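GBase 8a lets you force a database user to connect over SSL by setting the require ssl option on the account. This article shows how.
Create the user
Create the user and look at ssl_type in its gbase.user row: it is empty.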
gbase> create user ssl_user identified by 'ssl';
Query OK, 0 rows affected (Elapsed: 00:00:00.02)
gbase> select * from gbase.user where user='ssl_user'\G
*************************** 1. row ***************************
Host: %
User: ssl_user
Password:
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Unmask_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
max_cpus: 0
max_memories: 0
max_tmp_space: 0
resource_group: 0
task_priority: 2
user_limit_storage_size:
user_storage_size: 0
UID: 529422
1 row in set (Elapsed: 00:00:00.00)
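Set the SSL requirement
Use the grant command to set the privilege; the require ssl option makes an SSL connection mandatory for the user. The ssl_type column in the user table is now ANY instead of the default empty value.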
gbase> grant usage on *.* to ssl_user identified by 'ssl' require ssl;
Query OK, 0 rows affected (Elapsed: 00:00:00.01)
gbase> select * from gbase.user where user='ssl_user'\G
*************************** 1. row ***************************
Host: %
User: ssl_user
Password: *035E199C2E188B7300132D5C991D9E002AB5C150
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Unmask_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
ssl_type: ANY
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
max_cpus: 0
max_memories: 0
max_tmp_space: 0
resource_group: 0
task_priority: 2
user_limit_storage_size:
user_storage_size: 0
UID: 529422
1 row in set (Elapsed: 00:00:00.00)
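Login attempt
Because SSL has not been configured, the login fails immediately with an error, even though the username and password are correct.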
[gbase@rh6-1 gcluster]$ gccli -ussl_user -pssl
ERROR 1045 (28000): Access denied for user 'ssl_user'@'localhost' (using password: YES)
[gbase@rh6-1 gcluster]$
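To run the same ssl_type check across all accounts instead of one, the field can be read out of the \G output of gbase.user. The Python below is an added example, not part of the original article: the sample rows are constructed (report_user and etl_user are made-up accounts), and it assumes an empty ssl_type means the account has no SSL requirement, as seen for the newly created user above.

```python
import re

# Constructed sample: trimmed `\G` output of
#   select * from gbase.user
# keeping only the columns this check reads.
# report_user and etl_user are made-up accounts for illustration.
SAMPLE = """\
*************************** 1. row ***************************
Host: %
User: ssl_user
ssl_type: ANY
*************************** 2. row ***************************
Host: %
User: report_user
ssl_type:
*************************** 3. row ***************************
Host: 10.0.0.%
User: etl_user
ssl_type:
3 rows in set (Elapsed: 00:00:00.00)
"""

ROW_MARK = re.compile(r"^\*+ \d+\. row \*+$")   # "***** 1. row *****" separator
FIELD = re.compile(r"^\s*(\w+):\s*(.*)$")        # "Column: value" (value may be empty)


def parse_vertical(text):
    """Split `\\G` output into one dict per row, keyed by column name."""
    rows = []
    for line in text.splitlines():
        if ROW_MARK.match(line.strip()):
            rows.append({})
            continue
        m = FIELD.match(line)
        if m and rows:          # ignore anything before the first row marker
            rows[-1][m.group(1)] = m.group(2).strip()
    return rows


def accounts_without_ssl(rows):
    """Return (User, Host) for every row whose ssl_type is empty."""
    return [(r.get("User", ""), r.get("Host", "")) for r in rows
            if not r.get("ssl_type")]


if __name__ == "__main__":
    for user, host in accounts_without_ssl(parse_vertical(SAMPLE)):
        print(f"no SSL requirement: {user}@{host}")
```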
SSL configuration
Please refer to