OceanBase Deployer (obd) has supported encrypting cluster passwords since V3.2.0. This topic describes the commands related to password encryption. You can specify the -h or --help option in a command to query the help information of its subcommands. You can also specify the -v or --verbose option to query the execution details of a command that returns an error.
Note
These commands apply only to obd. Once password encryption is enabled, the passwords of all clusters managed by obd are encrypted, including those of current and future clusters.
obd pwd encrypt
You can run this command to enable or disable password encryption.
obd pwd encrypt [enable | disable]
You can use the enable keyword to enable password encryption. If no passkey has been specified before, you must specify one when you enable this feature. If you have specified a passkey by using the obd pwd set-epk command, you must provide the passkey for verification. When you run the obd cluster display command to view cluster information after password encryption is enabled, the cluster passwords are displayed in ciphertext. To view the passwords in plaintext, you must add the --epk or --encryption-passkey option to the obd cluster display command and enter the passkey.
You can use the disable keyword to disable password encryption. To disable this feature, you must provide the passkey for verification. You can provide the passkey by using the --epk or --encryption-passkey option, or enter it when prompted in the command output.
Examples
Enable password encryption
obd pwd encrypt enable
If no passkey has been configured before, the command output is as follows:
First time setting the encryption passkey.
please enter the encryption passkey:
Please enter the encryption passkey again:
First time setting the encryption passkey successful!
Encrypt password ok
Trace ID: b96a5f82-0ec2-11f0-8b44-00163e49899d
If you want to view detailed obd logs, please run: obd display-trace b96a5f82-0ec2-11f0-8b44-00163e49899d
If you run the obd cluster display command to view cluster information after password encryption is enabled, the output is as follows, where the passwords after the -p option are displayed in ciphertext.
+-------------------------------------------------+
|                   oceanbase-ce                  |
+---------------+---------+------+-------+--------+
| ip            | version | port | zone  | status |
+---------------+---------+------+-------+--------+
| 10.10.10.1    | 4.3.5.0 | 2881 | zone1 | ACTIVE |
+---------------+---------+------+-------+--------+
obclient -h10.10.10.1 -P2881 -uroot -p'********' -Doceanbase -A
+----------------------------------------------------------------+
|                           obproxy-ce                           |
+------------+------+-----------------+-----------------+--------+
| ip         | port | prometheus_port | rpc_listen_port | status |
+------------+------+-----------------+-----------------+--------+
| 10.10.10.2 | 2883 | 2884            | 2885            | active |
+------------+------+-----------------+-----------------+--------+
obclient -h10.10.10.2 -P2883 -uroot@proxysys -p'********' -Doceanbase -A
Disable password encryption
obd pwd encrypt disable --epk=******
obd pwd set-epk
You can run this command to specify a passkey or change the passkey.
obd pwd set-epk <new decryption passkey>
The following table describes the options in the command.
| Option | Required | Data type | Default value | Description |
|---|---|---|---|---|
| -c/--current-passkey | No | string | N/A | If you have specified a passkey in obd, you must use this option to provide the passkey for verification. |
| -f/--force | No | bool | N/A | If you forget the existing passkey, you can add the -f or --force option to the command to forcibly change the passkey. To do so, you require a user account with sudo privileges and the corresponding password. |
Examples
Specify a passkey
obd pwd set-epk 12345
Here is an example of setting the passkey to 12345. If the output is as follows, the passkey is successfully set. If you run the obd pwd encrypt enable command to enable password encryption, you must provide the passkey specified here for verification.
Change the passkey
obd pwd set-epk 123 -c 12345
Here is an example of changing the passkey from 12345 to 123. If the output is as follows, the passkey is successfully changed.
Check encryption passkey.
Update encryption passkey successful.
Trace ID: fb5e2608-0ec2-11f0-a28b-00163e49899d
If you want to view detailed obd logs, please run: obd display-trace fb5e2608-0ec2-11f0-a28b-00163e49899d
Forcibly change the passkey
obd pwd set-epk 123 -f
Here is an example of forcibly changing the passkey to 123. The output is as follows:
Please input username with sudo privileges. (default: root):
please input root password:
Update encryption passkey successful.
Trace ID: 4f3d41f0-0ec3-11f0-919b-00163e49899d
If you want to view detailed obd logs, please run: obd display-trace 4f3d41f0-0ec3-11f0-919b-00163e49899d
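Several commands above take the passkey as a command-line argument (set-epk <passkey>, -c, --epk=), so it can be recorded in shell history. The following is an added example, not part of obd or of the original documentation: a shell function that audits a bash-style history file for such lines and prints them with the value redacted. The function names and the sample history are constructed for illustration, and it assumes each history line starts with obd.

```shell
#!/bin/sh
# Added example (not obd code): find obd passkeys left in a shell history file.

# Print "LINE: command" for every history line that carries a passkey in its
# arguments, with the passkey replaced by <redacted>.
# Reads the files given as arguments, or stdin when none are given.
# Option names are the ones documented on this page.
find_epk_in_history() {
    awk '
    $1 == "obd" {
        hit = 0
        # Only "obd pwd set-epk" takes a positional passkey and uses -c for one;
        # other obd subcommands may use -c for unrelated values.
        setepk = ($2 == "pwd" && $3 == "set-epk")
        for (i = (setepk ? 4 : 2); i <= NF; i++) {
            if ($i ~ /^--(epk|encryption-passkey|current-passkey)=./) {
                # --epk=VALUE form
                sub(/[=].*/, "=<redacted>", $i); hit = 1
            } else if (i < NF && ($i ~ /^--(epk|encryption-passkey|current-passkey)$/ || (setepk && $i == "-c"))) {
                # "--epk VALUE" / "-c VALUE" form: the next word is the passkey
                i++; $i = "<redacted>"; hit = 1
            } else if (setepk && $i !~ /^-/) {
                # positional argument of set-epk: the new passkey
                $i = "<redacted>"; hit = 1
            }
        }
        if (hit) print NR ": " $0
    }' "$@"
}

# Constructed sample history, built from the commands shown on this page.
constructed_history() {
    cat <<'EOF'
obd cluster display demo
obd pwd set-epk 12345
obd pwd set-epk 123 -c 12345
obd pwd encrypt disable --epk=12345
obd pwd encrypt enable
obd cluster deploy demo -c config.yaml
EOF
}

constructed_history | find_epk_in_history
```

To audit a real file, pass its path, for example find_epk_in_history ~/.bash_history. Lines 5 and 6 of the sample are not reported because the passkey is entered at the prompt or the -c option belongs to a different subcommand.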