Limiting Broker Server Access

Description

To limit which client applications may access a broker, set the ACCESS_CONTROL parameter to ON in the cubrid_broker.conf file, and set ACCESS_CONTROL_FILE to the name of the file listing the database names, database users and IP address files that are allowed to connect. The default value of the ACCESS_CONTROL broker parameter is OFF. Both ACCESS_CONTROL and ACCESS_CONTROL_FILE must be written under the [broker] section, where the common parameters are specified.

The format of ACCESS_CONTROL_FILE is as follows:

[%<broker_name>]
<db_name>:<db_user>:<ip_list_file>

  • <broker_name> : A broker name. It must be one of the broker names specified in cubrid_broker.conf.
  • <db_name> : A database name. If it is specified as *, all databases are allowed to access the broker server.
  • <db_user> : A database user ID. If it is specified as *, all database user IDs are allowed to access the broker server.
  • <ip_list_file> : The name of a file holding the list of IP addresses allowed to connect. Several files (ip_list_file1, ip_list_file2, ...) can be specified, separated by commas (,).

[%<broker_name>] and <db_name>:<db_user>:<ip_list_file> can be specified separately for each broker.

The format of the ip_list_file is as follows:

<ip_addr>

  • <ip_addr> : An IP address that is allowed to access the server. If the last digit of the address is specified as *, all IP addresses in that range are allowed to access the broker server.

If ACCESS_CONTROL is set to ON and ACCESS_CONTROL_FILE is not specified, the broker only allows access requests from localhost. If parsing of ACCESS_CONTROL_FILE or an ip_list_file fails while a broker is running, the broker likewise only allows access requests from localhost.

If parsing of ACCESS_CONTROL_FILE or an ip_list_file fails when the broker is started, the broker will not start.

# cubrid_broker.conf
[broker]
MASTER_SHM_ID           =30001
ADMIN_LOG_FILE          =log/broker/cubrid_broker.log
ACCESS_CONTROL          =ON
ACCESS_CONTROL_FILE     =/home1/cubrid/access_file.txt

[%QUERY_EDITOR]
SERVICE                 =ON
BROKER_PORT             =38000
......

The following example shows the content of ACCESS_CONTROL_FILE. The * symbol matches everything; use it when you want to allow any database name, any database user ID, or (in the IP list file) any IP to access the broker server.

[%QUERY_EDITOR]
dbname1:dbuser1:READIP.txt
dbname1:dbuser2:WRITEIP1.txt,WRITEIP2.txt
*:dba:READIP.txt
*:dba:WRITEIP1.txt
*:dba:WRITEIP2.txt

[%BROKER2]
dbname:dbuser:iplist2.txt

[%BROKER3]
dbname:dbuser:iplist2.txt

[%BROKER4]
dbname:dbuser:iplist2.txt

The brokers specified above are QUERY_EDITOR, BROKER2, BROKER3 and BROKER4.

The QUERY_EDITOR broker allows only the following application access requests:

  • A user logging into dbname1 with the dbuser1 account, connecting from an IP registered in READIP.txt
  • A user logging into dbname1 with the dbuser2 account, connecting from an IP registered in WRITEIP1.txt or WRITEIP2.txt
  • A user logging into any database with the dba account, connecting from an IP registered in READIP.txt, WRITEIP1.txt or WRITEIP2.txt

The following example shows how to specify the IPs allowed in ip_list_file.

192.168.1.25
192.168.*
10.*
*

The IPs specified in the example above have the following effect:

  • The first line allows access from 192.168.1.25.
  • The second line allows access from all IPs starting with 192.168.
  • The third line allows access from all IPs starting with 10.
  • The fourth line allows access from all IPs.
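As an added example (not CUBRID's own code), the following Python models the ACCESS_CONTROL_FILE and ip_list_file formats described above, so an administrator can check which (broker, database, user, IP) combinations a configuration would admit before applying it. The file names and addresses are constructed; it assumes a connection is accepted if any rule for its broker matches, and that a trailing * matches whole octets, as the 10.* example implies.

```python
# Constructed ACCESS_CONTROL_FILE in the format this page describes.
ACL_TEXT = """
[%QUERY_EDITOR]
dbname1:dbuser1:READIP.txt
dbname1:dbuser2:WRITEIP1.txt,WRITEIP2.txt
*:dba:READIP.txt
[%BROKER2]
dbname:dbuser:iplist2.txt
"""
# Constructed ip_list_file contents keyed by file name, standing in for files on disk.
IP_FILES = {
    "READIP.txt": "192.168.1.25\n10.*\n",
    "WRITEIP1.txt": "192.168.*\n",
    "WRITEIP2.txt": "172.16.5.7\n",
    "iplist2.txt": "*\n",
}

def parse_acl(text):
    """Return {broker: [(db, user, [ip_list_file, ...]), ...]}; raise on malformed lines."""
    acl, broker = {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("[%") and line.endswith("]"):
            broker = line[2:-1]
            acl.setdefault(broker, [])
            continue
        if broker is None:
            raise ValueError("rule outside any [%broker] section: " + line)
        db, user, files = line.split(":")  # must be exactly three fields
        acl[broker].append((db, user, [f.strip() for f in files.split(",")]))
    return acl

def ip_matches(pattern, ip):
    # A trailing '*' matches whole remaining octets: '10.*' admits 10.1.2.3 but not 100.1.2.3.
    if pattern == "*":
        return True
    pat, addr = pattern.split("."), ip.split(".")
    if pat[-1] == "*":
        return addr[:len(pat) - 1] == pat[:-1]
    return pat == addr

def is_allowed(acl, ip_files, broker, db, user, ip):
    """Assumption: the broker accepts a connection if any of its rules admits it."""
    for rule_db, rule_user, files in acl.get(broker, []):
        if rule_db not in ("*", db) or rule_user not in ("*", user):
            continue
        for name in files:
            patterns = ip_files[name].split()  # KeyError here models an unreadable ip_list_file
            if any(ip_matches(p, ip) for p in patterns):
                return True
    return False
```

A broker with no section in the file (BROKER3 here) admits nothing under this model, which is why every broker in cubrid_broker.conf needs its own section.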

For a broker that is already running, you can apply a modified configuration file or check the currently applied configuration with the following commands.

Syntax

To change the databases, database user IDs and IPs allowed to access the broker and apply the modified configuration to the running broker, use the following command.

cubrid broker acl reload [<BR_NAME>]

  • BR_NAME : A broker name. If you specify it, the changes are applied only to that broker; if you omit it, the changes are applied to all brokers.

To display on screen the databases, database user IDs and IPs that are allowed to access the running broker, use the following command.

cubrid broker acl status [<BR_NAME>]

  • BR_NAME : A broker name. If you specify it, only that broker's configuration is displayed; if you omit it, the configuration of every broker is displayed.

Broker Logs

If a client tries to access a broker from an IP address that is not allowed, the following log entries are written.

  • ACCESS_LOG
    1 192.10.10.10 - - 1288340944.198 1288340944.198 2010/10/29 17:29:04 ~ 2010/10/29 17:29:04 14942 - -1 db1 dba : rejected
  • SQL LOG
    10/29 10:28:57.591 (0) CLIENT IP 192.10.10.10
    10/29 10:28:57.592 (0) connect db db1 user dba url jdbc:cubrid:192.10.10.10:30000:db1::: - rejected
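As an added example (not part of the CUBRID manual), the following Python scans ACCESS_LOG lines for the ": rejected" marker shown above and summarises rejected attempts per client IP, database and user, which is the signal an operator would monitor. The log excerpt is constructed; the one non-rejected line assumes only that an accepted entry does not end in ": rejected".

```python
from collections import Counter

# Constructed ACCESS_LOG excerpt. The rejected lines follow the format shown on this page;
# line 3 is a constructed stand-in for an accepted connection (it does not end in ': rejected').
ACCESS_LOG = """\
1 192.10.10.10 - - 1288340944.198 1288340944.198 2010/10/29 17:29:04 ~ 2010/10/29 17:29:04 14942 - -1 db1 dba : rejected
2 192.10.10.10 - - 1288340950.001 1288340950.001 2010/10/29 17:29:10 ~ 2010/10/29 17:29:10 14943 - -1 db1 dba : rejected
3 192.168.1.25 - - 1288340960.500 1288340960.500 2010/10/29 17:29:20 ~ 2010/10/29 17:29:25 14944 - 0 db1 dbuser1
4 10.20.30.40 - - 1288340970.123 1288340970.123 2010/10/29 17:29:30 ~ 2010/10/29 17:29:30 14945 - -1 db1 dba : rejected
"""

def parse_rejections(log_text):
    """Yield (start_timestamp, client_ip, db, user) for each ACL-rejected connection."""
    for line in log_text.splitlines():
        t = line.split()
        # Field positions follow the sample line: client IP is field 2, db and user precede ': rejected'.
        if len(t) < 18 or t[-2:] != [":", "rejected"]:
            continue
        yield (t[6] + " " + t[7], t[1], t[-4], t[-3])

def rejections_by_source(log_text):
    """Count rejected attempts per (client_ip, db, user) to see who is probing which database."""
    return Counter((ip, db, user) for _, ip, db, user in parse_rejections(log_text))

def noisy_sources(log_text, threshold=2):
    """Client IPs whose rejected attempts reach the threshold: candidates for an alert."""
    per_ip = Counter(ip for _, ip, _, _ in parse_rejections(log_text))
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```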

Note: For details on how to limit access to the database server, see Limiting Database Server Access.