Encryption in MySQL: The Keystore

Ahead of the start of a new enrollment in the "Database" course, we have prepared a translation of a useful article.


Transparent Data Encryption (TDE) has been present in Percona Server for MySQL and in MySQL for a long time. But have you ever thought about how it works under the hood and what impact TDE can have on your server? In this series of articles we will look at how TDE works internally. Let's start with key storage, since it is required for any encryption to work at all. After that we will look in detail at how encryption works in Percona Server for MySQL/MySQL and which additional features Percona Server for MySQL offers.

MySQL Keyring

Keyrings are plugins that allow the server to query, create, and delete keys in a local file (keyring_file) or on a remote server (such as HashiCorp Vault). Keys are always cached locally to speed up retrieval.

The plugins can be divided into two categories:

  • Local storage. For example, a local file (we call this the file-based keyring).
  • Remote storage. For example, a Vault server (we call this the server-based keyring).

This distinction matters because the two storage types behave differently, not only when storing and retrieving keys, but also at startup.

With file storage, the entire contents of the storage are loaded into the cache at startup: the key id, the key user, the key type, and the key itself.

With server-side storage (such as a Vault server), only the key id and the key user are loaded at startup, so retrieving every key does not slow startup down. Keys are loaded lazily: the key itself is fetched from Vault only when it is actually needed. Once fetched, the key is kept in memory so that it does not have to be requested again over the TLS connection to the Vault server. Next, let's look at what information the key store holds.

Key information consists of the following:

  • key id - the key identifier, for example:
    INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-1
  • key type - the key type, based on the encryption algorithm used; possible values: "AES", "RSA" or "DSA".
  • key length - the key length in bytes; AES: 16, 24 or 32, RSA: 128, 256 or 512, DSA: 128, 256 or 384.
  • user - the key owner. If the key is a system key, for example the Master Key, this field is empty. If the key was created with keyring_udf, this field identifies the key's owner.
  • the key itself

A key is uniquely identified by the pair: key_id, user.

There are also differences in how keys are stored and deleted.

File storage is faster. You might think that the key store simply writes the key to the file once, but no, there is more going on. Whenever the file storage is changed, a backup copy of its entire contents is made first. Say the file is called my_biggest_secrets; the backup copy will then be my_biggest_secrets.backup. Next, the cache is modified (keys are added or deleted) and, if everything succeeds, the cache is flushed back to the file. In rare cases, such as a server crash, you may see this backup file. The backup file is deleted the next time the keys are loaded (usually after the server is restarted).

When a key is stored in or deleted from server storage, the storage has to connect to the MySQL server with "send the key" / "request key deletion" commands.

Let's get back to server startup speed. Besides the fact that startup speed is affected by the vault itself, there is also the question of how many keys have to be retrieved from the vault at startup. Naturally, this matters most for server storage. At startup, the server checks which key each encrypted table/tablespace needs and requests that key from storage. On a "clean" server with Master Key encryption there is exactly one Master Key, which has to be fetched from storage. A larger number of keys may be required, however, for example when a backup server restores a backup taken from the primary server. In such cases Master Key rotation has to be provided for. This will be covered in more detail in future articles, but I would like to note here that a server using many Master Keys can take a long time to start, especially with a server-side key store.

Now a few words about keyring_file. When I was developing keyring_file, I was concerned about how to detect changes to the keyring file while the server is running. In 5.7 the check was based on file statistics, which was not an ideal solution, and in 8.0 it was replaced with a SHA256 checksum.

On the first run of keyring_file, the file statistics and the checksum are computed and remembered by the server, and changes are applied only when they match. Whenever the file is changed, the checksum is updated.
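The following is an added example, not Percona's keyring_file implementation: a small model of the behaviour described above (backup copy of the whole file before every change, flush of the cache back to the file, removal of a leftover backup on the next load, and a SHA256 checksum of the file remembered by the server). The JSON file layout, the method names, the valid key lengths taken from the list above, and the assumption that the backup is also dropped right after a successful flush are all choices made for this illustration.

```python
import hashlib
import json
import os
import tempfile

# Added example, not Percona's keyring_file code. Assumptions: JSON file
# layout, method names, backup dropped after a successful flush as well as
# on the next load.

VALID_LENGTHS = {"AES": {16, 24, 32}, "RSA": {128, 256, 512}, "DSA": {128, 256, 384}}


def valid_key_length(key_type, key):
    return len(key) in VALID_LENGTHS.get(key_type, set())


class FileKeyring:
    def __init__(self, path):
        self.path = path
        self.backup_path = path + ".backup"
        self.cache = {}        # (key_id, user) -> (key_type, key): whole file lives here
        self.checksum = None   # SHA256 of the file as the server last wrote or loaded it
        self._load()

    def _checksum_of_file(self):
        if not os.path.exists(self.path):
            return None
        with open(self.path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()

    def _load(self):
        # A leftover .backup means an earlier change was interrupted; loading discards it.
        if os.path.exists(self.backup_path):
            os.remove(self.backup_path)
        if os.path.exists(self.path):
            with open(self.path) as f:
                for rec in json.load(f):
                    self.cache[(rec["id"], rec["user"])] = (rec["type"], rec["key"])
        self.checksum = self._checksum_of_file()

    def file_modified_externally(self):
        # Anything that touched the file behind the server's back shows up here.
        return self._checksum_of_file() != self.checksum

    def _flush(self):
        records = [{"id": i, "user": u, "type": t, "key": k}
                   for (i, u), (t, k) in self.cache.items()]
        with open(self.path, "w") as f:
            json.dump(records, f)
        self.checksum = self._checksum_of_file()

    def _apply(self, mutate):
        """Backup whole file -> change cache -> flush cache. Returns 1/0 like the UDFs."""
        if self.file_modified_externally():
            return 0
        if os.path.exists(self.path):
            with open(self.path, "rb") as src, open(self.backup_path, "wb") as dst:
                dst.write(src.read())
        ok = mutate()
        if ok:
            self._flush()
        if os.path.exists(self.backup_path):
            os.remove(self.backup_path)
        return 1 if ok else 0

    def store(self, key_id, user, key_type, key):
        def mutate():
            if (key_id, user) in self.cache or not valid_key_length(key_type, key):
                return False
            self.cache[(key_id, user)] = (key_type, key)
            return True
        return self._apply(mutate)

    def remove(self, key_id, user):
        return self._apply(lambda: self.cache.pop((key_id, user), None) is not None)

    def fetch(self, key_id, user):
        entry = self.cache.get((key_id, user))
        return None if entry is None else entry[1]


def demo():
    """Runs one keyring lifecycle in a temp dir and returns the observations."""
    path = os.path.join(tempfile.mkdtemp(), "my_biggest_secrets")
    kr = FileKeyring(path)
    out = {}
    out["store"] = kr.store("ROB_1", "rob", "AES", "0123456789abcdef")
    out["duplicate"] = kr.store("ROB_1", "rob", "AES", "0123456789abcdef")
    out["bad_length"] = kr.store("SHORT", "rob", "AES", "123456789012345")  # 15 bytes
    out["backup_left"] = os.path.exists(path + ".backup")
    reloaded = FileKeyring(path)             # a restart reloads everything into the cache
    out["after_reload"] = reloaded.fetch("ROB_1", "rob")
    out["remove"] = kr.remove("ROB_1", "rob")
    with open(path, "a") as f:               # someone edits the keyring file out of band
        f.write(" ")
    out["tampered"] = kr.file_modified_externally()
    out["store_after_tamper"] = kr.store("ROB_2", "rob", "AES", "0123456789abcdef")
    return out
```

The checksum gate in `_apply` is the point of the 8.0 change: a keyring file edited while the server runs is no longer silently overwritten by the next flush, and the mismatch is something an operator can alert on.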

We have already covered many questions about key vaults. However, there is one more important topic that is often forgotten or misunderstood: sharing keys between servers.

What do I mean? Each server (for example, Percona Server) in a cluster must have its own separate place on the Vault server where that Percona Server stores its keys. Every Master Key kept in the storage carries the Percona Server's GUID inside its identifier. Why does this matter? Imagine you have a single Vault server and all Percona Servers in the cluster use it. The problem is obvious: if all Percona Servers used Master Keys without unique identifiers, for example id = 1, id = 2, and so on, then every server in the cluster would end up using the same Master Key. The GUID is what distinguishes the servers. So why talk about sharing keys between servers at all if a unique GUID already exists? There is another plugin - keyring_udf. With this plugin, your server users can store their own keys on the Vault server. The problem arises when a user creates a key on server1 and then tries to create a key with the same ID on server2, for example:

--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
-- 1 means success
--server2:
select keyring_key_store('ROB_1','AES',"543210987654321");
1

Wait. Both servers use the same Vault server, so shouldn't the keyring_key_store call fail on server2? Interestingly, if you try the same thing on a single server, you do get an error:

--server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
select keyring_key_store('ROB_1','AES',"543210987654321");
0

Right, ROB_1 already exists.

Let's discuss the second example first. As we said earlier, keyring_vault, like any other keyring plugin, keeps all key IDs cached in memory. So after the new key is created, ROB_1 is added on server1: besides being sent to Vault, the key is added to the cache. When we then try to add the same key a second time, keyring_vault sees that the key already exists in the cache and returns an error.

In the first case the situation is different. Server1 and server2 have separate caches. After ROB_1 is added to the key cache on server1 and to the Vault server, the key cache on server2 is out of sync: there is no ROB_1 key in server2's cache. So keyring_key_store writes the ROB_1 key into server2's cache and to the Vault server, overwriting (!) the previous value. The ROB_1 key on the Vault server is now 543210987654321. Interestingly, the Vault server does not block such writes and simply overwrites the old value.
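The two outcomes above, as an added example that is not part of the original article and not the keyring_vault or keyring_udf source: each server has its own in-memory key cache in front of one shared Vault, and the duplicate check consults only the local cache. The Vault path layout ("<secret_mount_point>/<key_id>_<user>"), the class and function names, and the stale-cache check are assumptions made for this illustration; the second scenario shows what giving each server its own path under the mount point changes.

```python
# Added example, not MySQL/Percona code. Models a per-server key cache in
# front of a shared Vault; path layout and names are assumptions.


class FakeVault:
    """Stand-in for the Vault KV backend: a write to an existing path simply
    replaces the old value, which is the behaviour the text observes."""

    def __init__(self):
        self.secrets = {}

    def write(self, path, value):
        self.secrets[path] = value

    def read(self, path):
        return self.secrets.get(path)


class KeyringVault:
    """One server's keyring_vault instance: key ids are cached in memory and
    the duplicate check looks only at that local cache."""

    def __init__(self, vault, secret_mount_point):
        self.vault = vault
        self.secret_mount_point = secret_mount_point
        self.cache = {}   # (key_id, user) -> key

    def _path(self, key_id, user):
        return f"{self.secret_mount_point}/{key_id}_{user}"

    def keyring_key_store(self, key_id, user, key):
        if (key_id, user) in self.cache:
            return 0                      # the 0 the UDF returns on one server
        self.vault.write(self._path(key_id, user), key)
        self.cache[(key_id, user)] = key
        return 1

    def keyring_key_fetch(self, key_id, user):
        # Lazy load: Vault is contacted only on a cache miss, then the key stays in memory.
        if (key_id, user) not in self.cache:
            value = self.vault.read(self._path(key_id, user))
            if value is None:
                return None
            self.cache[(key_id, user)] = value
        return self.cache[(key_id, user)]

    def stale_cache_entries(self):
        """Operator's check: cached keys whose value in Vault no longer matches."""
        return sorted(key_id for (key_id, user), key in self.cache.items()
                      if self.vault.read(self._path(key_id, user)) != key)


def shared_mount_scenario():
    """Both servers point keyring_udf at the same secret_mount_point."""
    vault = FakeVault()
    server1 = KeyringVault(vault, "secret_mount")
    server2 = KeyringVault(vault, "secret_mount")
    r1 = server1.keyring_key_store("ROB_1", "rob", "123456789012345")
    r2 = server2.keyring_key_store("ROB_1", "rob", "543210987654321")    # server2's cache is empty
    r_dup = server1.keyring_key_store("ROB_1", "rob", "543210987654321") # already cached locally
    return {
        "server1_store": r1,
        "server2_store": r2,
        "server1_duplicate": r_dup,
        "vault_value": vault.read("secret_mount/ROB_1_rob"),
        "server1_cached": server1.keyring_key_fetch("ROB_1", "rob"),     # still the old key
        "server1_stale": server1.stale_cache_entries(),
    }


def separated_paths_scenario():
    """Each server gets its own path under one mount point."""
    vault = FakeVault()
    server1 = KeyringVault(vault, "mount_point/server1")
    server2 = KeyringVault(vault, "mount_point/server2")
    server1.keyring_key_store("ROB_1", "rob", "123456789012345")
    server2.keyring_key_store("ROB_1", "rob", "543210987654321")
    return {
        "server1_vault": vault.read("mount_point/server1/ROB_1_rob"),
        "server2_vault": vault.read("mount_point/server2/ROB_1_rob"),
        "server1_stale": server1.stale_cache_entries(),
    }
```

Note the second consequence of the shared mount: server1 keeps serving the old ROB_1 from its cache while Vault already holds server2's value, so the two servers now disagree about the key without either reporting an error. Comparing the cache against Vault, as `stale_cache_entries` does, is the kind of consistency check worth scheduling when several servers share a vault.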

Now we can see why separating the servers in Vault matters when you use keyring_udf and want to keep keys in Vault. How do you implement this separation on the Vault server?

There are two ways to separate servers in Vault. You can create a separate mount point for each server, or use different paths within a single mount point. This is best shown with examples, so let's look at individual mount points first:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = server1_mount
token = (...)
vault_ca = (...)

--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = server2_mount
token = (...)
vault_ca = (...)

Here you can see that server1 and server2 use different mount points. With path separation, the configuration looks like this:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server1
token = (...)
vault_ca = (...)
--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server2
token = (...)
vault_ca = (...)

In this case both servers use the same mount point "mount_point" but different paths. When you create the first secret on server1 using this path, the Vault server automatically creates the "server1" directory; on server2 it is the same. When you delete the last secret in mount_point/server1 or mount_point/server2, the Vault server removes those directories as well. With path separation you only need to create a single mount point and edit the configuration files so that the servers use different paths. A mount point can be created with an HTTP request. With CURL this is done as follows:

curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA \
  --data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT

All fields (TOKEN, VAULT_CA, VAULT_URL, SECRET_MOUNT_POINT) correspond to the parameters in the configuration file. Of course, you can use the Vault tools to do the same thing, but this form is easier to automate. I hope you found this information useful, and we'll see you in the next articles of this series.
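To make the mapping between the configuration file and the mount request concrete, here is an added example that is not part of the original article nor Percona's or HashiCorp's code: it parses keyring_vault configuration text in the form shown above and derives the request the curl command sends. The config values are constructed placeholders, and the request layout follows the curl command on this page; note in particular that with path separation only the first path component of secret_mount_point is a mount, so the request must target "mount_point", not "mount_point/server1".

```python
import json

# Added example, not Percona's or HashiCorp's code. Config values below are
# constructed placeholders; the request mirrors the curl command above.

CONFIG_SERVER1 = """\
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server1
token = TOKEN_PLACEHOLDER
vault_ca = /path/to/vault_ca.pem
"""

CONFIG_SERVER2 = """\
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server2
token = TOKEN_PLACEHOLDER
vault_ca = /path/to/vault_ca.pem
"""


def parse_keyring_vault_config(text):
    """key = value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def mount_to_create(secret_mount_point):
    """Only the first path component is a Vault mount. With path separation
    ("mount_point/server1") Vault creates 'server1' on the first write, so the
    mount request must target 'mount_point', not the full path."""
    return secret_mount_point.strip("/").split("/", 1)[0]


def build_mount_request(cfg, secret_type="generic"):
    mount = mount_to_create(cfg["secret_mount_point"])
    return {
        "method": "POST",
        "url": f"{cfg['vault_url'].rstrip('/')}/v1/sys/mounts/{mount}",
        "headers": {"X-Vault-Token": cfg["token"]},
        "body": json.dumps({"type": secret_type}),
        "cacert": cfg["vault_ca"],
    }


def as_curl(req):
    """Renders the request as the same curl command line shown above."""
    return (f"curl -L -H \"X-Vault-Token: {req['headers']['X-Vault-Token']}\" "
            f"--cacert {req['cacert']} --data '{req['body']}' "
            f"--request {req['method']} {req['url']}")


def mounts_needed(config_texts):
    """Distinct mounts a set of server configs requires: one per server with
    separate mount points, a single one with path separation."""
    return sorted({mount_to_create(parse_keyring_vault_config(t)["secret_mount_point"])
                   for t in config_texts})
```

`mounts_needed` over all server configs is a quick way to verify that a fleet is really partitioned the way you intended before any keys are written. When turning `as_curl` into real automation, keep in mind that a token on the command line is visible in the process list; in practice it is read from a file or the environment rather than interpolated.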



Source: www.habr.com
