Oracle MySQL Cloud Service之安全
创建MySQL Cloud Service时,会要求提供一个SSH登录密钥,所有的Oracle云服务主机登录用户都是opc,因此在服务创建完毕,收到通知邮件之后,就可以通过ssh登录到服务器上。
登录到主机以后,服务器显示了MySQL运行状态和存储使用量的提醒。
这里介绍了 Oracle MySQL Cloud Service 提供的安全选件功能,如果我们用MySQL Workbench登录到数据库中,在Server Status页面可以看到:SSL连接,PAM验证,密码校验,数据库审计等多种安全功能全部是开启的。
类比,阿里云的 MySQL RDS 并没有开启任何安全选项,或许是为了性能考虑?
Oracle对于数据库安全性的看重确实超越了大多数数据库提供商,而这也带来了一些小麻烦。
在创建MySQL云服务的时候,需要指定数据库root用户的密码,这个密码有比较强的安全要求,需要有大写、小写英文字母,有数字,同时还需要有特殊字符(比如#)。因此在后续创建Login Path时,在mysql_config_editor命令提示输入密码的时候,需要在密码前后加上双引号(比如”Passw#rd”),否则会一直出现拒绝访问的提示。
--opc用户没有办法直接登录MySQL,需要切换到oracle用户 [opc@mysql-cloud-mysql-1 ~]$ mysql -uroot -p Please switch to "oracle" user to use mysql client [opc@mysql-cloud-mysql-1 ~]$ sudo su - oracle --使用密码直接登录是没有问题的 [oracle@mysql-cloud-mysql-1 ~]$ mysql -uroot -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 1509246 Server version: 5.7.17-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> exit Bye --创建Login Path,仍然输入上述一样的密码 [oracle@mysql-cloud-mysql-1 ~]$ mysql_config_editor set --host=localhost --user=root --password Enter password: --检查确认Login Path已经创建成功 [oracle@mysql-cloud-mysql-1 ~]$ mysql_config_editor print --login-path=client [client] user = root password = ***** host = localhost --直接登录报错 [oracle@mysql-cloud-mysql-1 ~]$ mysql ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES) --在密码前后加上双引号重新创建Login Path [oracle@mysql-cloud-mysql-1 ~]$ mysql_config_editor set --host=localhost --user=root --password Enter password: WARNING : 'client' path already exists and will be overwritten. Continue? (Press y|Y for Yes, any other key for No) : Y --再次登录,成功 [oracle@mysql-cloud-mysql-1 ~]$ mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 1510011 Server version: 5.7.17-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> status -------------- mysql Ver 14.14 Distrib 5.7.17, for linux-glibc2.5 (x86_64) using EditLine wrapper Connection id: 1510011 Current database: Current user: root@localhost SSL: Not in use Current pager: stdout Using outfile: '' Using delimiter: ; Server version: 5.7.17-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial) Protocol version: 10 Connection: Localhost via UNIX socket Server characterset: utf8mb4 Db characterset: utf8mb4 Client characterset: utf8 Conn. characterset: utf8 UNIX socket: /tmp/mysql.sock Uptime: 10 days 13 hours 24 min 56 sec Threads: 13 Questions: 50733146 Slow queries: 0 Opens: 6203 Flush tables: 1 Open tables: 4808 Queries per second avg: 55.610 --------------
在进行Audit功能的检查之前,对于默认的mysql命令行提示只有mysql> 这样简陋的显示不能忍,要加上当前登录的用户和数据库名称。在oracle用户的.my.cnf下增加以下行。
[mysql] prompt=\\u@\\h [\\d]>\\_
再次登录,mysql命令行的提示就比较顺眼了。
[oracle@mysql-cloud-mysql-1 ~]$ mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 1510385 Server version: 5.7.17-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial) Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. root@localhost [(none)]> show databases; +-------------------------+ | Database | +-------------------------+ | information_schema | | mem | | mem__advisor_text | | mem__advisors | | mem__bean_config | | mem__config | | mem__enterprise | | mem__events | | mem__instruments | | mem__instruments_config | | mem__inventory | | mem__quan | | mysql | | performance_schema | | sys | | testdb | +-------------------------+ 16 rows in set (0.00 sec) root@localhost [(none)]> use testdb Database changed root@localhost [testdb]> show tables; Empty set (0.00 sec) root@localhost [testdb]>
接下来进入本文的正题,在Oracle MySQL Cloud Service中默认是如何设置Audit的? 首先先检查一下audit_log的相关参数设置。
root@localhost [testdb]> show variables like 'audit_log_%'; +-----------------------------+--------------+ | Variable_name | Value | +-----------------------------+--------------+ | audit_log_buffer_size | 1048576 | | audit_log_connection_policy | ALL | | audit_log_current_session | ON | | audit_log_exclude_accounts | | | audit_log_file | audit.log | | audit_log_filter_id | 0 | | audit_log_flush | OFF | | audit_log_format | NEW | | audit_log_include_accounts | | | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_statement_policy | ERRORS | | audit_log_strategy | ASYNCHRONOUS | +-----------------------------+--------------+ 13 rows in set (0.01 sec)
那么audit_log_file=audit.log表示仍然使用了默认的名字,到MySQL的数据文件目录中检查一下audit.log文件的存在。
[oracle@mysql-cloud-mysql-1 mysql]$ ls -l audit* -rw-r----- 1 oracle oracle 838348830 Apr 21 13:42 audit.log -rw-r----- 1 oracle oracle 1073742130 Apr 14 23:20 audit.log.14922120508218349.xml
这里可以看到总共的audit日志已经有1.9GB之大,在第一个audit.log达到audit_log_rotate_on_size参数设置的大小之后,自动切换成了新的audit.log。
题外话,之所以有这么巨大的audit.log,是由于启用了MySQL Enterprise Monitor,不断地记录了Monitor进程的登录和退出,为了方便后面观察audit.log,先将Monitor停止。
[oracle@mysql-cloud-mysql-1 monitor]$ pwd /u01/bin/enterprise/monitor [oracle@mysql-cloud-mysql-1 monitor]$ ./mysqlmonitorctl.sh stop Stopping tomcat service . [ OK ]
接下来进行一些常规操作,并观察audit.log文件的输出内容。
1. 用root用户登录,在audit文件中显示一条Connect类型的记录。TIMESTAMP记录了时间,USER标签记录了登录的用户,HOST标签记录了登录的机器,COMMAND_CLASS为connect。
2. 尝试直接CTAS一张测试表,在enforce_gtid_consistency=ON时会报1786错误,这是GTID特性决定的。
root@localhost [testdb]> create table mytables as select * from information_schema.tables; ERROR 1786 (HY000): Statement violates GTID consistency: CREATE TABLE ... SELECT.
在audit.log中也记录下了这次报错的操作,STATUS标签为错误代码1786,STATUS_CODE标签值为1表示这条SQL没有成功执行,SQLTEXT标签记录了整个SQL语句。
3. 下面的三条语句,select,create table,insert均没有在audit.log中记录下来。
root@localhost [testdb]> select count(*) from information_schema.tables; +----------+ | count(*) | +----------+ | 591 | +----------+ 1 row in set (0.01 sec) root@localhost [testdb]> create table mytables like information_schema.tables; Query OK, 0 rows affected (0.10 sec) root@localhost [testdb]> insert into mytables select * from information_schema.tables; Query OK, 592 rows affected (1.94 sec) Records: 592 Duplicates: 0 Warnings: 0
这样的行为是由audit_log_statement_policy=ERRORS参数决定的,默认只记录报错的SQL,而不会记录所有的执行语句。
4. 将audit_log_statement_policy参数修改为ALL,再执行同样的select语句。
root@localhost [testdb]> SET GLOBAL audit_log_statement_policy = ALL; Query OK, 0 rows affected (0.00 sec) root@localhost [testdb]> select count(*) from mytables; +----------+ | count(*) | +----------+ | 592 | +----------+ 1 row in set (0.00 sec)
可以发现audit.log中已经有记录了。
结论:在Oracle MySQL Cloud Service中默认会启动MySQL Enterprise Audit组件,并且设置即记录用户登录又记录执行语句(audit_log_policy=ALL),用户登录情况则不管登录成功还是失败每次都记录(audit_log_connection_policy=ALL),而执行语句则只记录执行失败的语句(audit_log_statement_policy=ERRORS)。
感谢Kamus