Author: Seojin Heo
Access control restricts access to the broker or database server to authorised IP addresses and DB users (those on the permitted IP list and the permitted DB user list). By using this feature, you can protect the database from problems caused by incorrect external access.
CUBRID provides database access control management, which limits the brokers and CSQL interpreters that may access the database, and broker access control management, which restricts the application clients that may access the broker.
In this post, we will explore how to set up and monitor database and broker access control management. The example is created based on CUBRID version 9.3.6.0002.
Database Server Access Control Management
1. Setting up database server access control management
1) cubrid.conf file setting ($CUBRID/conf/cubrid.conf)
- To use the access control management function of the database server, the access_ip_control parameter must be set to yes (default is no), and the access_ip_control_file parameter must be set to the path of the file that holds the list of IPs allowed to connect.
- The setting takes effect after the database server is restarted.
2) access_ip_control_file file creation format
- <db_name>: Name of the database to which access is allowed.
- <ip_addr>: IP address allowed to access the database. Entering * for the trailing octets allows every IP in that range.
- Multiple <ip_addr> lines can be added after a database name.
- The testdb database allows access from all IPs starting with 10.182.
- The demodb database allows access from all IPs starting with 10. and from 192.168.0.83.
- The cubriddb database allows access from all IPs. (In an HA configuration, or when the broker runs on a separate server, the IP of that host must be listed.)
3) Apply a new access_ip_control_file to a database server that is already running
cubrid server acl reload <database_name> (in an HA configuration, append @<hostname>)
4) Check the access control management settings of the running database server
cubrid server acl status <database_name> (in an HA configuration, append @<hostname>)
2. Verify the database server access control management logs
- Access from a disallowed IP leaves a record in the server error log file.
- The database server error log is created in the $CUBRID/log/server directory, and the file name has the format <db_name>_<yyyymmdd>_<hhmi>.err
Broker Access Control Management
1. Setting up the broker access control management
1) cubrid_broker.conf file setting ($CUBRID/conf/cubrid_broker.conf)
- To use the broker's access control management function, the access_control parameter must be set to on (default is off), and the access_control_file parameter must be set to the path of the file that lists the users, databases and IP list files allowed to connect.
- The access_control and access_control_file parameters should be written under [broker], where the common application parameters are located.
- The setting takes effect after the broker is restarted.
2) access_control_file file creation format
- <broker_name>: Broker name. One of the broker names specified in cubrid_broker.conf.
- <db_name>: Database name. Specifying * allows all databases.
- <db_user>: Database user ID. Specifying * allows all database user IDs.
- <ip_list_file>: The name of a file that stores a list of accessible IPs. Multiple files can be separated by commas (,).
- query_editor broker’s permission scope:
- All users accessing testdb are allowed only from the IP registered in readonlyip.txt.
- When connecting to testdb as user testuser, only IP registered in IPlist.txt is allowed.
- When connecting to all databases with dba, only IP registered in writeip.txt is allowed.
3) ip_list_file file creation format
- First line: Allow 192.168.0.21
- Second line: Allow all IPs starting with 10
- Third line: Allow all IPs
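As an added example (not from the post or from CUBRID itself), the following Python checker parses an access_control_file and its ip_list_files and reports whether a given broker, database, user and IP would be allowed, so an ACL can be reviewed offline before running cubrid broker acl reload. The [%broker] section header and db:user:ip_file line layout, the octet-wise meaning of a trailing * (the same entry form the access_ip_control_file uses), and the rule that a connection is allowed when any applicable rule lists the IP are assumptions here; confirm the live settings with cubrid broker acl status.

```python
# Constructed sample files (not from the post): an access_control_file and its ip_list_files.
FILES = {
    "access_control_file": """\
[%query_editor]
testdb:*:readonlyip.txt
testdb:testuser:iplist.txt
*:dba:writeip.txt
""",
    "readonlyip.txt": "192.168.0.21\n",
    "iplist.txt": "10.*\n",
    "writeip.txt": "192.168.0.83\n10.182.*\n",
}

def ip_matches(pattern, ip):
    """True if ip matches an entry such as 192.168.0.21, 10.182.* or *.
    Assumption: a trailing * stands for whole octets, so 10.* covers 10.1.2.3
    but not 100.1.2.3 (a plain string-prefix test would wrongly allow it)."""
    if pattern == "*":
        return True
    p_octets, ip_octets = pattern.split("."), ip.split(".")
    if p_octets[-1] == "*":
        prefix = p_octets[:-1]
        return ip_octets[:len(prefix)] == prefix
    return p_octets == ip_octets

def parse_acl(text):
    """Parse access_control_file into {broker: [(db, user, [ip_file, ...])]}."""
    rules, broker = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[%") and line.endswith("]"):
            broker = line[2:-1]          # [%query_editor] -> query_editor
            continue
        db, user, files = line.split(":")
        rules.setdefault(broker, []).append(
            (db, user, [f.strip() for f in files.split(",")]))
    return rules

def is_allowed(broker, db, user, ip, files=FILES):
    """Allowed if any rule of the broker that covers (db, user) lists the IP."""
    acl = parse_acl(files["access_control_file"])
    for r_db, r_user, ip_files in acl.get(broker, []):
        if r_db not in ("*", db) or r_user not in ("*", user):
            continue
        if any(ip_matches(p, ip) for f in ip_files for p in files[f].split()):
            return True
    return False
```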
4) Apply a new access_control_file to brokers that are already running
cubrid broker acl reload <broker_name>
- If the broker name is omitted, the change is applied to all brokers.
5) Check the access control management settings of a running broker
cubrid broker acl status <broker_name>
- If the broker name is omitted, the settings of all brokers are displayed.
2. Verify the broker access control management logs
- Access from a disallowed IP leaves a record in the broker ACCESS_LOG and SQL_LOG.
- ACCESS_LOG and SQL_LOG are created by default under the $CUBRID/log/broker directory; the location may vary depending on the configured value.
- For ACCESS_LOG, the ACCESS_LOG parameter must be set to ON for the file to be created.
- ACCESS_LOG Example:
- SQL_LOG example:
We recommend using the access control management functions provided by CUBRID to protect the database from problems caused by incorrect external access. This concludes the introduction to CUBRID access control management.