KingbaseES V8R6 Cluster Operations Case: Restricting Client Access to the Database with sys_hba.conf

Case description:
Clients connecting to a KingbaseES database must be authenticated. sys_hba.conf acts as the authentication allow/deny list: by configuring it you can permit or refuse client access to the database server. This article walks through sys_hba.conf configurations that show how access to the cluster is restricted in common production scenarios.

How sys_hba.conf works:

  • Client authentication is controlled by a configuration file (conventionally named sys_hba.conf and stored in the database cluster directory); HBA stands for host-based authentication.
  • When initdb initializes the data directory, it installs a default sys_hba.conf.
  • The file consists of a set of records, one per line. Blank lines are ignored, as is any text after the # comment character. A record cannot span lines.
  • Each record specifies a connection type, a client IP address range (where relevant to the connection type), a database name, a user name, and the authentication method used for connections that match those parameters. The first record that matches the connection type, client address, requested database and user name is used to perform the authentication.
  • Once a record has been selected, a failed authentication does not cause later records to be considered. If no record matches, access is denied.

Applicable version:
KingbaseES V8R6

Cluster node information:

[kingbase@node101 bin]$ cat /etc/hosts
192.168.1.101   node101
192.168.1.102   node102
192.168.1.103   node103

 ID | Name  | Role    | Status    | Upstream | repmgrd | PID   | Paused? | Upstream last seen
----+-------+---------+-----------+----------+---------+-------+---------+--------------------
 1  | node1 | primary | * running |          | running | 25483 | no      | n/a
 2  | node2 | standby |   running | node1    | running | 21974 | no      | 1 second(s) ago

Case one:
Refuse client logins over the local Unix socket and over 127.0.0.1, so that login is possible only over TCP/IP via the host's own IP address:
1) sys_hba.conf configuration

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     reject
# IPv4 local connections:
host    all             all             127.0.0.1/32             reject
host    all             all             192.168.1.101/32         scram-sha-256
host    all             all             0.0.0.0/0                scram-sha-256

2) Log in after reloading the database service
As shown below, the local socket and 127.0.0.1 connections are rejected, while connecting through the local IP address succeeds.

[kingbase@node101 bin]$ ./ksql -h 192.168.1.101 -U system test
ksql (V8.0)
Type "help" for help.


[kingbase@node101 bin]$ ./ksql -h 127.0.0.1 -U system test
ksql: error: could not connect to server: FATAL:  no sys_hba.conf entry for host "127.0.0.1", user "system", database "test", SSL off

[kingbase@node101 bin]$ ./ksql -U system test
ksql: error: could not connect to server: FATAL:  no sys_hba.conf entry for host "[local]", user "system", database "test", SSL off

Case two:
Allow only the primary and standby nodes to access the database service:

1) sys_hba.conf configuration

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32               scram-sha-256
host    all             all             192.168.1.101/32           scram-sha-256
host    all             all              192.168.1.102/32           scram-sha-256
#host    all             all        0.0.0.0/0                      scram-sha-256
--- As shown above, the specified IPs (192.168.1.101/32, 192.168.1.102/32) may access the local database service; with the (0.0.0.0/0) record commented out, all other clients are denied access to the local database service by default.

2) Log in after reloading the database service
As shown below, both the connection via the local IP address and the connection from the remote client succeed:

# Connection to the database from this node
[kingbase@node101 bin]$ ./ksql -h 192.168.1.101 -U system test
ksql (V8.0)
Type "help" for help.

test=# 

# Connection to the database from the remote node

[kingbase@node102 bin]$ ./ksql -h 192.168.1.101 -U system test
ksql (V8.0)
Type "help" for help.

test=#

Case three:
Refuse all client access to the database over TCP/IP:
1) sys_hba.conf configuration

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
#host    all            all             0.0.0.0/0               scram-sha-256
host    all             all             192.168.1.0/24            scram-sha-256
host    all             all            0.0.0.0/0                 reject

--- As shown above, a reject entry for (0.0.0.0/0) is added, even though entries allowing specific client IPs appear before the entry that rejects all clients.

2) Log in after reloading the database service
As shown below, login over the local socket succeeds, while TCP/IP connections fail (including those from clients that sys_hba.conf allows):

[kingbase@node101 bin]$ ./ksql -U system test
ksql (V8.0)
Type "help" for help.

test=#

[kingbase@node101 bin]$ ./ksql -h 127.0.0.1 -U system test
ksql: error: could not connect to server: FATAL:  no sys_hba.conf entry for host "127.0.0.1", user "system", database "test", SSL off

[kingbase@node101 bin]$ ./ksql -h 192.168.1.101 -U system test
ksql: error: could not connect to server: FATAL:  no sys_hba.conf entry for host "192.168.1.101", user "system", database "test", SSL off

Access from the remote node: (192.168.1.102/24)

[kingbase@node102 bin]$ ./ksql -h 192.168.1.101 -U system test
ksql: error: could not connect to server: FATAL:  no sys_hba.conf entry for host "192.168.1.102", user "system", database "test", SSL off

Case four: a designated node accesses the database as user system

Case description: user system may connect from a designated node; from all other nodes, user system is not allowed to connect:

1) Database user information

test=# \du+
                                          List of roles
 Role name |                         Attributes                         | Member of | Description
-----------+------------------------------------------------------------+-----------+-------------
 kcluster  | Cannot login                                               | {}        |
 rose      |                                                            | {}        |
 sao       | No inheritance                                             | {}        |
 sso       | No inheritance                                             | {}        |
 system    | Superuser, Create role, Create DB, Replication, Bypass RLS | {}        |
 tom       |                                                            | {}        |

2) sys_hba.conf configuration

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
host    all             system          192.168.1.202/32        scram-sha-256
host    all             tom,rose        0.0.0.0/0               scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
host    all             all             ::0/0                   scram-sha-256
# Allow replication connections from localhost, by a user with the replication privilege
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256

3) Test

As shown below, the designated node connects as user system.

Node 192.168.1.202 connecting as user system:

[kingbase@node202 bin]$ ./ksql -h 192.168.1.201 -U system test -p 64325
Type "help" for help.

test=# 
[kingbase@node202 bin]$ ./ksql -h 192.168.1.201 -U tom test -p 64325
Password for user tom:
Type "help" for help.

test=> 

Node 192.168.1.203 (user system is refused):

# user system is refused
[kingbase@node203 bin]$ ./ksql -h 192.168.1.201 -U system test -p 64325
ksql: error: could not connect to server: FATAL:  no sys_hba.conf entry for host "192.168.1.203", user "system", database "test", SSL off

# other users can still connect
[kingbase@node203 bin]$ ./ksql -h 192.168.1.201 -U tom test -p 64325
Password for user tom:
Type "help" for help.

test=>

Case five:
Configuring (0.0.0.0/0) reject in PostgreSQL's pg_hba.conf:

1) pg_hba.conf configuration

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
host    all             all             192.168.1.101/32         trust
host    all             all             0.0.0.0/0                reject
#host    all             all             0.0.0.0/0                trust

2) Log in after reloading the database service
As shown below, connecting via the local IP address succeeds, while access from the remote node is refused (pg_hba.conf has no entry corresponding to the remote client).

# Access to the database from the local node (192.168.1.101/24)
[postgres@node101 bin]$ ./psql -h 127.0.0.1
psql (14.2)
Type "help" for help.

[postgres@node101 bin]$ ./psql -h 192.168.1.101
Password for user postgres:
psql (14.2)
Type "help" for help.

# Access to the database from the remote node (192.168.1.102/24)

[postgres@node102 bin]$ ./psql -h 192.168.1.101
psql: error: connection to server at "192.168.1.101", port 5432 failed: FATAL:  pg_hba.conf rejects connection for host "192.168.1.102", user "postgres", database "postgres", no encryption

Summary:
1. sys_hba.conf can be used to build an allow/deny list for client access to the database service.
2. Entries in sys_hba.conf are matched in order from top to bottom. If a record matches, the connection is handled according to that record; if no record matches and no (0.0.0.0/0) entry permitting all clients is configured, access to the database service is denied by default.
3. sys_hba.conf does not support a (0.0.0.0/0) reject entry: such an entry rejects all TCP/IP connections, including those that matched earlier entries.
4. PostgreSQL's pg_hba.conf does support a (0.0.0.0/0) reject entry, which can be placed at the end of the file; since the default is already to reject everything, this entry is not needed.
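As an added example (not Kingbase's or PostgreSQL's own code), the following Python checker applies the first-match rule from the "How sys_hba.conf works" section to the case four sys_hba.conf records quoted above, so an operator can predict which record a given connection will hit before reloading the server. It assumes only the local and host connection types and the five columns shown on this page; the replication records of case four are omitted.

```python
import ipaddress

# Reader-side checker for HBA-style records (sys_hba.conf / pg_hba.conf),
# following the first-match rule described above: the first record whose
# TYPE, DATABASE, USER and ADDRESS all match decides the METHOD, and a
# connection that matches no record is denied. Added example, not Kingbase code.

# Case four sys_hba.conf user-access records from this page (comments stripped).
CASE_FOUR = """
local   all             all                                     trust
host    all             all             127.0.0.1/32            scram-sha-256
host    all             system          192.168.1.202/32        scram-sha-256
host    all             tom,rose        0.0.0.0/0               scram-sha-256
host    all             all             ::1/128                 scram-sha-256
host    all             all             ::0/0                   scram-sha-256
"""

def parse_hba(text):
    """Return a list of (type, databases, users, network_or_None, method)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) == 4:        # local records have no ADDRESS
            rules.append(("local", f[1].split(","), f[2].split(","), None, f[3]))
        elif f[0] == "host" and len(f) == 5:
            net = ipaddress.ip_network(f[3], strict=False)
            rules.append(("host", f[1].split(","), f[2].split(","), net, f[4]))
        else:
            raise ValueError(f"malformed record: {raw!r}")
    return rules

def _matches(field, name):
    return "all" in field or name in field        # DATABASE/USER: 'all' or a name list

def resolve(rules, conn_type, db, user, addr=None):
    """Return (record_index, method); method is 'no entry' when nothing matched."""
    ip = ipaddress.ip_address(addr) if addr else None
    for i, (rtype, dbs, users, net, method) in enumerate(rules):
        if rtype != conn_type or not _matches(dbs, db) or not _matches(users, user):
            continue
        if rtype == "host" and (ip is None or ip not in net):  # v4/v6 mismatch is a miss
            continue
        return i, method                           # first match wins, even if 'reject'
    return None, "no entry"

if __name__ == "__main__":
    print(resolve(parse_hba(CASE_FOUR), "host", "test", "system", "192.168.1.203"))
```

Under this first-match model a matching reject record is reported as the winning record, which is the case five behaviour recorded above.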

Posted 2023-06-14 16:11 by 天涯客1224