GBase 8a Cluster SSL Configuration - Forcing a User to Use SSL

GBase 8a lets you force a database user to connect over SSL by setting the require ssl option on the account. This post shows how.

Create the user

Look at the ssl_type column in the user's row: it is empty.

gbase> create user ssl_user identified by 'ssl';
Query OK, 0 rows affected (Elapsed: 00:00:00.02)


gbase> select * from gbase.user where user='ssl_user'\G
*************************** 1. row ***************************
                   Host: %
                   User: ssl_user
               Password:
            Select_priv: N
            Insert_priv: N
            Update_priv: N
            Delete_priv: N
            Create_priv: N
              Drop_priv: N
            Reload_priv: N
          Shutdown_priv: N
           Process_priv: N
              File_priv: N
             Grant_priv: N
        References_priv: N
             Index_priv: N
             Alter_priv: N
           Show_db_priv: N
             Super_priv: N
  Create_tmp_table_priv: N
       Lock_tables_priv: N
           Execute_priv: N
        Repl_slave_priv: N
            Unmask_priv: N
       Create_view_priv: N
         Show_view_priv: N
    Create_routine_priv: N
     Alter_routine_priv: N
       Create_user_priv: N
             Event_priv: N
           Trigger_priv: N
               ssl_type:
             ssl_cipher:
            x509_issuer:
           x509_subject:
          max_questions: 0
            max_updates: 0
        max_connections: 0
   max_user_connections: 0
               max_cpus: 0
           max_memories: 0
          max_tmp_space: 0
         resource_group: 0
          task_priority: 2
user_limit_storage_size:
      user_storage_size: 0
                    UID: 529422
1 row in set (Elapsed: 00:00:00.00)

Set the SSL requirement

Use the grant command to assign privileges with the require ssl option, which requires the account to connect over SSL. Query the user table again: ssl_type has changed from the default empty value to ANY.

gbase> grant usage on *.* to ssl_user identified by 'ssl' require ssl;
Query OK, 0 rows affected (Elapsed: 00:00:00.01)

gbase> select * from gbase.user where user='ssl_user'\G
*************************** 1. row ***************************
                   Host: %
                   User: ssl_user
               Password: *035E199C2E188B7300132D5C991D9E002AB5C150
            Select_priv: N
            Insert_priv: N
            Update_priv: N
            Delete_priv: N
            Create_priv: N
              Drop_priv: N
            Reload_priv: N
          Shutdown_priv: N
           Process_priv: N
              File_priv: N
             Grant_priv: N
        References_priv: N
             Index_priv: N
             Alter_priv: N
           Show_db_priv: N
             Super_priv: N
  Create_tmp_table_priv: N
       Lock_tables_priv: N
           Execute_priv: N
        Repl_slave_priv: N
            Unmask_priv: N
       Create_view_priv: N
         Show_view_priv: N
    Create_routine_priv: N
     Alter_routine_priv: N
       Create_user_priv: N
             Event_priv: N
           Trigger_priv: N
               ssl_type: ANY
             ssl_cipher:
            x509_issuer:
           x509_subject:
          max_questions: 0
            max_updates: 0
        max_connections: 0
   max_user_connections: 0
               max_cpus: 0
           max_memories: 0
          max_tmp_space: 0
         resource_group: 0
          task_priority: 2
user_limit_storage_size:
      user_storage_size: 0
                    UID: 529422
1 row in set (Elapsed: 00:00:00.00)

Login attempt

Because SSL has not been configured yet, the login fails immediately with an error, even though the username and password are correct.

[gbase@rh6-1 gcluster]$ gccli -ussl_user -pssl
ERROR 1045 (28000): Access denied for user 'ssl_user'@'localhost' (using password: YES)
[gbase@rh6-1 gcluster]$
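The following is an added example, not part of the original post: it turns the steps above into an audit-and-enforce script. The first query lists every account in gbase.user whose ssl_type is empty (the state shown for ssl_user right after creation), then the weak and hardened account definitions are placed side by side using the same GRANT ... REQUIRE SSL form the post uses. The account name report_user and the placeholder password are assumptions for illustration; the column names come from the gbase.user rows shown above.

```sql
-- Added example (not from the original post): audit which accounts may still
-- log in without SSL, then enforce SSL with the REQUIRE clause shown above.

-- 1. Audit: an empty ssl_type in gbase.user means the server will accept a
--    plaintext connection for that account. List all such accounts.
SELECT User, Host, ssl_type
FROM gbase.user
WHERE ssl_type = '' OR ssl_type IS NULL;

-- 2. Weak setting: the account is created with no transport requirement,
--    so its ssl_type stays empty (account name and password are placeholders).
CREATE USER report_user IDENTIFIED BY 'replace-me';

-- 3. Hardened setting: the same GRANT used in the post, plus REQUIRE SSL.
--    This sets ssl_type to ANY and the server refuses non-SSL logins.
GRANT USAGE ON *.* TO report_user IDENTIFIED BY 'replace-me' REQUIRE SSL;

-- 4. Verify: the hardened account now shows ssl_type = ANY.
SELECT User, Host, ssl_type
FROM gbase.user
WHERE User = 'report_user';
```

Two points worth keeping in mind when operating this. First, REQUIRE SSL only governs the account; the server and client SSL setup described in the referenced posts still has to be in place, otherwise every login for that account fails. Second, as the session above shows, a rejected non-SSL login surfaces as ERROR 1045 (Access denied), the same error as a wrong password, so a burst of 1045 errors after rolling out REQUIRE SSL is more likely a client that has not enabled SSL than a credential problem.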

SSL configuration

See:

GBase 8a Cluster SSL Configuration - Cluster configuration
GBase 8a Cluster SSL Configuration - gccli client