Versions available for this page: CUBRID 8.4.0

Broker Server Access Limitation

Description

To limit the client applications that can access the broker, set the ACCESS_CONTROL parameter in the cubrid_broker.conf file to ON, and set the ACCESS_CONTROL_FILE parameter to the name of a file that lists the databases, database users and IP addresses allowed to access the broker. The default value of the ACCESS_CONTROL broker parameter is OFF.

The format of ACCESS_CONTROL_FILE is as follows:

[%<broker_name>]
<db_name>:<db_user>:<ip_list_file>

  • <broker_name> : A broker name. It is one of the broker names specified in cubrid_broker.conf.
  • <db_name> : A database name. If it is specified as *, all databases are allowed to access the broker server.
  • <db_user> : A database user ID. If it is specified as *, all database user IDs are allowed to access the broker server.
  • <ip_list_file> : The name of a file in which the list of IP addresses allowed to access the server is written.

To configure settings for several brokers, add further [%<broker_name>] sections, each followed by its own <db_name>:<db_user>:<ip_list_file> lines.

The format of the ip_list_file is as follows:

<ip_addr>

  • <ip_addr> : An IP address that is allowed to access the server. If the trailing part of the address is specified as *, all IP addresses in that range are allowed to access the broker server.

If ACCESS_CONTROL is set to ON and ACCESS_CONTROL_FILE is not specified, the broker only allows access requests from localhost. If parsing of ACCESS_CONTROL_FILE or an ip_list_file fails while a broker is running, the broker only allows access requests from localhost.

If parsing of ACCESS_CONTROL_FILE or an ip_list_file fails when the broker is started, the broker will not run.

# cubrid_broker.conf
[broker]
MASTER_SHM_ID           =30001
ADMIN_LOG_FILE          =log/broker/cubrid_broker.log
ACCESS_CONTROL          =ON
ACCESS_CONTROL_FILE     =/home1/cubrid/access_file.txt

[%QUERY_EDITOR]
SERVICE                 =ON
BROKER_PORT             =38000
......

The following is an example of ACCESS_CONTROL_FILE. The * symbol stands for everything; it can be used for the database name, the database user ID, and the IP addresses in the IP list file to allow all of them to access the broker server.

[%QUERY_EDITOR]
dbname1:dbuser1:iplist1.txt
dbname2:*:iplist1.txt
*:dba:iplist1.txt

[%BROKER2]
dbname:dbuser:iplist2.txt

[%BROKER3]
dbname:dbuser:iplist2.txt

[%BROKER4]
dbname:dbuser:iplist2.txt

The brokers specified above are QUERY_EDITOR, BROKER2, BROKER3 and BROKER4.

The QUERY_EDITOR broker allows only the following application access requests:

  • Connecting from an IP registered in iplist1.txt and logging in to dbname1 with the dbuser1 account.
  • Connecting from an IP registered in iplist1.txt and logging in to dbname2 with any account.
  • Connecting from an IP registered in iplist1.txt and logging in to any database with the dba account.

The following is an example of an ip_list_file specifying the allowed IPs.

192.168.1.25
192.168.*
10.*
*

The lines in the example above have the following meaning:

  • The first line allows access from 192.168.1.25.
  • The second line allows access from all IPs starting with 192.168.
  • The third line allows access from all IPs starting with 10.
  • The fourth line allows access from all IPs.
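To make the matching rules above concrete, here is a small Python model of the ACL evaluation this page describes (an added example, not CUBRID's own code). The ACL and IP-list contents are constructed samples, and treating a broker with no [%broker] section as denied is an assumption, since the page does not say how such brokers are handled.

```python
# Constructed sample ACCESS_CONTROL_FILE in the format described on this page.
ACCESS_CONTROL_FILE = """
[%QUERY_EDITOR]
dbname1:dbuser1:iplist1.txt
dbname2:*:iplist1.txt
*:dba:iplist1.txt
[%BROKER2]
dbname:dbuser:iplist2.txt
"""

# Constructed ip_list_file contents, keyed by the file name the ACL refers to.
IP_LIST_FILES = {
    "iplist1.txt": "192.168.1.25\n10.*\n",
    "iplist2.txt": "*\n",
}

def parse_acl(text):
    """Return {broker_name: [(db_name, db_user, ip_list_file), ...]}."""
    acl, broker = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[%") and line.endswith("]"):
            broker = line[2:-1]
            acl.setdefault(broker, [])
        elif broker is not None:
            db, user, ip_file = line.split(":", 2)
            acl[broker].append((db, user, ip_file))
        else:
            raise ValueError(f"rule before any [%broker] header: {line!r}")
    return acl

def ip_matches(pattern, ip):
    """A trailing * covers the rest of the address: 10.* matches 10.x.y.z, not 100.x.y.z."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return ip.startswith(pattern[:-1])   # keep the dot: '10.' rather than '1'
    return pattern == ip

def is_allowed(acl, ip_lists, broker, db, user, ip):
    """Allow when any rule of the broker matches db, user (or *) and one of its IP patterns."""
    for rule_db, rule_user, ip_file in acl.get(broker, []):   # unknown broker: deny (assumption)
        if rule_db not in ("*", db) or rule_user not in ("*", user):
            continue
        patterns = [p.strip() for p in ip_lists.get(ip_file, "").splitlines() if p.strip()]
        if any(ip_matches(p, ip) for p in patterns):
            return True
    return False
```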

For a broker that is already running, you can apply a modified configuration file or check the currently applied configuration with the following commands.

Syntax

To change the databases, database user IDs and IPs allowed to access the broker and apply the modified configuration to the running broker, use the following command.

cubrid broker acl reload [<BR_NAME>]

  • BR_NAME : A broker name. If you specify this value, the changes are applied only to the specified broker. If you omit it, the changes are applied to all brokers.

To display the databases, database user IDs and IPs that are allowed to access a running broker, use the following command.

cubrid broker acl status [<BR_NAME>]

  • BR_NAME : A broker name. If you specify this value, the configuration of the specified broker is displayed. If you omit it, the configurations of all brokers are displayed.

Broker Log

If access to the broker is attempted from an IP address that is not allowed, the following log entries are written.

ACCESS_LOG

1 192.10.10.10 - - 1288340944.198 1288340944.198 2010/10/29 17:29:04 ~ 2010/10/29 17:29:04 14942 - -1 db1 dba : rejected

SQL LOG

10/29 10:28:57.591 (0) CLIENT IP 192.10.10.10
10/29 10:28:57.592 (0) connect db db1 user dba url jdbc:cubrid:192.10.10.10:30000:db1::: - rejected

Note: For more information on how to limit access to the database server, see Database Server Access Limitation.