南大通用GBase 8a集群SSL配置-强制用户用SSL

GBase 8a支持数据库用户通过require ssl参数,强制必须使用SSL连接数据库,本文介绍其方法。

创建用户

查看其中的ssl_type, 看到是空的。

gbase> create user ssl_user identified by 'ssl';
Query OK, 0 rows affected (Elapsed: 00:00:00.02)


gbase> select * from gbase.user where user='ssl_user'\G
*************************** 1. row ***************************
                   Host: %
                   User: ssl_user
               Password:
            Select_priv: N
            Insert_priv: N
            Update_priv: N
            Delete_priv: N
            Create_priv: N
              Drop_priv: N
            Reload_priv: N
          Shutdown_priv: N
           Process_priv: N
              File_priv: N
             Grant_priv: N
        References_priv: N
             Index_priv: N
             Alter_priv: N
           Show_db_priv: N
             Super_priv: N
  Create_tmp_table_priv: N
       Lock_tables_priv: N
           Execute_priv: N
        Repl_slave_priv: N
            Unmask_priv: N
       Create_view_priv: N
         Show_view_priv: N
    Create_routine_priv: N
     Alter_routine_priv: N
       Create_user_priv: N
             Event_priv: N
           Trigger_priv: N
               ssl_type:
             ssl_cipher:
            x509_issuer:
           x509_subject:
          max_questions: 0
            max_updates: 0
        max_connections: 0
   max_user_connections: 0
               max_cpus: 0
           max_memories: 0
          max_tmp_space: 0
         resource_group: 0
          task_priority: 2
user_limit_storage_size:
      user_storage_size: 0
                    UID: 529422
1 row in set (Elapsed: 00:00:00.00)

设置SSL要求

通过grant 命令,设置权限,require ssl参数要求必须用ssl连接。查看user表的ssl_type变成了ANY,而不是默认的空。

gbase> grant usage on *.* to ssl_user identified by 'ssl' require ssl;

Query OK, 0 rows affected (Elapsed: 00:00:00.01)

gbase> select * from gbase.user where user='ssl_user'\G
*************************** 1. row ***************************
                   Host: %
                   User: ssl_user
               Password: *035E199C2E188B7300132D5C991D9E002AB5C150
            Select_priv: N
            Insert_priv: N
            Update_priv: N
            Delete_priv: N
            Create_priv: N
              Drop_priv: N
            Reload_priv: N
          Shutdown_priv: N
           Process_priv: N
              File_priv: N
             Grant_priv: N
        References_priv: N
             Index_priv: N
             Alter_priv: N
           Show_db_priv: N
             Super_priv: N
  Create_tmp_table_priv: N
       Lock_tables_priv: N
           Execute_priv: N
        Repl_slave_priv: N
            Unmask_priv: N
       Create_view_priv: N
         Show_view_priv: N
    Create_routine_priv: N
     Alter_routine_priv: N
       Create_user_priv: N
             Event_priv: N
           Trigger_priv: N
               ssl_type: ANY
             ssl_cipher:
            x509_issuer:
           x509_subject:
          max_questions: 0
            max_updates: 0
        max_connections: 0
   max_user_connections: 0
               max_cpus: 0
           max_memories: 0
          max_tmp_space: 0
         resource_group: 0
          task_priority: 2
user_limit_storage_size:
      user_storage_size: 0
                    UID: 529422
1 row in set (Elapsed: 00:00:00.00)

登录尝试

因为并没有配置ssl,所以直接报错,虽然用户名和密码是对的。

[gbase@rh6-1 gcluster]$ gccli -ussl_user -pssl
ERROR 1045 (28000): Access denied for user 'ssl_user'@'localhost' (using password: YES)
[gbase@rh6-1 gcluster]$

查看当前用户SSL登录情况status

gbase> status;
--------------
/opt/gccli_install/gcluster/server/bin/gbase ver 9.5.3.27.88ef4e28, for redhat-linux (x86_64) using readline 6.3

Connection id:          3525
Current database:       gbase
Current user:           root@60.30.204.30
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         9.5.3.15.122811
Protocol version:       10
Connection:             101.200.58.199 via TCP/IP
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               5258
Uptime:                 Elapsed: 422:36:52.00

Threads: 10  Questions: 5779  Slow queries: 0  Opens: 42  Flush tables: 1  Open tables: 26  Queries per second avg: 0.3
--------------

SSL配置

请参考

GBase 8a集群SSL配置-集群配置部分
GBase 8a集群SSL配置-客户端gccli