How to configure Elasticsearch to prevent leaks

Over the past year there have been many leaks from Elasticsearch databases (see, see and see). In most cases the database held personal data. These leaks could have been prevented if, after deploying the database, the administrators had bothered to check a few simple settings. Today we talk about them.

A quick note first: in our own practice we use Elasticsearch to store and analyse the logs of information security tools, operating systems and software on our IaaS platform, which complies with the requirements of 152-FZ (Cloud-152).


Checking whether the database is exposed to the Internet

In most of the known leaks (see, see) the attacker obtained the data in the simplest way imaginable: the database was published on the Internet and it could be connected to without any authentication.

First, let's deal with the exposure to the Internet. Why does it happen? For more flexible operation, Elasticsearch is recommended to run as a cluster of three servers. For the nodes to talk to each other, ports have to be opened. As a result, administrators often do not restrict access to the database at all, and it can be reached from anywhere. Checking whether the database is reachable from outside is easy: open the following address in a browser: http://[Elasticsearch IP/name]:9200/_cat/nodes?v

If the page opens, run and close it.

Protecting the database connection

Now let's make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (with a one-month free trial).

The good news is that in 2019 Amazon open-sourced its own development, Open Distro for Elasticsearch, which covers much of X-Pack's functionality. Authentication on connections to the database is already available under the free license for Elasticsearch version 7.3.2, and a release for Elasticsearch 7.4.0 is in the works.

The plugin is easy to install. Go to the server console and add the repository:

RPM based:

curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo

yum update

yum install opendistro-security


DEB based:

wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
# repository entry and package install, as given in the Open Distro documentation
echo "deb https://d3g5vo6xdbdb9a.cloudfront.net/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opendistroforelasticsearch.list
sudo apt-get update
sudo apt-get install opendistro-security

Configuring communication between the servers over SSL

Once the plugin is installed, the behaviour of the port used to connect to the database changes: connections become SSL-encrypted. For the cluster servers to keep working together, the communication between them has to be configured over SSL as well.

Trust between the hosts can be established with a certificate issued by a certificate authority or without one. The first option is straightforward: you contact the CA. Let's go straight to the second one, our own root CA.

  1. Create a variable with the fully qualified domain name:

    export DOMAIN_CN="example.com"

  2. Generate the root CA private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Self-sign the root certificate. Keep it, and above all root-ca-key.pem, safe: if the key is lost or compromised, trust between all hosts has to be rebuilt from scratch. Without -days openssl issues a certificate valid for only 30 days, so the validity period is set explicitly:

    openssl req -new -x509 -sha256 -days 3650 -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}" \
        -key root-ca-key.pem -out root-ca.pem

  4. Generate the admin key (the plugin expects private keys in PKCS#8 format):

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
        -out admin-key.pem

  5. Create the certificate signing request for the admin certificate (no trailing space after "admin": it would become part of the CN and the DN in elasticsearch.yml would never match):

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
        -key admin-key.pem -out admin.csr

  6. Issue the admin certificate:

    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem \
        -CAcreateserial -sha256 -days 365 -out admin.pem

  7. Generate the Elasticsearch node key (repeat steps 7 to 9 for every node of the cluster):

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
        -out ${NODENAME}-key.pem

  8. Create the signing request (-addext needs OpenSSL 1.1.1 or newer). The subjectAltName is also written to a small extension file, because "openssl x509 -req" does not copy extensions from the CSR into the issued certificate:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
        -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN}" \
        -key ${NODENAME}-key.pem -out ${NODENAME}.csr
    printf 'subjectAltName=DNS:%s.%s\n' "${NODENAME}" "${DOMAIN_CN}" > ${NODENAME}-san.cnf

  9. Sign the node certificate:

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
        -sha256 -days 365 -extfile ${NODENAME}-san.cnf -out ${NODENAME}.pem

  10. Copy the certificates to the following directory on each Elasticsearch node:

    /etc/elasticsearch/

    The following files are needed there (the key files are unencrypted, so make them readable only by the elasticsearch user):

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Configure /etc/elasticsearch/elasticsearch.yml: replace the certificate file names with the ones we generated. The DN strings in admin_dn and nodes_dn must match the certificate subjects exactly, in RFC 2253 order (openssl x509 -noout -subject -nameopt RFC2253 prints them in that form). Because enforce_hostname_verification is false, nodes_dn is the only check that binds a certificate to a cluster node: anything signed by root-ca.pem with a listed DN can join the cluster, which is one more reason to keep the root key off the nodes.

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
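Before pointing elasticsearch.yml at a hand-rolled PKI it pays to check it mechanically: that each leaf chains to root-ca.pem, that each key really belongs to its certificate, that nothing expires within the month, and what the exact RFC 2253 subject strings for admin_dn and nodes_dn are. The script below is an added example and not part of the original article or of Open Distro; it assumes the openssl CLI (1.1.1 or newer) on PATH, and the demo PKI it generates (same layout as the procedure above, smaller keys, illustrative DN values) is constructed here only so the checks can be run offline.

```bash
#!/bin/sh
# Added example, not part of the original article: sanity checks for the
# hand-rolled PKI before elasticsearch.yml is pointed at it.
# Assumes the openssl CLI (1.1.1 or newer) on PATH; file names, DN values
# and the demo PKI below are illustrative.
set -eu

# Subject of a certificate in RFC 2253 order. This is the exact string that
# opendistro_security.nodes_dn / authcz.admin_dn must contain: openssl req
# takes "/C=RU/ST=Moscow/O=Moscow Inc./CN=x", the plugin compares against
# "CN=x,O=Moscow Inc.,ST=Moscow,C=RU".
dn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# 0 if leaf certificate $2 chains to root CA $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if private key $2 belongs to certificate $1 (a mismatched pair is the
# usual reason a node refuses to start after certificates are rotated).
keypair_ok() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if certificate $1 is still valid in $2 days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run every check on a directory laid out like /etc/elasticsearch and print
# the admin_dn / nodes_dn entries for elasticsearch.yml.
check_pki() {
    d=$1
    chain_ok "$d/root-ca.pem" "$d/node-01.pem"       || { echo "node-01.pem does not chain to root-ca.pem" >&2; return 1; }
    chain_ok "$d/root-ca.pem" "$d/admin.pem"         || { echo "admin.pem does not chain to root-ca.pem" >&2; return 1; }
    keypair_ok "$d/node-01.pem" "$d/node-01-key.pem" || { echo "node-01-key.pem does not match node-01.pem" >&2; return 1; }
    keypair_ok "$d/admin.pem" "$d/admin-key.pem"     || { echo "admin-key.pem does not match admin.pem" >&2; return 1; }
    valid_for_days "$d/node-01.pem" 30               || { echo "node-01.pem expires within 30 days" >&2; return 1; }
    echo "opendistro_security.authcz.admin_dn:"
    echo "  - $(dn_of "$d/admin.pem")"
    echo "opendistro_security.nodes_dn:"
    echo "  - $(dn_of "$d/node-01.pem")"
}

# Constructed demo PKI (same shape as the article's procedure, smaller keys)
# so the checks can be exercised offline. The SAN goes in via -extfile
# because "openssl x509 -req" does not copy extensions from the CSR.
gen_demo_pki() (
    cd "$1"
    cn=example.com; node=node-01
    openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=$cn" \
        -key root-ca-key.pem -out root-ca.pem
    openssl genrsa -out admin-key.pem 2048 2>/dev/null
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=$cn/CN=admin" \
        -key admin-key.pem -out admin.csr
    openssl x509 -req -sha256 -days 365 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem \
        -CAcreateserial -out admin.pem 2>/dev/null
    openssl genrsa -out "${node}-key.pem" 2048 2>/dev/null
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=$node.$cn" \
        -key "${node}-key.pem" -out "${node}.csr"
    printf 'subjectAltName=DNS:%s.%s\n' "$node" "$cn" > "${node}-san.cnf"
    openssl x509 -req -sha256 -days 365 -in "${node}.csr" -CA root-ca.pem -CAkey root-ca-key.pem \
        -CAcreateserial -extfile "${node}-san.cnf" -out "${node}.pem" 2>/dev/null
)

# Usage: ./check-pki.sh /etc/elasticsearch
if [ "${1:-}" != "" ]; then
    check_pki "$1"
fi
```

Run it on every node after copying the files; the two printed DN lines can be pasted into elasticsearch.yml verbatim, which removes the most common cause of "node not recognised as cluster member" errors after a manual PKI setup.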

Changing the passwords of the internal users

  1. Generate the password hash with the command below (OD_SEC is the plugin directory, exported in the "Applying all our changes" section below). Omit -p to be prompted for the password instead of leaving it in the shell history:

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in this file with the one obtained; do this for every internal user you keep (admin, kibanaserver, and so on) and remove the demo users you do not need:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Setting up the firewall in the OS

  1. Enable the firewall at boot:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch (this opens 9200/tcp to any source in the zone; between cluster nodes the transport port 9300/tcp has to be reachable as well):

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Check the active rules:

    firewall-cmd --list-all
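Opening 9200/tcp to every source is exactly the state the leaked clusters were in; authentication is then the only thing standing between the Internet and the data. The script below, an added example that is not part of the original article, restricts the REST port to the networks that need it and opens the transport port 9300/tcp only to the other cluster nodes, using firewalld rich rules. The subnets are placeholders, and the DRY_RUN switch is a convenience so the generated rule set can be reviewed on a host without firewalld.

```bash
#!/bin/sh
# Added example, not part of the original article: source-restricted
# firewalld rules for an Open Distro cluster. Subnets are placeholders.
set -eu

ZONE="work"
ES_API_CLIENTS="10.10.0.0/24 10.10.2.15"   # Kibana, log shippers, admin hosts (assumed)
ES_CLUSTER_NODES="10.10.1.0/24"            # the other Elasticsearch nodes (assumed)

# With DRY_RUN=1 print each firewall-cmd invocation instead of running it,
# so the rule set can be reviewed on a machine without firewalld.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# firewalld rich rule: accept TCP port $2 only from source $1.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

apply_es_rules() {
    fw --set-default-zone "$ZONE"
    # Drop the blanket "9200 from anywhere" rule of the manual setup if it is
    # present; firewalld returns an error when the port is not open, hence || true.
    fw --zone="$ZONE" --permanent --remove-port=9200/tcp || true
    for src in $ES_API_CLIENTS; do
        fw --zone="$ZONE" --permanent --add-rich-rule="$(rich_rule "$src" 9200)"
    done
    for src in $ES_CLUSTER_NODES; do
        fw --zone="$ZONE" --permanent --add-rich-rule="$(rich_rule "$src" 9300)"
    done
    fw --reload
    fw --zone="$ZONE" --list-rich-rules
}

# Usage: ./es-firewall.sh review   (prints the commands)
#        ./es-firewall.sh apply    (runs them)
case "${1:-}" in
    apply)  apply_es_rules ;;
    review) DRY_RUN=1; apply_es_rules ;;
esac
```

Rich rules are evaluated before the zone's plain port list, so leaving the old `--add-port=9200/tcp` in place would silently keep the port world-open; that is why the script removes it first.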

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin directory:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security"

  2. Run the script that uploads the new passwords and checks the settings (-icl ignores the cluster name and -nhnv skips hostname verification of the node certificate, consistent with enforce_hostname_verification: false above; the certificate chain is still verified against -cacert):

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
        -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
        -cert /etc/elasticsearch/admin.pem \
        -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied. Verify the server certificate against our root CA rather than passing --insecure, which would accept any certificate; since curl checks the host name, connect using the DNS name from the node certificate:

    curl -XGET https://[Elasticsearch DNS name]:9200/_cat/nodes?v -u admin:[password] --cacert /etc/elasticsearch/root-ca.pem
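The check that opened this article (is 9200 answering anonymous requests?) and the one that closes it (does the admin user get in over TLS while anonymous does not?) are the same probe run before and after hardening. The script below is an added example, not part of the original article; it assumes curl on PATH, the root CA at /etc/elasticsearch/root-ca.pem, the admin password in ES_ADMIN_PASSWORD, and a placeholder host name. Unlike the manual check it verifies the server certificate against our own CA instead of using --insecure, and it also tries plain http so a node that still answers cleartext is caught.

```bash
#!/bin/sh
# Added example, not part of the original article: the exposure probe,
# scripted for before and after hardening. Host, CA path and credentials
# are placeholders.
set -eu

ES_HOST="${ES_HOST:-node-01.example.com}"
ES_PORT="${ES_PORT:-9200}"
ES_CA="${ES_CA:-/etc/elasticsearch/root-ca.pem}"

# HTTP status of GET $1, authenticated as "user:pass" $2 when given.
# Prints 000 when there is no HTTP answer at all (port closed or filtered,
# TLS handshake refused, server certificate not signed by $ES_CA).
http_code() {
    if [ -n "${2:-}" ]; then
        code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ES_CA" -u "$2" "$1") || true
    else
        code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ES_CA" "$1") || true
    fi
    echo "${code:-000}"
}

# Verdict from three status codes: plain http anonymous, https anonymous,
# https as admin. The exit status doubles as a machine-readable result.
classify() {
    plain=$1; anon=$2; auth=$3
    if [ "$plain" = "200" ]; then
        echo "EXPOSED: anonymous cleartext access on port $ES_PORT"; return 1
    fi
    case "$anon" in
        200)     echo "EXPOSED: TLS is on but anonymous access still succeeds"; return 1 ;;
        401|403) if [ "$auth" = "200" ]; then
                     echo "OK: anonymous rejected ($anon), admin accepted"; return 0
                 else
                     echo "LOCKED-OUT: anonymous rejected ($anon) but admin got $auth"; return 2
                 fi ;;
        000)     echo "UNREACHABLE: no HTTPS answer (port filtered, TLS refused or CA mismatch)"; return 3 ;;
        *)       echo "UNEXPECTED: anonymous got $anon"; return 4 ;;
    esac
}

probe() {
    path="/_cat/nodes?v"
    plain=$(http_code "http://$ES_HOST:$ES_PORT$path")
    anon=$(http_code "https://$ES_HOST:$ES_PORT$path")
    auth=$(http_code "https://$ES_HOST:$ES_PORT$path" "admin:${ES_ADMIN_PASSWORD:?set ES_ADMIN_PASSWORD}")
    classify "$plain" "$anon" "$auth"
}

# Usage: ES_HOST=node-01.example.com ES_ADMIN_PASSWORD=... ./es-probe.sh run
if [ "${1:-}" = "run" ]; then
    probe
fi
```

Run it from outside the cluster's own network (a jump host or a workstation) so the firewall rules are exercised as well: before hardening it should report EXPOSED, after hardening OK from an allowed source and UNREACHABLE from anywhere else.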

All in all, this is the minimum configuration that protects Elasticsearch from unauthorized connections.

Source: www.habr.com
