Overview
This feature aims to improve the security of remote procedure call (RPC) communication. After you enable RPC connection authentication, only an authenticated client can establish an RPC connection with an OBServer node. This can effectively prevent OBServer nodes from executing malicious RPC packets sent by attackers, thereby enhancing the security protection capability of OceanBase Database.
Grayscale upgrade is supported. An upgrade can be smoothly performed in phases without affecting business processes. During an upgrade, OBServer nodes of different versions are compatible. In other words, a client of a later version can connect to a server of an earlier version, and vice versa. After the upgrade, RPC connection authentication is disabled by default and must be manually enabled.
Scenarios and examples
Enable authentication
At present, OBServer nodes support RPC connection authentication based on SSL handshakes. You can perform the following steps to enable RPC connection authentication.
Prepare an SSL certificate
In the installation directory, create a folder named wallet and put the certificate and private key files in this folder. The files include a root certificate file (ca.pem), a certificate file (server-cert.pem), and a private key file (server-key.pem).
Note
- By default, the installation directory is /home/admin/oceanbase.
- You cannot rename the wallet folder or files in this folder.
- If you have multiple servers, you must create a wallet folder in the installation directory of each server and put the certificate and private key files in this folder.
- Enable authentication after you make sure that all required certificate files are in place. Otherwise, the authentication will fail and services will become unavailable.
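A preflight check for the wallet folder described above, run on each server before authentication is enabled. This is an added example, not part of the OceanBase documentation: the function name check_wallet and its exit codes are assumptions, and it assumes the openssl command-line tool is installed and the private key is an unencrypted PEM file.

```shell
#!/bin/sh
# Added example (not OceanBase code): verify the wallet folder before
# enabling RPC connection authentication.
# Return codes (assumed convention): 0 = ready, 1 = file missing or empty,
# 2 = certificate does not verify against the root, 3 = key/cert mismatch.

check_wallet() {
    wallet=$1
    ca=$wallet/ca.pem cert=$wallet/server-cert.pem key=$wallet/server-key.pem

    # 1. The three files named on this page must exist and be non-empty.
    for f in "$ca" "$cert" "$key"; do
        if [ ! -s "$f" ]; then
            echo "FAIL: missing or empty file: $f" >&2
            return 1
        fi
    done

    # 2. The server certificate must chain to the root certificate.
    #    This also fails when the certificate has expired.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 2
    fi

    # 3. The private key must belong to the certificate: compare digests of
    #    the two public keys. '-passin pass:' stops openssl from prompting
    #    if the key is encrypted; the check then fails instead of hanging.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 3
    fi

    echo "OK: $wallet is ready"
    return 0
}

# Stand-alone use: sh check_wallet.sh /home/admin/oceanbase/wallet
if [ "$#" -gt 0 ]; then
    check_wallet "$1"
fi
```
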
Run commands to enable authentication
Log on to the sys tenant of your OceanBase cluster and run the following commands in sequence.
1. Enable SSL connection. For more information about how to enable SSL connection, see ssl_client_authentication.
   ALTER SYSTEM SET ssl_client_authentication=True;
2. Set the authentication mode to SSL_NO_ENCRYPT for the client. For more information about client authentication, see rpc_client_authentication_method.
   ALTER SYSTEM SET rpc_client_authentication_method = 'SSL_NO_ENCRYPT';
3. Set the authentication mode to SSL_NO_ENCRYPT for the server. For more information about server authentication, see rpc_server_authentication_method.
   ALTER SYSTEM SET rpc_server_authentication_method = 'SSL_NO_ENCRYPT';
Notice
Setting the authentication mode for the server to ALL (ALTER SYSTEM SET rpc_server_authentication_method = 'ALL';) allows the client to connect without authentication, which poses significant security risks. Therefore, this mode is not recommended in a production environment.
Disable authentication
1. Set the authentication mode to NONE for the client.
   ALTER SYSTEM SET rpc_client_authentication_method = 'NONE';
2. Set the authentication mode to NONE or ALL for the server.
   ALTER SYSTEM SET rpc_server_authentication_method = 'NONE';
   -- Or
   ALTER SYSTEM SET rpc_server_authentication_method = 'ALL';
Considerations
- To change the authentication mode, you only need to modify the settings.
- After you enable authentication, the setting takes effect only for newly established RPC connections. To authenticate a connected client, you must restart the nodes in batches.