Over the past year there have been many leaks from databases
Let us note right away that in our practice we use Elasticsearch to store logs and analyze data from information security tools, operating systems and software in our IaaS platform, which complies with the requirements of 152-FZ, Cloud-152.
Checking whether the database "sticks out" onto the Internet
In most of the known leak cases (
First, let's deal with publication on the Internet. Why does this happen? The point is that for more convenient operation of Elasticsearch
If you can get in, run to close it.
Securing the connection to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is available only in the paid X-Pack plugin set (1 month of free use).
The good news is that in the fall of 2019 Amazon opened up its developments, which overlap with X-Pack. The authentication function for connections to the database became available under a free license for Elasticsearch 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
Installing this plugin is easy. Go to the server console and connect the repository:
RPM Based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB Based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up interaction between servers over SSL
When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working together, you need to configure the interaction between them using SSL.
Trust between hosts can be established with or without your own certificate authority. With the first method everything is clear: you just need to contact the CA specialists. Let's go straight to the second.
- Create a variable with the fully qualified domain name:
export DOMAIN_CN="example.com"
- Create a private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be reconfigured.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the administrator key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the administrator certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create the certificates for the Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Distribute the certificates among the Elasticsearch nodes, into the following folder:
/etc/elasticsearch/
we need the files: node-01-key.pem node-01.pem admin-key.pem admin.pem root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml: change the certificate file names to the ones we generated:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
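The admin_dn and nodes_dn entries must match the certificate subjects exactly, and each certificate must chain to root-ca.pem. The script below is an added example, not part of the original article: it builds a throwaway CA and admin certificate the same way as the steps above and runs both checks. The helper names, the temporary directory and the 2048-bit keys are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: disposable CA + admin certificate, then the two checks worth
# running before editing elasticsearch.yml. All names here are constructed.

# Print a certificate's subject in RFC 2253 order (most specific RDN first),
# the order used in opendistro_security.authcz.admin_dn and nodes_dn.
cert_dn() {          # cert_dn <cert.pem>
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed only if the certificate chains to the given root CA.
cert_chains_to() {   # cert_chains_to <cert.pem> <root-ca.pem>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a disposable CA and admin certificate (2048-bit keys keep the demo fast).
make_demo_pki() {    # make_demo_pki <dir> <domain>
    dir=$1; domain=$2
    openssl genrsa -out "$dir/root-ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 30 \
        -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=$domain" \
        -key "$dir/root-ca-key.pem" -out "$dir/root-ca.pem"
    openssl genrsa -out "$dir/admin-key.pem" 2048 2>/dev/null
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=$domain/CN=admin" \
        -key "$dir/admin-key.pem" -out "$dir/admin.csr"
    openssl x509 -req -in "$dir/admin.csr" -CA "$dir/root-ca.pem" \
        -CAkey "$dir/root-ca-key.pem" -CAcreateserial -sha256 -days 30 \
        -out "$dir/admin.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR" example.com
echo "admin_dn entry: $(cert_dn "$DEMO_DIR/admin.pem")"
cert_chains_to "$DEMO_DIR/admin.pem" "$DEMO_DIR/root-ca.pem" && echo "chain OK"
```

On a real node, run cert_dn and cert_chains_to against the files in /etc/elasticsearch/ and paste the printed DN into the configuration unchanged.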
Changing the passwords of internal users
- Using the command below, print the password hash to the console:
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Setting up the firewall in the OS
- Enable the firewall to start at boot:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone=work
firewall-cmd --zone=work --add-port=9200/tcp --permanent
- Reload the firewall rules:
firewall-cmd --reload
- Display the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that will update the passwords and check the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET "https://[Elasticsearch IP/name]:9200/_cat/nodes?v" -u admin:[password] --insecure
That's all. These are the minimal settings that protect Elasticsearch from unauthorized connections.
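The check above sends credentials, so it shows that authentication works but not that anonymous requests are refused. The script below is an added example, not part of the original article: it probes your own node without credentials over HTTP and HTTPS and turns the two status codes into a verdict. The function names and verdict strings are constructed for the demo; the host is whatever node you administer.

```shell
#!/bin/sh
# Added example: anonymous probe of a node you operate, before and after hardening.

# HTTP status seen by curl; "000" when the connection or TLS handshake fails.
http_status() {        # http_status <url>
    curl -s -o /dev/null -m 5 --insecure -w '%{http_code}' "$1" 2>/dev/null || true
}

# Turn the two anonymous probes into a verdict.
#   $1 = status for http://host:port/    $2 = status for https://host:port/
classify_exposure() {
    case "$1:$2" in
        200:*)       echo "OPEN: anonymous access over plain HTTP" ;;
        401:*|403:*) echo "WEAK: authentication is on but traffic is not encrypted" ;;
        *:200)       echo "OPEN: TLS is on but anonymous requests are accepted" ;;
        *:401|*:403) echo "PROTECTED: TLS required and anonymous requests rejected" ;;
        *)           echo "UNREACHABLE: no HTTP(S) answer on this port" ;;
    esac
}

check_node() {         # check_node <host> [port]
    host=$1; port=${2:-9200}
    classify_exposure "$(http_status "http://$host:$port/")" \
                      "$(http_status "https://$host:$port/")"
}

# Usage: sh check.sh <host> [port]
if [ -n "$1" ]; then check_node "$@"; fi
```

Run it once from inside the network and once from a host outside it: with the firewall rule and the plugin in place, the expected results are PROTECTED from permitted hosts and UNREACHABLE from everywhere else.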
Source: www.habr.com