Over the past year there have been many database leaks. In many cases the database held personal data. These leaks could have been prevented if, after deploying the database, the administrators had bothered to check a few simple settings. Today we will talk about them.
Let me note right away that in our work we use Elasticsearch to store and analyze the logs of information security tools, the OS and software on our IaaS platform Cloud-152, which complies with the requirements of 152-FZ.

Checking whether the database is exposed to the Internet
In many known leak cases the attacker obtained the data simply and without ceremony: the database was published on the Internet, and it was possible to connect to it without authentication.
First, let's deal with publication on the Internet. Why does it happen? The point is that, for more flexible operation, Elasticsearch is deployed as a cluster of three servers. For the nodes to communicate with each other, ports have to be opened. As a result, administrators do not restrict access to the database in any way, and it can be reached from anywhere. Checking whether the database is reachable from outside is easy: just open the following address in a browser:
http://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v
If you get in, run and close it.
Securing the connection to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is available only in the paid X-Pack plugin set (1 month of free use).
The good news is that in autumn 2019 Amazon opened its own development, which overlaps with X-Pack in functionality. Authentication on connection to the database is already available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
The plugin is easy to install. Go to the server console and add the repository:
RPM based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Setting up SSL between the servers
After the plugin is installed, the configuration of the port used to connect to the database changes: it switches to encrypted SSL. For the cluster's servers to keep working together, you need to configure communication between them over SSL.
Trust between hosts can be established with certificates from a certificate authority or without one. With the first method everything is clear: you go to the CA specialists. Let's move straight to the second.
- Create a variable with the fully qualified domain name:
export DOMAIN_CN="example.com"
- Generate the private key of the root CA:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be set up again.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the admin key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request for the admin (there must be no stray space inside the CN, otherwise the subject will not match the admin_dn configured below):
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Issue the admin certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create the Elasticsearch node certificates (repeat for every node in the cluster):
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create the signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on the Elasticsearch nodes in the following folder:
/etc/elasticsearch/
The files we need are: node-01-key.pem node-01.pem admin-key.pem admin.pem root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with the ones we generated (nodes_dn gets one entry per node):
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
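The admin_dn and nodes_dn values must match the certificate subjects exactly: the RDNs appear in reverse order relative to the openssl -subj string, values must be trimmed, and commas inside a value are escaped with a backslash. The helper below is an added example, not code from the original article or from the Open Distro tooling; it assumes the subjects and file names used in the steps above and that the DN entries in elasticsearch.yml are written as YAML list items ("- DN"). subj_to_dn derives the DN from a -subj string, cert_dn reads it from an issued certificate so it can be pasted rather than retyped, and dn_in_config checks that elasticsearch.yml contains it.

```shell
#!/bin/sh
# Added example: derive and verify the DN strings that
# opendistro_security.authcz.admin_dn / nodes_dn expect.

# subj_to_dn: turn an openssl "-subj" string such as
#   /C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin
# into RFC 2253 order:
#   CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
# Values are trimmed (a stray trailing space in the CN would otherwise break
# the match) and commas inside values are escaped, as openssl itself prints them.
subj_to_dn() {
    printf '%s' "$1" | awk -F'/' '{
        out = ""
        for (i = NF; i >= 2; i--) {          # field 1 is the empty text before the leading "/"
            eq = index($i, "=")
            attr = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            sub(/^ +/, "", val); sub(/ +$/, "", val)
            n = split(val, parts, ",")       # escape "," inside a value, e.g. O=Moscow, Inc.
            val = parts[1]
            for (j = 2; j <= n; j++) val = val "\\," parts[j]
            out = out (out == "" ? "" : ",") attr "=" val
        }
        print out
    }'
}

# cert_dn: read the subject of an issued certificate in the same RFC 2253 form.
# Prefer this over retyping: the value comes from the file the node will actually present.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# dn_in_config: exit 0 if elasticsearch.yml ($2) lists the DN ($1) as a "- DN" entry.
dn_in_config() {
    grep -qF -- "- $1" "$2"
}

# Demo with the subjects from the steps above. The first one carries a trailing
# space after "admin", the kind of typo that makes securityadmin.sh reject the admin cert.
subj_to_dn '/C=RU/ST=Moscow/O=Moscow Inc./CN=example.com/CN=admin '
subj_to_dn '/C=RU/ST=Moscow/O=Moscow Inc./CN=node-01.example.com'
```

For a deployed node, compare `cert_dn /etc/elasticsearch/node-01.pem` with the nodes_dn entry before running securityadmin.sh.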
Changing the passwords of the internal users
- Using the command below, we get the password hash in the console (OD_SEC is the plugin path variable set in the last section):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the following file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Configuring the firewall in the OS
- Enable the firewall at startup:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/TCP --permanent
As written, this rule accepts connections to port 9200 from any source address; if only the cluster nodes and Kibana need to reach it, restrict the source addresses (for example with a firewalld rich rule) instead of opening the port to everyone.
- Reload the firewall rules:
firewall-cmd --reload
- Here are the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that updates the passwords and checks the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET https://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure
(--insecure skips verification of the node certificate; since the node certificate is signed by our own root CA, you can instead pass --cacert /etc/elasticsearch/root-ca.pem and address the node by the DNS name in its certificate.)
All in all, this is the minimal set of settings that protects Elasticsearch from unauthorized connections.
Source: www.habr.com
