Over the past year there have been many database leaks
Let's note right away that in our workflow we use Elasticsearch to store and analyze the logs of information-security tools, the OS and the software on our IaaS platform that complies with the requirements of 152-FZ, Cloud-152.
Checking whether the database is exposed to the Internet
In many of the known leak cases (
First, let's deal with exposure on the Internet. Why does this happen? The fact is that, for more flexible operation of Elasticsearch
If you can get in, hurry up and close it.
Protecting the connection to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (with a one-month free trial).
The good news is that in autumn 2019 Amazon opened up its own development, which overlaps with X-Pack. The authentication function for connecting to the database is already available under the free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
This plugin is easy to install. Go to the server console and add the repository:
RPM-based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB-based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up communication between the servers over SSL
After the plugin is installed, the configuration of the port on which the database accepts connections changes: SSL encryption is enabled. For the cluster servers to keep working together, you need to configure the communication between them over SSL.
Trust between hosts can be established with or without a certificate authority. With the first method everything is clear: you need to contact the people who run the CA. Let's go straight to the second.
- Create a variable with the full domain name:
export DOMAIN_CN="example.com"
- Create a private key for the root CA:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all the hosts will have to be set up again.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the admin key (generated, then converted to PKCS#8):
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request (no stray space after "admin": the subject must match admin_dn in elasticsearch.yml exactly):
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the admin certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create the Elasticsearch node certificates:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate (note that openssl x509 -req does not carry the subjectAltName over from the CSR unless told to; with enforce_hostname_verification set to false below this does not matter):
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on each Elasticsearch node in the following folder:
/etc/elasticsearch/
We need the files: node-01-key.pem node-01.pem admin-key.pem admin.pem root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with those we created:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
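A check worth running before the nodes are restarted, added here as an example that is not part of the original article: the script repeats the certificate steps above in a scratch directory (openssl genpkey stands in for the article's genrsa plus pkcs8 -topk8 pair, and 2048-bit keys keep it fast), then verifies that each key belongs to its certificate, that the certificates chain to root-ca.pem, and prints each subject in the RFC 2253 order that admin_dn and nodes_dn in elasticsearch.yml must match. It assumes openssl 1.1.1 or newer on PATH.

```shell
# Added example, not from the article: build a root CA, an admin and a node certificate
# the way the article does, then run the checks that catch the usual mistakes before the
# files go into elasticsearch.yml: (1) key really belongs to the cert, (2) cert chains to
# root-ca.pem, (3) subject in RFC 2253 order equals the admin_dn / nodes_dn entry.
# Assumes openssl >= 1.1.1 on PATH; 2048-bit keys keep the demo fast (article: 4096).
set -eu
DOMAIN_CN="example.com"
NODENAME="node-01"
BASE="/C=RU/ST=Moscow/O=Moscow Inc."

# make_certs DIR: writes root-ca.pem, admin(-key).pem and node-01(-key).pem into DIR
make_certs() {
  d="$1"
  openssl genrsa -out "$d/root-ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -subj "$BASE/CN=$DOMAIN_CN" \
    -key "$d/root-ca-key.pem" -out "$d/root-ca.pem"
  for name in admin "$NODENAME"; do
    if [ "$name" = admin ]; then subj="$BASE/CN=$DOMAIN_CN/CN=admin"
    else subj="$BASE/CN=$name.$DOMAIN_CN"; fi
    # genpkey writes PKCS#8 directly: same result as the article's genrsa + pkcs8 -topk8
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$d/$name-key.pem" 2>/dev/null
    openssl req -new -subj "$subj" -key "$d/$name-key.pem" -out "$d/$name.csr"
    openssl x509 -req -sha256 -in "$d/$name.csr" -CA "$d/root-ca.pem" \
      -CAkey "$d/root-ca-key.pem" -CAcreateserial -out "$d/$name.pem" 2>/dev/null
  done
}

# cert_dn CERT: subject in the most-specific-first, comma-separated form that
# opendistro_security.authcz.admin_dn / opendistro_security.nodes_dn compare against
cert_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}
# key_matches_cert CERT KEY: true when both carry the same public key
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
# chains_to_ca CA CERT: true when CERT was issued under CA
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
make_certs "$dir"
for f in admin "$NODENAME"; do
  key_matches_cert "$dir/$f.pem" "$dir/$f-key.pem" || { echo "key/cert mismatch: $f"; exit 1; }
  chains_to_ca "$dir/root-ca.pem" "$dir/$f.pem" || { echo "not signed by root CA: $f"; exit 1; }
  echo "$f OK, DN for elasticsearch.yml: $(cert_dn "$dir/$f.pem")"
done
```

Point the three helper functions at /etc/elasticsearch/*.pem on a real node to check the files you actually deployed.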
Changing the passwords of the internal users
- Using the command below, we print the password hash to the console (OD_SEC is the plugin path variable exported in the final section):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Setting up the firewall in the OS
- Enable the firewall at startup:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/TCP --permanent
- Reload the firewall rules:
firewall-cmd --reload
- Check the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that uploads the updated passwords and checks the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied (--insecure skips certificate verification; from a host that has root-ca.pem you can pass --cacert /etc/elasticsearch/root-ca.pem instead):
curl -XGET https://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure
All in all, this is a minimal setup that protects Elasticsearch from unauthorized connections.
Source: www.habr.com