Over the past year there have been many leaks from databases
Let us note right away that in our own work we use Elasticsearch to store and analyse the logs of the security tools, the OS and the software on our IaaS platform, which meets the requirements of 152-FZ (Cloud-152).
Checking whether the database is exposed to the internet
In most of the known leak cases (
First, let us deal with exposure to the internet. Why does it happen? The thing is that, to make working with Elasticsearch more flexible
If you can get in from outside, go and close it straight away.
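A local check for the exposed case, as an added example that is not part of the original article: it parses the listening-socket table (the output of `ss -ltn`) and flags any Elasticsearch port that is bound to a wildcard address rather than to loopback or one internal address. The port numbers are the assumed Elasticsearch defaults, the function and variable names are this example's own, and the sample socket table is constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit which addresses Elasticsearch is
# listening on. A listener on 0.0.0.0 or [::] on a host with a public interface is
# the exposed case; 127.0.0.1 or a single internal address is not.
# Input is the output of `ss -ltn` (live, or a saved copy). The sample below is
# constructed for this example.
set -eu

ES_PORTS="9200 9300"   # HTTP and transport ports; assumed defaults

# es_listen_exposure < ss-output
# Prints "<port> <address> <verdict>" for every Elasticsearch listener.
# Exit status 1 if any of them is bound to a wildcard address, 0 otherwise.
es_listen_exposure() {
    awk -v ports="$ES_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    NR == 1 { next }                               # header line
    {
        port = $4; sub(/.*:/, "", port)            # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)       # everything before it
        if (!(port in want)) next
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
            print port, addr, "WILDCARD"; bad = 1
        } else if (addr == "127.0.0.1" || addr == "[::1]") {
            print port, addr, "loopback"
        } else {
            print port, addr, "specific"
        }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample of `ss -ltn` output: HTTP on loopback for IPv4 but on the
# IPv6 wildcard, transport on one internal address, plus an unrelated sshd.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9200      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   10.10.0.5:9300      0.0.0.0:*
LISTEN 0      4096   [::]:9200           [::]:*
EOF
}

# Run against the live socket table with --live; show the sample with --sample.
if [ "${1:-}" = "--live" ]; then
    ss -ltn | es_listen_exposure
elif [ "${1:-}" = "--sample" ]; then
    sample_ss_output | es_listen_exposure
fi
```

Run it as `sh es-listen.sh --live` on the node; a non-zero exit means at least one wildcard bind. A wildcard bind is only an exposure when some interface is reachable from the internet, and a specific internal address can still be reachable through NAT, so the definitive test remains an anonymous request to port 9200 from a host outside your network.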
Protecting connections to the database
Now we will make it impossible to connect to the database without authentication.
Elasticsearch has an authentication module that restricts access to the database, but it is only available as part of the paid X-Pack plugin set (one month of free use).
The good news is that in 2019 Amazon open-sourced its own distribution, Open Distro for Elasticsearch, whose security plugin covers this X-Pack functionality. Authentication on connection to the database is therefore available under a free licence for Elasticsearch 7.3.2, and a build for the new Elasticsearch 7.4.0 release is already out.
The plugin is easy to install. Go to the server console and add the repository:
RPM-based:
curl https://d3g5vo6xdbdb9a.cloudfront.net/yum/opendistroforelasticsearch-artifacts.repo -o /etc/yum.repos.d/opendistroforelasticsearch-artifacts.repo
yum update
yum install opendistro-security
DEB-based:
wget -qO - https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch | sudo apt-key add -
Setting up SSL between the cluster nodes
When the plugin is installed, the way the cluster's ports are served changes: TLS is enabled on the transport port (9300) that the nodes use to talk to each other, and the configuration below also enables it on the HTTP port (9200). For the cluster nodes to keep working with each other, each of them needs a certificate that the others trust.
Trust between hosts can be established either with certificates from an existing certificate authority or with a CA of your own. With the first option everything is clear: ask your CA team for the certificates. Let us go straight to the second.
- Create a variable with the fully qualified domain name:
export DOMAIN_CN="example.com"
- Create the root CA private key:
openssl genrsa -out root-ca-key.pem 4096
- Sign the root certificate. Without -days, openssl req -x509 issues a certificate valid for only 30 days, so set the lifetime explicitly. Keep root-ca-key.pem safe: if it is lost or compromised, trust between all hosts will have to be rebuilt from scratch.
openssl req -new -x509 -sha256 -days 3650 -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}" -key root-ca-key.pem -out root-ca.pem
- Create the administrator key and convert it to PKCS#8, the format the plugin expects for private keys:
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -out admin-key.pem
- Create the certificate signing request (note the two CN components; the admin_dn entry in elasticsearch.yml below has to match them exactly):
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${DOMAIN_CN}/CN=admin" -key admin-key.pem -out admin.csr
- Issue the administrator certificate, again with an explicit lifetime. -extensions usr_cert refers to a section of an OpenSSL configuration file and only has an effect when -extfile names a file that contains that section; with the command as written it adds nothing, which is harmless here:
openssl x509 -req -extensions usr_cert -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -days 730 -sha256 -out admin.pem
- Create the key for an Elasticsearch node (repeat these node steps for every node in the cluster, changing NODENAME):
export NODENAME="node-01"
openssl genrsa -out ${NODENAME}-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in ${NODENAME}-key-temp.pem -topk8 -nocrypt -out ${NODENAME}-key.pem
- Create the signing request with the node's name in the subject alternative name (-addext requires OpenSSL 1.1.1 or newer):
openssl req -new -subj "/C=RU/ST=Moscow/O=Moscow Inc./CN=${NODENAME}.${DOMAIN_CN}" -addext "subjectAltName=DNS:${NODENAME}.${DOMAIN_CN},DNS:www.${NODENAME}.${DOMAIN_CN}" -key ${NODENAME}-key.pem -out ${NODENAME}.csr
- Sign the node certificate. Be aware that openssl x509 -req does not carry the SAN over from the request unless the extensions are supplied again with -extfile (or -copy_extensions copy on OpenSSL 3.0 and newer); the configuration below disables hostname verification, so the cluster works either way:
openssl x509 -req -in ${NODENAME}.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -days 730 -sha256 -out ${NODENAME}.pem
- Put the certificates on each Elasticsearch node in the following directory:
/etc/elasticsearch/
The node needs these files: node-01-key.pem node-01.pem admin-key.pem admin.pem root-ca.pem. Make them owned by the elasticsearch user, with the private keys readable only by that user; root-ca-key.pem must not be copied to the nodes at all.
- Edit /etc/elasticsearch/elasticsearch.yml, replacing the certificate file names with the ones we generated. The DN strings must match the certificate subjects exactly, written in RFC 2253 order (the reverse of the -subj string). enforce_hostname_verification is disabled because the node certificates issued above carry no SAN; switch it back on once they do:
opendistro_security.ssl.transport.pemcert_filepath: node-01.pem
opendistro_security.ssl.transport.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node-01.pem
opendistro_security.ssl.http.pemkey_filepath: node-01-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - 'CN=admin,CN=example.com,O=Moscow Inc.,ST=Moscow,C=RU'
opendistro_security.nodes_dn:
  - 'CN=node-01.example.com,O=Moscow Inc.,ST=Moscow,C=RU'
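The whole certificate procedure above as one script, added here as an example; it is not code from the original article or from the Open Distro project. It assumes OpenSSL 1.0.2 or newer with its stock openssl.cnf, uses the same placeholder organisation as the article, gives every certificate an explicit lifetime, marks the root as a CA explicitly, passes the SAN at signing time via -extfile so that it actually ends up in the node certificate, and derives the admin_dn / nodes_dn lines for elasticsearch.yml from the issued certificates instead of typing them by hand. The function and variable names (gen_es_pki, es_dn, print_dn_config, SUBJ_BASE, KEYBITS) are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): build the root CA, admin certificate and
# one certificate per node for the Open Distro security plugin.
# Assumptions: OpenSSL >= 1.0.2 with its stock openssl.cnf; the organisation in
# SUBJ_BASE is a placeholder, as in the article; the plugin needs unencrypted
# PKCS#8 private keys, hence the pkcs8 conversion.
set -eu

SUBJ_BASE="/C=RU/ST=Moscow/O=Moscow Inc."   # placeholder organisation
KEYBITS="${KEYBITS:-4096}"                  # RSA key size (override for quick tests)

# gen_key <file>: unencrypted PKCS#8 RSA key, readable only by its owner.
gen_key() {
    openssl genrsa -out "$1.tmp" "$KEYBITS" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform PEM -in "$1.tmp" -out "$1"
    rm -f "$1.tmp"
    chmod 600 "$1"
}

# gen_es_pki <outdir> <domain> <node>...: writes root-ca*.pem, admin*.pem, <node>*.pem
gen_es_pki() {
    dir=$1; domain=$2; shift 2
    mkdir -p "$dir"
    (
        cd "$dir"

        # Root CA. Extensions are given explicitly so the root verifies as a CA
        # even on hosts whose openssl.cnf has no v3_ca section.
        gen_key root-ca-key.pem
        openssl req -new -subj "$SUBJ_BASE/CN=$domain" -key root-ca-key.pem -out root-ca.csr
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root-ca.ext
        openssl x509 -req -in root-ca.csr -signkey root-ca-key.pem -days 3650 -sha256 \
            -extfile root-ca.ext -out root-ca.pem 2>/dev/null

        # Admin certificate: a client certificate used only by securityadmin.sh.
        gen_key admin-key.pem
        openssl req -new -subj "$SUBJ_BASE/CN=admin" -key admin-key.pem -out admin.csr
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > admin.ext
        openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
            -days 730 -sha256 -extfile admin.ext -out admin.pem 2>/dev/null

        # Node certificates. Nodes are both TLS server and client on the transport
        # port, and the SAN must be supplied here because `openssl x509 -req`
        # does not copy extensions from the CSR.
        for node in "$@"; do
            fqdn="$node.$domain"
            gen_key "$node-key.pem"
            openssl req -new -subj "$SUBJ_BASE/CN=$fqdn" -key "$node-key.pem" -out "$node.csr"
            printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
                "$fqdn" > "$node.ext"
            openssl x509 -req -in "$node.csr" -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
                -days 730 -sha256 -extfile "$node.ext" -out "$node.pem" 2>/dev/null
        done
        rm -f ./*.csr ./*.ext
    )
}

# es_dn <cert>: the subject in the RFC 2253 form that admin_dn / nodes_dn expect.
es_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# print_dn_config <dir> <node>...: elasticsearch.yml lines derived from the certificates.
print_dn_config() {
    dir=$1; shift
    echo "opendistro_security.authcz.admin_dn:"
    echo "  - '$(es_dn "$dir/admin.pem")'"
    echo "opendistro_security.nodes_dn:"
    for node in "$@"; do
        echo "  - '$(es_dn "$dir/$node.pem")'"
    done
}

# Usage: sh es-pki.sh <outdir> <domain> <node>...   e.g.  sh es-pki.sh ./pki example.com node-01 node-02
if [ "$#" -ge 3 ]; then
    gen_es_pki "$@"
    outdir=$1; shift 2
    print_dn_config "$outdir" "$@"
fi
```

Copy each node's own key and certificate plus root-ca.pem (and admin.pem / admin-key.pem on the node from which you run securityadmin.sh) to /etc/elasticsearch/ and chown them to the elasticsearch user; root-ca-key.pem stays off the nodes. Because the node certificates now carry a correct SAN, enforce_hostname_verification can be left at true with this PKI.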
Changing the passwords of the internal users
- Generate the bcrypt hash of the new password with the plugin's tool; it prints the hash to the console (OD_SEC is the plugin directory, /usr/share/elasticsearch/plugins/opendistro_security/, exported in the last section):
sh ${OD_SEC}/tools/hash.sh -p [password]
- Replace the hash in the following file with the generated one. The file shipped with the plugin defines several demo users besides admin (kibanaserver, kibanaro, logstash, readall, snapshotrestore) whose passwords are publicly known; change or delete every one of them:
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
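Two helpers for that file, added here as an example (not code from the article or from the plugin): one lists every user defined in internal_users.yml so none of the demo accounts is overlooked, the other replaces the hash of a single user in place while leaving the rest of the file untouched. It assumes the 7.x file layout (top-level user keys with an indented hash: line); the sample file and the hashes in it are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): helpers for the security plugin's
# internal_users.yml. The plugin ships several demo users whose passwords are
# public, so every entry must be re-hashed or removed, not just admin.
# Assumed: the 7.x file layout (top-level user keys, an indented "hash:" line).
# The sample file is constructed for this example; the hashes in it are not real.
set -eu

# list_internal_users <file>: one user name per line, skipping the _meta block.
list_internal_users() {
    awk '/^[A-Za-z_][^:]*:[ \t]*$/ { name = $0; sub(/:.*/, "", name); if (name != "_meta") print name }' "$1"
}

# set_internal_user_hash <file> <user> <bcrypt-hash>
# Replaces the hash line inside that user's block only and rewrites the file in
# place (cat > file keeps the owner and mode the plugin expects). Returns 1 and
# leaves the file untouched if the user does not exist.
# Get the hash from the plugin's own tool, e.g.
#   hash=$(sh "$OD_SEC/tools/hash.sh" -p 'new-password')
set_internal_user_hash() {
    file=$1
    awk -v user="$2" -v hash="$3" '
        /^[A-Za-z_][^:]*:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur) }
        cur == user && /^[ \t]+hash:/ {
            indent = $0; sub(/hash:.*/, "", indent)     # keep the original indentation
            $0 = indent "hash: \"" hash "\""
            found = 1
        }
        { print }
        END { exit found ? 0 : 1 }
    ' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Constructed sample in the shape of the shipped file (hash values are fake).
write_sample_internal_users() {
    cat > "$1" <<'EOF'
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$CONSTRUCTED.demo.hash.for.admin.not.a.real.value"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$CONSTRUCTED.demo.hash.for.kibanaserver.not.real"
  reserved: true
  description: "Demo Kibana server user"

logstash:
  hash: "$2y$12$CONSTRUCTED.demo.hash.for.logstash.not.real"
  backend_roles:
  - "logstash"
  description: "Demo logstash user"
EOF
}

# Demo: write the sample, list its users, re-hash admin and show the hash lines.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_internal_users "$f"
    echo "users defined in the file:"; list_internal_users "$f"
    set_internal_user_hash "$f" admin '$2y$12$NEWHASHplaceholder.value.from.hash.sh...........'
    grep -n 'hash:' "$f"
    rm -f "$f"
fi
```

On a real node, run list_internal_users against the securityconfig file first and decide for each name whether to re-hash it or delete its block; the new contents only reach the cluster after securityadmin.sh is run, as described in the last section.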
Setting up the firewall in the OS
- Enable the firewall at boot:
systemctl enable firewalld
- Start it:
systemctl start firewalld
- Allow connections to Elasticsearch. Note that this opens the HTTP port (9200) to every source in the work zone, which by default also still accepts SSH; in a cluster of several nodes the transport port (9300) must additionally be reachable from the other nodes. Both ports should be limited to known source addresses (for example with firewalld rich rules) rather than opened to the whole internet, since an open 9200 is exactly what caused the leaks mentioned above:
firewall-cmd --set-default-zone work
firewall-cmd --zone=work --add-port=9200/tcp --permanent
- Reload the firewall rules:
firewall-cmd --reload
- The rules now in effect:
firewall-cmd --list-all
Applying all our changes to Elasticsearch
- Create a variable with the full path to the plugin directory:
export OD_SEC="/usr/share/elasticsearch/plugins/opendistro_security/"
- Run the script that uploads the security configuration, new passwords included, into the cluster. -cd is the configuration directory, -icl ignores the cluster name, -nhnv skips hostname verification (matching the setting in elasticsearch.yml above), and the admin certificate is what authorises the upload. Every run overwrites the whole security index with the contents of the directory, so keep the files there current:
${OD_SEC}/tools/securityadmin.sh -cd ${OD_SEC}/securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/admin.pem -key /etc/elasticsearch/admin-key.pem
- Check that the changes have been applied. The same request without -u must now be refused with HTTP 401. --insecure skips validation of the server certificate; when you connect by the node's FQDN, replace it with --cacert /etc/elasticsearch/root-ca.pem so the certificate is actually checked:
curl -XGET https://[IP or hostname of Elasticsearch]:9200/_cat/nodes?v -u admin:[password] --insecure
That is all: these are the minimum settings that protect Elasticsearch from unauthorised connections.
Source: www.habr.com