Background Image

DOCUMENTATION

?

Shortcut

PrevPrev Article

NextNext Article

Larger Font Smaller Font Up Down Go comment Print

 

Author: Seojin Heo 

 

Access Control is used to restrict access of unauthorised IP and DB users (permitted IP lists and permitted DB users are authorised) to the broker or database server. By using this feature, you can protect the database from problems caused by external incorrect access.

 

CUBRID provides database access control management to limit brokers and CSQL interprinters accessing the database and provides broker access control management to restrict application clients accessing the broker.

 

In this post, we will explore how to set up and monitor database and broker access control management. The example is created based on CUBRID version 9.3.6.0002.

 

Database Server Access Control Management​​

  1. Setting up database server connection control management

1) cubrid.conf file setting ($CUBRID/conf/cubrid.conf)

  • To use the access control management function of the database server, the access_ip_control parameter must be set to yes (default is no), and the path to access_ip_control_file (the file where the IP list that allows access is created) must be entered.
  • The setting value can be applied after restarting the database server.
  • Example:
    cubridconf.png

 

2)  access_ip_control_file file creation format

[@<db_name>]

<ip_addr>

  • <db_name>: Database name to allow access
  • -<ip_addr>: IP address to allow access. Entering a backseat as * allows all IPs in the backseat.
  • You can also add multiple lines of <ip_addr> to the line following a database name.
  • Example:
    access_ip_control_file.png
  • testdb database allows access to all IPs starting with 10.182
  • -The demodb database allows access to all IPs starting with 10. and IPs of 192.168.0.83.
  • -cubriddb database allows all IP access. (In case of HA configuration or broker server separation, the IP of the host must be written.)

 

3)  Apply new access_ip_control_file to database server which is already running

cubrid server acl reload <database_name>      -- HA 구성인 경우 @<hostname> 추가
  • Example: 
    server_acl_reload.png

4) Check the access control management settings of the running database server

cubrid server acl status <database_name>      -- HA 구성인 경우 @<hostname> 추가
  • Example: 
    server_acl_status.png

 

2. Verify the database server access control management logs

  • Access from an unacceptable IP will leave a record in the server error log file.
  • The database server error log is created in the $CUBRID/log/server directory, and the file name is saved in the format of <db_name>_<yyyymmdd>_<hhmi>.err
  • Example:
    acl_server_err.png

 

===================================================================================================

Broker Access Control Management

  1. Setting up the broker access control management

 1) cubrid_broker.conf file setting ($CUBRID/conf/cubrid_broker.conf)

  • In order to use the broker's access control management function, the access_control parameter must be set to on (default is off), and the access_control_file parameter value must be entered with the user and database and IP file paths that allow access.
  • The accss_control and accss_control_file parameters should be written under [broker] where common application parameters are located.
  • The setting value can be applied after restarting the broker.
  • Example:
    brokerconf.png

2) access_control_file file creation format

[%<broker_name>]

<db_name>:<db_user>:<ip_list_file>

  • -<broker_name>: Broker name. One of the broker names specified in cubrid_broker.conf.
  • -<db_name>: Database name. Specifying * allows all databases
  • -<db_user>: Database user ID. Specifying * allows all database user IDs.
  • -<ip_list_file>: The name of a file that stores a list of accessible ips. Multiple files can be separated by commas (,).
  • Example:
    access_control_file.png
  • query_editor broker’s permission scope:
  1. All users accessing testdb are allowed only from the IP registered in readonlyip.txt.
  2. When connecting to testdb as user testuser, only IP registered in IPlist.txt is allowed.
  3. When connecting to all databases with dba, only IP registered in writeip.txt is allowed.

3) Ip_list_file  file creation format

192.168.0.21

10.*

*

  • First line: allow 192.168.0.21
  • Second line: Allow all IPs starting with 10
  • Third 3rd line: Allow all Ips

4) Apply new access_control_file to brokers already running

cubrid broker acl reload <broker_name>     
  • If the broker name is omitted, the change is applied to the entire broker.
  • Example:
    broker_acl_reload.png

5) Check the setting of access control management of a running broker

cubrid broker acl status <broker_name>     
  • If the broker name is omitted, all broker settings are displayed.
  • Example:
    broker_acl_status.png

2. Verify the broker access control management Logs

  • Access from disallowed IP will leave a record in Broker ACCESS_LOG and SQL_LOG.
  • ACCESS_LOG and SQL_LOG are created by default under the $CUBRID/log/broker directory and may vary depending on the setting value.
  • For ACCESS_LOG, the ACCESS_LOG parameter must be set to ON for creation.
  • ACCESS_LOG Example:
    access_log.png
  • SQL_LOG example:
    sql_log.png

We recommend that you use the access control management function provided by CUBRID correctly to protect the database from problems caused by external incorrect access. This concludes the introduction to CUBRID access control management.

 


List of Articles
No. Category Subject Date
17 Interfaces How to Configure to Log4J to Log Messages to CUBRID Database 2020.05.12
16 Server How to Start CUBRID Automatically upon LINUX Boot 2020.07.17
15 Installation Installing CUBRID and CUBRID Admin on Windows 2020.05.11
14 Installation Installing CUBRID on Linux 2020.05.06
13 Server Introduction to CUBRID Security – Part I file 2020.06.25
12 Server Introduction to CUBRID Security – Part II file 2020.06.26
11 Tools Let’s Take a Look at SQLGate for CUBRID! file 2020.07.23
10 Server Replace the Linux Version CUBRID Default Installation Directory 2020.07.14
9 Tools Reverse Engineering CUBRID Database with ERwin file 2020.07.14
8 Tools Running CUBRID Container Services in Docker, Kubernetes Environment file 2020.07.23
Board Pagination Prev 1 2 3 4 Next
/ 4

Join the CUBRID Project on