How to configure Elasticsearch to avoid leaks

Over the past year there have been many leaks from Elasticsearch databases (here, here and here). In many cases the database held personal data. These leaks could have been avoided if, after deploying the database, the administrators had taken the trouble to check a few simple settings. Today we will talk about them.

Let us say up front that in our own operations we use Elasticsearch to store and analyse the logs of information-security tools, operating systems and software on our IaaS platform Cloud-152, which complies with the requirements of 152-FZ.


Checking whether the database is exposed to the internet

In many of the known leak cases (here, here) the attacker obtained the data easily and quietly: the database was published on the internet, and it was possible to connect to it without authentication.

First, let's deal with exposure to the internet. Why does it happen? For better fault tolerance, Elasticsearch recommends building a cluster of three servers. For the database nodes to talk to each other, ports have to be opened. As a result, administrators end up not restricting access to the database at all, and it can be reached from anywhere. Checking whether the database is reachable from outside is easy: just open the following address in a browser: http://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v

If you get in, go and close it right away.
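To make that check repeatable, for example from a monitoring host outside your network, here is an added shell script that is not part of the article. It requests the same /_cat/nodes?v path and turns curl's status code into a verdict; curl, the host/port arguments and the optional CA file are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: probe an Elasticsearch HTTP endpoint
# the way the text suggests (GET /_cat/nodes?v) and classify the result.
# Assumed: curl is installed. Host, port, scheme and CA file are parameters.

# Map the HTTP status curl reports to a verdict. "000" is curl's code when
# no HTTP response was received (connection refused/filtered, or a TLS/plain mismatch).
classify_es_probe() {
    case "$1" in
        200) echo "OPEN: cluster info returned without authentication" ;;
        401) echo "PROTECTED: authentication required" ;;
        403) echo "PROTECTED: request rejected for this client" ;;
        000) echo "UNREACHABLE: no HTTP response (filtered, refused, or TLS/plain mismatch)" ;;
        *)   echo "UNEXPECTED: HTTP $1 (inspect manually)" ;;
    esac
}

# Fetch /_cat/nodes?v and print only the status code.
# $1 = host, $2 = port (default 9200), $3 = scheme (http or https, default http),
# optional $4 = CA file for https, so the check verifies the node certificate
# instead of skipping verification with --insecure.
probe_es_status() {
    host="$1"; port="${2:-9200}"; scheme="${3:-http}"; cafile="$4"
    url="${scheme}://${host}:${port}/_cat/nodes?v"
    if [ -n "$cafile" ]; then
        code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' --cacert "$cafile" "$url") || code="000"
    else
        code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$url") || code="000"
    fi
    printf '%s\n' "$code"
}

# Convenience wrapper: one verdict line per host, e.g. es_check 203.0.113.10
# (203.0.113.10 is a documentation address used here as a placeholder).
es_check() {
    code=$(probe_es_status "$@")
    printf '%s:%s -> %s\n' "$1" "${2:-9200}" "$(classify_es_probe "$code")"
}
```

A 200 from an unauthenticated request is the situation the article describes; after the plugin from the next section is installed, the same probe over https with the root CA should report 401.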

Securing connections to the database

Now let's make it impossible to connect to the database without authentication.

Elasticsearch has an authentication module that restricts access to the database, but it is only available in the paid X-Pack plugin set (one month of free use).

The good news is that in autumn 2019 Amazon open-sourced its own development, which goes beyond X-Pack. Authentication on connection to the database is now available under a free licence for Elasticsearch version 7.3.2, and a release for Elasticsearch 7.4.0 is already in progress.

The plugin is easy to install. Go to the server console and add the repository:

For RPM-based systems:

    curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
    yum update
    yum install opendistro-security

For DEB-based systems:

    wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -

Setting up SSL communication between the servers

When the plugin is installed, the configuration of the port used to connect to the database changes: SSL encryption is enabled on it. For the cluster servers to keep working with each other, you need to configure their communication over SSL.

Trust between hosts can be established with or without a certificate authority. The first way is straightforward: you simply contact the CA staff. Let's go straight to the second.

  1. Create a variable with the fully qualified domain name:

    export DOMAIN_CN="example.com"

  2. Create the private key of the root CA:

    openssl genrsa -out root-ca-key.pem 4096

  3. Create the self-signed root certificate. Keep the key safe: if it is lost or compromised, trust between all hosts will have to be re-established.

    openssl req -new -x509 -sha256 -subj "/C=RU/ST=Moscow/O=Moscow, Inc./CN=${DOMAIN_CN}" \
        -key root-ca-key.pem -out root-ca.pem

  4. Create the administrator key:

    openssl genrsa -out admin-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt \
        -v1 PBE-SHA1-3DES -out admin-key.pem

  5. Create a certificate signing request (there must be no trailing space after "admin": the subject has to match admin_dn in elasticsearch.yml exactly):

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" \
        -key admin-key.pem -out admin.csr

  6. Create the administrator certificate:

    openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem \
        -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

  7. Create the key for an Elasticsearch node:

    export NODENAME="node-01"
    openssl genrsa -out ${NODENAME}-key-temp.pem 4096
    openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt \
        -v1 PBE-SHA1-3DES -out ${NODENAME}-key.pem

  8. Create the signing request:

    openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" \
        -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" \
        -key ${NODENAME}-key.pem -out ${NODENAME}.csr

  9. Sign the certificate (the input and output names follow ${NODENAME}, so the result is the node-01.pem expected in step 10). Note that openssl x509 -req does not copy the subjectAltName from the CSR into the certificate unless asked to (-copy_extensions copy in OpenSSL 3, or an -extfile); this does not matter here because enforce_hostname_verification is set to false in step 11.

    openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
        -sha256 -out ${NODENAME}.pem

  10. Place the certificates on the Elasticsearch nodes in the following folder:

    /etc/elasticsearch/

    The following files are required:

    node-01-key.pem
    node-01.pem
    admin-key.pem
    admin.pem
    root-ca.pem

  11. Edit /etc/elasticsearch/elasticsearch.yml: replace the certificate file names with the ones we generated:

    opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
    opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.ssl.transport.enforce_hostname_verification: false
    opendistro_security.ssl.http.enabled: true
    opendistro_security.ssl.http.pemcert_filepath: node-01.pem
    opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
    opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
    opendistro_security.allow_unsafe_democertificates: false
    opendistro_security.allow_default_init_securityindex: true
    opendistro_security.authcz.admin_dn:
      - CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU
    opendistro_security.nodes_dn:
      - CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU
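The DN strings in step 11 are the subjects from steps 5 and 8 written in reverse order and separated by commas; mistyping them is a common reason the admin certificate is rejected or a node is not trusted by its peers. The following shell helpers are an added example, not part of the article: they derive those strings from the -subj arguments used above, read the subject back from an issued certificate, and check that an elasticsearch.yml lists them. The file path, sample YAML and default values are assumptions.

```shell
#!/bin/sh
# Added helpers (not from the article) for the DN values in elasticsearch.yml.
# The plugin compares certificate subjects as comma-separated DNs in RFC 2253
# order (most specific RDN first), i.e. the reverse of the "/C=.../CN=..."
# order given to "openssl -subj".

# Convert an OpenSSL -subj string into the DN form used by nodes_dn/admin_dn.
# Assumes no RDN value contains "/" or "," (true for the values in the article).
subj_to_dn() {
    rest="${1#/}"                     # strip the leading slash
    dn=""
    while [ -n "$rest" ]; do
        rdn="${rest%%/*}"             # first remaining "KEY=value"
        if [ "$rdn" = "$rest" ]; then rest=""; else rest="${rest#*/}"; fi
        if [ -z "$dn" ]; then dn="$rdn"; else dn="$rdn,$dn"; fi   # prepend => reversed order
    done
    printf '%s\n' "$dn"
}

# Print the subject of an issued certificate in the same form, so the value can be
# copied from the real certificate rather than retyped. Requires openssl.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Return 0 if DN $2 appears as a "- <dn>" list item in the YAML file $1
# (exact match after trimming the list marker and surrounding whitespace).
dn_listed() {
    sed -e 's/^[[:space:]]*-[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -Fqx -- "$2"
}

# Return 0 if certificate $2 was issued by the root CA $1 (the chain built in step 9).
cert_chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration with the article's values (constructed; DOMAIN_CN and NODENAME
# default to the values exported in steps 1 and 7).
DOMAIN_CN="${DOMAIN_CN:-example.com}"
NODENAME="${NODENAME:-node-01}"
echo "admin_dn: $(subj_to_dn "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin")"
echo "nodes_dn: $(subj_to_dn "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}")"
```

On a real node, `cert_dn /etc/elasticsearch/node-01.pem` prints the exact string to paste under nodes_dn, and `dn_listed /etc/elasticsearch/elasticsearch.yml "$(cert_dn /etc/elasticsearch/node-01.pem)"` confirms the file matches the certificate actually installed.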

Changing the passwords of the internal users

  1. Using the command below, print the password hash to the console (OD_SEC is the plugin folder, /usr/share/elasticsearch/plugins/opendistro_security/, exported in step 1 of the final section):

    sh ${OD_SEC}/tools/hash.sh -p [password]

  2. Replace the hash in the following file with the one obtained:

    /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml

Setting up the OS firewall

  1. Enable the firewall to start at boot:

    systemctl enable firewalld

  2. Start it:

    systemctl start firewalld

  3. Allow connections to Elasticsearch (the protocol name is lower-case; firewall-cmd rejects 9200/TCP):

    firewall-cmd --set-default-zone work
    firewall-cmd --zone=work --add-port=9200/tcp --permanent

  4. Reload the firewall rules:

    firewall-cmd --reload

  5. Here are the active rules:

    firewall-cmd --list-all
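Step 3 opens 9200/tcp to every source in the work zone, which is the same exposure the first section warns about; with authentication in place that is workable, but limiting the port to known sources is a cheap extra layer. The example below is added here and is not from the article: it uses firewalld rich rules to allow 9200/tcp only from named client networks and the transport port 9300/tcp (Elasticsearch's default for node-to-node traffic, which the article does not mention) only from the other cluster members, and adds a small audit helper that reads the output of firewall-cmd --list-all. The zone name, networks and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: restrict Elasticsearch ports per source
# with firewalld rich rules instead of opening 9200/tcp to the world.
# All networks/addresses below are placeholders for your own values.

# Build a firewalld rich rule accepting TCP traffic to port $2 from source $1.
es_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Replace the blanket port opening with per-source rules (permanent, then reload).
# $1 = zone, $2 = space-separated client sources allowed to reach 9200 (REST),
# $3 = space-separated cluster peers allowed to reach 9300 (transport).
restrict_es_ports() {
    zone="$1"; clients="$2"; peers="$3"
    firewall-cmd --zone="$zone" --remove-port=9200/tcp --permanent
    for src in $clients; do
        firewall-cmd --zone="$zone" --add-rich-rule="$(es_rich_rule "$src" 9200)" --permanent
    done
    for src in $peers; do
        firewall-cmd --zone="$zone" --add-rich-rule="$(es_rich_rule "$src" 9300)" --permanent
    done
    firewall-cmd --reload
}

# Audit helper: read "firewall-cmd --list-all" output on stdin and return 0 if
# port $1 (e.g. 9200/tcp) is opened for every source under "ports:", 1 otherwise.
# Ports allowed only through rich rules do not appear there and so return 1.
port_open_to_all() {
    grep -E '^[[:space:]]*ports:' | tr ' ' '\n' | grep -qx "$1"
}

# Usage on a node (placeholders):
#   restrict_es_ports work "10.0.1.0/24" "10.0.0.11 10.0.0.12"
#   firewall-cmd --list-all | port_open_to_all 9200/tcp && echo "9200 still open to all sources"
```

After restrict_es_ports the audit pipeline should print nothing for 9200/tcp, and the rich rules section of firewall-cmd --list-all should show one line per allowed source.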

Applying all our changes to Elasticsearch

  1. Create a variable with the full path to the plugin folder:

    export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"

  2. Run the script that updates the passwords and checks the settings:

    ${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ \
        -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem \
        -cert /etc/elasticsearch/admin.pem \
        -key /etc/elasticsearch/admin-key.pem

  3. Check that the changes have been applied:

    curl -XGET https://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure

    Because the CA is our own, the same check also verifies the node certificate if you replace --insecure with --cacert /etc/elasticsearch/root-ca.pem.

That's all. These minimal settings protect Elasticsearch from unauthorized connections.

Source: www.habr.com
