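Contents

Password complexity

Changing the default root password

Failed login attempt limit

Re-authentication

Enabling the audit log

Client SSL-encrypted connections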


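Password complexity

Before changing the password policy, first change the existing user passwords so that they comply with the new rules; otherwise, after the restart, the old user passwords can no longer be used to log in.

Edit the coordinator node configuration file gbase_8a_gcluster.cnf (every node must be changed; on a node that is not changed the password policy does not take effect and simple passwords can still be used).
Edit the node configuration file gbase_8a_gbase.cnf (every node must be changed; on a node that is not changed the password policy does not take effect and simple passwords can still be used).

Set the same variables to the same values.

[gbase@VM-8-10-centos gbase]$ cd $GCLUSTER_BASE/config
[gbase@VM-8-10-centos config]$ vi gbase_8a_gcluster.cnf
[gbase@VM-8-10-centos gnode]$ cd $GBASE_BASE/config
[gbase@VM-8-10-centos config]$ vi gbase_8a_gbase.cnf
[gbase@VM-8-10-centos config]$ gcluster_services gcluster restart
gbase> set password for user_1 = password('111');
ERROR 1809 (HY000): Invalid password format,length should > 8 and contain 'number' 'small letter' 'captital letter' 'special character'.

[gbased]

password_format_option = '15'       # must contain digits, lowercase, uppercase and other characters
password_min_length = '8'             # minimum length is 8
password_life_time = '90'               # expires after 90 days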

Changing the default root password

[root@gba01 opt]# su - gbase
$ gccli -uroot
GBase client 9.5.3.17.117651. Copyright (c) 2004-2020, GBase. All Rights Reserved.
gbase> SET PASSWORD FOR root = PASSWORD('H133%_h');

Failed login attempt limit

Once the number of failed attempts is reached, the user is locked and cannot log in; after being unlocked, the account can be used normally.

[gbase@VM-8-10-centos gcluster]$ cd $GCLUSTER_BASE/config
[gbase@VM-8-10-centos config]$ vi gbase_8a_gcluster.cnf
[gbase@VM-8-10-centos config]$ gcluster_services gcluster restart
[gbase@VM-8-10-centos config]$ gccli -uroot -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[gbase@VM-8-10-centos config]$ gccli -uroot -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[gbase@VM-8-10-centos config]$ gccli -uroot -p
Enter password:
ERROR 1825 (HY000): Access denied for user 'root'@'%'. Account is locked.

[gbased]
login_attempt_max = '3'

Unlocking a user

[gbase@VM-8-10-centos gbase]$ gccli -ugbase -p
gbase> alter user root identified by 'gBase20333333#';
Query OK, 0 rows affected (Elapsed: 00:00:00.01)
gbase> alter user root account unlock;
Query OK, 0 rows affected (Elapsed: 00:00:00.00)

Re-authentication

After 10 minutes of idle time the user has to log in again.

Edit the configuration file gbase_8a_gcluster.cnf on every coordinator node.
Edit the configuration file gbase_8a_gbase.cnf on every node.

[gbase@VM-8-10-centos gbase]$ cd $GCLUSTER_BASE/config
[gbase@VM-8-10-centos config]$ vi gbase_8a_gcluster.cnf
[gbase@VM-8-10-centos gnode]$ cd $GBASE_BASE/config
[gbase@VM-8-10-centos config]$ vi gbase_8a_gbase.cnf
[gbase@VM-8-10-centos config]$ gcluster_services gcluster restart

[gbased]

interactive_timeout  = 600     # in seconds; this parameter is enabled by default, default value 1000000

wait_timeout = 600                # in seconds; this parameter is enabled by default, default value 1000000
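
The password-complexity and re-authentication settings above only protect the cluster if every node carries the same values. The following shell script is an added example, not part of the original article: it compares the variables set on this page across the [gbased] sections of several cnf files and reports missing or differing values. The function names, the per-node directory layout and the sample values are constructed; login_attempt_max is checked only in gbase_8a_gcluster.cnf because that is the only file the page sets it in.

```shell
#!/bin/sh
# Added example: detect drift of this page's hardening variables across cnf files.
POLICY_VARS="password_format_option password_min_length password_life_time interactive_timeout wait_timeout"

# Print name=value for each setting in the [gbased] section of one cnf file,
# with inline comments, surrounding blanks and quotes stripped.
gbased_settings() {
  awk -v q="'" '
    /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[gbased\]/); next }
    !in_sec || /^[ \t]*(#|;|$)/ { next }
    {
      line = $0
      sub(/[ \t]*#.*$/, "", line)
      eq = index(line, "=")
      if (eq == 0) next
      name = substr(line, 1, eq - 1); val = substr(line, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub("^[" q "\"]|[" q "\"]$", "", val)
      print name "=" val
    }' "$1"
}

# check_drift "VAR ..." FILE...
# Prints one line per finding; exit status 1 if anything is missing or differs.
# The first file that defines a variable is the reference for the others.
check_drift() {
  vars=$1; shift
  bad=0
  for var in $vars; do
    ref=""; ref_file=""
    for f in "$@"; do
      val=$(gbased_settings "$f" | awk -F= -v n="$var" '$1 == n { v = $2 } END { print v }')
      if [ -z "$val" ]; then
        echo "MISSING  $var in $f"; bad=1
      elif [ -z "$ref" ]; then
        ref=$val; ref_file=$f
      elif [ "$val" != "$ref" ]; then
        echo "MISMATCH $var: $f=$val, $ref_file=$ref"; bad=1
      fi
    done
  done
  return $bad
}

# Constructed sample file: mk_cnf FILE MIN_LEN IDLE_SECONDS [LOGIN_ATTEMPT_MAX]
mk_cnf() {
  mkdir -p "${1%/*}"
  {
    echo "[client]"
    echo "wait_timeout = 1        # outside [gbased], must be ignored"
    echo "[gbased]"
    echo "password_format_option = '15'   # digits, lower, upper, other"
    echo "password_min_length = '$2'"
    echo "password_life_time = '90'"
    echo "interactive_timeout = $3"
    echo "wait_timeout = $3"
    if [ -n "${4:-}" ]; then echo "login_attempt_max = '$4'"; fi
  } > "$1"
}

# Four constructed nodes: coord2 lacks login_attempt_max, node2 was never updated.
demo() {
  d=$(mktemp -d)
  mk_cnf "$d/coord1/gbase_8a_gcluster.cnf" 8 600 3
  mk_cnf "$d/coord2/gbase_8a_gcluster.cnf" 8 600
  mk_cnf "$d/node1/gbase_8a_gbase.cnf"     8 600
  mk_cnf "$d/node2/gbase_8a_gbase.cnf"     6 1000000
  rc=0
  check_drift "$POLICY_VARS" "$d"/*/gbase_8a_*.cnf || rc=1
  check_drift "login_attempt_max" "$d"/*/gbase_8a_gcluster.cnf || rc=1
  rm -rf "$d"
  return $rc
}

demo || echo "drift detected: fix the files listed above before restarting"
```

On a real cluster, copy each node's cnf files into one directory per node and pass them to check_drift in place of the demo files.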

Enabling the audit log

gbase> set global audit_log = 1 ;
gbase> set global log_output = 'table';

Create an audit policy

gbase> CREATE AUDIT POLICY audit_policy_1 ( Enable = 'Y');
Query OK, 0 rows affected (Elapsed: 00:00:00.01)
gbase> \q
Bye
[gbase@VM-8-10-centos gbase]$ gccli -uroot -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[gbase@VM-8-10-centos gbase]$ gccli -uroot -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
[gbase@VM-8-10-centos gbase]$ gccli -uroot -p
Enter password:
ERROR 1825 (HY000): Access denied for user 'root'@'%'. Account is locked.
[gbase@VM-8-10-centos gbase]$ gccli -ugbase -p
Enter password:
gbase> SELECT start_time,user_host,query_time,rows, LEFT(sql_text, 30), conn_type FROM gbase.audit_log;
gbase> SELECT * FROM gbase.audit_log;
+-----------+--------+---------------------+---------------------+-----------------------------+-----+-------+-----------+-----------------+------+---------+----+--------------------------------------------------------+--------------------------------------------------------------------------+----------+-------------+-----------+---------+-----------+
| thread_id | taskid | start_time          | end_time            | user_host                   | uid | user  | host_ip   | query_time      | rows | vc_id   | db | table_list                                             | sql_text                                                                 | sql_type | sql_command | operators | status  | conn_type |
+-----------+--------+---------------------+---------------------+-----------------------------+-----+-------+-----------+-----------------+------+---------+----+--------------------------------------------------------+--------------------------------------------------------------------------+----------+-------------+-----------+---------+-----------+
|        95 |      0 | 2022-10-31 22:47:27 | 2022-10-31 22:47:27 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000122 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | CREATE GCLUSTER_LOCAL AUDIT POLICY "audit_policy_1" (Enable='Y',User='') | DDL      | OTHERS      |           | SUCCESS | CAPI      |
|        94 | 131152 | 2022-10-31 22:47:27 | 2022-10-31 22:47:27 | gbase[gbase] @ localhost [] |   2 | gbase |           | 00:00:00.002588 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | CREATE AUDIT POLICY audit_policy_1 ( Enable = 'Y',User = '' )            | DDL      | OTHERS      |           | SUCCESS | ODBC      |
|        94 |      0 | 2022-10-31 22:47:31 | 2022-10-31 22:47:31 | gbase[gbase] @ localhost [] |   2 | gbase |           | 00:00:00.000006 |    0 | vc00003 |    |                                                        | Quit                                                                     | OTHERS   | Quit        |           | SUCCESS | ODBC      |
|        95 |      0 | 2022-10-31 22:47:31 | 2022-10-31 22:47:31 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000003 |    0 | vc00003 |    |                                                        | Quit                                                                     | OTHERS   | Quit        |           | SUCCESS | CAPI      |
|        97 |      0 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000467 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | SUCCESS | CAPI      |
|        98 |      0 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000433 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | SUCCESS | CAPI      |
|        98 |      0 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000126 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | set  self gcluster_lock_timeout=0, gbase_fast_update=0                   | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|        98 | 131155 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000160 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | SET character_set_results = utf8mb4                                      | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|        98 |      0 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000066 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | SET SELF SCN = 0                                                         | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|        98 |      0 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000154 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | ALTER GCLUSTER_LOCAL USER "root"@"%" ACCOUNT ADD                         | DDL      | OTHERS      |           | SUCCESS | CAPI      |
|        97 | 131154 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.007139 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | alter user "root"@"%" account add                                        | DDL      | OTHERS      |           | SUCCESS | CAPI      |
|        97 |      0 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000001 |    0 | vc00003 |    |                                                        | Quit                                                                     | OTHERS   | Quit        |           | SUCCESS | CAPI      |
|        96 |      0 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | [root] @ localhost []       |   0 | root  |           | 00:00:00.013624 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | FAILED  | ODBC      |
|        98 |      0 | 2022-10-31 22:47:35 | 2022-10-31 22:47:35 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000001 |    0 | vc00003 |    |                                                        | Quit                                                                     | OTHERS   | Quit        |           | SUCCESS | CAPI      |
|       100 |      0 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000440 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | SUCCESS | CAPI      |
|       101 |      0 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000467 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | SUCCESS | CAPI      |
|       101 |      0 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000125 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | set  self gcluster_lock_timeout=0, gbase_fast_update=0                   | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|       101 | 131157 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000148 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | SET character_set_results = utf8mb4                                      | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|       101 |      0 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000080 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | SET SELF SCN = 0                                                         | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|       101 |      0 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000174 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | ALTER GCLUSTER_LOCAL USER "root"@"%" ACCOUNT ADD                         | DDL      | OTHERS      |           | SUCCESS | CAPI      |
|       100 | 131156 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.007594 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | alter user "root"@"%" account add                                        | DDL      | OTHERS      |           | SUCCESS | CAPI      |
|       100 |      0 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000001 |    0 | vc00003 |    |                                                        | Quit                                                                     | OTHERS   | Quit        |           | SUCCESS | CAPI      |
|        99 |      0 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | [root] @ localhost []       |   0 | root  |           | 00:00:00.009110 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | FAILED  | ODBC      |
|       101 |      0 | 2022-10-31 22:47:39 | 2022-10-31 22:47:39 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000002 |    0 | vc00003 |    |                                                        | Quit                                                                     | OTHERS   | Quit        |           | SUCCESS | CAPI      |
|       103 |      0 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000436 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | SUCCESS | CAPI      |
|       104 |      0 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000443 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | SUCCESS | CAPI      |
|       104 |      0 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000125 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | set  self gcluster_lock_timeout=0, gbase_fast_update=0                   | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|       104 | 131159 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000137 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | SET character_set_results = utf8mb4                                      | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|       104 |      0 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000064 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | SET SELF SCN = 0                                                         | OTHERS   | OTHERS      |           | SUCCESS | CAPI      |
|       104 |      0 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000151 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | ALTER GCLUSTER_LOCAL USER "root"@"%" ACCOUNT ADD                         | DDL      | OTHERS      |           | SUCCESS | CAPI      |
|       103 | 131158 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.007557 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: ;                              | alter user "root"@"%" account add                                        | DDL      | OTHERS      |           | SUCCESS | CAPI      |
|       103 |      0 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000001 |    0 | vc00003 |    |                                                        | Quit                                                                     | OTHERS   | Quit        |           | SUCCESS | CAPI      |
|       102 |      0 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | [root] @ localhost []       |   0 | root  |           | 00:00:00.009166 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | FAILED  | ODBC      |
|       104 |      0 | 2022-10-31 22:47:40 | 2022-10-31 22:47:40 | gbase[gbase] @  [10.0.8.10] |   2 | gbase | 10.0.8.10 | 00:00:00.000002 |    0 | vc00003 |    |                                                        | Quit                                                                     | OTHERS   | Quit        |           | SUCCESS | CAPI      |
|       105 |      0 | 2022-10-31 22:47:56 | 2022-10-31 22:47:56 | gbase[gbase] @ localhost [] |   2 | gbase |           | 00:00:00.000612 |    0 |         |    |                                                        | Connect                                                                  | OTHERS   | Connect     |           | SUCCESS | ODBC      |
|       105 | 131160 | 2022-10-31 22:48:04 | 2022-10-31 22:48:04 | gbase[gbase] @ localhost [] |   2 | gbase |           | 00:00:00.006332 |    0 | vc00003 |    | WRITE: ; READ: `vc00003`.`gbse`.`audit_log`; OTHER: ;  | select * from gbse.audit_log                                             | DQL      | SELECT      |           | FAILED  | ODBC      |
+-----------+--------+---------------------+---------------------+-----------------------------+-----+-------+-----------+-----------------+------+---------+----+--------------------------------------------------------+--------------------------------------------------------------------------+----------+-------------+-----------+---------+-----------+
36 rows in set (Elapsed: 00:00:00.00)
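
The three FAILED Connect rows for root in the output above are the audit trail of the lockout. The following shell/awk filter is an added example, not part of the original article: it reads table output in the format shown above, locates columns by header name, and lists users whose failed Connect count reaches a threshold (3 matches the login_attempt_max value used on this page). The sample rows are constructed with a reduced column set, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count FAILED Connect rows per user in gbase.audit_log table output.

# failed_logins THRESHOLD < table_output
# Prints: user <TAB> failures <TAB> first_seen <TAB> last_seen
failed_logins() {
  awk -F'|' -v min="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Columns to the right of sql_text are addressed from the right-hand end of
    # the row, because sql_text is user-supplied and may itself contain "|".
    function cell(name,   i) {
      i = col[name]
      if (i > col["sql_text"]) i = NF - (hdr_nf - i)
      return trim($i)
    }
    !/^\|/ { next }                       # borders, prompts, "N rows in set"
    !hdr_nf {                             # first "|" row is the header
      for (i = 2; i < NF; i++) col[trim($i)] = i
      hdr_nf = NF
      next
    }
    cell("sql_command") == "Connect" && cell("status") == "FAILED" {
      u = cell("user"); t = cell("start_time")
      if (!(u in n)) { first[u] = t; order[++users] = u }
      n[u]++; last[u] = t
    }
    END {
      for (k = 1; k <= users; k++) {
        u = order[k]
        if (n[u] >= min) printf "%s\t%d\t%s\t%s\n", u, n[u], first[u], last[u]
      }
    }'
}

# Constructed sample, modelled on the columns shown above (subset of columns).
# Row 105 carries "|" inside sql_text; a parser that counts columns from the
# left would misread it as a failed login by gbase.
sample_audit_rows() {
  cat <<'EOF'
+-----------+---------------------+-------+-----------------------------+-------------+---------+-----------+
| thread_id | start_time          | user  | sql_text                    | sql_command | status  | conn_type |
+-----------+---------------------+-------+-----------------------------+-------------+---------+-----------+
|        96 | 2022-10-31 22:47:35 | root  | Connect                     | Connect     | FAILED  | ODBC      |
|        97 | 2022-10-31 22:47:35 | gbase | Connect                     | Connect     | SUCCESS | CAPI      |
|        99 | 2022-10-31 22:47:39 | root  | Connect                     | Connect     | FAILED  | ODBC      |
|       102 | 2022-10-31 22:47:40 | root  | Connect                     | Connect     | FAILED  | ODBC      |
|       105 | 2022-10-31 22:48:04 | gbase | select 1 | Connect | FAILED | SELECT      | SUCCESS | ODBC      |
|       110 | 2022-10-31 22:50:00 | etl   | Connect                     | Connect     | FAILED  | CAPI      |
+-----------+---------------------+-------+-----------------------------+-------------+---------+-----------+
6 rows in set (Elapsed: 00:00:00.00)
EOF
}

sample_audit_rows | failed_logins 3
```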

Clearing the audit log

gbase> TRUNCATE SELF gbase.audit_log;
Query OK, 0 rows affected (Elapsed: 00:00:00.00)
gbase> select * from gbase.audit_log;
+-----------+--------+---------------------+---------------------+-----------------------------+-----+-------+---------+-----------------+------+---------+----+---------------------------------------------------------+-------------------------------+----------+-------------+-----------+---------+-----------+
| thread_id | taskid | start_time          | end_time            | user_host                   | uid | user  | host_ip | query_time      | rows | vc_id   | db | table_list                                              | sql_text                      | sql_type | sql_command | operators | status  | conn_type |
+-----------+--------+---------------------+---------------------+-----------------------------+-----+-------+---------+-----------------+------+---------+----+---------------------------------------------------------+-------------------------------+----------+-------------+-----------+---------+-----------+
|       105 |      0 | 2022-10-31 22:52:17 | 2022-10-31 22:52:17 | gbase[gbase] @ localhost [] |   2 | gbase |         | 00:00:00.000603 |    0 | vc00003 |    | WRITE: ; READ: ; OTHER: `vc00000`.`gbase`.`audit_log`;  | TRUNCATE SELF gbase.audit_log | DDL      | TRUNCATE    |           | SUCCESS | ODBC      |
+-----------+--------+---------------------+---------------------+-----------------------------+-----+-------+---------+-----------------+------+---------+----+---------------------------------------------------------+-------------------------------+----------+-------------+-----------+---------+-----------+
1 row in set (Elapsed: 00:00:00.00)

Audit log high availability

Once auditing is enabled, audit records are stored in the audit_log table by default. audit_log holds the log for the current period, so historical records need to be dumped periodically into the audit_log_express table; here they are dumped once every 60 minutes.

When creating this event, run the creation once on every gcluster node, and do not give the events the same name.

gbase> use test;
Query OK, 0 rows affected (Elapsed: 00:00:00.00)
gbase> show events \G;
Empty set (Elapsed: 00:00:00.00)
[gbase@h4 opt]$ vi /opt/audit.sql
[gbase@h4 opt]$ gccli -uroot -p -D test < /opt/audit.sql

Contents of /opt/audit.sql:

delimiter //
CREATE EVENT import_audit_log
ON SCHEDULE EVERY 60 MINUTE
ON COMPLETION NOT PRESERVE
ENABLE
LOCAL
DO
begin
  declare errno int;
  declare msg text;
  -- on any SQL error, record it in import_audit_log_errors and leave the event body
  declare exit handler for sqlexception
  begin
    get diagnostics condition 1 errno = gbase_errno, msg = message_text;
    create table if not exists import_audit_log_errors(
      err_time datetime,
      hostname varchar(64),
      err_no int,
      msg_txt varchar(1024)
    ) CHARSET=utf8mb4;
    insert into import_audit_log_errors values (now(), @@hostname, errno, substr(msg, 0, 1024));
  end;
  -- archive table that receives the historical audit records
  create table if not exists audit_log_express (
    hostname varchar(64),
    thread_id int,
    taskid bigint,
    start_time datetime,
    uid bigint,
    user varchar(16),
    host_ip varchar(32),
    query_time time,
    rows bigint,
    table_list varchar(4096),
    sql_text varchar(8191),
    sql_type varchar(16),
    sql_command varchar(32),
    operators varchar(256),
    status varchar(16),
    conn_type varchar(16)
  ) CHARSET=utf8mb4;
  set self sql_mode = '';
  create self table gbase.audit_log_bak2 like gbase.audit_log;
  set self sql_mode = default;
  rename self table gbase.audit_log to gbase.audit_log_bak1,   -- not sure why, but after the rename the data is not there, so it is inserted once more below
    gbase.audit_log_bak2 to gbase.audit_log;
  repair table gbase.audit_log;
  insert into gbase.audit_log_bak1 select * from gbase.audit_log;
  set _gbase_query_path = on;
  insert into audit_log_express select
    @@hostname as hostname,
    thread_id,
    taskid,
    start_time,
    uid,
    user,
    host_ip,
    query_time,
    rows,
    substr(table_list, 0, 4096),
    substr(sql_text, 0, 8191),
    sql_type,
    sql_command,
    operators,
    status,
    conn_type
  from gbase.audit_log_bak1;
  drop self table gbase.audit_log_bak1;
end//
delimiter ;
[gbase@h4 opt]$ gccli -uroot -p
gbase> use test;
gbase> show events;
+--------------+------------------------------------------------------------------+------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+------------+----------------+----------------+---------------------+------+---------+--------------+----------------------+----------------------+--------------------+
| Vc           | Db                                                               | Name                                                             | Definer                                                                                                                                                                                           | Time zone | Type      | Execute at | Interval value | Interval field | Starts              | Ends | Status  | Execute mode | character_set_client | collation_connection | Database Collation |
+--------------+------------------------------------------------------------------+------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+------------+----------------+----------------+---------------------+------+---------+--------------+----------------------+----------------------+--------------------+
| vcname000002 | test                                                             | import_audit_log                                                 | root@%                                                                                                                                                                                            | +08:00    | RECURRING | NULL       | 60             | MINUTE         | 2022-12-17 00:31:18 | NULL | ENABLED |            0 | utf8                 | utf8_general_ci      | utf8_general_ci    |
+--------------+------------------------------------------------------------------+------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+------------+----------------+----------------+---------------------+------+---------+--------------+----------------------+----------------------+--------------------+
1 row in set (Elapsed: 00:00:00.00)

Client SSL-encrypted connections

Generate the server and client certificate files

[root@hw-00 gcinstall]# su - root
[root@hw-00 gcinstall]# mkdir -p /usr/local/ssl
[root@hw-00 gcinstall]# cd /usr/local/ssl/
[root@hw-00 ssl]# openssl req -sha1 -new -x509 -nodes -days 3650 -keyout ca-key.pem >ca-cert.pem
[root@hw-00 ssl]# openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
[root@hw-00 ssl]# openssl rsa -in server-key.pem -out server-key.pem
[root@hw-00 ssl]# openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
Signature ok
subject=/C=11/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1
Getting CA Private Key
[root@hw-00 ssl]# openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
[root@hw-00 ssl]# openssl rsa -in client-key.pem -out client-key.pem
[root@hw-00 ssl]# openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
Signature ok
subject=/C=11/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1
Getting CA Private Key
[root@hw-00 ssl]# ll
-rw-r--r-- 1 root root 1285 Nov 14 18:14 ca-cert.pem
-rw-r--r-- 1 root root 1708 Nov 14 18:14 ca-key.pem
-rw-r--r-- 1 root root 1159 Nov 14 18:22 client-cert.pem
-rw-r--r-- 1 root root 1679 Nov 14 18:21 client-key.pem
-rw-r--r-- 1 root root 1041 Nov 14 18:21 client-req.pem
-rw-r--r-- 1 root root 1159 Nov 14 18:19 server-cert.pem
-rw-r--r-- 1 root root 1679 Nov 14 18:18 server-key.pem
-rw-r--r-- 1 root root 1041 Nov 14 18:16 server-req.pem
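
The session above signs with -sha1, gives the server and client certificates the same serial (01) and subject, and leaves the private keys at mode 644. The following shell script is an added example, not part of the original article: make_pki produces the same file names with SHA-256 signatures, distinct serials and subjects and owner-only keys, and audit_pki checks an existing directory for those four properties. The function names and subject names are constructed, and it is assumed that the GBase build accepts SHA-256-signed certificates.

```shell
#!/bin/sh
# Added example: regenerate and audit the certificate set used on this page.

# make_pki DIR: CA, server and client key pairs, same file names as above.
make_pki() (
  umask 077                                   # keys readable by the owner only
  mkdir -p "$1" && cd "$1" || exit 1
  openssl req -new -x509 -sha256 -nodes -newkey rsa:2048 -days 3650 \
    -subj "/CN=gbase-example-ca" \
    -keyout ca-key.pem -out ca-cert.pem 2>/dev/null || exit 1
  serial=1
  for role in server client; do
    serial=$((serial + 1))                    # one serial per certificate
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
      -subj "/CN=gbase-example-$role" \
      -keyout "$role-key.pem" -out "$role-req.pem" 2>/dev/null || exit 1
    openssl x509 -req -sha256 -days 730 -in "$role-req.pem" \
      -CA ca-cert.pem -CAkey ca-key.pem -set_serial "$serial" \
      -out "$role-cert.pem" 2>/dev/null || exit 1
  done
  chmod 644 ca-cert.pem server-cert.pem client-cert.pem   # certificates are public
  # On a real host server-key.pem must be owned by the account that runs the
  # database (gbase on this page) so that it can stay at mode 600.
)

# audit_pki DIR: prints one line per finding, exit status 1 if any.
audit_pki() {
  dir=$1; bad=0
  for role in server client; do
    crt="$dir/$role-cert.pem"
    if ! openssl verify -CAfile "$dir/ca-cert.pem" "$crt" >/dev/null 2>&1; then
      echo "CHAIN  $crt does not verify against ca-cert.pem"; bad=1
    fi
    if openssl x509 -in "$crt" -noout -text 2>/dev/null |
       grep -Eq 'Signature Algorithm: (sha1|md5)'; then
      echo "HASH   $crt is signed with SHA-1 or MD5"; bad=1
    fi
  done
  for key in "$dir"/*-key.pem; do
    case $(ls -l "$key") in
      -rw-------*|-r--------*) ;;
      *) echo "PERM   $key is accessible to group or others"; bad=1 ;;
    esac
  done
  s1=$(openssl x509 -in "$dir/server-cert.pem" -noout -serial 2>/dev/null)
  s2=$(openssl x509 -in "$dir/client-cert.pem" -noout -serial 2>/dev/null)
  if [ "$s1" = "$s2" ]; then
    echo "SERIAL server and client certificates share $s1"; bad=1
  fi
  return $bad
}

# Stand-alone run in a throwaway directory.
demo_dir=$(mktemp -d)
if make_pki "$demo_dir" && audit_pki "$demo_dir"; then
  echo "generated certificate set passes the audit"
fi
rm -rf "$demo_dir"
```

Running audit_pki against the /usr/local/ssl directory created above lists what to fix there.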

Server-side configuration

[root@hw-00 ~]# vi /opt/gbase/192.168.0.92/gcluster/config/gbase_8a_gcluster.cnf

[gbased]

ssl-ca=/usr/local/ssl/ca-cert.pem
ssl-cert=/usr/local/ssl/server-cert.pem
ssl-key=/usr/local/ssl/server-key.pem

Restart the cluster and verify that the configuration took effect

[root@hw-00 ~]# su - gbase
Last login: Mon Nov 14 18:10:52 CST 2022 from 192.168.0.92 on pts/2
[gbase@hw-00 ~]$ gcluster_services all restart
[gbase@hw-00 ~]$ gccli -uroot -p
gbase> show variables like 'have_%ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
2 rows in set (Elapsed: 00:00:00.00)

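Client-side configuration

If there is a separate client machine, copy the ca-cert.pem, client-req.pem, client-key.pem and client-cert.pem generated on the server to /usr/local/ssl on the client. Here the client and the server are the same machine, so nothing needs to be copied; just edit the configuration file.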

[gbase@hw-00 ~]$ vi /opt/gbase/192.168.0.92/gcluster/config/gbase_8a_gcluster.cnf

[client]

ssl-ca=/usr/local/ssl/ca-cert.pem
ssl-cert=/usr/local/ssl/client-cert.pem
ssl-key=/usr/local/ssl/client-key.pem

Verify over a remote connection that SSL is enabled

[gbase@hw-00 ~]$ gccli -h 123.249.11.137 -ugbase -pgba20*****
gbase> status
--------------
Connection id:      11
Current database:
Current user:       gbase@123.249.11.137
SSL:            Cipher in use is DHE-RSA-AES256-SHA
TCP port:       5258
Uptime:         Elapsed: 00:16:29.00

Threads: 3  Questions: 11  Slow queries: 0  Opens: 28  Flush tables: 1  Open tables: 21  Queries per second avg: 0.11
--------------
