Introduction
The RPC connection authentication feature is designed to improve the security of communications over the Remote Procedure Call (RPC) protocol. When RPC connection authentication is enabled, only authenticated clients can establish RPC connections with OBServer nodes. RPC packets from unauthenticated sources, including crafted malicious packets, are rejected before an OBServer node processes them, which strengthens the security protection capability of OceanBase Database.
This feature supports smooth canary upgrade without affecting your business. During the upgrade, OBServer nodes of a higher version are compatible with those of a lower version. A client node of the higher version can connect to a server node of the lower version, or the other way around. After an upgrade, RPC connection authentication is disabled by default. You must manually enable it as needed.
Limitations
The RPC connection authentication feature of OceanBase Database V4.2.0 can be used only after the PKT-NIO framework is enabled. Before you enable RPC connection authentication, make sure that the _enable_pkt_nio parameter is set to True.
Note
The _enable_pkt_nio parameter specifies whether to enable the PKT-NIO framework for RPC communications. The default value is True.
Examples
Enable RPC connection authentication
OBServer nodes support RPC connection authentication based on SSL handshakes. You can enable it by using the following method.
Prepare SSL certificates
Create a folder named wallet in the installation directory and put the certificate and private key files into it. Three files are required: the root (CA) certificate ca.pem, the server certificate server-cert.pem, and the server private key server-key.pem.
Note
- The default installation directory is /home/admin/oceanbase.
- The wallet folder and the files in it cannot be renamed.
- If you have multiple servers, create a wallet folder in the installation directory on each server and put the certificate and private key files into it.
- Make sure that the certificate and private key files are in the wallet folder before you enable authentication. Otherwise, authentication fails and the service becomes unavailable.
Execute SQL statements
Log in to the sys tenant of OceanBase Database and execute the following SQL statements:
1. Specify the minimum TLS version. Currently, only TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are supported. The specified version and all later versions are accepted, so the parameter sets a floor rather than a single version. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996); prefer 'TLSv1.2' or later unless a legacy peer requires otherwise.
ALTER SYSTEM SET sql_protocol_min_tls_version = 'TLSv1.1';
2. Enable SSL client authentication.
ALTER SYSTEM SET ssl_client_authentication = True;
3. Set the client authentication method to SSL_NO_ENCRYPT.
ALTER SYSTEM SET rpc_client_authentication_method = 'SSL_NO_ENCRYPT';
4. Set the server authentication method to SSL_NO_ENCRYPT.
ALTER SYSTEM SET rpc_server_authentication_method = 'SSL_NO_ENCRYPT';
Notice
You can also set the security authentication method of the RPC server to ALL by executing the following statement:
ALTER SYSTEM SET rpc_server_authentication_method = 'ALL';
This method also enables authentication, but the server still accepts direct connections from clients that do not authenticate, which exposes the system to high security risk. Do not use this method in a production environment.
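The following script is an added example and is not part of OceanBase or its tooling. It performs the pre-flight check the note above calls for (all three wallet files present and non-empty on the server, with a warning if the private key is readable by others), validates the TLS floor, and then prints the four statements in the order they must run, so they can be piped to the sys tenant with a client of your choice. The OB_HOME variable, the script name and the obclient invocation in the comment are assumptions; the paths, file names and parameter values are the ones documented on this page.

```sh
#!/bin/sh
# Added example (not OceanBase's own tooling): pre-flight check of the wallet
# folder on one server, then generation of the SQL that enables RPC connection
# authentication. Run the check on every server before applying the SQL.
# Assumptions: documented paths and parameter names; OB_HOME is hypothetical.

OB_HOME="${OB_HOME:-/home/admin/oceanbase}"

# Accept only the TLS versions the page lists, in the spelling the parameter expects.
tls_version_ok() {
  case "$1" in
    TLSv1.0|TLSv1.1|TLSv1.2|TLSv1.3) return 0 ;;
    *) return 1 ;;
  esac
}

# check_wallet_files INSTALL_DIR
# Verifies that INSTALL_DIR/wallet holds the three non-empty files with the fixed
# names the server looks for. Any missing file means authentication would fail and
# the node would become unreachable over RPC once the parameters are switched on.
check_wallet_files() {
  dir="$1/wallet"
  rc=0
  for f in ca.pem server-cert.pem server-key.pem; do
    if [ ! -s "$dir/$f" ]; then
      echo "wallet check: missing or empty $dir/$f" >&2
      rc=1
    fi
  done
  # A world-readable private key is a hygiene problem, not a reason the service
  # would fail, so warn without failing the check.
  if [ "$rc" -eq 0 ] && [ -n "$(find "$dir/server-key.pem" -perm -004 2>/dev/null)" ]; then
    echo "wallet check: warning, $dir/server-key.pem is readable by others" >&2
  fi
  return "$rc"
}

# enable_rpc_auth_sql MIN_TLS
# Prints the statements from the page in the order they must run. The TLS floor is
# validated first so a typo is not sent to the cluster.
enable_rpc_auth_sql() {
  tls_version_ok "$1" || { echo "unsupported TLS version: $1" >&2; return 1; }
  printf "%s\n" \
    "ALTER SYSTEM SET sql_protocol_min_tls_version = '$1';" \
    "ALTER SYSTEM SET ssl_client_authentication = True;" \
    "ALTER SYSTEM SET rpc_client_authentication_method = 'SSL_NO_ENCRYPT';" \
    "ALTER SYSTEM SET rpc_server_authentication_method = 'SSL_NO_ENCRYPT';"
}

# Stand-alone use: check this server's wallet, then emit the SQL to apply, e.g.
#   sh enable_rpc_auth.sh TLSv1.2 | obclient -h127.0.0.1 -P2881 -uroot@sys -p
# (host, port and user are assumptions; adjust to your cluster).
main() {
  min_tls="${1:-TLSv1.2}"
  check_wallet_files "$OB_HOME" || return 1
  enable_rpc_auth_sql "$min_tls"
}

# Run main only when executed under the assumed script name, so the functions can
# also be sourced from another script.
if [ "${0##*/}" = "enable_rpc_auth.sh" ]; then
  main "$@"
fi
```

The check deliberately refuses to emit any SQL when a file is missing: once the server method is SSL_NO_ENCRYPT, a node without a complete wallet can no longer accept RPC connections, and the safest failure is to stop before the parameter change rather than after it.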
Disable RPC connection authentication
1. Set the client authentication method to NONE.
ALTER SYSTEM SET rpc_client_authentication_method = 'NONE';
2. Set the server authentication method to NONE or ALL.
ALTER SYSTEM SET rpc_server_authentication_method = 'NONE';
-- Or:
ALTER SYSTEM SET rpc_server_authentication_method = 'ALL';
Considerations
- You can change the authentication method later by modifying the settings.
- After you enable RPC connection authentication, only new RPC connections are authenticated. Connections established before the change remain unauthenticated until they are re-established. To authenticate the existing client connections, restart the nodes in batches (a rolling restart) so that the cluster stays available.