Over the past year, many leaks from databases
Let us say up front that in our practice we use Elasticsearch to store and analyse the logs of information security tools, the OS and software in our IaaS platform, which complies with the requirements of 152-FZ (Cloud-152).
Checking whether the database is exposed to the Internet
In the best-known cases of leaks (
First, let's deal with exposure on the Internet. Why does this happen? The thing is that, for more convenient operation of Elasticsearch
If you can get in, hurry up and close it.
Protecting the connection to the database
Now let's make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin bundle (free to use for 1 month).
The good news is that in the autumn of 2019 Amazon open-sourced its developments, which overlap with X-Pack. Authentication when connecting to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.
This plugin is easy to install. Go to the server console and connect the repository:
RPM-based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB-based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up interaction between servers over SSL
When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled. For the cluster servers to keep working with each other, you need to configure the interaction between them over SSL.
Trust between hosts can be established with or without your own certificate authority. With the first method everything is clear: you just need to contact the CA specialists. Let's go straight to the second.
- Create a variable with the fully qualified domain name:
export DOMAIN_CN="example.com"
- Create the private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be reconfigured.
openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the admin key:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
- Create a certificate signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Create the admin certificate:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
- Create the certificates for the Elasticsearch node:
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem
- Create a signing request:
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the certificate (the request and output names follow the NODENAME variable set above):
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out ${NODENAME}.pem
- Place the certificates on the Elasticsearch nodes in the following folder:
/etc/elasticsearch/
The files we need: node-01-key.pem, node-01.pem, admin-key.pem, admin.pem, root-ca.pem
- Configure /etc/elasticsearch/elasticsearch.yml: change the certificate file names to the ones we generated:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
opendistro_security.nodes_dn:
  - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
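The certificate steps above, run end to end as one script. This is an added example, not code from the original article or from the Open Distro project: it generates the root CA, the admin certificate and the node certificate into a scratch directory, then performs the two checks the article leaves to the reader: that both leaf certificates verify against root-ca.pem, and that their subjects, printed in RFC 2253 order, are character for character the strings that belong in admin_dn and nodes_dn. Assumptions that are not in the article: explicit -days lifetimes (the article's commands fall back to the OpenSSL default), a KEY_BITS parameter, an extfile so the node's subjectAltName is actually copied into the signed certificate (openssl x509 -req does not copy CSR extensions by default), and the function names make_pki, verify_chain, dn_for_plugin and has_san.

```shell
#!/bin/sh
# Added example (not from the original article): the article's PKI steps as
# functions, plus the checks a practitioner wants before editing elasticsearch.yml.

# make_pki DIR DOMAIN NODENAME [KEY_BITS]
make_pki() {
  dir="$1"; domain="$2"; node="$3"; bits="${4:-4096}"
  mkdir -p "$dir"
  (
    cd "$dir" || exit 1
    # Root CA. -days 3650 is an assumption; the article omits -days entirely.
    openssl genrsa -out root-ca-key.pem "$bits" 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 \
      -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${domain}" \
      -key root-ca-key.pem -out root-ca.pem

    # Admin client certificate. Two CN components, exactly as in the article,
    # so the resulting DN matches the admin_dn entry.
    openssl genrsa -out admin-key-temp.pem "$bits" 2>/dev/null
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -out admin-key.pem
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${domain}/CN=admin" \
      -key admin-key.pem -out admin.csr
    printf 'extendedKeyUsage=clientAuth\n' > admin.ext
    openssl x509 -req -sha256 -days 825 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem \
      -CAcreateserial -extfile admin.ext -out admin.pem 2>/dev/null

    # Node certificate. The SAN is supplied at signing time via -extfile
    # because "openssl x509 -req" does not copy extensions from the CSR.
    openssl genrsa -out "${node}-key-temp.pem" "$bits" 2>/dev/null
    openssl pkcs8 -inform PEM -outform PEM -in "${node}-key-temp.pem" -topk8 -nocrypt -out "${node}-key.pem"
    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${node}.${domain}" \
      -key "${node}-key.pem" -out "${node}.csr"
    printf 'subjectAltName=DNS:%s.%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$node" "$domain" > "${node}.ext"
    openssl x509 -req -sha256 -days 825 -in "${node}.csr" -CA root-ca.pem -CAkey root-ca-key.pem \
      -CAcreateserial -extfile "${node}.ext" -out "${node}.pem" 2>/dev/null

    # The unconverted temporary keys are not needed once the PKCS#8 copies exist.
    rm -f admin-key-temp.pem "${node}-key-temp.pem"
  )
}

# verify_chain DIR NODENAME: succeeds only if both leaf certificates chain to root-ca.pem
verify_chain() {
  openssl verify -CAfile "$1/root-ca.pem" "$1/admin.pem" "$1/$2.pem" >/dev/null
}

# dn_for_plugin CERT: the subject in RFC 2253 order (most specific RDN first),
# which is the form the security plugin compares against admin_dn / nodes_dn.
dn_for_plugin() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# has_san CERT HOSTNAME: confirm the DNS SAN really ended up in the signed certificate
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone usage: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
  out=$(mktemp -d)
  make_pki "$out" example.com node-01
  verify_chain "$out" node-01 && echo "chain OK"
  echo "admin_dn: $(dn_for_plugin "$out/admin.pem")"
  echo "nodes_dn: $(dn_for_plugin "$out/node-01.pem")"
  has_san "$out/node-01.pem" node-01.example.com && echo "node SAN present"
  echo "files in $out"
fi
```

Paste the two printed DN lines into admin_dn and nodes_dn rather than typing them by hand; a single differing space or component order is the usual reason securityadmin.sh later rejects the admin certificate.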
Changing the passwords of the internal users
- Using the command below, print the password hash to the console (OD_SEC is the plugin path variable set in the "Applying all our changes to Elasticsearch" section below):
sh ${OD_SEC}/tools/hash.sh -p [пароль]
- Replace the hash in the following file with the one obtained:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
Configuring the firewall in the OS
- Enable the firewall to start at boot:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/TCP --permanent
- Reload the firewall rules:
firewall-cmd --reload
- Here are the active rules:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin folder:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that will update the passwords and check the settings:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied:
curl -XGET https://[IP/Имя Elasticsearch]:9200/_cat/nodes?v -u admin:[пароль] --insecure
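A small probe that covers both checks the article asks for: the "is the database exposed to the Internet" check from the first section (run it from a host outside your trusted network, before the plugin is installed) and the final verification above (after securityadmin.sh, the anonymous request must be refused while the admin credentials still work). This is an added example, not code from the original article; unlike the article's curl --insecure it pins the cluster's own root-ca.pem for the authenticated request. The function names classify_status, es_http_code and check_exposure, and the ES_CACERT variable with its default path, are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): classify what an Elasticsearch
# HTTP endpoint answers to anonymous and to authenticated requests.

# classify_status HTTP_CODE WITH_CREDS(yes|no) -> one-word verdict
classify_status() {
  code="$1"; with_creds="$2"
  case "$code" in
    000)     echo "unreachable" ;;
    200)     if [ "$with_creds" = yes ]; then echo "authenticated-ok"; else echo "OPEN-no-auth"; fi ;;
    401|403) if [ "$with_creds" = yes ]; then echo "credentials-rejected"; else echo "auth-required"; fi ;;
    *)       echo "unexpected-$code" ;;
  esac
}

# es_http_code URL [USER:PASS] -> HTTP status code, or 000 when no connection
# could be made (curl prints 000 itself in that case; the exit status is ignored).
es_http_code() {
  url="$1"; creds="${2:-}"
  cacert="${ES_CACERT:-/etc/elasticsearch/root-ca.pem}"   # assumed path, see lead-in
  if [ -n "$creds" ]; then
    curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 \
      --cacert "$cacert" -u "$creds" "$url" 2>/dev/null || true
  else
    curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 \
      --cacert "$cacert" "$url" 2>/dev/null || true
  fi
}

# check_exposure URL USER:PASS -> prints both verdicts; returns 1 when the
# anonymous request got data back, i.e. the state the article says to fix first.
check_exposure() {
  url="$1"; creds="$2"
  anon=$(classify_status "$(es_http_code "$url")" no)
  auth=$(classify_status "$(es_http_code "$url" "$creds")" yes)
  echo "anonymous request: $anon"
  echo "admin request:     $auth"
  [ "$anon" != "OPEN-no-auth" ]
}

# Stand-alone usage, with the article's endpoint:
#   ES_CACERT=/etc/elasticsearch/root-ca.pem \
#   sh this-script.sh run https://es.example.com:9200/_cat/nodes?v 'admin:<password>'
if [ "${1:-}" = "run" ]; then
  check_exposure "$2" "$3"
fi
```

Before the plugin is installed, "anonymous request: OPEN-no-auth" against the public address is the finding the article's first section describes; after the settings above are applied, the expected pair is "auth-required" for the anonymous request and "authenticated-ok" for the admin one. "credentials-rejected" after securityadmin.sh usually means the hash in internal_users.yml was not the one pushed by the script.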
That's all; these are the minimum settings that protect Elasticsearch from unauthorized connections.
Source: www.habr.com