偷偷摘套内射激情视频,久久精品99国产国产精,中文字幕无线乱码人妻,中文在线中文a,性爽19p

<thead id="6nxrk"><rt id="6nxrk"></rt></thead>

AI.x社區(qū)

軟考社區(qū)

免費(fèi)課

企業(yè)培訓(xùn)

鴻蒙開發(fā)者社區(qū)

信創(chuàng)認(rèn)證

公眾號矩陣

移動端

視頻課免費(fèi)課排行榜短視頻直播課軟考學(xué)堂

全部課程軟考信創(chuàng)認(rèn)證華為認(rèn)證廠商認(rèn)證 IT技術(shù)PMP項(xiàng)目管理免費(fèi)題庫

在線學(xué)習(xí)

文章資源問答課堂專欄直播

51CTO

鴻蒙開發(fā)者社區(qū)

51CTO技術(shù)棧

51CTO官微

51CTO學(xué)堂

51CTO博客

CTO訓(xùn)練營

鴻蒙開發(fā)者社區(qū)訂閱號

51CTO軟考

51CTO學(xué)堂APP

51CTO學(xué)堂企業(yè)版APP

鴻蒙開發(fā)者社區(qū)視頻號

51CTO軟考題庫

賬號設(shè)置退出

GreatSQL 配置 SSL 訪問：單機(jī)與 MGR 集群指南

作者：土豆娃娃 2025-10-28 03:00:00

數(shù)據(jù)庫其他數(shù)據(jù)庫

為確保數(shù)據(jù)庫中傳輸數(shù)據(jù)的安全性與完整性，防止敏感信息在通信過程中被竊聽或篡改，建議為GreatSQL服務(wù)啟用SSL加密連接。此舉尤其適用于不安全的網(wǎng)絡(luò)環(huán)境（如公有網(wǎng)絡(luò)），或需滿足行業(yè)數(shù)據(jù)安全合規(guī)性要求的場景。

背景說明

為確保數(shù)據(jù)庫中傳輸數(shù)據(jù)的安全性與完整性，防止敏感信息在通信過程中被竊聽或篡改，建議為GreatSQL服務(wù)啟用SSL加密連接。此舉尤其適用于不安全的網(wǎng)絡(luò)環(huán)境（如公有網(wǎng)絡(luò)），或需滿足行業(yè)數(shù)據(jù)安全合規(guī)性要求的場景。以下文檔將詳述配置GreatSQL服務(wù)器端強(qiáng)制SSL連接，并為客戶端頒發(fā)證書的具體操作步驟。

單機(jī)開啟SSL

通過命令，初始化密鑰文件，其中datadir與數(shù)據(jù)庫數(shù)據(jù)目錄保持一致。

/greatsql/gdb/svr/greatsql/bin/mysql_ssl_rsa_setup --datadir=/greatsql/gdb/dbdata/3313/data
chown greatsql.greatsql /greatsql/gdb/dbdata/3313/data/*pem

會產(chǎn)生如下新的文件：

$ ll /greatsql/gdb/dbdata/3313/data/*pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/ca.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/client-cert.pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/client-key.pem
-rw------- 1 greatsql greatsql 1676 Sep 15 11:32 /greatsql/gdb/dbdata/3313/data/private_key.pem
-rw-r--r-- 1 greatsql greatsql  452 Sep 15 11:32 /greatsql/gdb/dbdata/3313/data/public_key.pem
-rw-r--r-- 1 greatsql greatsql 1115 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/server-cert.pem
-rw------- 1 greatsql greatsql 1679 Sep 15 11:34 /greatsql/gdb/dbdata/3313/data/server-key.pem

在配置文件中，添加全局加密通信要求參數(shù)。

require_secure_transport=ON

此時通過非socket訪問數(shù)據(jù)庫均要求SSL通信。

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 --ssl-mode=disable
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910

Copyright (c) 2021-2025 GreatDB Software Co., Ltd
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h'forhelp. Type '\c' to clear the current input statement.

greatsql> \s
--------------
/greatsql/gdb/svr/greatsql/bin/mysql  Ver 8.0.32-27 for Linux on x86_64 (GreatSQL, Release 27, Revision aa66a385910)

Connection id:                13
Current database:        
Current user:                bing@172.17.134.55
SSL:                        Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:                stdout
Using outfile:                ''
Using delimiter:        ;
Server version:                8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Protocol version:        10
Connection:                172.17.134.55 via TCP/IP
Server characterset:        utf8mb4
Db     characterset:        utf8mb4
Client characterset:        utf8mb4
Conn.  characterset:        utf8mb4
TCP port:                3313
Binary data as:                Hexadecimal
Uptime:                        6 min 1 sec

Threads: 3  Questions: 19  Slow queries: 0  Opens: 150  Flush tables: 3  Open tables: 69  Queries per second avg: 0.052
--------------

如果要求必須使用正確的SSL證書文件才能登錄，則需要設(shè)置數(shù)據(jù)庫賬號權(quán)限為X509。

ALTER USER bing require x509;

無證書登錄則報錯。

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'bing'@'172.17.134.55' (using password: YES)

有證書登錄則正常。

$ /greatsql/gdb/svr/greatsql/bin/mysql -ubing -p'abc123' -h172.17.134.55 -P3313 --ssl-ca=/greatsql/gdb/dbdata/3313/data/ca.pem --ssl-cert=/greatsql/gdb/dbdata/3313/data/client-cert.pem --ssl-key=/greatsql/gdb/dbdata/3313/data/client-key.pem
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 8.0.32-27 GreatSQL, Release 27, Revision aa66a385910

Copyright (c) 2021-2025 GreatDB Software Co., Ltd
Copyright (c) 2009-2025 Percona LLC and/or its affiliates
Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h'forhelp. Type '\c' to clear the current input statement.

greatsql> \s
--------------
/greatsql/gdb/svr/greatsql/bin/mysql  Ver 8.0.32-27 for Linux on x86_64 (GreatSQL, Release 27, Revision aa66a385910)

Connection id:                12
Current database:        
Current user:                bing@172.17.134.55
SSL:                        Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:                stdout
Using outfile:                ''
Using delimiter:        ;
Server version:                8.0.32-27 GreatSQL, Release 27, Revision aa66a385910
Protocol version:        10
Connection:                172.17.134.55 via TCP/IP
Server characterset:        utf8mb4
Db     characterset:        utf8mb4
Client characterset:        utf8mb4
Conn.  characterset:        utf8mb4
TCP port:                3313
Binary data as:                Hexadecimal
Uptime:                        5 min 17 sec

Threads: 3  Questions: 13  Slow queries: 0  Opens: 150  Flush tables: 3  Open tables: 69  Queries per second avg: 0.041
--------------

MGR 開啟SSL

數(shù)據(jù)庫參數(shù)中添加配置

loose-group_replication_ssl_mode = REQUIRED
loose-group_replication_recovery_use_ssl = 1

證書生成

任意一種方式配置均能成功啟用SSL。

MGR組內(nèi)只能通過同一個ca.pem生成其他證書，否則連接會失敗。

方法一(每個實(shí)例單獨(dú)SSL文件，安全性高)

通過腳本，生成每個節(jié)點(diǎn)的SSL相關(guān)證書，輸入IP地址的證書，只能在對應(yīng)服務(wù)器上使用。

gen_ca_server_client_cert.sh （腳本文件有需要聯(lián)系小助手獲?。?/span>

[root@gdb01-001 /data/tmp]$  sh gen_ca_server_client_cert.sh 192.168.0.4
 未檢測到CA文件，正在生成統(tǒng)一CA...
Generating RSA private key, 4096bit long modulus (2 primes)
.............................................................................++++
................++++
e is 65537 (0x010001)
 已生成統(tǒng)一CA: ca.pem, ca-key.pem
 正在生成 Server 證書...
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
......+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.4
Getting CA Private Key
192.168.0.4-server-cert.pem: OK
 Server證書生成完成:
  - 私鑰: 192.168.0.4-server-key.pem
  - 證書: 192.168.0.4-server-cert.pem
 正在生成 Client 證書...
Generating RSA private key, 2048bit long modulus (2 primes)
......................................................................................+++++
...........................................................................................................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.4-client
Getting CA Private Key
192.168.0.4-client-cert.pem: OK
 Client證書生成完成:
  - 私鑰: 192.168.0.4-client-key.pem
  - 證書: 192.168.0.4-client-cert.pem
統(tǒng)一 CA: ca.pem / ca-key.pem
Server證書: 192.168.0.4-server-cert.pem / 192.168.0.4-server-key.pem
Client證書: 192.168.0.4-client-cert.pem / 192.168.0.4-client-key.pem
完整流程完成 
[root@gdb01-001 /data/tmp]#  
[root@gdb01-001 /data/tmp]$  sh gen_ca_server_client_cert.sh 192.168.0.5
 檢測到已有CA: ca.pem, ca-key.pem，直接使用
 正在生成 Server 證書...
Generating RSA private key, 2048bit long modulus (2 primes)
...........................................................................................................................................+++++
..................................+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.5
Getting CA Private Key
192.168.0.5-server-cert.pem: OK
 Server證書生成完成:
  - 私鑰: 192.168.0.5-server-key.pem
  - 證書: 192.168.0.5-server-cert.pem
 正在生成 Client 證書...
Generating RSA private key, 2048bit long modulus (2 primes)
..............................................................................+++++
........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.5-client
Getting CA Private Key
192.168.0.5-client-cert.pem: OK
 Client證書生成完成:
  - 私鑰: 192.168.0.5-client-key.pem
  - 證書: 192.168.0.5-client-cert.pem
統(tǒng)一 CA: ca.pem / ca-key.pem
Server證書: 192.168.0.5-server-cert.pem / 192.168.0.5-server-key.pem
Client證書: 192.168.0.5-client-cert.pem / 192.168.0.5-client-key.pem
完整流程完成 
[root@gdb01-001 /data/tmp]#
[root@gdb01-001 /data/tmp]$  sh gen_ca_server_client_cert.sh 192.168.0.3
 檢測到已有CA: ca.pem, ca-key.pem，直接使用
 正在生成 Server 證書...
Generating RSA private key, 2048bit long modulus (2 primes)
.....................+++++
.........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.3
Getting CA Private Key
192.168.0.3-server-cert.pem: OK
 Server證書生成完成:
  - 私鑰: 192.168.0.3-server-key.pem
  - 證書: 192.168.0.3-server-cert.pem
 正在生成 Client 證書...
Generating RSA private key, 2048bit long modulus (2 primes)
.......+++++
...........+++++
e is 65537 (0x010001)
Signature ok
subject=CN = 192.168.0.3-client
Getting CA Private Key
192.168.0.3-client-cert.pem: OK
 Client證書生成完成:
  - 私鑰: 192.168.0.3-client-key.pem
  - 證書: 192.168.0.3-client-cert.pem
統(tǒng)一 CA: ca.pem / ca-key.pem
Server證書: 192.168.0.3-server-cert.pem / 192.168.0.3-server-key.pem
Client證書: 192.168.0.3-client-cert.pem / 192.168.0.3-client-key.pem
完整流程完成 
[root@gdb01-001 /data/tmp]#

將6個文件scp到證書目錄，注意調(diào)整屬主。

SSL文件分發(fā)：

scp ca-key.pem ca.pem 192.168.0.5-client-key.pem 192.168.0.5-client-cert.pem 192.168.0.5-server-cert.pem 192.168.0.5-server-key.pem 192.168.0.5:/greatsql/gdb/dbdata/3313/ssl_files
scp ca-key.pem ca.pem 192.168.0.4-client-key.pem 192.168.0.4-client-cert.pem 192.168.0.4-server-cert.pem 192.168.0.4-server-key.pem 192.168.0.4:/greatsql/gdb/dbdata/3313/ssl_files
scp ca-key.pem ca.pem 192.168.0.3-client-key.pem 192.168.0.3-client-cert.pem 192.168.0.3-server-cert.pem 192.168.0.3-server-key.pem 192.168.0.3:/greatsql/gdb/dbdata/3313/ssl_files

重命名SSL文件名rename '192.168.0.5-' '' *

[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]$  ll
total 24K
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 192.168.0.5-client-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 192.168.0.5-client-key.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 192.168.0.5-server-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 192.168.0.5-server-key.pem
-rw-r--r-- 1 greatsql greatsql 3.2K Sep 13 20:48 ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1.8K Sep 13 20:48 ca.pem
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]#  rename '192.168.0.5-' '' *
[root@gdb01-003 /greatsql/gdb/dbdata/3313/ssl_files]#  ll
total 24K
-rw-r--r-- 1 greatsql greatsql 3.2K Sep 13 20:48 ca-key.pem
-rw-r--r-- 1 greatsql greatsql 1.8K Sep 13 20:48 ca.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 client-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 client-key.pem
-rw-r--r-- 1 greatsql greatsql 1.4K Sep 13 20:48 server-cert.pem
-rw-r--r-- 1 greatsql greatsql 1.7K Sep 13 20:48 server-key.pem

并且要在每個實(shí)例的配置文件中，添加如下配置。

ssl-ca=/greatsql/gdb/dbdata/3313/ssl_files/ca.pem
ssl-cert=/greatsql/gdb/dbdata/3313/ssl_files/server-cert.pem
ssl-key=/greatsql/gdb/dbdata/3313/ssl_files/server-key.pem

驗(yàn)證證書有效期。

openssl x509 -in server-cert.pem -noout -dates

方法二(所有實(shí)例SSL文件相同，使用方便)

在第一個節(jié)點(diǎn)直接通過下面的命令初始化好證書。

/greatsql/gdb/svr/greatsql/bin/mysql_ssl_rsa_setup --datadir=/greatsql/gdb/dbdata/3313/data
chown greatsql.greatsql /greatsql/gdb/dbdata/3313/data/*pem

在其他節(jié)點(diǎn)，直接通過clone復(fù)制數(shù)據(jù)，然后通過scp復(fù)制證書，雖然這樣會導(dǎo)致所有節(jié)點(diǎn)證書均一致，但是不影響使用。

greatsql> SET GLOBAL clone_valid_donor_list='192.168.0.4:3313';
Query OK, 0 rows affected (0.00 sec)

greatsql> CLONE INSTANCE FROM greatsql@192.168.0.4:3313 IDENTIFIED BY '!QAZ2wsx';
scp ca-key.pem ca.pem client-key.pem client-cert.pem server-cert.pem server-key.pem 192.168.0.3:/greatsql/gdb/dbdata/3313/ssl_files

查詢MGR中SSL生效狀態(tài)

SELECT * FROM performance_schema.replication_group_members;

查看SSL生效。

greatsql> SHOW VARIABLES LIKE 'group_replication_ssl_mode';
+----------------------------+----------+
| Variable_name              | Value    |
+----------------------------+----------+
| group_replication_ssl_mode | REQUIRED |
+----------------------------+----------+
1 row inset (0.00 sec)

greatsql> SHOW VARIABLES LIKE 'group_replication_recovery_use_ssl';
+------------------------------------+-------+
| Variable_name                      | Value |
+------------------------------------+-------+
| group_replication_recovery_use_ssl | ON    |
+------------------------------------+-------+
1 row inset (0.00 sec)

責(zé)任編輯：武曉燕來源： GreatSQL社區(qū)

GreatSQL MGR 集群

點(diǎn)贊

51CTO技術(shù)棧公眾號

業(yè)務(wù)
速覽

媒體

51CTO CIOAge HC3i

社區(qū)

51CTO博客鴻蒙開發(fā)者社區(qū) AI.x社區(qū)

教育

51CTO學(xué)堂精培企業(yè)培訓(xùn) CTO訓(xùn)練營

<tt id="ltmnt"><mark id="ltmnt"></mark></tt>