Инструкции по повышению безопасности
This guide explains how to enhance security in your Tarantool Enterprise Edition’s cluster using built-in features and provides general recommendations on security hardening. If you need to perform a security audit of a Tarantool Enterprise cluster, refer to the security checklist.
Tarantool Enterprise Edition does not provide a dedicated API for security control. All the necessary configurations can be done via an administrative console or initialization code.
В Tarantool Enterprise есть следующие встроенные средства безопасности:
Tarantool Enterprise поддерживает аутентификацию на основе паролей и допускает два типа соединений:
- Via an administrative console.
- Over a binary port for read and write operations and procedure invocation.
For more information on authentication and connection types, see the Безопасность section of the Tarantool manual.
Кроме того, Tarantool предоставляет следующие функциональные возможности:
- Sessions – states which associate connections with users and make Tarantool API available to them after authentication.
- Authentication triggers, which execute actions on authentication events.
- Third-party (external) authentication protocols and services such as LDAP or Active Directory – supported in the web interface, but unavailable on the binary-protocol level.
Для администраторов Tarantool Enterprise предоставляет средства предотвращения несанкционированного доступа к базе данных и к определенным функциям.
Tarantool различает:
- different users (guests and administrators)
- privileges associated with users
- roles (containers for privileges) granted to users
The following system spaces are used to store users and privileges:
- The
_user
space to store usernames and hashed passwords for authentication. - The
_priv
space to store privileges for access control.
For more information, see the Access control section.
Users who create objects (spaces, indexes, users, roles, sequences, and functions) in the database become their owners and automatically acquire privileges for what they create. For more information, see the Owners and privileges section.
В Tarantool Enterprise есть встроенный журнал аудита, в котором записываются такие события, как:
- authentication successes and failures
- connection closures
- creation, removal, enabling, and disabling of users
- changes of passwords, privileges, and roles
- denials of access to database objects
The audit log contains:
- timestamps
- usernames of users who performed actions
- event types (for example,
user_create
,user_enable
,disconnect
) - descriptions
You can configure the following audit log options:
- audit_log.to – enable audit logging and define the log location (file, pipe, or syslog). The option is similar to the log.
- audit_log.nonblock – specify the logging behavior if the system is not ready to write. The option is similar to the log_nonblock.
Для получения дополнительной информации о журналировании см. следующие разделы:
- the Журналирование section
- the log section in the configuration reference
- the Tarantool audit module topic
Права доступа к файлам журнала можно настроить, как для любого другого объекта файловой системы Unix – через chmod
.
В этом разделе даны рекомендации, которые могут помочь вам повысить безопасность кластера.
Since version 2.10.0, Tarantool Enterprise Edition has built-in support for using SSL to encrypt the client-server communications over binary connections, that is, between Tarantool instances in a cluster. For details on enabling SSL encryption, see the Securing connections with SSL section of this guide.
In case the built-in encryption is not set for particular connections, consider the following security recommendations:
- настроить туннелирование соединения или
- зашифровать сами данные, которые хранятся в базе.
For more information on data encryption, see the crypto module reference.
The HTTP server module provided by rocks does not support the HTTPS protocol. To set up a secure connection for a client (e.g., REST service), consider hiding the Tarantool instance (router if it is a cluster of instances) behind an Nginx server and setting up an SSL certificate for it.
To make sure that no information can be intercepted „from the wild“, run nginx on the same physical server as the instance and set up their communication over a Unix socket. For more information, see the socket module reference.
To protect the cluster from any unwanted network activity „from the wild“, configure the firewall on each server to allow traffic on ports listed in Network requirements.
Если вы используете статические IP-адреса, повторно внесите их в белый список на каждом сервере, поскольку кластер работает на принципах полносвязной топологии (full mesh topology). Рекомендуется внести в черный список всех остальные адреса на всех серверах, кроме роутера (работающего за сервером Nginx).
Tarantool Enterprise не предоставляет защиту от DoS-атак или DDoS-атак. Для этих целей рекомендуется использовать сторонние программы.
Tarantool Enterprise Edition does not keep checksums or provide the means to control data integrity. However, it ensures data persistence using a write-ahead log, regularly snapshots the entire data set to disk, and checks the data format whenever it reads the data back from the disk. For more information, see the Data persistence section.