How to configure Elasticsearch to avoid leaks

Over the last year there have been many leaks from Elasticsearch databases (see here, here and here). In most cases the database held personal data. These leaks could have been avoided if, after deploying the database, the administrators had taken the trouble to check a few simple settings. Today we will talk about them.

Let us say up front that in our own practice we use Elasticsearch to store and analyze the logs of information security tools, the OS and software in our IaaS platform, which complies with the requirements of 152-FZ, Cloud-152.


Check whether the database is exposed to the Internet

In the best-known leak cases (see here and here) the attacker got to the data easily and without obstacles: the database was published on the Internet and could be connected to without authentication.

First, let us deal with exposure to the Internet. Why does this happen? For more convenient operation, Elasticsearch recommends building a cluster of three servers, and for the nodes to communicate with each other you need to open ports. As a result, administrators often do not restrict access to the database at all, and it can be connected to from anywhere. Checking whether the database is reachable from outside is easy: just type the following into a browser: http://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v

If you get in, hurry up and close it.
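The same check can be scripted so that it is run regularly against every Elasticsearch host you operate. The POSIX shell script below is an added example and is not from the article: it requests `/_cat/nodes` anonymously over both plain http and https and classifies the answer. The verdict wording and the choice of status codes are this example's own assumptions; `curl` is the only tool it needs.

```shell
#!/bin/sh
# Added example: probe Elasticsearch's REST port anonymously and classify the result.
# Not part of the article; the hosts passed on the command line are whatever you choose.
set -eu

# Map the HTTP status of an unauthenticated GET /_cat/nodes to a verdict.
# 200 means anyone can read the cluster; 401/403 means a security plugin is
# answering; 000 is curl's code for "no HTTP response at all".
classify_es_status() {
  case "$1" in
    200)     echo "EXPOSED: cluster answers without authentication" ;;
    401|403) echo "PROTECTED: authentication required" ;;
    000)     echo "UNREACHABLE: no HTTP response (port closed/filtered, or TLS endpoint probed over plain http)" ;;
    *)       echo "UNEXPECTED: HTTP $1" ;;
  esac
}

# Probe one host over both schemes. -k is used only so that a self-signed
# certificate does not hide the fact that the API is open to anonymous clients.
probe_es_host() {
  host="$1"
  port="${2:-9200}"
  for scheme in http https; do
    code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 5 \
           "$scheme://$host:$port/_cat/nodes?v") || code=000
    printf '%-40s %s\n' "$scheme://$host:$port" "$(classify_es_status "$code")"
  done
}

# Usage: ./es-exposure.sh host1 [host2 ...]   (port 9200 is assumed)
if [ "$#" -gt 0 ]; then
  for h in "$@"; do probe_es_host "$h"; done
fi
```

Run it from a machine outside your trusted network: an EXPOSED line on the public address of a node is exactly the situation the leaks above started from, and a PROTECTED line on https is what you should see after the steps that follow.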

Protecting the connection to the database

Now we will make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is available only in the paid X-Pack plugin set (free for 1 month).

The good news is that in the fall of 2019 Amazon open-sourced its developments, which overlap with X-Pack. The authentication feature for connections to the database became available under a free license for Elasticsearch version 7.3.2, and a new release for Elasticsearch 7.4.0 is already in the works.

This plugin is easy to install. Go to the server console and add the repository:

RPM-based:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
    yum update
    yum install opendistro-security

DEB-based:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Setting up communication between servers over SSL

When the plugin is installed, the configuration of the port you connect to the database on changes: it enables SSL encryption. For the cluster servers to keep working with each other, you need to configure the communication between them over SSL.

Trust between hosts can be established with or without your own certificate authority. With the first approach everything is clear: you just need to contact the CA specialists. Let us go straight to the second.

  1. Create a variable with the fully qualified domain name:

    export DOMAIN_CN="example.com"

  2. Create the CA private key:

    openssl genrsa -out root-ca-key.pem 4096

  3. Sign the root certificate. Keep it safe: if it is lost or compromised, trust between all hosts will have to be set up again.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
      -key root-ca-key.pem -out root-ca.pem

  4. Create the admin key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
      -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
      -key admin-key.pem -out admin.csr

  6. Create the admin certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
      -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create the key for the Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
      -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create a signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
      -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
      -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate:

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
      -sha256 -out ${NODENAME}.pem

  10. Copy the certificates to the following folder on the Elasticsearch nodes:

    /etc/elasticsearch/

    The files we need:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Configure /etc/elasticsearch/elasticsearch.yml: change the certificate file names to the ones we generated:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
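Two things in steps 1 to 11 are easy to get wrong by hand: the DN strings in `admin_dn` and `nodes_dn` must be written in RFC 2253 order (the reverse of the `-subj` string), and `openssl x509 -req` does not copy the subjectAltName from the CSR into the signed certificate unless the extension is supplied at signing time. The script below is an added example, not the article's or the Open Distro project's code: it runs the same CA, admin and node issuance in one function, supplies the SAN through `-extfile`, prints each certificate's DN exactly as elasticsearch.yml expects it, and verifies the chain. The output directory, key size variable and the uniform "Moscow Inc." organization name are assumptions of this example; `openssl` is the only tool it needs.

```shell
#!/bin/sh
# Added example (not from the article): issue a private root CA, an admin client
# certificate and one node certificate, then print the DNs for elasticsearch.yml.
# DOMAIN_CN / NODENAME default to the article's placeholders; OUTDIR is our choice.
set -eu

DOMAIN_CN="${DOMAIN_CN:-example.com}"
NODENAME="${NODENAME:-node-01}"
KEYBITS="${KEYBITS:-4096}"
SUBJ_BASE="/C=RU/ST=Moscow/O=Moscow Inc."

# gen_es_certs OUTDIR: write root-ca*.pem, admin*.pem and $NODENAME*.pem into OUTDIR.
gen_es_certs() {
  outdir="$1"
  mkdir -p "$outdir"
  (
    cd "$outdir"

    # Root CA. root-ca-key.pem is the trust anchor for the whole cluster: keep it offline.
    openssl genrsa -out root-ca-key.pem "$KEYBITS" 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -subj "$SUBJ_BASE/CN=$DOMAIN_CN" \
      -key root-ca-key.pem -out root-ca.pem

    # Admin client certificate; its DN goes into opendistro_security.authcz.admin_dn.
    openssl genrsa -out admin-key-temp.pem "$KEYBITS" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in admin-key-temp.pem -out admin-key.pem
    openssl req -new -subj "$SUBJ_BASE/CN=$DOMAIN_CN/CN=admin" \
      -key admin-key.pem -out admin.csr
    openssl x509 -req -sha256 -days 730 -in admin.csr -CA root-ca.pem \
      -CAkey root-ca-key.pem -CAcreateserial -out admin.pem 2>/dev/null

    # Node certificate; its DN goes into opendistro_security.nodes_dn. The SAN is
    # given at signing time because `x509 -req` ignores extensions in the CSR.
    openssl genrsa -out "$NODENAME-key-temp.pem" "$KEYBITS" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$NODENAME-key-temp.pem" -out "$NODENAME-key.pem"
    openssl req -new -subj "$SUBJ_BASE/CN=$NODENAME.$DOMAIN_CN" \
      -key "$NODENAME-key.pem" -out "$NODENAME.csr"
    printf 'subjectAltName=DNS:%s.%s\n' "$NODENAME" "$DOMAIN_CN" > "$NODENAME.ext"
    openssl x509 -req -sha256 -days 730 -in "$NODENAME.csr" -CA root-ca.pem \
      -CAkey root-ca-key.pem -CAcreateserial -extfile "$NODENAME.ext" \
      -out "$NODENAME.pem" 2>/dev/null

    # Temporary PKCS#1 keys, CSRs and the extension file are no longer needed.
    rm -f admin-key-temp.pem "$NODENAME-key-temp.pem" ./*.csr "$NODENAME.ext"
  )
}

# cert_dn CERT: subject in RFC 2253 order, i.e. the string elasticsearch.yml wants.
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# cert_verify CA CERT: succeed only if CERT chains to CA.
cert_verify() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: ./es-certs.sh run [OUTDIR]
if [ "${1:-}" = "run" ]; then
  dir="${2:-./es-certs}"
  gen_es_certs "$dir"
  echo "authcz.admin_dn: $(cert_dn "$dir/admin.pem")"
  echo "nodes_dn:        $(cert_dn "$dir/$NODENAME.pem")"
  cert_verify "$dir/root-ca.pem" "$dir/$NODENAME.pem" && echo "$NODENAME.pem chains to root-ca.pem"
fi
```

Run `./es-certs.sh run /tmp/es-certs` once per node with a different `NODENAME`, paste the two printed DNs into `admin_dn` and `nodes_dn`, and copy the node's key and certificate together with root-ca.pem to /etc/elasticsearch/ as in step 10. Because `enforce_hostname_verification` is false in the configuration above, the SAN is not checked between nodes, but it still has to be present for clients that do verify the HTTPS endpoint.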

Changing the passwords of the internal users

  1. Using the command below, print the password hash to the console (OD_SEC is the plugin directory, /usr/share/elasticsearch/plugins/opendistro_security/):

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in the following file with the one you obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Configuring the firewall in the OS

  1. Enable the firewall at startup:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch:

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Check the active rules:

    firewall-cmd --list-all
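The rule in step 3 opens port 9200 to every source in the zone. The cluster described at the beginning also needs its nodes to reach each other, and a stricter variant restricts both ports by source address. The script below is an added example, not from the article: it generates firewalld rich rules that allow the REST port 9200 only from a trusted client network and the inter-node transport port 9300 only from the other cluster members, and can apply them. The zone name, the 9300 transport port (Elasticsearch's default) and the addresses are assumptions of this example; the generated lines are ordinary `firewall-cmd` invocations.

```shell
#!/bin/sh
# Added example (not from the article): source-restricted firewalld rules for an
# Elasticsearch node. ZONE, the client network and peer IPs are our assumptions.
set -eu

ZONE="${ZONE:-work}"

# es_firewall_rules CLIENT_CIDR PEER_IP [PEER_IP ...]
# Print one firewall-cmd command per line; nothing is executed here, so the
# output can be reviewed (or diffed against the current rule set) first.
es_firewall_rules() {
  client_cidr="$1"; shift
  # REST API (9200): only the network that hosts the log shippers / analysts.
  printf '%s\n' "firewall-cmd --permanent --zone=$ZONE --add-rich-rule='rule family=\"ipv4\" source address=\"$client_cidr\" port port=\"9200\" protocol=\"tcp\" accept'"
  # Transport (9300): only the other members of the cluster, one rule each.
  for peer in "$@"; do
    printf '%s\n' "firewall-cmd --permanent --zone=$ZONE --add-rich-rule='rule family=\"ipv4\" source address=\"$peer\" port port=\"9300\" protocol=\"tcp\" accept'"
  done
  printf '%s\n' "firewall-cmd --reload"
}

# es_firewall_apply CLIENT_CIDR PEER_IP ...: execute the generated commands (run as root).
es_firewall_apply() {
  es_firewall_rules "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

# Usage: ./es-firewall.sh [apply] CLIENT_CIDR PEER_IP ...
if [ "${1:-}" = "apply" ]; then
  shift
  es_firewall_apply "$@"
elif [ "$#" -gt 0 ]; then
  es_firewall_rules "$@"
fi
```

With these rules in place, do not also add the blanket `--add-port=9200/tcp` from step 3; check the result with `firewall-cmd --list-all` as in step 5, where the rich rules appear under `rich rules:`.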

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that updates the passwords and checks the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
      -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
      -cert /etc/elasticsearch/admin.pem \
      -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET https://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure

That is all; these are the minimal settings that protect Elasticsearch from unauthorized connections.

Source: www.habr.com
