GBase 8a支持数据库用户通过require ssl参数,强制必须使用SSL连接数据库,本文介绍其方法。
创建用户
查看其中的ssl_type, 看到是空的。
gbase> create user ssl_user identified by 'ssl';
Query OK, 0 rows affected (Elapsed: 00:00:00.02)
gbase> select * from gbase.user where user='ssl_user'\G
*************************** 1. row ***************************
Host: %
User: ssl_user
Password:
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Unmask_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
max_cpus: 0
max_memories: 0
max_tmp_space: 0
resource_group: 0
task_priority: 2
user_limit_storage_size:
user_storage_size: 0
UID: 529422
1 row in set (Elapsed: 00:00:00.00)设置SSL要求
通过grant 命令,设置权限,require ssl参数要求必须用ssl连接。查看user表的ssl_type变成了ANY,而不是默认的空。
gbase> grant usage on *.* to ssl_user identified by 'ssl' require ssl;
Query OK, 0 rows affected (Elapsed: 00:00:00.01)
gbase> select * from gbase.user where user='ssl_user'\G
*************************** 1. row ***************************
Host: %
User: ssl_user
Password: *035E199C2E188B7300132D5C991D9E002AB5C150
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Unmask_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
ssl_type: ANY
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
max_cpus: 0
max_memories: 0
max_tmp_space: 0
resource_group: 0
task_priority: 2
user_limit_storage_size:
user_storage_size: 0
UID: 529422
1 row in set (Elapsed: 00:00:00.00)
登录尝试
因为并没有配置ssl,所以直接报错,虽然用户名和密码是对的。
[gbase@rh6-1 gcluster]$ gccli -ussl_user -pssl
ERROR 1045 (28000): Access denied for user 'ssl_user'@'localhost' (using password: YES)
[gbase@rh6-1 gcluster]$
查看当前用户SSL登录情况status
gbase> status;
--------------
/opt/gccli_install/gcluster/server/bin/gbase ver 9.5.3.27.88ef4e28, for redhat-linux (x86_64) using readline 6.3
Connection id: 3525
Current database: gbase
Current user: root@60.30.204.30
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 9.5.3.15.122811
Protocol version: 10
Connection: 101.200.58.199 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 5258
Uptime: Elapsed: 422:36:52.00
Threads: 10 Questions: 5779 Slow queries: 0 Opens: 42 Flush tables: 1 Open tables: 26 Queries per second avg: 0.3
--------------
SSL配置
请参考
