四权分立
简介
为了提高数据库的安全性,限制单一管理员权限过大的问题,平凯数据库支持的四权分离功能,通过创建四个不同职责的 admin role 来对管理员权限进行拆分,做到了建立职责分离、角色约束的权限管理机制。
开启四权分离模式
四权分离模式的配置
平凯数据库通过配置参数 security.tidb-enable-duty-separation_mode 来决定是否开启四权分离模式,默认情况下,系统是不开启此功能的。仅在部署集群或升级集群时修改此配置参数来开启四权分离模式,不支持在集群运行过程中在线开启。
部署集群时开启四权分离模式
使用 TiUP 工具部署集群时,通过下列部署步骤,使集群开启四权分离模式:
修改部署配置文件,添加配置项。
server_configs: tidb: security.tidb-enable-duty-separation-mode: true使用
tiup cluster deploy命令部署集群。
部署完集群后并启动集群,此时集群已经开启了四权分离模式。
升级集群开启四权分离模式
如果旧版本集群不带有四权分离功能,而新版本带有此功能,从旧版本升级到新版本时,可以开启四权分离模式,步骤如下:
修改集群配置项,使用如下命令:
tiup cluster edit-config ${cluster-name}修改添加配置如下:
server_configs: tidb: security.tidb-enable-duty-separation-mode: trueReload 集群配置,注意 reload 集群配置需要跳过重启阶段,命令如下:
tiup cluster reload ${cluster-name} --skip-restart升级集群:
tiup cluster upgrade ${cluster-name} ${version}
集群滚动升级完成后,此时集群已经开启了四权分离模式。
查询是否开启四权分离模式
查询系统变量
通过查询系统变量,可以确认集群是否开启了四权分离模式,查询方式如下:
mysql> show variables like 'tidb_enable_duty_separation_mode';
+----------------------------------+-------+
| Variable_name | Value |
+----------------------------------+-------+
| tidb_enable_duty_separation_mode | ON |
+----------------------------------+-------+
查询四权分离角色
可通过查询集群中的 admin role 来确认集群当前是否开启了四权分离模式,通过 root 用户登录数据库,然后查询:
mysql> select user from mysql.user;
+----------------+
| user |
+----------------+
| audit_admin |
| database_admin |
| root |
| security_admin |
| system_admin |
+----------------+
MySQL [(none)]> select * from mysql.user;
+------+----------------+-----------------------+-----------------------+-------------+-------------+-------------+-------------+-------------+-----------+--------------+------------+-----------------+------------+--------------+------------+-----------------------+------------------+--------------+------------------+----------------+---------------------+--------------------+------------+------------------+------------+-----------------+------------------+--------------+------------------+----------------+----------------+---------------+-------------+-----------+-------------+------------------------+------------------------+---------------------+-----------------+--------------+------------------+-----------------------+-------------------+----------------------+
| Host | User | authentication_string | plugin | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Process_priv | Grant_priv | References_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Index_priv | Create_user_priv | Event_priv | Repl_slave_priv | Repl_client_priv | Trigger_priv | Create_role_priv | Drop_role_priv | Account_locked | Shutdown_priv | Reload_priv | FILE_priv | Config_priv | Create_Tablespace_Priv | Password_reuse_history | Password_reuse_time | User_attributes | Token_issuer | Password_expired | Password_last_changed | Password_lifetime | Max_user_connections |
+------+----------------+-----------------------+-----------------------+-------------+-------------+-------------+-------------+-------------+-----------+--------------+------------+-----------------+------------+--------------+------------+-----------------------+------------------+--------------+------------------+----------------+---------------------+--------------------+------------+------------------+------------+-----------------+------------------+--------------+------------------+----------------+----------------+---------------+-------------+-----------+-------------+------------------------+------------------------+---------------------+-----------------+--------------+------------------+-----------------------+-------------------+----------------------+
| % | root | | mysql_native_password | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | NULL | NULL | NULL | | N | 2024-04-06 22:54:45 | NULL | 0 |
| % | system_admin | | mysql_native_password | N | N | N | N | Y | Y | N | Y | Y | Y | N | N | Y | N | N | Y | N | Y | Y | Y | N | N | N | N | N | N | N | Y | N | Y | N | N | Y | NULL | NULL | {} | | Y | 2024-04-06 22:54:45 | NULL | 0 |
| % | security_admin | | mysql_native_password | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | N | N | N | N | N | Y | N | N | N | N | Y | Y | Y | Y | Y | N | Y | N | NULL | NULL | {} | | Y | 2024-04-06 22:54:45 | NULL | 0 |
| % | database_admin | | mysql_native_password | Y | Y | Y | Y | N | N | Y | Y | N | N | Y | N | N | Y | Y | N | Y | N | N | N | N | Y | Y | Y | Y | N | N | Y | N | Y | Y | N | N | NULL | NULL | {} | | Y | 2024-04-06 22:54:45 | NULL | 0 |
| % | audit_admin | | mysql_native_password | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | Y | N | Y | N | N | N | NULL | NULL | {} | | Y | 2024-04-06 22:54:45 | NULL | 0 |
+------+----------------+-----------------------+-----------------------+-------------+-------------+-------------+-------------+-------------+-----------+--------------+------------+-----------------+------------+--------------+------------+-----------------------+------------------+--------------+------------------+----------------+---------------------+--------------------+------------+------------------+------------+-----------------+------------------+--------------+------------------+----------------+----------------+---------------+-------------+-----------+-------------+------------------------+------------------------+---------------------+-----------------+--------------+------------------+-----------------------+-------------------+----------------------+