Introduction
The RPC connection authentication feature is designed to improve the security of communications over the Remote Procedure Call (RPC) protocol. When RPC connection authentication is enabled, only authenticated clients can establish RPC connections with OBServer nodes. This feature effectively blocks attackers’ malicious RPC packets, preventing them from being executed by OBServer nodes and enhancing the security protection capability of OceanBase Database.
This feature supports smooth canary upgrade without affecting your business. During the upgrade, OBServer nodes of a higher version are compatible with those of a lower version. A client node of the higher version can connect to a server node of the lower version, or the other way around. After an upgrade, RPC connection authentication is disabled by default. You must manually enable it as needed.
Limitations
The RPC connection authentication feature of OceanBase Database V4.2.0 can be used only after the PKT-NIO framework is enabled. Before you enable RPC connection authentication, make sure that the _enable_pkt_nio parameter is set to True.
Note
The _enable_pkt_nio parameter specifies whether to enable the PKT-NIO framework for RPC communications. The default value is True.
Examples
Enable RPC connection authentication
Currently, OBServer nodes support RPC connection authentication based on SSL handshake, which can be enabled as follows.
Prepare SSL certificates
Create a folder named wallet in the installation directory and put the certificate and private key files into the folder. The certificate and private key files include three files: root certificate (ca.pem), certificate (server-cert.pem), and private key (server-key.pem).
Note
- The default installation directory is /home/admin/oceanbase.
- The wallet folder and the files in it cannot be renamed.
- If you have multiple servers, create a wallet folder in the installation directory on each server and put the certificate and private key files into it.
- Make sure that the certificate and private key files are placed in the wallet folder before you enable authentication. Otherwise, authentication will fail and the service will become unavailable.
Execute SQL statements
Log on to the sys tenant of OceanBase Database and execute the following SQL statements:
- Specify the SSL protocol version. Currently, only TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are supported. After you specify a version, the specified version and later versions are supported. For more information, see sql_protocol_min_tls_version.

  ALTER SYSTEM SET sql_protocol_min_tls_version = 'TLSv1.1';

- Enable the SSL connection. For more information, see ssl_client_authentication.

  ALTER SYSTEM SET ssl_client_authentication=True;

- Set the client authentication method to SSL_NO_ENCRYPT. For more information, see rpc_client_authentication_method.

  ALTER SYSTEM SET rpc_client_authentication_method = 'SSL_NO_ENCRYPT';

- Set the server authentication method to SSL_NO_ENCRYPT. For more information, see rpc_server_authentication_method.

  ALTER SYSTEM SET rpc_server_authentication_method = 'SSL_NO_ENCRYPT';

Notice
Although setting the server authentication method to ALL (ALTER SYSTEM SET rpc_server_authentication_method = 'ALL';) can also enable authentication, it means that the server still allows clients to connect without authentication, which poses a significant security risk. Therefore, this method is not recommended in production environments.
Disable RPC connection authentication
- Set the client authentication method to NONE.

  ALTER SYSTEM SET rpc_client_authentication_method = 'NONE';

- Set the server authentication method to NONE or ALL.

  ALTER SYSTEM SET rpc_server_authentication_method = 'NONE';
  -- Or
  ALTER SYSTEM SET rpc_server_authentication_method = 'ALL';
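The following preflight helper is an added example, not code from the OceanBase documentation or product. It checks that the three fixed wallet files are present and look like PEM before printing the enable statements in the documented order, so that authentication is never switched on against an empty wallet (which makes the service unavailable). The function names, the PEM header check, and the spellings of the TLS versions other than 'TLSv1.1' are assumptions.

```python
from pathlib import Path

# Files OceanBase expects in <install_dir>/wallet; the names are fixed (see above).
WALLET_FILES = {
    "ca.pem": "CERTIFICATE",
    "server-cert.pem": "CERTIFICATE",
    "server-key.pem": "PRIVATE KEY",  # also matches "RSA PRIVATE KEY" / "EC PRIVATE KEY"
}
# Accepted minimum versions: the docs show 'TLSv1.1'; the other spellings are assumed.
TLS_VERSIONS = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")

def check_wallet(install_dir):
    """Return problems found in <install_dir>/wallet; an empty list means OK.
    Cheap offline sanity check only (presence + PEM header), not chain validation."""
    wallet = Path(install_dir) / "wallet"
    if not wallet.is_dir():
        return [f"missing folder: {wallet}"]
    problems = []
    for name, pem_type in WALLET_FILES.items():
        path = wallet / name
        if not path.is_file():
            problems.append(f"missing file: {path}")
            continue
        head = path.read_text(errors="replace").lstrip().split("\n", 1)[0]
        if not (head.startswith("-----BEGIN") and pem_type in head):
            problems.append(f"not a {pem_type} PEM: {path}")
    return problems

def enable_statements(min_tls="TLSv1.1"):
    """SQL for the sys tenant, in the documented order. The server method is
    SSL_NO_ENCRYPT on purpose: 'ALL' would still admit unauthenticated clients."""
    if min_tls not in TLS_VERSIONS:
        raise ValueError(f"unsupported TLS version: {min_tls}")
    return [
        f"ALTER SYSTEM SET sql_protocol_min_tls_version = '{min_tls}';",
        "ALTER SYSTEM SET ssl_client_authentication = True;",
        "ALTER SYSTEM SET rpc_client_authentication_method = 'SSL_NO_ENCRYPT';",
        "ALTER SYSTEM SET rpc_server_authentication_method = 'SSL_NO_ENCRYPT';",
    ]

if __name__ == "__main__":
    import sys
    # Default matches the documented installation directory; override via argv[1].
    install_dir = sys.argv[1] if len(sys.argv) > 1 else "/home/admin/oceanbase"
    issues = check_wallet(install_dir)
    if issues:
        sys.exit("wallet check failed; do not enable RPC auth:\n  " + "\n  ".join(issues))
    print("\n".join(enable_statements()))
```

Run it on every server (each needs its own wallet folder) and only then execute the printed statements in the sys tenant.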
Considerations
- You can change the authentication method later by modifying the settings.
- After you enable RPC connection authentication, only new RPC connections are authenticated. To authenticate the existing client connections, you need to restart the nodes in batches.