Security and DBMS: what to remember when choosing security tools


My name is Denis Rozhkov, and I am head of software development at Gazinformservice, in the Jatoba product team. Legislation and corporate regulations impose certain requirements on the security of data storage. Nobody wants third parties to gain access to confidential information, so the following issues matter for any project: identification and authentication, controlling access to data, ensuring the integrity of information in the system, and logging of security events. That is why I want to talk about some interesting points of DBMS security.

This article is based on a talk at @DatabasesMeetup, organized by Mail.ru Cloud Solutions. If you don't want to read, you can watch the talk instead.


The article has three parts:

  • How to secure connections.
  • What action auditing is, and how to record what happens on the database side and on connections to it.
  • How to protect data in the database itself and which technologies exist for this.

Three components of DBMS security: connection protection, activity auditing and data protection

Securing your connections

You can connect to the database either directly or indirectly through web applications. As a rule, the business user, that is, the person who works with the DBMS, interacts with it indirectly.

Before talking about protecting connections, you need to answer the key questions that determine how the security measures will be structured:

  • whether one business user is equivalent to one DBMS user;
  • whether access to DBMS data is provided only through an API that you control, or whether tables are accessed directly;
  • whether the DBMS is placed in a separate protected segment, and who interacts with it and how;
  • whether pooling, proxies and intermediate layers are used, which can change the information about how a connection is established and who is using the database.

Now let's see which tools can be used to secure connections:

  1. Use database firewall class solutions. An additional layer of protection will, at a minimum, increase the transparency of what is happening in the DBMS, and at most, you will be able to provide additional data protection.
  2. Use password policies. Their use depends on how your architecture is built. In any case, a single password in the configuration file of a web application that connects to the DBMS is not enough for protection. There are a number of DBMS tools that let you enforce that the user and the password require updating.

    You can read more about user assessment functions here, and you can also find out about MS SQL Vulnerability Assessment here

  3. Enrich the session context with the necessary information. If the session is opaque and you do not understand who is working in the DBMS within it, you can, as part of the operation being performed, add information about who is doing what and why. This information can then be seen in the audit.
  4. Configure SSL if you have no network separation between the DBMS and end users and the DBMS is not in a separate VLAN. In such cases it is imperative to protect the channel between the consumer and the DBMS itself. Security tools for this are also available in open source.

How will this affect DBMS performance?

Let's look at a PostgreSQL example to see how SSL affects CPU load, increases timings and decreases TPS, and whether it consumes too many resources if you enable it.

We load PostgreSQL using pgbench, a simple program for running benchmark tests. It executes a single sequence of commands repeatedly, possibly in parallel database sessions, and then calculates the average transaction rate.

Test 1 without SSL and with SSL: a connection is established for every transaction:

pgbench.exe --connect -c 10 -t 5000 "host=192.168.220.129 dbname=taskdb user=postgres sslmode=require sslrootcert=rootCA.crt sslcert=client.crt sslkey=client.key"

vs

pgbench.exe --connect -c 10 -t 5000 "host=192.168.220.129 dbname=taskdb user=postgres"

Test 2 without SSL and with SSL: all transactions are executed in a single connection:

pgbench.exe -c 10 -t 5000 "host=192.168.220.129 dbname=taskdb user=postgres sslmode=require sslrootcert=rootCA.crt sslcert=client.crt sslkey=client.key"

vs

pgbench.exe -c 10 -t 5000 "host=192.168.220.129 dbname=taskdb user=postgres"

Other settings:

scaling factor: 1
query mode: simple
number of clients: 10
number of threads: 1
number of transactions per client: 5000
number of transactions actually processed: 50000/50000

Test results:

                                           | NO SSL      | SSL
-------------------------------------------+-------------+-------------
A connection is established for every transaction
  average latency                          | 171.915 ms  | 187.695 ms
  tps including connections establishing   | 58.168112   | 53.278062
  tps excluding connections establishing   | 64.084546   | 58.725846
  CPU                                      | 24%         | 28%
All transactions are executed in a single connection
  average latency                          | 6.722 ms    | 6.342 ms
  tps including connections establishing   | 1587.657278 | 1576.792883
  tps excluding connections establishing   | 1588.380574 | 1577.694766
  CPU                                      | 17%         | 21%

Under light loads, the effect of SSL is comparable to measurement error. If the amount of data transferred is very large, the situation may be different. If we establish one connection per transaction (this is rare, since a connection is usually shared between users) and you have a large number of connects and disconnects, the impact may be slightly larger. That is, there may be a risk of reduced performance; however, the difference is not so large as to justify not using protection.

Note that there is a strong difference when you compare the modes of operation: working within a single session or in different ones. This is understandable: resources are spent on creating each connection.

We had a case where we connected Zabbix in trust mode, that is, md5 was not checked and no authentication was needed. Then the customer asked us to enable md5 authentication mode. This put a heavy load on the CPU, and performance dropped. We started looking for ways to optimize. One possible solution to the problem is to implement network restrictions, create separate VLANs for the DBMS, add settings so that it is clear who connects from where, and remove authentication. In general, the use of different authentication methods affects performance, and these factors must be taken into account when designing the computing power of the servers (hardware) for the DBMS.

Conclusion: in many solutions, even small nuances of authentication can greatly affect the project, and it is bad when this only becomes clear after deployment in production.

Auditing

Auditing can cover more than just the DBMS. Auditing is about getting information about what is happening in different segments. This can be a database firewall or the operating system on which the DBMS is built.

In commercial Enterprise-level DBMSs everything is fine with auditing, but in open source that is not always the case. Here is what PostgreSQL has:

  • default log: built-in logging;
  • extensions: pgaudit: if the default logging is not enough for you, you can use separate settings that solve specific problems.

Addition to the talk in the video:

"Basic statement logging can be provided by the standard logging facility with log_statement = all.

This is acceptable for monitoring and other usages but does not provide the level of detail generally required for an audit.

It is not enough to have a list of all the operations performed against the database.

It must also be possible to find particular statements that are of interest to an auditor.

The standard logging facility shows what the user requested, while pgAudit focuses on the details of what happened while the database was satisfying the request.

For example, an auditor may want to verify that a particular table was created inside a documented maintenance window.

This might seem like a simple job for basic auditing and grep, but what if you are presented with something like this (intentionally obfuscated) example:

DO $$
BEGIN
    EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;

Standard logging will give you this:

LOG:  statement: DO $$
BEGIN
    EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;

It appears that finding the table of interest may require some knowledge of the code in cases where tables are created dynamically.

This is not ideal, since it would be preferable to just search on the table name.

This is where pgAudit comes in.

For the same input, it will produce this output in the log:

AUDIT: SESSION,33,1,FUNCTION,DO,,,"DO $$
BEGIN
    EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;"
AUDIT: SESSION,33,2,DDL,CREATE TABLE,TABLE,public.important_table,CREATE TABLE important_table (id INT)

Not only is the DO block logged, but also the full text of the CREATE TABLE with the statement type, object type and fully qualified name, to make searches easy.

When logging SELECT and DML statements, pgAudit can be configured to log a separate entry for each relation referenced in a statement.

No parsing is required to find all statements that touch a particular table (*)."
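
The search that the quoted passage describes, as an added example that is not part of the original article or of pgAudit itself: it parses the comma-separated AUDIT entries (including the multi-line quoted DO block) and selects every statement that touched public.important_table, while a plain grep of the standard log finds nothing. The log text is a constructed sample built from the entries above; the INSERT entry (statement 34) and all function names are assumptions made for illustration.

```python
import csv
from itertools import chain

# Field order of a pgAudit entry, following the sample entries in the text.
FIELDS = ("audit_type", "statement_id", "substatement_id", "class",
          "command", "object_type", "object_name", "statement")

# Constructed sample: what standard logging keeps for the obfuscated DO block.
STANDARD_LOG = """LOG:  statement: DO $$
BEGIN
    EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;
"""

# Constructed sample: the two pgAudit entries from the text plus one invented
# INSERT entry (statement 34), as it would look with per-relation logging.
AUDIT_LOG = """AUDIT: SESSION,33,1,FUNCTION,DO,,,"DO $$
BEGIN
    EXECUTE 'CREATE TABLE import' || 'ant_table(id int)';
END$$;"
AUDIT: SESSION,33,2,DDL,CREATE TABLE,TABLE,public.important_table,CREATE TABLE important_table (id INT)
AUDIT: SESSION,34,1,WRITE,INSERT,TABLE,public.important_table,INSERT INTO important_table VALUES (1)
"""


def parse_pgaudit(log_text):
    """Return one dict per AUDIT entry; quoted statements may span lines."""
    lines = iter(log_text.splitlines(keepends=True))
    entries = []
    for line in lines:
        marker = line.find("AUDIT: ")
        if marker == -1:
            continue  # ordinary server log line, not an audit entry
        first = line[marker + len("AUDIT: "):]
        # csv.reader pulls continuation lines from the shared iterator until
        # the quoted statement field is closed, so the outer loop resumes
        # at the next entry.
        record = next(csv.reader(chain([first], lines)))
        entries.append(dict(zip(FIELDS, record)))
    return entries


def statements_touching(entries, qualified_name):
    """Entries whose object name equals the schema-qualified table name."""
    return [e for e in entries if e.get("object_name") == qualified_name]


def grep_lines(log_text, needle):
    """What a plain text search of the log would return."""
    return [line for line in log_text.splitlines() if needle in line]


if __name__ == "__main__":
    print("grep on standard log:", grep_lines(STANDARD_LOG, "important_table"))
    audit = parse_pgaudit(AUDIT_LOG)
    for e in statements_touching(audit, "public.important_table"):
        print(e["statement_id"], e["substatement_id"], e["class"], e["command"])
```
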

How will this affect DBMS performance?

Let's run tests with full auditing enabled and see what happens to PostgreSQL performance. We enable maximum database logging for all parameters.

We change almost nothing in the configuration file; the most important thing is to turn on debug5 mode to get the maximum amount of information.

postgresql.conf

# Write everything to rotated log files
log_destination = 'stderr'
logging_collector = on
log_truncate_on_rotation = on
log_rotation_age = 1d
log_rotation_size = 10MB
# Most verbose message level, and log every statement regardless of duration
log_min_messages = debug5
log_min_error_statement = debug5
log_min_duration_statement = 0
# Dump parse trees, rewritten queries and plans
debug_print_parse = on
debug_print_rewritten = on
debug_print_plan = on
debug_pretty_print = on
# Log connection, checkpoint, lock and replication activity
log_checkpoints = on
log_connections = on
log_disconnections = on
log_duration = on
log_hostname = on
log_lock_waits = on
log_replication_commands = on
log_temp_files = 0
log_timezone = 'Europe/Moscow'

On a PostgreSQL DBMS with 1 CPU, 2.8 GHz, 2 GB RAM and a 40 GB HDD, we run three load tests using the commands:

$ pgbench -p 3389 -U postgres -i -s 150 benchmark
$ pgbench -p 3389 -U postgres -c 50 -j 2 -P 60 -T 600 benchmark
$ pgbench -p 3389 -U postgres -c 150 -j 2 -P 60 -T 600 benchmark

Test results:

                                         | No logging | With logging
-----------------------------------------+------------+--------------
Total database fill time                 | 43.74 sec  | 53.23 sec
RAM                                      | 24%        | 40%
CPU                                      | 72%        | 91%
Test 1 (50 connections)
  Number of transactions in 10 minutes   | 74169      | 32445
  Transactions/sec                       | 123        | 54
  Average latency                        | 405 ms     | 925 ms
Test 2 (150 connections with 100 possible)
  Number of transactions in 10 minutes   | 81727      | 31429
  Transactions/sec                       | 136        | 52
  Average latency                        | 550 ms     | 1432 ms
About sizes
  DB size                                | 2251 MB    | 2262 MB
  Database log size                      | 0 MB       | 4587 MB

Bottom line: a full audit is not great. The audit data will be as large as the data in the database itself, or even larger. The volume of logging generated when working with a DBMS is a common problem in production.

Let's look at other parameters:

  • Speed does not change much: without logging 43.74 seconds, with logging 53.23 seconds.
  • RAM and CPU performance will suffer because the audit file has to be generated. This is also noticeable in production.

As the number of connections grows, performance naturally degrades slightly.

For corporations, auditing is even harder:

  • there is a lot of data;
  • auditing is needed not only via syslog into the SIEM but also in files: if something happens to syslog, there must be a file close to the database in which the data is saved;
  • a separate shelf is needed for auditing so as not to waste disk I/O, since it takes up a lot of space;
  • it happens that information security staff want GOST standards everywhere and require state identification.

Restricting access to data

Let's look at the technologies used to protect data and access to it in commercial and open source DBMSs.

What you can use in general:

  1. Encryption and obfuscation of procedures and functions (Wrapping): separate tools and utilities that make readable code unreadable. True, afterwards it can be neither changed nor refactored back. This approach is sometimes required at least on the DBMS side: the logic of license restrictions or the authorization logic is encrypted precisely at the procedure and function level.
  2. Restricting the visibility of data by rows (RLS) is when different users see the same table but a different set of rows in it, that is, something cannot be shown to someone at the row level.
  3. Editing the displayed data (Masking) is when users looking at the same table column see either the data or only asterisks, that is, for some users the information is hidden. The technology determines which user is shown what based on their access level.
  4. Security DBA/Application DBA/DBA access control is, rather, about restricting access to the DBMS itself, that is, information security staff can be separated from database administrators and application administrators. There are few such technologies in open source, but plenty in commercial DBMSs. They are needed when many users have access to the servers themselves.
  5. Restricting access to files at the file system level. You can grant rights and access privileges to directories so that each administrator has access only to the necessary data.
  6. Mandatory access and memory clearing: these technologies are rarely used.
  7. End-to-end encryption directly from the DBMS is client-side encryption with key management on the server side.
  8. Data encryption. For example, column encryption is when you use a mechanism that encrypts a single column of the database.

How does this affect DBMS performance?

Let's look at the example of column encryption in PostgreSQL. There is the pgcrypto module, which lets you store selected fields in encrypted form. This is useful when only some of the data is valuable. To read the encrypted fields, the client sends a decryption key, and the server decrypts the data and returns it to the client. Without the key, nobody can do anything with your data.

Let's test with pgcrypto. We create a table with encrypted data and a table with regular data. Below are the commands for creating the tables; the very first line is a useful command that creates the extension itself and registers it in the DBMS:

CREATE EXTENSION pgcrypto;
CREATE TABLE t1 (id integer, text1 text, text2 text);
CREATE TABLE t2 (id integer, text1 bytea, text2 bytea);
INSERT INTO t1 (id, text1, text2)
VALUES (generate_series(1,10000000), generate_series(1,10000000)::text, generate_series(1,10000000)::text);
INSERT INTO t2 (id, text1, text2) VALUES (
generate_series(1,10000000),
encrypt(cast(generate_series(1,10000000) AS text)::bytea, 'key'::bytea, 'bf'),
encrypt(cast(generate_series(1,10000000) AS text)::bytea, 'key'::bytea, 'bf'));

Next, let's try sampling data from each table and look at the execution times.

Selecting from the table without the encryption function:

psql -c "\timing" -c "select * from t1 limit 1000;" "host=192.168.220.129 dbname=taskdb user=postgres sslmode=disable" > 1.txt

Timing is on.

  id  | text1 | text2
------+-------+-------
    1 | 1     | 1
    2 | 2     | 2
    3 | 3     | 3
...
  997 | 997   | 997
  998 | 998   | 998
  999 | 999   | 999
 1000 | 1000  | 1000
(1000 rows)

Time: 1.386 ms

Selecting from the table with the encryption function:

psql -c "\timing" -c "select id, decrypt(text1, 'key'::bytea, 'bf'), decrypt(text2, 'key'::bytea, 'bf') from t2 limit 1000;" "host=192.168.220.129 dbname=taskdb user=postgres sslmode=disable" > 2.txt

Timing is on.

  id  |  decrypt   |  decrypt
------+------------+------------
    1 | \x31       | \x31
    2 | \x32       | \x32
    3 | \x33       | \x33
...
  999 | \x393939   | \x393939
 1000 | \x31303030 | \x31303030
(1000 rows)

Time: 50.203 ms

Test results:

                     | Without encryption | Pgcrypto (decrypt)
---------------------+--------------------+--------------------
Sample of 1000 rows  | 1.386 ms           | 50.203 ms
CPU                  | 15%                | 35%
RAM                  |                    | +5%

Encryption has a big impact on performance. You can see that the timing has increased, because decrypting encrypted data (and decryption is usually also wrapped in your own logic) requires significant resources. That is, the idea of encrypting every column that contains some kind of data is fraught with reduced performance.

However, encryption is not a silver bullet that solves all problems. While the data is being decrypted and transferred, both the decrypted data and the decryption key are located on the server. Therefore, the keys can be intercepted by someone who has full access to the database server, such as a system administrator.

When there is a single key for the whole column for all users (even if not for all, but for a limited set of clients), this is not always good or correct. That is why people started doing end-to-end encryption, DBMSs began to consider options for encrypting data on the client and server side, and those same key vault storages appeared: separate products that provide key management on the DBMS side.

An example of such encryption in MongoDB

Security features in commercial and open source DBMSs

DBMS       | Type       | Password policy | Audit     | Source code protection for procedures and functions | RLS | Encryption
-----------+------------+-----------------+-----------+------------------------------------------------------+-----+------------------------------------------
Oracle     | commercial | +               | +         | +                                                    | +   | +
MsSql      | commercial | +               | +         | +                                                    | +   | +
Jatoba     | commercial | +               | +         | +                                                    | +   | extension
PostgreSQL | free       | extension       | extension | -                                                    | +   | extension
MongoDb    | free       | -               | +         | -                                                    | -   | Available in MongoDB Enterprise only

The table is far from complete, but the situation is this: in commercial products, security issues have long been solved; in open source, as a rule, some kind of add-ons are used for security, many functions are missing, and sometimes you have to add something yourself. For example, password policies: PostgreSQL has many different extensions (1, 2, 3, 4, 5) that implement password policies, but, in my opinion, none of them covers all the needs of the domestic corporate segment.

What should you do if what you need is not available anywhere? For example, you want to use a specific DBMS that lacks the functions the customer requires.

Then you can use third-party solutions that work with different DBMSs, for example, Crypto DB or Garda DB. If we are talking about solutions from the domestic segment, they know about GOSTs better than open source does.

The second option is to write what you need yourself, implementing data access and encryption in the application at the procedure level. True, it will be harder with GOST. But in general, you can hide the data as needed, put it in the DBMS, then retrieve and decrypt it as needed, right at the application level. At the same time, think right away about how you will protect these algorithms in the application. In our opinion, this should be done at the DBMS level, because it will work faster.

This talk was first given at @Databases Meetup by Mail.ru Cloud Solutions. Watch the video of other talks and subscribe to event announcements in the Telegram channel Around Kubernetes at Mail.ru Group.


Source: www.habr.com
