Encryption in MySQL: the Keyring

Ahead of the start of a new enrollment in the "Database" course, we have prepared a translation of a useful article.


Transparent Data Encryption (TDE) has been available in Percona Server for MySQL and in MySQL for quite a while. But have you ever wondered how it works under the hood and what impact TDE can have on your server? In this series of articles we look at how TDE works internally. We start with key storage, since it is required for any encryption to work at all. Then we take a close look at how encryption works in Percona Server for MySQL/MySQL and at the additional features Percona Server for MySQL offers.

MySQL Keyring

Keyring plugins let the server query, create and delete keys in a local file (keyring_file) or on a remote server (such as HashiCorp Vault). Keys are always cached locally to speed up retrieval.

Plugins can be divided into two categories:

  • Local storage. For example, a local file (we call this a file-based keyring).
  • Remote storage. For example, a Vault server (we call this a server-based keyring).

This distinction matters because the two kinds of storage behave differently, not only when keys are stored and fetched, but also at server startup.

With file-based storage, the entire contents of the store are loaded into the cache at startup: the key id, the key user, the key type and the key itself.

With server-based storage (such as a Vault server), only the key identifier and the key user are loaded at startup, so fetching every key does not slow startup down. Keys are loaded lazily: the key material itself is fetched from Vault only when it is actually needed. Once fetched, the key is cached so that it does not have to be retrieved again over the TLS connection to the Vault server. Next, let's look at what information the keystore holds.

A key record consists of the following:

  • key id - the key identifier, for example:
    INNODBKey-764d382a-7324-11e9-ad8f-9cb6d0d5dc99-1
  • key type - the type of key, based on the encryption algorithm it is used with; possible values: "AES", "RSA" or "DSA".
  • key length - the key length in bytes; AES: 16, 24 or 32, RSA: 128, 256 or 512, DSA: 128, 256 or 384.
  • user - the owner of the key. For a system key, for example the Master Key, this field is empty. For a key created with keyring_udf, this field identifies the key's owner.
  • the key itself

A key is uniquely identified by the pair (key_id, user).

Storing and deleting keys also differs between the two kinds of storage.

File-based storage is faster. You might think the keystore simply writes the key to the file once, but no, there is more going on. Whenever file storage is modified, a backup copy of the whole contents is created first. Say the file is called my_biggest_secrets; the backup will be my_biggest_secrets.backup. Next, the cache is modified (keys are added or removed) and, if everything succeeds, the cache is flushed to the file. In rare cases, such as a server crash, you may find this backup file on disk. The backup file is removed the next time the keys are loaded (usually after the server restarts).

When a key is stored in or removed from server-based storage, the MySQL server has to make a round trip to the remote store with a "store this key" or "delete this key" request and wait for the reply.

Back to server startup time. Besides the fact that startup time is affected by the vault itself, there is the question of how many keys need to be fetched from the vault at startup. Naturally, this matters most for server-based storage. At startup the server checks which keys are needed for the encrypted tables/tablespaces and requests them from the store. On a "clean" server with Master Key encryption there should be exactly one Master Key, which must be fetched from the store. However, more keys may be needed, for example when a replica restores a backup taken from the primary. In such cases Master Key rotation should be planned for. This will be discussed in more detail in upcoming articles; here I only want to note that a server using several Master Keys may take a little longer to start, especially with a server-based keystore.

Now a few words about keyring_file. When I was developing keyring_file, I was also concerned about how to track changes to the keyring file while the server is running. In 5.7 the check was based on file statistics, which was not an ideal solution, and in 8.0 it was replaced with a SHA256 checksum.

When keyring_file first starts, the file statistics and checksum are computed and remembered by the server. Before a change is applied, they are recomputed and the change proceeds only if they still match what the server remembered; once the file has been rewritten, the remembered checksum is updated.
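To make the file-based write path and the checksum check concrete, here is a small Python model of it. This is an added example, not keyring_file's own code: the JSON record layout, the function names and the .tmp/.backup handling are assumptions of the model. What it reproduces is the behaviour described above: keys identified by the pair (key_id, user), the key-length table, a backup before every change, the backup surviving a crash until the next load, and a SHA-256 check that refuses to apply a change after the file was edited behind the server's back.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Key lengths in bytes per key type, as listed in the text above.
VALID_KEY_LENGTHS = {"AES": {16, 24, 32}, "RSA": {128, 256, 512}, "DSA": {128, 256, 384}}


class FileKeyring:
    """Whole file cached at load; every change goes backup -> cache -> flush; a
    remembered SHA-256 of the file catches edits made while the server runs."""

    def __init__(self, path):
        self.path = path
        self.backup_path = path + ".backup"
        self.cache = {}        # (key_id, user) -> record
        self.checksum = None   # SHA-256 of the file as last read or written
        self.load()

    @staticmethod
    def _sha256(path):
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()

    def load(self):
        """Startup: read every record, drop a backup left by an interrupted write."""
        self.cache, self.checksum = {}, None
        if os.path.exists(self.path):
            with open(self.path) as f:
                for rec in json.load(f):
                    self.cache[(rec["key_id"], rec["user"])] = rec
            self.checksum = self._sha256(self.path)
        if os.path.exists(self.backup_path):
            os.remove(self.backup_path)
        return len(self.cache)

    def _file_unchanged(self):
        if not os.path.exists(self.path):
            return self.checksum is None
        return self.checksum is not None and self._sha256(self.path) == self.checksum

    def _apply(self, mutate):
        """Backup, mutate the cache, flush. The backup is removed only after a
        successful flush, so a crash in between leaves it visible on disk."""
        if not self._file_unchanged():
            return False   # file edited while the server was running: refuse
        if os.path.exists(self.path):
            shutil.copyfile(self.path, self.backup_path)
        mutate()
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(list(self.cache.values()), f)
        os.replace(tmp, self.path)
        self.checksum = self._sha256(self.path)
        if os.path.exists(self.backup_path):
            os.remove(self.backup_path)
        return True

    def store(self, key_id, user, key_type, key):
        """1 on success, 0 if the pair exists or the length is wrong (keyring_key_store style)."""
        if len(key) not in VALID_KEY_LENGTHS.get(key_type, ()) or (key_id, user) in self.cache:
            return 0
        rec = {"key_id": key_id, "user": user, "key_type": key_type,
               "key_len": len(key), "key": key.hex()}
        return int(self._apply(lambda: self.cache.__setitem__((key_id, user), rec)))

    def remove(self, key_id, user):
        if (key_id, user) not in self.cache:
            return 0
        return int(self._apply(lambda: self.cache.pop((key_id, user))))

    def fetch(self, key_id, user):
        rec = self.cache.get((key_id, user))
        return bytes.fromhex(rec["key"]) if rec else None


def run_demo():
    """Constructed scenario in a temporary directory; returns what was observed."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "my_biggest_secrets")
    aes_key = b"0123456789abcdef"              # 16 bytes, a valid AES length
    kr, out = FileKeyring(path), {}
    out["first_store"] = kr.store("ROB_1", "rob", "AES", aes_key)                 # 1
    out["duplicate"] = kr.store("ROB_1", "rob", "AES", b"fedcba9876543210")       # 0: same pair
    out["other_user"] = kr.store("ROB_1", "alice", "AES", b"fedcba9876543210")    # 1: new pair
    out["bad_length"] = kr.store("BAD", "rob", "AES", b"tooshort")                # 0
    out["backup_after_write"] = os.path.exists(path + ".backup")                  # False
    open(path + ".backup", "w").close()   # pretend a crash left the backup behind
    restarted = FileKeyring(path)
    out["keys_after_restart"] = len(restarted.cache)                              # 2
    out["backup_after_load"] = os.path.exists(path + ".backup")                   # False
    out["fetched"] = restarted.fetch("ROB_1", "rob") == aes_key                   # True
    with open(path, "a") as f:            # edit the file behind the server's back
        f.write("\n")
    out["store_after_tamper"] = restarted.store("NEW", "rob", "AES", aes_key)     # 0
    restarted.load()                      # a reload re-reads and re-checksums the file
    out["remove_after_reload"] = restarted.remove("ROB_1", "rob")                 # 1
    shutil.rmtree(workdir)
    return out
```

Running run_demo() walks through a store, a rejected duplicate, a crash-leftover backup being cleaned up at the next load, and a store that is refused after the file was modified externally; the same sequence is what a practitioner would check when validating a keyring_file deployment.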

We have now answered many questions about keyrings. There is one more important topic, though, that is often forgotten or misunderstood: sharing keys across servers.

What do I mean? Each server (for example, Percona Server) in a cluster should have a separate location on the Vault server where that Percona Server keeps its keys. Each Master Key stored there carries the Percona Server GUID inside its identifier. Why does this matter? Imagine you have a single Vault server and all the Percona Servers in the cluster use it. The problem is obvious: if all the Percona Servers used Master Keys without unique identifiers, say id = 1, id = 2 and so on, every server in the cluster would end up using the same Master Key. The GUID is what tells the servers apart. So why talk about sharing keys between servers if a unique GUID already exists? There is another plugin, keyring_udf. With it, a user of your server can store their own keys on the Vault server. The problem appears when a user creates a key on server1 and then tries to create a key with the same ID on server2, for example:

-- server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
-- 1 means success
-- server2:
select keyring_key_store('ROB_1','AES',"543210987654321");
1

Wait. Both servers use the same Vault server; shouldn't keyring_key_store fail on server2? Interestingly, if you try the same thing on a single server, you do get an error:

-- server1:
select keyring_key_store('ROB_1','AES',"123456789012345");
1
select keyring_key_store('ROB_1','AES',"543210987654321");
0

Right: ROB_1 already exists, so the second store fails.

Let's take the second example first. As mentioned at the beginning, keyring_vault, like any other keyring plugin, keeps all key ids in memory. So when the new key ROB_1 is created on server1, it is not only sent to Vault but also added to the cache. When we try to add the same key a second time, keyring_vault finds it already in the cache and returns an error.

In the first case the situation is different. server1 and server2 have separate caches. After ROB_1 is added to the key cache on server1 and to the Vault server, the key cache on server2 is out of date: there is no ROB_1 in server2's cache. So the ROB_1 key passes the keyring_key_store check and is written to the Vault server, effectively overwriting (!) the previous value. The ROB_1 key on the Vault server is now 543210987654321. Notably, the Vault server does not block such an operation; it simply overwrites the old value.
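The overwrite described above can be modelled with two keyring instances that share one Vault path but keep separate caches. This is an added example, not Percona's keyring_vault or HashiCorp's code: FakeVault stands in for a KV v1 mount, the secret path layout secret_mount_point/<key_id>_<user> is an assumption, and the user is passed explicitly where the real UDFs take it from the session. Beyond the overwrite itself, the model shows two consequences the text does not spell out: server1 keeps using its cached original key until it restarts, and a restart then lazily loads the overwritten value from Vault. The separated_paths function previews the per-server path layout configured in the next section; separate mount points would simply be two FakeVault instances.

```python
class FakeVault:
    """Stand-in for a Vault KV v1 mount (assumption): a path -> secret map
    whose writes overwrite silently, as the text observes."""

    def __init__(self):
        self.secrets = {}

    def write(self, path, value):
        self.secrets[path] = value        # no create-only mode: last writer wins

    def read(self, path):
        return self.secrets.get(path)

    def list_metadata(self, prefix):
        """What a server reads at startup: the (key_id, user) pairs stored
        directly under its own path, never the key material."""
        return [(v["key_id"], v["user"]) for p, v in self.secrets.items()
                if p.rsplit("/", 1)[0] == prefix]


class VaultKeyring:
    """One server's keyring_vault instance with its own in-memory cache.
    Secrets live at secret_mount_point/<key_id>_<user> (assumed layout)."""

    def __init__(self, vault, secret_mount_point):
        self.vault = vault
        self.prefix = secret_mount_point.rstrip("/")
        # Lazy loading: identifiers now, key material (None) on first fetch.
        self.cache = {ident: None for ident in vault.list_metadata(self.prefix)}

    def _path(self, key_id, user):
        return f"{self.prefix}/{key_id}_{user}"

    def key_store(self, key_id, key_type, key, user=""):
        """Like keyring_key_store: 1 on success, 0 if this server's cache
        already holds the (key_id, user) pair. Only the local cache is consulted."""
        if (key_id, user) in self.cache:
            return 0
        self.vault.write(self._path(key_id, user), {"key_id": key_id, "user": user,
                                                    "key_type": key_type, "key": key})
        self.cache[(key_id, user)] = key
        return 1

    def key_fetch(self, key_id, user=""):
        """None for unknown ids; fetches from Vault on first use, then serves the cache."""
        if (key_id, user) not in self.cache:
            return None
        if self.cache[(key_id, user)] is None:
            self.cache[(key_id, user)] = self.vault.read(self._path(key_id, user))["key"]
        return self.cache[(key_id, user)]


def shared_path_collision():
    """Both servers point at the same secret_mount_point (the scenario in the text)."""
    vault = FakeVault()
    server1, server2 = VaultKeyring(vault, "mount_point"), VaultKeyring(vault, "mount_point")
    first = server1.key_store("ROB_1", "AES", "123456789012345", "rob")   # 1
    again = server1.key_store("ROB_1", "AES", "543210987654321", "rob")   # 0: in server1's cache
    other = server2.key_store("ROB_1", "AES", "543210987654321", "rob")   # 1: server2's cache is empty
    restarted = VaultKeyring(vault, "mount_point")                          # server1 after a restart
    return {
        "results": (first, again, other),
        "server1_sees": server1.key_fetch("ROB_1", "rob"),           # still its cached original
        "vault_holds": vault.read("mount_point/ROB_1_rob")["key"],   # the overwritten value
        "after_restart": restarted.key_fetch("ROB_1", "rob"),        # lazily loads the overwritten value
    }


def separated_paths():
    """Each server under its own path below the shared mount point: no collision."""
    vault = FakeVault()
    server1 = VaultKeyring(vault, "mount_point/server1")
    server2 = VaultKeyring(vault, "mount_point/server2")
    server1.key_store("ROB_1", "AES", "123456789012345", "rob")
    server2.key_store("ROB_1", "AES", "543210987654321", "rob")
    return server1.key_fetch("ROB_1", "rob"), server2.key_fetch("ROB_1", "rob")


if __name__ == "__main__":
    print(shared_path_collision())
    print(separated_paths())
```

The practical lesson is that the duplicate check lives in each server's cache, not in Vault, so any guarantee against overwrites has to come from the Vault layout (separate paths or mounts) rather than from keyring_key_store.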

Now we can see why separating servers in Vault can matter: when you use keyring_udf and want to keep the keys in Vault. How do you achieve this separation on the Vault server?

There are two ways to separate servers in Vault. You can create a separate mount point for each server, or use different paths within the same mount point. This is best shown with examples. Let's look at separate mount points first:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = server1_mount
token = (...)
vault_ca = (...)

--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = server2_mount
token = (...)
vault_ca = (...)

Here you can see that server1 and server2 use different mount points. With path separation, the configuration looks like this:

--server1:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server1
token = (...)
vault_ca = (...)
--server2:
vault_url = http://127.0.0.1:8200
secret_mount_point = mount_point/server2
token = (...)
vault_ca = (...)

In this case both servers use the same mount point, "mount_point", but different paths. When the first secret is created on server1 under this path, the Vault server automatically creates the "server1" directory. The same happens for server2. When you delete the last secret under mount_point/server1 or mount_point/server2, the Vault server removes that directory as well. If you use path separation, you only need to create one mount point and then adjust the configuration files so that the servers use different paths. A mount point can be created with an HTTP request. With curl it looks like this:

curl -L -H "X-Vault-Token: TOKEN" --cacert VAULT_CA \
  --data '{"type":"generic"}' --request POST VAULT_URL/v1/sys/mounts/SECRET_MOUNT_POINT

All the fields (TOKEN, VAULT_CA, VAULT_URL, SECRET_MOUNT_POINT) correspond to the configuration file parameters. Note that "generic" is the older name of what current Vault releases call the KV version 1 secrets engine. Of course, you can use the Vault tooling to do the same, but creating mount points is easier to automate this way. I hope you find this information useful, and see you in the next articles of this series.
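Since the text recommends automating mount creation, here is a Python equivalent of the curl command that creates one mount per server and is idempotent: it lists /v1/sys/mounts first and only mounts what is missing, so it can be re-run safely from provisioning. This is an added example, not Percona's or HashiCorp's code. The server names, the VAULT_ADDR/VAULT_TOKEN/VAULT_CACERT variables and FakeVaultTransport (an offline test double for the two endpoints, not a record of Vault's real responses) are assumptions of the example.

```python
import json
import os
import ssl
import urllib.error
import urllib.request


def http_transport(vault_url, token, vault_ca=None):
    """Build a callable (method, path, body) -> (status, parsed_json) that talks
    to a real Vault server with the same header and CA the curl command uses."""
    ctx = ssl.create_default_context(cafile=vault_ca) if vault_ca else None

    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            vault_url.rstrip("/") + path, data=data, method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            return err.code, {}
    return call


def existing_mounts(transport):
    """Names of the secrets engines currently mounted, without the trailing '/'."""
    status, listing = transport("GET", "/v1/sys/mounts")
    if status != 200:
        raise RuntimeError(f"GET /v1/sys/mounts failed with HTTP {status}")
    mounts = listing["data"] if "data" in listing else listing   # newer Vault wraps in "data"
    return {name.rstrip("/") for name in mounts}


def ensure_mount(transport, name, engine="generic"):
    """Create secret_mount_point `name` unless it already exists.
    'generic' is what the curl command sends; on current Vault the same engine is
    'kv' at version 1, which is what keyring_vault expects at this path."""
    if name in existing_mounts(transport):
        return "exists"
    body = {"type": engine}
    if engine == "kv":
        body["options"] = {"version": "1"}
    status, _ = transport("POST", f"/v1/sys/mounts/{name}", body)
    if status not in (200, 204):
        raise RuntimeError(f"mounting {name} failed with HTTP {status}")
    return "created"


def ensure_server_mounts(transport, servers, engine="generic"):
    """One mount per server, named <server>_mount as in the configuration above."""
    return {s: ensure_mount(transport, f"{s}_mount", engine) for s in servers}


class FakeVaultTransport:
    """Offline stand-in for the two sys/mounts endpoints (test double, assumed)."""

    def __init__(self, mounts=("secret",)):
        self.mounts = {m + "/": {"type": "kv"} for m in mounts}
        self.calls = []

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "GET" and path == "/v1/sys/mounts":
            return 200, {"data": dict(self.mounts)}
        if method == "POST" and path.startswith("/v1/sys/mounts/"):
            name = path[len("/v1/sys/mounts/"):] + "/"
            if name in self.mounts:
                return 400, {"errors": ["path is already in use"]}
            self.mounts[name] = {"type": body["type"]}
            return 204, {}
        return 404, {}


if __name__ == "__main__":
    # Real run against Vault, using the variable names the Vault CLI itself reads.
    transport = http_transport(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                               os.environ.get("VAULT_CACERT"))
    print(ensure_server_mounts(transport, ["server1", "server2"]))
```

For path separation instead of separate mounts, call ensure_mount once for the shared mount point and put the per-server path only in each server's secret_mount_point setting; the token used here needs write access to sys/mounts, which is far more privilege than keyring_vault itself needs, so use a separate provisioning token rather than the one in the server configuration.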



Source: www.habr.com
