At present, OBKV-HBase supports identity authentication and transparent data encryption.
Identity authentication
Access to OBKV-HBase is performed through APIs, so identity authentication in OBKV-HBase is different from that in an OceanBase SQL cluster. OBKV-HBase implements identity authentication based on TCP connections. The working mechanism is the same when you connect to OBKV-HBase directly or by using ODP:
- After a TCP connection is established, the first message is a logon message. This message carries logon information such as the cluster name, tenant name, username, password, and salt value.
- After the database authenticates the identity based on the username and password, it generates a credential for the client, which will be carried and verified in each subsequent message. The client can access data in the database only if the carried credential is verified to be valid.
- Each credential has a validity period. After a credential expires, the database server will refuse to provide services.
Transparent data encryption
Data storage encryption refers to transparent data encryption of clog files and other data stored in disks. Data is automatically encrypted before the data is written to a storage device, and the data is automatically decrypted when it is read. The processes are transparent to users. Hackers and malicious users cannot read sensitive data from files, database backups, or disks.
To protect the security of data stored in memory and disks, OceanBase Database supports the AES and SM4 encryption algorithms. AES is a popular algorithm across the world, and SM4 is an algorithm developed by China.
The references for transparent data encryption are as follows:
- For more information about the concept of transparent data encryption, see Overview.
- For more information about operations related to transparent data encryption, see the following topics: