How to configure Elasticsearch to avoid leaks

Over the past year there have been many leaks from Elasticsearch databases (see here, here and here). In many cases personal data was stored in the database. These leaks could have been avoided if, after deploying the database, the administrators had bothered to check a few simple settings. That is what we will talk about today.

Let's say right away that in our own practice we use Elasticsearch to store and analyse the logs of information security tools, the OS and the software on our IaaS platform, which complies with the requirements of 152-FZ, Cloud-152.


Checking whether the database "sticks out" onto the Internet

In most of the known leak cases (see here and here) the attacker obtained the data in the simplest possible way: the database had been published on the Internet, and it was possible to connect to it without authentication.

First, let's deal with publication on the Internet. Why does this happen? The point is that, for more flexible operation, Elasticsearch is recommended to be run as a cluster of three servers. For the databases to communicate with each other, ports have to be opened. As a result, administrators do not restrict access to the database in any way, and you can connect to it from anywhere. It is easy to check whether the database is reachable from outside. Just enter the following in a browser: http://[IP/Name of Elasticsearch]:9200/_cat/nodes?v

If you got in, run and close it.

Securing the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack bundle (with a one-month free trial).

The good news is that in autumn 2019 Amazon open-sourced its own development, Open Distro for Elasticsearch, which overlaps with X-Pack. The authentication function for database connections became available under a free licence for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

Installing this plugin is easy. Go to the server console and connect the repository:

RPM based:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo

    yum update

    yum install opendistro-security

DEB based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Setting up communication between the servers over SSL

When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working together, you need to configure the communication between them over SSL.

Trust between hosts can be set up with the help of a certificate authority or on your own. In the first case everything is clear: you only need to contact the CA's specialists. Let's go straight to the second.

  1. Create a variable with the fully qualified domain name:

    export DOMAIN_CN="example.com"

  2. Generate the private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be set up again.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
      -key root-ca-key.pem -out root-ca.pem

  4. Create the administrator key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
      -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
      -key admin-key.pem -out admin.csr

  6. Create the administrator certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
      -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create the certificates for the Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
      -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create a signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
      -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
      -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
      -sha256 -out ${NODENAME}.pem

  10. Place the certificates on each Elasticsearch node in the following folder:

    /etc/elasticsearch/

    The files needed there are:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. In /etc/elasticsearch/elasticsearch.yml, change the names of the certificate files to the ones we generated:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
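The one thing that usually goes wrong in the steps above is the DN strings in step 11: they must match the subjects of the certificates you actually issued, in the reversed, comma-separated order shown there, not in the slash order used with -subj. The script below is an added example, not part of the original article: it builds a throwaway root CA and node certificate in a temporary directory (all names and DN values are constructed), checks that the node certificate really chains to the CA, and prints the subject DN in exactly the form that nodes_dn / admin_dn expect, so you can paste it instead of retyping it.

```bash
#!/bin/sh
# Added example (not from the original article): throwaway CA + node certificate,
# chain check, and the node DN in the form elasticsearch.yml expects.
set -eu

# Generate a self-signed root CA and a node certificate signed by it.
# Arguments: working directory, domain, node name (all constructed here).
make_node_cert() {
  dir="$1"; domain="$2"; node="$3"
  (
    cd "$dir"
    # Root CA key and self-signed certificate (short lifetime: this is a demo).
    openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 30 \
      -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${domain}" \
      -key root-ca-key.pem -out root-ca.pem 2>/dev/null
    # Node key, CSR with a subjectAltName, and the CA-signed certificate.
    openssl genrsa -out "${node}-key.pem" 2048 2>/dev/null
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${node}.${domain}" \
      -addext "subjectAltName=DNS:${node}.${domain}" \
      -key "${node}-key.pem" -out "${node}.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "${node}.csr" -CA root-ca.pem -CAkey root-ca-key.pem \
      -CAcreateserial -sha256 -out "${node}.pem" 2>/dev/null
  )
}

# Print "ok" if the certificate ($2) chains to the CA file ($1), "fail" otherwise.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Print the subject DN in RFC 2253 order (CN first, C last). This is the string
# that must appear under nodes_dn (node certs) or admin_dn (admin cert); the
# slash-separated -subj order used when creating the CSR is the reverse of it.
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stand-alone run with constructed values.
WORKDIR=$(mktemp -d)
make_node_cert "$WORKDIR" example.com node-01
echo "chain check: $(verify_chain "$WORKDIR/root-ca.pem" "$WORKDIR/node-01.pem")"
echo "nodes_dn:    - $(cert_dn "$WORKDIR/node-01.pem")"
echo "CA subject:  $(cert_dn "$WORKDIR/root-ca.pem")"
rm -rf "$WORKDIR"
```

Run it against your real files by calling cert_dn on /etc/elasticsearch/node-01.pem and admin.pem and copying the printed lines into elasticsearch.yml. One caveat worth knowing when you follow steps 8 and 9: `openssl x509 -req` does not carry the subjectAltName from the CSR into the signed certificate unless you tell it to (an -extfile, or -copy_extensions on OpenSSL 3), which is harmless while enforce_hostname_verification is false but matters the moment you switch it on.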

Changing the passwords of the internal users

  1. Using the command below, print the password hash to the console (OD_SEC is the path to the plugin folder, exported in the last section):

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in the following file with the one you obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
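Editing internal_users.yml by hand is where a stray edit can silently change the wrong user, so here is an added example (not from the original article) that swaps the hash of one user and leaves every other block untouched. The file content and the hash strings are constructed samples in the layout of that file, not output of hash.sh.

```bash
#!/bin/sh
# Added example (not from the original article): replace one user's bcrypt hash
# in internal_users.yml. Sample file and hash values are constructed.
set -eu

# Print the hash currently stored for USER ($2) in FILE ($1); empty if none.
get_user_hash() {
  file="$1"; user="$2"
  awk -v u="$user" '
    /^[^ #][^:]*:/ { inuser = ($0 == (u ":")) }   # top-level key: are we in USER'\''s block?
    inuser && /^[[:space:]]+hash:/ {
      line = $0
      sub(/^[[:space:]]+hash:[[:space:]]*"?/, "", line)   # strip key and opening quote
      sub(/"?[[:space:]]*$/, "", line)                    # strip closing quote
      print line
    }
  ' "$file"
}

# Rewrite the hash line of USER ($2) in FILE ($1) with NEWHASH ($3),
# preserving the line's indentation; other users are not touched.
set_user_hash() {
  file="$1"; user="$2"; newhash="$3"
  awk -v u="$user" -v h="$newhash" '
    /^[^ #][^:]*:/ { inuser = ($0 == (u ":")) }
    inuser && /^[[:space:]]+hash:/ {
      match($0, /^[[:space:]]+/)
      $0 = substr($0, 1, RLENGTH) "hash: \"" h "\""
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Stand-alone run on a constructed file (only the fields needed here).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$OLDADMINHASH.constructed.placeholder.value.000000000"
  reserved: true
  backend_roles:
  - "admin"

kibanaserver:
  hash: "$2y$12$OLDKIBANAHASH.constructed.placeholder.value.00000000"
  reserved: true
EOF
set_user_hash "$SAMPLE" admin '$2y$12$NEWADMINHASH.constructed.placeholder.value.000000000'
echo "admin:        $(get_user_hash "$SAMPLE" admin)"
echo "kibanaserver: $(get_user_hash "$SAMPLE" kibanaserver)"
rm -f "$SAMPLE"
```

In real use, pass the hash printed by hash.sh in single quotes, as above, so the shell does not try to expand the `$` characters bcrypt hashes contain.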

Setting up the firewall in the OS

  1. Enable the firewall at boot:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Check the active rules:

    firewall-cmd --list-all

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that will update the passwords and check the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
      -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
      -cert /etc/elasticsearch/admin.pem \
      -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET https://[IP/Name of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure
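The check in step 3 is the mirror image of the exposure check at the start of the article: before hardening, a plain request with no credentials should not succeed; after hardening, an unauthenticated request should be refused and the admin credentials should work. The script below is an added example, not part of the original article, that turns both checks into one probe with a verdict. The URL, the credentials and the CA path are assumptions; it also verifies the server certificate against root-ca.pem instead of passing --insecure, so the TLS check is not skipped.

```bash
#!/bin/sh
# Added example (not from the original article): probe an Elasticsearch
# endpoint and classify the HTTP status. URL, credentials and CA path are
# assumed values; adjust them for your node.
set -eu

# Map an HTTP status code and whether credentials were sent to a verdict.
# 000 is what curl reports when no TCP/TLS connection could be made.
es_verdict() {
  code="$1"; with_creds="$2"
  case "$code:$with_creds" in
    000:*)           echo unreachable ;;    # closed, filtered, or TLS handshake failed
    200:no)          echo exposed ;;        # answers without authentication: the leak scenario
    401:no|403:no)   echo auth-required ;;  # good: the security plugin enforces logins
    200:yes)         echo auth-ok ;;        # credentials accepted
    401:yes|403:yes) echo auth-rejected ;;  # credentials refused
    *)               echo "http-$code" ;;
  esac
}

# Probe URL ($1, e.g. https://es.example.com:9200). Optional $2 is user:password,
# optional $3 is the CA file used to verify the server certificate.
probe_es() {
  url="$1"; creds="${2:-}"; cafile="${3:-}"
  set -- -s -o /dev/null -w '%{http_code}' --max-time 5
  [ -n "$creds" ] && set -- "$@" -u "$creds"
  [ -n "$cafile" ] && set -- "$@" --cacert "$cafile"
  # "|| true": a failed connection must yield a verdict, not abort the script.
  code=$(curl "$@" "$url/_cat/nodes?v" 2>/dev/null || true)
  with=no; [ -n "$creds" ] && with=yes
  es_verdict "${code:-000}" "$with"
}

# Stand-alone run against loopback (assumed host and password placeholder).
echo "plain http, no creds: $(probe_es http://127.0.0.1:9200)"
echo "https, no creds:      $(probe_es https://127.0.0.1:9200 '' /etc/elasticsearch/root-ca.pem)"
echo "https, admin creds:   $(probe_es https://127.0.0.1:9200 'admin:CHANGE_ME' /etc/elasticsearch/root-ca.pem)"
```

After the securityadmin.sh run you want to see "auth-required" for the unauthenticated HTTPS probe and "auth-ok" for the authenticated one; "exposed" on any node means the plugin is not enforcing authentication on that port yet.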

That's all: these are the minimum settings that protect Elasticsearch from unauthorised connections.

Source: www.habr.com
