Encryption in MySQL: Keystore

Ahead of the start of a new enrolment for the "Database" course, we have prepared a translation of a useful article for you.


Transparent Data Encryption (TDE) has been available in Percona Server for MySQL and MySQL for quite some time. But have you ever wondered how it works under the hood and what effect TDE can have on your server? In this article we look at how TDE works internally. We start with key storage, because that is what any encryption needs in order to work. Then we look at how encryption works in Percona Server for MySQL/MySQL and at the extra features Percona Server for MySQL has.

MySQL Keyring

Keyrings are plugins that let the server query, create and delete keys in a local file (keyring_file) or on a remote server (such as HashiCorp Vault). Keys are always cached locally to speed up retrieval.

The plugins can be divided into two categories:

  • Local storage, for example a local file (we call this a file-based keyring).
  • Remote storage, for example a Vault Server (we call this a server-based keyring).

This distinction matters because the two kinds of storage behave slightly differently, not only when storing and retrieving keys but also at startup.

With file-based storage, everything in the store is loaded into the cache at startup: key id, key user, key type, and the key itself.

With a server-based store (such as Vault Server), only the key ids and key users are loaded at startup, so fetching all the keys does not slow startup down. Keys are loaded lazily: the key itself is fetched from Vault only when it is actually needed. Once fetched, the key is cached in memory so that it does not have to be retrieved again over the TLS connection to the Vault Server. Next, let's look at what is stored in a keystore.

A keystore entry consists of:

  • key id - the key identifier, for example:
    INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-1
  • key type - the type of the key, based on the encryption algorithm used; possible values: "AES", "RSA" or "DSA".
  • key length - the key length in bytes; AES: 16, 24 or 32, RSA: 128, 256 or 512, DSA: 128, 256 or 384.
  • user - the owner of the key. If the key is a system key, for example a Master Key, this field is empty. If the key was created with keyring_udf, this field identifies its owner.
  • the key itself

A key is uniquely identified by the pair: key_id, user.

There are also differences in how keys are stored and deleted.

File-based storage is faster. You might think that a keystore simply writes the keys to a file once, but no, there is more going on. Whenever the file store is modified, a backup copy of its entire contents is made first. Say the file is called my_biggest_secrets; the backup will then be my_biggest_secrets.backup. Next, the cache is modified (keys are added or removed) and, if everything succeeds, the cache is flushed to the file. In rare situations, such as a server crash, you may come across this backup file. The backup file is removed the next time the keys are loaded (usually after a server restart).

When a key is stored in or deleted from a server-based store, the store has to communicate with the MySQL server using "send the key" / "request key deletion" commands.

Let's return to server startup speed. Apart from the fact that startup speed is affected by the store itself, there is also the question of how many keys have to be retrieved from the store at startup. This is of course especially important for server-based storage. At startup, the server checks which key is needed for the encrypted tables/tablespaces and requests those keys from the store. On a "clean" server using Master Key encryption there should be a single Master Key to retrieve from the store. However, more keys may be needed, for example when a replica restores a backup taken from the primary server. In that case Master Key rotation has to be performed. This will be covered in more detail in future articles, but here I want to point out that a server using several Master Keys may take some time to start, especially with a server-based keystore.

Now let's talk a bit more about keyring_file. When I was developing keyring_file, I was also concerned about how to track changes to the keyring_file while the server is running. In 5.7 the check was based on file statistics, which was not an ideal solution, and in 8.0 it was replaced with a SHA256 checksum.

The first time keyring_file runs, the file statistics and checksum are computed and remembered by the server, and changes are applied only if they match. When the file changes, the checksum is updated.

We have already answered many questions about key stores. However, there is another important topic that is often forgotten or misunderstood: sharing keys across servers.

What do I mean by that? Every server (for example, Percona Server) in the cluster must have its own separate location on the Vault Server where that Percona Server stores its keys. Every Master Key stored in the store carries the GUID of its Percona Server inside its identifier. Why does this matter? Imagine you have a single Vault Server and all the Percona Servers in the cluster use that one Vault Server. The problem seems obvious: if all the Percona Servers used Master Keys without unique identifiers, such as id = 1, id = 2, and so on, then every server in the cluster would use the same Master Key. What the GUID provides is the distinction between servers.

So why talk about sharing keys between servers if a unique GUID already exists? There is another plugin, keyring_udf. With this plugin, a user of your server can store their own keys on the Vault server. The problem arises when a user creates a key on server1, for example, and then tries to create a key with the same id on server2:
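The backup-then-flush sequence and the SHA256 change detection just described, as an added Python model (hypothetical code written for this page, not Percona's keyring_file implementation); the on-disk JSON layout and the (key_id, user) duplicate check are assumptions:

```python
import hashlib
import json
import os
import tempfile

# Hypothetical file-based keyring modelled on the flow above (not Percona's
# keyring_file code): backup, modify cache, flush, and SHA256 change detection.
class FileKeyring:
    def __init__(self, path):
        self.path, self.backup = path, path + ".backup"
        self.cache = {}        # (key_id, user) -> [key_type, key_hex]
        self.checksum = None   # SHA256 of the file as last loaded/flushed
        self.load()
    def _sha256(self):
        with open(self.path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()

    def _flush(self):
        with open(self.path, "w") as f:
            json.dump({"\x00".join(k): v for k, v in self.cache.items()}, f)
        self.checksum = self._sha256()
    def load(self):
        if os.path.exists(self.backup): os.remove(self.backup)  # left by a crash
        if not os.path.exists(self.path): self._flush()         # fresh keyring
        with open(self.path) as f:
            self.cache = {tuple(k.split("\x00")): v for k, v in json.load(f).items()}
        self.checksum = self._sha256()

    def modified_externally(self):
        return self._sha256() != self.checksum

    def store(self, key_id, user, key_type, key_hex):
        if (key_id, user) in self.cache:
            return False   # duplicate pair, like keyring_key_store returning 0
        if self.modified_externally():
            raise RuntimeError("keyring file was changed outside the server")
        with open(self.path, "rb") as src, open(self.backup, "wb") as dst:
            dst.write(src.read())                          # 1. backup copy
        self.cache[(key_id, user)] = [key_type, key_hex]   # 2. modify cache
        self._flush()                                      # 3. flush to file
        os.remove(self.backup)                             # 4. drop backup
        return True

def demo():
    path = os.path.join(tempfile.mkdtemp(), "my_biggest_secrets")
    kr = FileKeyring(path)
    first = kr.store("INNODBKey-1", "", "AES", "00" * 16)
    dup = kr.store("INNODBKey-1", "", "AES", "11" * 16)
    with open(path, "a") as f:
        f.write("\n")                                      # constructed out-of-band edit
    return first, dup, kr.modified_externally(), FileKeyring(path).cache
```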

--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
-- 1 means the call succeeded
--server2:
select keyring_key_store('ROB_1','AES',"543210987654321");
1

Wait. Both servers use the same Vault Server, so shouldn't the keyring_key_store call fail on server2? Interestingly, if you try the same thing on a single server, you do get an error:

--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
select keyring_key_store('ROB_1','AES',"543210987654321");
0

Right, ROB_1 already exists.

Let's discuss the second example first. As mentioned earlier, keyring_vault, like any other keyring plugin, caches all key ids in memory. So after the new key is created, ROB_1 is added on server1: besides being sent to Vault, the key is added to the cache. When we then try to add the same key a second time, keyring_vault checks whether the key already exists in the cache and returns an error.

In the first case things are different. server1 and server2 have separate caches. After ROB_1 is added to the key cache on server1 and to the Vault server, the key cache on server2 is not synchronised. There is no ROB_1 key in server2's cache. So keyring_key_store writes the ROB_1 key to the Vault server, which overwrites (!) the previous value. Now the ROB_1 key on the Vault server is 543210987654321. Interestingly, the Vault server does not prevent such an operation and simply overwrites the old value.

Now we can see why per-server separation in Vault may be necessary: when you use keyring_udf and want to store keys in Vault. How do you achieve that separation on the Vault server?

There are two ways to separate servers in Vault. You can create a different mount point for each server, or use different paths within the same mount point. This is best illustrated with examples. So first, let's look at separate mount points:
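The two-server overwrite above and the effect of per-server separation, as an added Python model (written for this page, not Percona's keyring_vault code); the "<secret_mount_point>/<key_id>" path layout, the user name and the Vault stand-in are assumptions:

```python
# Added model of the behaviour described above (not Percona's keyring_vault code):
# each server keeps its own key cache, the Vault server is shared, and
# keyring_key_store only rejects an id that is already in the *local* cache.
# The path layout "<secret_mount_point>/<key_id>" is an assumption.
class VaultServer:
    """Stand-in for Vault's secret backend: a plain path -> value map."""
    def __init__(self):
        self.secrets = {}

    def write(self, path, key_type, key):
        self.secrets[path] = (key_type, key)   # Vault overwrites silently

    def read(self, path):
        return self.secrets.get(path)

class KeyringVault:
    """One MySQL server's keyring_vault plugin instance."""
    def __init__(self, vault, secret_mount_point, user="rob"):
        self.vault, self.user = vault, user
        self.mount = secret_mount_point.strip("/")
        self.cache = {}   # (key_id, user) -> (key_type, key); filled lazily

    def key_store(self, key_id, key_type, key):
        if (key_id, self.user) in self.cache:
            return 0      # the error seen on a single server
        self.vault.write(f"{self.mount}/{key_id}", key_type, key)
        self.cache[(key_id, self.user)] = (key_type, key)
        return 1

    def key_fetch(self, key_id):
        if (key_id, self.user) not in self.cache:     # lazy load from Vault
            found = self.vault.read(f"{self.mount}/{key_id}")
            if found is None:
                return None
            self.cache[(key_id, self.user)] = found
        return self.cache[(key_id, self.user)][1]

def demo(mount1, mount2):
    """Store ROB_1 from two servers whose keyrings point at mount1 and mount2."""
    vault = VaultServer()
    s1, s2 = KeyringVault(vault, mount1), KeyringVault(vault, mount2)
    results = (s1.key_store("ROB_1", "AES", "123456789012345"),
               s2.key_store("ROB_1", "AES", "543210987654321"))
    return {
        "results": results,                     # both return 1, as on the page
        "server1_sees": s1.key_fetch("ROB_1"),  # served from server1's stale cache
        "vault_has": sorted(v[1] for v in vault.secrets.values()),
    }
```

With a shared mount point server1 keeps serving its cached key while Vault already holds server2's value, which is the silent divergence to watch for; with per-server paths both keys coexist.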

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = server1_mount
token = (...)
vault_ca = (...)

--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = server2_mount
token = (...)
vault_ca = (...)

Here you can see that server1 and server2 use different mount points. With path separation, the configuration looks like this:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server1
token = (...)
vault_ca = (...)
--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server2
token = (...)
vault_ca = (...)

In this case both servers use the same mount point, "mount_point", but different paths. When you create the first secret on server1 using this path, the Vault server automatically creates the "server1" directory. The same happens for server2. When you delete the last secret in mount_point/server1 or mount_point/server2, the Vault server removes that directory as well. With path separation you only need to create a single mount point and adjust the configuration files so that the servers use different paths. A mount point can be created with an HTTP request. With curl it looks like this:

curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA \
  --data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT

All the parameters (TOKEN, VAULT_CA, VAULT_URL, SECRET_MOUNT_POINT) correspond to the values in the configuration file. You can of course use the Vault tooling to do the same. But this way it is easy to automate the creation of mount points. I hope you found this article useful, and see you in the next articles of this series.
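Automating the mount-point creation above for several servers, as an added Python example (not from the article or from Percona); the server-to-mount-point mapping, the duplicate check and the Vault reply status are assumptions, and VAULT_URL/TOKEN stand for the values in each server's configuration file:

```python
import json
import ssl
import urllib.request

# Added example (not from the article or Percona): build the same request as the
# curl command above for every server and refuse configurations that would put
# two servers in the same location, which is the overwrite scenario shown above.
def build_mount_request(vault_url, token, mount_point, backend="generic"):
    """Same call as the curl command: POST /v1/sys/mounts/<mount_point>."""
    return urllib.request.Request(
        f"{vault_url.rstrip('/')}/v1/sys/mounts/{mount_point.strip('/')}",
        data=json.dumps({"type": backend}).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )

def plan_mounts(configs):
    """configs maps server name -> secret_mount_point from its config file.
    Returns the mount points that must exist (one per top-level segment, so
    path separation needs a single mount) and raises if two servers share
    the same secret_mount_point."""
    seen = {}
    for server, mount in configs.items():
        mount = mount.strip("/")
        if mount in seen:
            raise ValueError(f"{server} and {seen[mount]} share secret_mount_point {mount}")
        seen[mount] = server
    return sorted({m.split("/")[0] for m in seen})

def create_mounts(vault_url, token, configs, cafile=None):
    """Create each planned mount point (Vault answers 204 on success)."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile = vault_ca from the config
    for mount in plan_mounts(configs):
        req = build_mount_request(vault_url, token, mount)
        with urllib.request.urlopen(req, context=ctx) as resp:
            print(mount, resp.status)
```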


Source: www.habr.com
