Security and DBMS: what you need to remember when choosing security tools


My name is Denis Rozhkov, I am head of software development at Gazinformservice, in the Jatoba product group. Legislation and corporate regulations impose certain requirements on the security of data storage. Nobody wants third parties to gain access to confidential information, so the following issues matter for any project: identification and authentication, access control, ensuring the integrity of the data in the system, and logging of security events. That is why I want to talk about some interesting points concerning DBMS security.

The article is based on a talk at @DatabasesMeetup, organized by Mail.ru Cloud Solutions. If you do not want to read, you can watch the video:


The article has three parts:

  • How to secure connections.
  • What an action audit is, and how to record what happens on the database side and on the side connecting to it.
  • How to protect the data in the database itself, and what technologies exist for this.

Figure: Three pillars of DBMS security: connection protection, action audit, and data protection

Securing your connections

You can connect to the database either directly or indirectly, through web applications. As a rule, the business user, that is, the person who works with the DBMS, interacts with it indirectly.

Before talking about protecting connections, you need to answer the key questions that determine how the security measures will be built:

  • Is one business user equivalent to one DBMS user?
  • Is access to the DBMS data provided only through an API that you control, or are the tables accessed directly?
  • Is the DBMS placed in a separate protected segment, and who interacts with it and how?
  • Are pooling/proxy and other intermediate layers in use, which may change the picture of how connections are built and who is using the database?

Now let's look at what tools can be used to protect connections:

  1. Use firewall-class solutions. An additional layer of protection will, at a minimum, increase the transparency of what is happening in the DBMS, and at best it will let you provide additional data protection.
  2. Use password policies. How they are applied depends on how your architecture is built. In any case, a single password in the configuration file of the web application that connects to the DBMS is not enough for protection. There are a number of DBMS tools that let you control that the user and the password require updating.

    You can read more about these user assessment functions, and you can also learn about MS SQL Vulnerability Assessment.

  3. Enrich the session context with the necessary information. If the session is opaque and you do not understand who is working in the DBMS within it, you can, as part of the operation being performed, add information about who is doing what and why. This information can then be seen in the audit.
  4. Configure SSL if you do not have network separation between the DBMS and the end users, that is, it is not in a separate VLAN. In such cases, it is essential to protect the channel between the consumer and the DBMS itself. Security tools for this are also available in open source.
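As an added example (not part of the original article), here is a small Python checker for libpq connection strings of the kind used with pgbench and psql further down the page. It applies the point of item 4: when there is no network separation, the channel must be both encrypted and authenticated, so it flags strings whose sslmode is weaker than verify-full, strings that request verification without a CA file, and strings with an embedded password. The sslmode semantics follow the libpq documentation; the sample strings and the db.example.internal host name are constructed for the demo.

```python
import shlex

# libpq sslmode values ordered from weakest to strongest (from the libpq documentation).
SSLMODE_ORDER = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def parse_conninfo(conninfo: str) -> dict:
    """Parse a libpq key=value connection string into a dict.
    Values may be single-quoted, which shlex handles."""
    params = {}
    for token in shlex.split(conninfo):
        if "=" not in token:
            raise ValueError(f"malformed token in connection string: {token!r}")
        key, value = token.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def audit_conninfo(conninfo: str) -> list:
    """Return a list of findings for one connection string.
    Baseline assumed here: the DBMS is not in an isolated VLAN, so the channel
    must be encrypted and the server authenticated (sslmode=verify-full plus a CA file).
    An empty list means the string meets that baseline."""
    p = parse_conninfo(conninfo)
    findings = []
    mode = p.get("sslmode", "prefer")  # libpq's default when sslmode is omitted
    if mode not in SSLMODE_ORDER:
        findings.append(f"sslmode={mode}: unknown value")
        return findings
    if SSLMODE_ORDER.index(mode) < SSLMODE_ORDER.index("require"):
        findings.append(f"sslmode={mode}: plaintext connection is allowed")
    elif mode == "require":
        findings.append("sslmode=require: traffic is encrypted, but the server certificate is "
                        "checked only if a root CA file happens to be present; use verify-full")
    elif mode == "verify-ca":
        findings.append("sslmode=verify-ca: certificate chain is checked but not the host name; "
                        "use verify-full")
    if mode in ("verify-ca", "verify-full") and "sslrootcert" not in p:
        findings.append("sslrootcert not set: verification falls back to ~/.postgresql/root.crt")
    if "password" in p:
        findings.append("password embedded in the connection string; prefer a .pgpass file "
                        "with restricted permissions")
    return findings


# Constructed inputs: the two strings from the pgbench tests on this page, plus a hardened variant.
EXAMPLES = {
    "plain": "host=192.168.220.129 dbname=taskdb user=postgres",
    "require": ("host=192.168.220.129 dbname=taskdb user=postgres sslmode=require "
                "sslrootcert=rootCA.crt sslcert=client.crt sslkey=client.key"),
    "hardened": ("host=db.example.internal dbname=taskdb user=app sslmode=verify-full "
                 "sslrootcert=/etc/app/rootCA.crt sslcert=/etc/app/client.crt "
                 "sslkey=/etc/app/client.key"),
}

if __name__ == "__main__":
    for name, conninfo in EXAMPLES.items():
        print(name, audit_conninfo(conninfo) or ["ok"])
```

The checker treats the libpq default (sslmode=prefer) as a finding, because with prefer the client silently falls back to plaintext if the server does not offer TLS; the pgbench test strings with sslmode=require encrypt the channel but do not by themselves authenticate the server.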

How will this affect DBMS performance?

Let's use PostgreSQL as an example to see how SSL affects CPU load, increases latency and reduces TPS, and whether it will consume too many resources if you enable it.

We load PostgreSQL with pgbench, a simple program for running performance tests. It repeatedly executes one sequence of commands, possibly in parallel database sessions, and then calculates the average transaction rate.

Test 1, without SSL and with SSL, where a connection is established for each transaction:

pgbench.exe --connect -c 10 -t 5000 "host=192.168.220.129 dbname=taskdb user=postgres sslmode=require sslrootcert=rootCA.crt sslcert=client.crt sslkey=client.key"

vs

pgbench.exe --connect -c 10 -t 5000 "host=192.168.220.129 dbname=taskdb user=postgres"

Test 2, without SSL and with SSL, where all transactions are performed within one connection:

pgbench.exe -c 10 -t 5000 "host=192.168.220.129 dbname=taskdb user=postgres sslmode=require sslrootcert=rootCA.crt sslcert=client.crt sslkey=client.key"

vs

pgbench.exe -c 10 -t 5000 "host=192.168.220.129 dbname=taskdb user=postgres"

Other settings:

scaling factor: 1
query mode: simple
number of clients: 10
number of threads: 1
number of transactions per client: 5000
number of transactions actually processed: 50000/50000

Test results:

|                                              | Without SSL  | SSL          |
|----------------------------------------------|--------------|--------------|
| Connection established for each transaction  |              |              |
| latency average                              | 171.915 ms   | 187.695 ms   |
| tps (including connections establishing)     | 58.168112    | 53.278062    |
| tps (excluding connections establishing)     | 64.084546    | 58.725846    |
| CPU                                          | 24%          | 28%          |
| All transactions within one connection       |              |              |
| latency average                              | 6.722 ms     | 6.342 ms     |
| tps (including connections establishing)     | 1587.657278  | 1576.792883  |
| tps (excluding connections establishing)     | 1588.380574  | 1577.694766  |
| CPU                                          | 17%          | 21%          |

Under light load, the effect of SSL is comparable to the measurement error. If the volume of transferred data is very large, the situation may be different. If we establish a connection for every transaction (this is rare; usually a connection is shared between users) and you have many connections and disconnections, the effect will be somewhat larger. That is, there may be a risk of reduced performance; however, the difference is not so large that it justifies doing without protection.

Note that there is a strong difference when you compare the operating modes: working within one session or within different ones. This is understandable: resources are spent on establishing each connection.

We had a case where we connected Zabbix in trust mode, that is, md5 was not checked and no authentication was required. Then the customer asked to enable md5 authentication mode. This put a heavy load on the CPU, and performance dropped. We started looking for ways to optimize. One possible solution is to introduce a network restriction, create separate VLANs for the DBMS, add settings that make clear who connects from where, and remove authentication. In general, using different authentication methods affects performance, and this has to be taken into account when sizing the computing capacity of the servers (hardware) for the DBMS.

Conclusion: in a number of solutions, even small nuances in authentication can strongly affect the project, and it is bad when this becomes clear only after deployment to production.

Action audit

Auditing is not only about the DBMS. Auditing means obtaining information about what is happening in different segments. This can be a database firewall or the operating system on which the DBMS runs.

In commercial enterprise-level DBMSs, auditing is in good shape, but in open source this is not always the case. Here is what PostgreSQL has:

  • default log: built-in logging;
  • extensions: pgaudit; if the default logging is not enough for you, you can use separate settings that solve some of the problems.

Addition to the talk in the video:

"Basic statement logging can be provided by the standard logging facility with log_statement = all.

This is acceptable for monitoring and other uses, but does not provide the level of detail generally required for an audit.

It is not enough to have a list of all the operations performed against the database.

It must also be possible to find particular statements that are of interest to an auditor.

Standard logging shows what the user requested, while pgAudit focuses on the details of what happened while the database was satisfying the request.

For example, an auditor may want to verify that a particular table was created inside the documented maintenance window.

This might seem like a simple job for basic logging and grep, but what if you are presented with something like this (intentionally obfuscated) example:

DO $$
BEGIN
EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;

Standard logging will give you this:

LOG: statement: DO $$
BEGIN
EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;

It appears that finding the table of interest may require some knowledge of the code in cases where tables are created dynamically.

This is not ideal, since it would be preferable to simply search by the table name.

This is where pgAudit comes in.

For the same statement, it will produce this output in the log:

AUDIT: SESSION,33,1,FUNCTION,DO,,,"DO $$
BEGIN
EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;"
AUDIT: SESSION,33,2,DDL,CREATE TABLE,TABLE,public.important_table,CREATE TABLE important_table (id INT)

Not only is the DO block logged, but the full text of the CREATE TABLE is logged as well, with the statement type, object type, and fully qualified name, which makes searching easy.

When logging SELECT and DML statements, pgAudit can be configured to log a separate entry for each relation referenced in a statement.

No parsing is required to find all statements that touch a particular table (*)."
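As an added example, not from the article or from the pgAudit project: a Python parser for AUDIT records of the shape quoted above, doing exactly what the quoted text describes, namely finding every statement that touches a given table by matching the object-name field rather than parsing SQL. The sample log is constructed from the two records quoted above plus two SELECT records in the same format; the "LOG:" prefix in front of each record and the absence of any other log_line_prefix are assumptions of the demo.

```python
import csv
import io
from dataclasses import dataclass


@dataclass
class AuditEntry:
    audit_type: str       # SESSION or OBJECT
    statement_id: int
    substatement_id: int
    audit_class: str      # DDL, READ, WRITE, FUNCTION, ...
    command: str          # CREATE TABLE, SELECT, DO, ...
    object_type: str      # TABLE, VIEW, ... (empty when not applicable)
    object_name: str      # schema-qualified name (empty when not applicable)
    statement: str


def parse_pgaudit(log_text: str) -> list:
    """Parse pgAudit records out of PostgreSQL log text.

    A record starts at the text following "AUDIT: " on a line. A statement field
    enclosed in double quotes may span several lines, so lines without the marker
    are appended to the current record before CSV parsing. Only the first eight
    fields shown on this page are used; the ninth PARAMETER field of newer pgAudit
    releases is ignored if present."""
    marker = "AUDIT: "
    records = []
    for line in log_text.splitlines():
        pos = line.find(marker)
        if pos >= 0:
            records.append(line[pos + len(marker):])
        elif records:
            records[-1] += "\n" + line
    entries = []
    for rec in records:
        fields = next(csv.reader(io.StringIO(rec)))  # csv handles the quoted multi-line field
        if len(fields) < 8:
            raise ValueError(f"unexpected pgAudit record: {rec!r}")
        entries.append(AuditEntry(fields[0], int(fields[1]), int(fields[2]),
                                  fields[3], fields[4], fields[5], fields[6], fields[7]))
    return entries


def statements_touching(entries: list, table: str) -> list:
    """Return (statement_id, substatement_id, command) for every entry whose
    object name is the given table, matching either the bare name or the
    schema-qualified one. No SQL parsing is needed: the name is its own field."""
    table = table.lower()
    hits = []
    for e in entries:
        name = e.object_name.lower()
        if name == table or name.split(".")[-1] == table:
            hits.append((e.statement_id, e.substatement_id, e.command))
    return hits


# Constructed sample: the two records quoted from the pgAudit documentation above,
# plus two SELECT records in the same per-relation format.
SAMPLE_LOG = """\
LOG:  AUDIT: SESSION,33,1,FUNCTION,DO,,,"DO $$
BEGIN
EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;"
LOG:  AUDIT: SESSION,33,2,DDL,CREATE TABLE,TABLE,public.important_table,CREATE TABLE important_table (id INT)
LOG:  AUDIT: SESSION,34,1,READ,SELECT,TABLE,public.important_table,select id from important_table
LOG:  AUDIT: SESSION,35,1,READ,SELECT,TABLE,public.other_table,select 1 from other_table
"""

if __name__ == "__main__":
    for hit in statements_touching(parse_pgaudit(SAMPLE_LOG), "important_table"):
        print(hit)
```

Running it lists the CREATE TABLE substatement and the later SELECT against important_table, while the obfuscated DO block (whose object-name field is empty) is found only through its child substatement, which is the point the quoted text makes.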

How will this affect DBMS performance?

Let's run the tests with full auditing enabled and see what happens to PostgreSQL performance. We enable maximum database logging across all parameters.

We changed almost nothing in the configuration file; the most important thing is to enable debug5 mode to get the maximum amount of information.

postgresql.conf

log_destination = 'stderr'
logging_collector = on
log_truncate_on_rotation = on
log_rotation_age = 1d
log_rotation_size = 10MB
log_min_messages = debug5
log_min_error_statement = debug5
log_min_duration_statement = 0
debug_print_parse = on
debug_print_rewritten = on
debug_print_plan = on
debug_pretty_print = on
log_checkpoints = on
log_connections = on
log_disconnections = on
log_duration = on
log_hostname = on
log_lock_waits = on
log_replication_commands = on
log_temp_files = 0
log_timezone = 'Europe/Moscow'

On a PostgreSQL DBMS with 1 CPU at 2.8 GHz, 2 GB RAM and a 40 GB HDD, we performed three load tests using the commands:

$ pgbench -p 3389 -U postgres -i -s 150 benchmark
$ pgbench -p 3389 -U postgres -c 50 -j 2 -P 60 -T 600 benchmark
$ pgbench -p 3389 -U postgres -c 150 -j 2 -P 60 -T 600 benchmark

Test results:

|                                               | Without logging | With logging |
|-----------------------------------------------|-----------------|--------------|
| Total data recording time                     | 43.74 sec       | 53.23 sec    |
| RAM                                           | 24%             | 40%          |
| CPU                                           | 72%             | 91%          |
| Test 1 (50 connections)                       |                 |              |
| Number of transactions in 10 minutes          | 74169           | 32445        |
| Transactions/sec                              | 123             | 54           |
| Average latency                               | 405 ms          | 925 ms       |
| Test 2 (150 connections, 100 possible)        |                 |              |
| Number of transactions in 10 minutes          | 81727           | 31429        |
| Transactions/sec                              | 136             | 52           |
| Average latency                               | 550 ms          | 1432 ms      |
| Sizes                                         |                 |              |
| DB size                                       | 2251 MB         | 2262 MB      |
| Database log size                             | 0 MB            | 4587 MB      |

Bottom line: full auditing is not very good. The audit data will be as large as the data in the database itself, or even larger. The volume of logging produced while working with the DBMS is a common problem in production.

Let's look at the other parameters:

  • The speed does not change much: without logging, 43.74 seconds; with logging, 53.23 seconds.
  • RAM and CPU performance suffer, because the audit file has to be generated. This is also noticeable in throughput.

As the number of connections grows, performance naturally degrades somewhat.

In corporations, auditing is even harder:

  • there is a lot of data;
  • auditing is needed not only via syslog into the SIEM, but also in files: if something happens to syslog, there must be a file close to the database in which the data is saved;
  • a separate storage shelf is needed for auditing so as not to waste disk I/O, since it takes up a lot of space;
  • it happens that information security staff require GOST standards everywhere, and they require state identification.

Restricting access to data

Let's look at the technologies used to protect data and access to it in commercial and open source DBMSs.

What you can use:

  1. Encryption and obfuscation of procedures and functions (Wrapping), that is, separate tools and utilities that turn readable code into unreadable code. True, after that it can be neither changed nor refactored back. This approach is sometimes required at least on the DBMS side: the logic of licensing restrictions or the authorization logic is encrypted precisely at the level of procedures and functions.
  2. Row-level restriction of data visibility (RLS) is when different users see the same table but a different set of rows in it, that is, something cannot be shown to someone at the row level.
  3. Editing of the displayed data (Masking) is when users see, in one column of the table, either the data or only asterisks, that is, for some users the information will be hidden. The technology determines which user is shown what based on their access level.
  4. Security DBA / Application DBA / DBA access control is, rather, about restricting access to the DBMS itself, that is, information security staff can be separated from database administrators and application administrators. There are few such technologies in open source, but plenty in commercial DBMSs. They are needed when there are many users with access to the servers themselves.
  5. Restricting access to files at the file system level. You can grant access rights to directories so that each administrator gets access only to the data they need.
  6. Mandatory access control and memory cleanup: these technologies are rarely used.
  7. End-to-end encryption directly from the DBMS is client-side encryption with key management on the server side.
  8. Data encryption. For example, column encryption is when you use a mechanism that encrypts a single column of the database.

How does this affect DBMS performance?

Let's look at column encryption in PostgreSQL as an example. There is the pgcrypto module, which lets you store selected fields in encrypted form. This is useful when only some of the data is valuable. To read the encrypted fields, the client passes the decryption key, the server decrypts the data and returns it to the client. Without the key, nobody can do anything with your data.

Let's try pgcrypto. We create one table with encrypted data and one with regular data. Below are the commands for creating the tables; the very first line contains the useful command, creating the extension itself with its registration in the DBMS:

CREATE EXTENSION pgcrypto;
CREATE TABLE t1 (id integer, text1 text, text2 text);
CREATE TABLE t2 (id integer, text1 bytea, text2 bytea);
INSERT INTO t1 (id, text1, text2)
VALUES (generate_series(1,10000000), generate_series(1,10000000)::text, generate_series(1,10000000)::text);
INSERT INTO t2 (id, text1, text2) VALUES (
generate_series(1,10000000),
encrypt(cast(generate_series(1,10000000) AS text)::bytea, 'key'::bytea, 'bf'),
encrypt(cast(generate_series(1,10000000) AS text)::bytea, 'key'::bytea, 'bf'));

Next, let's take a sample from each table and look at the execution time.

Select from the table without the encryption function:

psql -c "\timing" -c "select * from t1 limit 1000;" "host=192.168.220.129 dbname=taskdb user=postgres sslmode=disable" > 1.txt

Timing is on.

  id  | text1 | text2
------+-------+-------
    1 | 1     | 1
    2 | 2     | 2
    3 | 3     | 3
...
  997 | 997   | 997
  998 | 998   | 998
  999 | 999   | 999
 1000 | 1000  | 1000
(1000 rows)

Time: 1.386 ms

Select from the table with the encryption function:

psql -c "\timing" -c "select id, decrypt(text1, 'key'::bytea, 'bf'), decrypt(text2, 'key'::bytea, 'bf') from t2 limit 1000;" "host=192.168.220.129 dbname=taskdb user=postgres sslmode=disable" > 2.txt

Timing is on.

  id  | decrypt    | decrypt
------+------------+------------
    1 | \x31       | \x31
    2 | \x32       | \x32
    3 | \x33       | \x33
...
  999 | \x393939   | \x393939
 1000 | \x31303030 | \x31303030
(1000 rows)

Time: 50.203 ms

Test results:

|                      | Without encryption | pgcrypto (decrypt) |
|----------------------|--------------------|--------------------|
| Sample of 1000 rows  | 1.386 ms           | 50.203 ms          |
| CPU                  | 15%                | 35%                |
| RAM                  |                    | +5%                |

Encryption has a strong effect on performance. You can see that the timing has grown, because the decryption operations on encrypted data (and decryption is usually also wrapped in your own logic) require significant resources. That is, the idea of encrypting every column that contains some data is fraught with a drop in performance.

However, encryption is not a silver bullet that solves all problems. The decrypted data and the decryption key are present on the server while the data is being decrypted and transferred. Therefore, the key can be intercepted by someone who has full access to the database server, such as a system administrator.

When there is one key for the whole column for all users (even if not for everyone, but for a limited set of clients), this is not always good and correct. That is why end-to-end encryption appeared: DBMSs started considering options for encrypting data on the client and server sides, and the same key-vault stores appeared, separate products that provide key management on the DBMS side.

Figure: An example of such encryption in MongoDB

Security features in commercial and open source DBMSs

| Engine     | Type       | Password policy | Audit      | Protection of procedure and function source code | RLS | Encryption                            |
|------------|------------|-----------------|------------|--------------------------------------------------|-----|---------------------------------------|
| Oracle     | commercial | +               | +          | +                                                | +   | +                                     |
| MsSql      | commercial | +               | +          | +                                                | +   | +                                     |
| Jatoba     | commercial | +               | +          | +                                                | +   | extensions                            |
| PostgreSQL | free       | extensions      | extensions | -                                                | +   | extensions                            |
| MongoDb    | free       | -               | +          | -                                                | -   | Available only in MongoDB Enterprise  |

The table is far from complete, but the situation is this: in commercial products, security issues were solved long ago; in open source, as a rule, some add-ons are used for security, many functions are missing, and sometimes you have to add something yourself. For example, password policies: PostgreSQL has many different extensions (1, 2, 3, 4, 5) that implement password policies, but in my opinion none of them covers all the needs of the domestic corporate segment.

What if what you need is not available anywhere? For example, you want to use a specific DBMS that lacks the functions the customer requires.

Then you can use third-party solutions that work with different DBMSs, for example Crypto DB or Garda DB. If we are talking about solutions from the domestic segment, they know GOSTs better than open source does.

The second option is to write what you need yourself, implementing data access and encryption in the application at the procedure level. True, it will be harder with GOST. But in general, you can hide the data as needed, put it into the DBMS, then retrieve and decrypt it as needed, right at the application level. At the same time, think right away about how you will protect these algorithms in the application. In our opinion, this should be done at the DBMS level, because it will work faster.

This talk was first given at @Databases Meetup by Mail.ru Cloud Solutions. Watch the videos of the other talks and subscribe to event announcements in the Telegram channel Around Kubernetes at Mail.ru Group.

What else to read on the topic:

  1. More than Ceph: MCS cloud block storage.
  2. How to choose a database for a project so that you don't have to choose again.

Source: www.hab.com
