with each other, you need to configure their interaction over SSL.
Trust between hosts can be established with or without your own certificate authority. The first option is straightforward: you just contact the CA specialists. Let's go straight to the second.
- Create a variable with the fully qualified domain name:
export DOMAIN_CN="example.com"
- Create a private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be rebuilt.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the admin key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a request for signing the certificate (no trailing space after CN=admin, otherwise the DN will not match the admin_dn entry in elasticsearch.yml):
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the admin certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create certificates for the Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate (note that openssl x509 -req does not carry the subjectAltName over from the CSR unless you pass it again, for example with -extfile; this is one reason hostname verification is left disabled in the configuration below):
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Put the certificates on each Elasticsearch node in the following folder:
/etc/elasticsearch/
We need the files: node-01-key.pem, node-01.pem, admin-key.pem, admin.pem, root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with the ones we generated:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
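The certificate steps above and the admin_dn / nodes_dn entries are easy to get subtly wrong (a key that is not PKCS#8, a certificate that does not chain to the root, a DN written in the wrong order). The script below is an added example, not code from the article or from the Open Distro project: it builds a throw-away copy of the same PKI (root CA, admin certificate, one node certificate with its SAN carried through with -extfile), verifies each file, and prints the two elasticsearch.yml entries derived from the real certificates in the RFC 2253 order the plugin expects. It assumes openssl 1.1.1 or newer on PATH; the example.com and node-01 names and the DN fields are the article's constructed values.

```shell
#!/bin/sh
# Added example, not part of the original article: build a throw-away copy of the
# PKI described above (root CA, admin certificate, one node certificate) and check
# it before the files go to /etc/elasticsearch. Assumptions: openssl 1.1.1 or newer
# on PATH; DIR is a scratch directory; example.com / node-01 and the DN fields are
# the constructed values used in the article.
set -eu

# pkcs8_key OUT BITS -> RSA key in the unencrypted PKCS#8 form the plugin expects
pkcs8_key() {
  openssl genrsa -out "$1.tmp" "$2"
  openssl pkcs8 -topk8 -nocrypt -in "$1.tmp" -out "$1"
  rm -f "$1.tmp"
}

# make_test_pki DIR DOMAIN NODENAME  (2048-bit keys to keep the demo fast)
make_test_pki() {
  dir=$1; domain=$2; node=$3
  base="/C=RU/ST=Moscow/O=Moscow Inc."
  ( cd "$dir"
    pkcs8_key root-ca-key.pem 2048
    openssl req -new -x509 -sha256 -days 365 -subj "$base/CN=$domain" \
      -key root-ca-key.pem -out root-ca.pem
    pkcs8_key admin-key.pem 2048
    # CN=admin is the last RDN, so the RFC 2253 form starts with CN=admin
    openssl req -new -subj "$base/CN=$domain/CN=admin" -key admin-key.pem -out admin.csr
    openssl x509 -req -sha256 -days 365 -in admin.csr -CA root-ca.pem \
      -CAkey root-ca-key.pem -CAcreateserial -out admin.pem
    pkcs8_key "$node-key.pem" 2048
    openssl req -new -subj "$base/CN=$node.$domain" -key "$node-key.pem" -out "$node.csr"
    # "openssl x509 -req" does not copy extensions from the CSR, so the SAN is
    # handed to it explicitly at signing time
    printf 'subjectAltName=DNS:%s.%s\n' "$node" "$domain" > "$node.ext"
    openssl x509 -req -sha256 -days 365 -in "$node.csr" -CA root-ca.pem \
      -CAkey root-ca-key.pem -CAcreateserial -extfile "$node.ext" -out "$node.pem"
  ) >/dev/null 2>&1
}

# verify_pki DIR NODENAME -> prints "ok", or the first failed check
verify_pki() {
  dir=$1; node=$2
  for f in root-ca.pem admin.pem admin-key.pem "$node.pem" "$node-key.pem"; do
    [ -r "$dir/$f" ] || { echo "missing $f"; return 1; }
  done
  for c in admin "$node"; do
    grep -q 'BEGIN PRIVATE KEY' "$dir/$c-key.pem" \
      || { echo "$c-key.pem is not an unencrypted PKCS#8 key"; return 1; }
    openssl verify -CAfile "$dir/root-ca.pem" "$dir/$c.pem" >/dev/null 2>&1 \
      || { echo "$c.pem does not chain to root-ca.pem"; return 1; }
    [ "$(openssl x509 -in "$dir/$c.pem" -noout -pubkey)" = "$(openssl pkey -in "$dir/$c-key.pem" -pubout)" ] \
      || { echo "$c.pem and $c-key.pem do not belong together"; return 1; }
  done
  openssl x509 -in "$dir/$node.pem" -noout -text | grep -q "DNS:$node\." \
    || { echo "$node.pem carries no DNS subjectAltName"; return 1; }
  echo ok
}

# cert_dn CERT -> subject in RFC 2253 order, the form admin_dn / nodes_dn must use
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stand-alone use: sh pki-check.sh demo  (builds the demo PKI in a temp dir and
# prints the two elasticsearch.yml entries derived from the certificates)
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_test_pki "$d" example.com node-01
  echo "verify_pki: $(verify_pki "$d" node-01)"
  printf 'opendistro_security.authcz.admin_dn:\n  - "%s"\n' "$(cert_dn "$d/admin.pem")"
  printf 'opendistro_security.nodes_dn:\n  - "%s"\n' "$(cert_dn "$d/node-01.pem")"
  rm -rf "$d"
fi
```

For the production files, run verify_pki and cert_dn against /etc/elasticsearch with the 4096-bit keys generated above; cert_dn is the reliable way to fill in admin_dn and nodes_dn, since the plugin compares the DN string from the certificate, not the subject line you typed into openssl req.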
Changing the passwords of the internal users
- Using the command below, we print the password hash to the console (OD_SEC is the plugin path variable set in the "Applying" section below; running hash.sh without -p makes it prompt for the password, which keeps it out of the shell history):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Configuring the OS firewall
- Enable the firewall at startup:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch (the REST API listens on 9200/tcp; in a multi-node cluster the transport port, 9300/tcp by default, must also be reachable between the nodes):
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/tcp --permanent
- Reload the firewall rules:
firewall-cmd --reload
- View the active rules:
firewall-cmd --list-all
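Opening 9200/tcp to the whole zone lets any host in that zone reach the API. As an added example (not from the article), the script below uses firewalld rich rules to allow the REST port only from the networks that need it and the transport port only between the cluster nodes, then removes the blanket port opening. It assumes firewalld with the "work" zone as in the article; the two CIDRs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: instead of opening 9200/tcp to the
# whole "work" zone, allow it only from the networks that need it, and allow the
# transport port only between the cluster nodes. Assumptions: firewalld as in the
# article; the two CIDRs are constructed placeholders.
set -eu
ZONE=work
CLIENT_NETS="10.10.0.0/24"   # log shippers / analysts: REST API, 9200/tcp
NODE_NETS="10.20.0.0/24"     # other Elasticsearch nodes: transport, 9300/tcp (default)

# rich_rule CIDR PORT -> firewalld rich rule accepting PORT/tcp from CIDR only
rich_rule() {
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# apply_rules -> writes the permanent rules, drops the blanket port opening, reloads
apply_rules() {
  for net in $CLIENT_NETS; do
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule "$net" 9200)"
  done
  for net in $NODE_NETS; do
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule "$net" 9300)"
  done
  # the zone-wide opening from the article is no longer needed once the rich rules exist
  firewall-cmd --permanent --zone="$ZONE" --remove-port=9200/tcp >/dev/null 2>&1 || true
  firewall-cmd --reload
  firewall-cmd --zone="$ZONE" --list-rich-rules
}

# Stand-alone use: sh es-firewall.sh apply
if [ "${1:-}" = apply ]; then
  apply_rules
fi
```

After --reload, firewall-cmd --list-rich-rules shows the accepted sources; anything else in the zone is still subject to the zone's default policy rather than the removed port opening.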
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that uploads the updated passwords and checks the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied (--insecure skips certificate verification; once the root CA is on the client, --cacert /etc/elasticsearch/root-ca.pem is the better choice):
curl -XGET https://[IP/Elasticsearch hostname]:9200/_cat/nodes?v -u admin:[password] --insecure
That's it; these are the minimum settings that protect Elasticsearch from unauthorized connections.
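The first check in the article (does the node answer anonymous requests from the internet?) and this last one (are the changes applied?) are the same probe with different expectations. The script below is an added example, not code from the article: it classifies what an anonymous request receives, and performs the authenticated check with the server certificate verified against the article's root CA instead of curl --insecure. It assumes curl on PATH; ES_CA, ES_USER and ES_PASS are placeholders the operator sets.

```shell
#!/bin/sh
# Added example, not part of the original article: the two checks the article makes
# by hand (is the node answering anonymous requests? are the changes applied?) as a
# script that classifies the answer and verifies TLS against the article's root CA
# instead of using curl --insecure. Assumptions: curl on PATH; ES_CA, ES_USER and
# ES_PASS are placeholders the operator sets.
set -u

# classify STATUS BODY -> one word describing what an anonymous request received
classify() {
  status=$1; body=$2
  case "$status" in
    200) case "$body" in
           *'"cluster_name"'*) echo EXPOSED ;;    # node info served without credentials
           *)                  echo OPEN ;;       # something answered, but not an ES root page
         esac ;;
    401|403) echo PROTECTED ;;                    # the security plugin asked for credentials
    000|"")  echo UNREACHABLE ;;                  # nothing listening, or filtered by the firewall
    *)       echo "HTTP_$status" ;;
  esac
}

# probe URL [curl options] -> "STATUS BODY" on one line; STATUS is 000 on transport failure
probe() {
  url=$1; shift
  body_file=$(mktemp)
  status=$(curl -s -m 5 -o "$body_file" -w '%{http_code}' "$@" "$url" 2>/dev/null) || status=000
  body=$(tr -d '\r\n' < "$body_file"); rm -f "$body_file"
  printf '%s %s\n' "$status" "$body"
}

# check_node HOST -> 0 only if anonymous HTTPS access is refused and the
# authenticated request, with the server certificate verified against ES_CA, succeeds
check_node() {
  host=$1
  anon=$(probe "https://$host:9200/" --cacert "$ES_CA")
  verdict=$(classify "${anon%% *}" "${anon#* }")
  echo "anonymous request    : $verdict"
  auth=$(probe "https://$host:9200/_cat/nodes?v" --cacert "$ES_CA" -u "$ES_USER:$ES_PASS")
  echo "authenticated request: HTTP ${auth%% *}"
  [ "$verdict" = PROTECTED ] && [ "${auth%% *}" = 200 ]
}

# Stand-alone use before the plugin is installed (plain HTTP, as in the article's
# first check):   sh es-check.sh anon HOST
# After the changes are applied:
#   ES_CA=/etc/elasticsearch/root-ca.pem ES_USER=admin ES_PASS=... sh es-check.sh node HOST
case "${1:-}" in
  anon) r=$(probe "http://${2:?host}:9200/"); classify "${r%% *}" "${r#* }" ;;
  node) check_node "${2:?host}" ;;
esac
```

EXPOSED from the anon mode is the situation the first section warns about; after the plugin, the expected pair is PROTECTED for the anonymous request and HTTP 200 for the authenticated one, and the script's exit status makes that pair easy to wire into a periodic check.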
Source: www.habr.com