RPC connection authentication

Introduction

The RPC connection authentication feature is designed to improve the security of communications over the Remote Procedure Call (RPC) protocol. When RPC connection authentication is enabled, only authenticated clients can establish RPC connections with OBServer nodes. This feature effectively blocks attackers' malicious RPC packets, preventing them from being executed by OBServer nodes and enhancing the security protection capability of OceanBase Database.

In terms of upgrade compatibility, this feature supports a gray upgrade process, allowing for smooth upgrades in stages without affecting businesses. During the upgrade process, higher and lower versions of OBServer nodes are mutually compatible. This means that a higher version client can connect to a lower version server, or the other way around. By default, RPC connection authentication is not enabled after the upgrade and needs to be manually enabled.

Limitations

The RPC connection authentication feature in OceanBase Database V4.2.0 can only be used when the PKT-NIO framework is enabled. In other words, the _enable_pkt_nio parameter must be set to True before you enable RPC connection authentication.

Examples

Enable RPC connection authentication

Currently, OBServer nodes provide RPC connection authentication based on SSL handshake, which can be enabled as follows.

Prepare SSL certificates

Create a folder named wallet in the installation directory and put the certificate and private key files into the folder. The certificate and private key files include three files: root certificate (ca.pem), certificate (server-cert.pem), and private key (server-key.pem).

Execute SQL statements

Log on to the sys tenant of OceanBase Database and execute the following SQL statements:

1. Specify the SSL protocol version. Currently, only TLS V1.0, TLS V1.1, TLS V1.2, and TLS V1.3 are supported. After you specify a version, the specified version and later versions are supported. For more information, see sql_protocol_min_tls_version.

   ALTER SYSTEM SET sql_protocol_min_tls_version = 'TLSv1.1';
   

2. Enable the SSL connection. For more information, see ssl_client_authentication.

   ALTER SYSTEM SET ssl_client_authentication=True;
   

3. Set the client authentication method to SSL_NO_ENCRYPT.

   For more information, see rpc_client_authentication_method.

   ALTER SYSTEM SET rpc_client_authentication_method = 'SSL_NO_ENCRYPT';
   

4. Set the server authentication method to SSL_NO_ENCRYPT.

   For more information, see rpc_server_authentication_method.

   ALTER SYSTEM SET rpc_server_authentication_method = 'SSL_NO_ENCRYPT';
   

   Notice

   Although setting the server authentication method to ALL (ALTER SYSTEM SET rpc_server_authentication_method = 'ALL';) can also enable authentication, it means that the server allows clients to connect without authentication, which poses a significant security risk. Therefore, this method is not recommended in production environments.

Disable RPC connection authentication

1. Set the client authentication method to NONE.

   ALTER SYSTEM SET rpc_client_authentication_method = 'NONE';
   

2. Set the server authentication method to NONE or ALL.

   ALTER SYSTEM SET rpc_server_authentication_method = 'NONE';
   -- Or
   ALTER SYSTEM SET rpc_server_authentication_method = 'ALL';
   

Considerations

• If you need to change the authentication method in the future, simply modify the settings again.
• After RPC connection authentication is enabled, only new RPC connections will be authenticated. To authenticate existing RPC connections, restart the nodes in batches.