Background: why access verification is needed on the management ports
TLS status of the cluster
After the deployed TiDB cluster has been scaled down to a single PD node, TLS can be enabled on the cluster with the tiup cluster tls clustername enable command.
[tidb@vm10-2-103-12 ~]$ tiup cluster display tidb-test1
Cluster type: tidb
Cluster name: tidb-test1
Cluster version: v6.5.6
Deploy user: tidb
SSH type: builtin
TLS encryption: enabled
CA certificate: /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/ca.crt
Client private key: /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.pem
Client certificate: /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
Dashboard URL: https://10.2.103.12:2479/dashboard
Grafana URL: http://10.2.103.64:3100
ID Role Host Ports OS/Arch Status Data Dir Deploy Dir
-- ---- ---- ----- ------- ------ -------- ----------
10.2.103.64:9193 alertmanager 10.2.103.64 9193/9194 linux/x86_64 Up /tidb-data-test1/alertmanager-9193 /tidb-deploy-test1/alertmanager-9193
10.2.103.64:3100 grafana 10.2.103.64 3100 linux/x86_64 Up - /tidb-deploy-test1/grafana-3100
10.2.103.12:2479 pd 10.2.103.12 2479/2480 linux/x86_64 Up|L|UI /tidb-data-test1/pd-2479 /tidb-deploy-test1/pd-2479
10.2.103.64:9290 prometheus 10.2.103.64 9290/12220 linux/x86_64 Up /tidb-data-test1/prometheus-9290 /tidb-deploy-test1/prometheus-9290
10.2.103.12:4100 tidb 10.2.103.12 4100/11080 linux/x86_64 Up - /tidb-deploy-test1/tidb-4100
10.2.103.28:4100 tidb 10.2.103.28 4100/11080 linux/x86_64 Up - /tidb-deploy-test1/tidb-4100
10.2.103.147:21160 tikv 10.2.103.147 21160/21180 linux/x86_64 Up /tidb-data-test1/tikv-21160 /tidb-deploy-test1/tikv-21160
10.2.103.202:21160 tikv 10.2.103.202 21160/21180 linux/x86_64 Up /tidb-data-test1/tikv-21160 /tidb-deploy-test1/tikv-21160
10.2.103.92:21160 tikv 10.2.103.92 21160/21180 linux/x86_64 Up /tidb-data-test1/tikv-21160 /tidb-deploy-test1/tikv-21160
Management ports have no access control
After TLS is enabled on the cluster, ports such as PD 2379 do perform certificate verification, but scanning tools can still discover the debug/pprof endpoints of the Go components and the API endpoints of tidb-server, cdc-server and others, and a browser can open them normally. If this is submitted in a security filing, the security department may reject it.
Cluster certificates after TLS is enabled
All nodes and components share the same CA certificate
[tidb@vm10-2-103-12 ~]$ md5sum /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/ca.crt
97eb790c1e0299fb1ffb7346f71e9fde /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/ca.crt
[tidb@vm10-2-103-12 ~]$ md5sum /tidb-deploy-test1/pd-2479/tls/ca.crt
97eb790c1e0299fb1ffb7346f71e9fde /tidb-deploy-test1/pd-2479/tls/ca.crt
[tidb@vm10-2-103-12 ~]$ md5sum /tidb-deploy-test1/tidb-4100/tls/ca.crt
97eb790c1e0299fb1ffb7346f71e9fde /tidb-deploy-test1/tidb-4100/tls/ca.crt
[tidb@vm10-2-103-12 ~]$ openssl x509 -noout -subject -in /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
subject= /O=PingCAP/OU=TiUP/OU=tiup-cluster-client/CN=tidb-test1-client
[tidb@vm10-2-103-12 ~]$ openssl x509 -text -in /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/ca.crt -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7b:22:10:dc:75:17:cb:29:ff:bc:b0:28:60:a0:9d:16
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=PingCAP, OU=TiUP
Validity
Not Before: May 5 06:46:18 2024 GMT
Not After : Apr 23 06:46:18 2074 GMT
Subject: O=PingCAP, OU=TiUP
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:c7:f2:bf:7c:8d:81:76:cd:07:05:b0:00:19:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
65:AA:D3:27:5D:EC:F3:53:C4:AE:46:8A:F1:E4:22:D1:A9:E8:DF:ED
Signature Algorithm: sha256WithRSAEncryption
53:58:49:d7:7c:67:ec:30:d5:59:5b:58:76:19:3c:90:58:ba:
...
The certificate of every node and component uses that component's own CN (common name; note the CN value in the certificate) and the IP address of the specific node. Because PD's cert-allowed-cn configuration item accepts only one value, the per-component CN names that the current TiUP version configures do not meet the requirement.
[tidb@vm10-2-103-12 ~]$ md5sum /tidb-deploy-test1/pd-2479/tls/pd.crt
470ab67dc5b9d1f3d4f530a2467f02d3 /tidb-deploy-test1/pd-2479/tls/pd.crt
[tidb@vm10-2-103-12 ~]$ md5sum /tidb-deploy-test1/tidb-4100/tls/tidb.crt
5c6ef0c2bf996231cccb22e6c3505b8f /tidb-deploy-test1/tidb-4100/tls/tidb.crt
[tidb@vm10-2-103-12 ~]$ md5sum /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
07caa98266a24ba42828f0f01217b659 /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
[tidb@vm10-2-103-12 ~]$ openssl x509 -noout -subject -in /tidb-deploy-test1/pd-2479/tls/pd.crt
subject= /O=PingCAP/OU=pd/OU=TiUP/CN=pd
[tidb@vm10-2-103-12 ~]$ openssl x509 -noout -subject -in /tidb-deploy-test1/tidb-4100/tls/tidb.crt
subject= /O=PingCAP/OU=TiUP/OU=tidb/CN=tidb
[tidb@vm10-2-103-12 ~]$ openssl x509 -noout -subject -in /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
subject= /O=PingCAP/OU=TiUP/OU=tiup-cluster-client/CN=tidb-test1-client
[tidb@vm10-2-103-12 tlsold]$ openssl x509 -text -in tidb.crt -noout |grep -A 1 Alternative
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, IP Address:10.2.103.12
[tidb@vm10-2-103-12 tlsold]$ openssl x509 -text -in pd.crt -noout |grep -A 1 Alternative
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, IP Address:10.2.103.12
Rebuilding the component certificates manually
- Starting from v8.4.0, PD's cert-allowed-cn configuration item supports multiple values. You can set multiple Common Names as needed in TiDB's cluster-verify-cn configuration item and in the cert-allowed-cn configuration items of the other components. Note in particular that TiUP uses a separate identity when querying component status: for example, if the cluster name is test, it uses test-client as the Common Name.
- For v8.3.0 and earlier, PD's cert-allowed-cn configuration item accepts only one value. Therefore, the Common Name of all authenticated parties must be set to the same value.
Verifying the caller's identity prevents unauthorized users from accessing the management ports. On versions earlier than v8.4.0, before caller identity verification is enabled, the component certificates must be rebuilt with the original CA certificate, with the certificate commonName set to the same value (TiDB).
Copy the CA certificate on the TiUP host.
[tidb@vm10-2-103-12 ~]$ cd /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/
[tidb@vm10-2-103-12 tls]$ ls
ca.crt ca.pem client.crt client.pem client.pfx
[tidb@vm10-2-103-12 tls]$ mkdir ~/tidbcrt
[tidb@vm10-2-103-12 tls]$ cp ca.crt ~/tidbcrt/
[tidb@vm10-2-103-12 tls]$ cp ca.pem ~/tidbcrt/
[tidb@vm10-2-103-12 tls]$ cd ~/tidbcrt/
[tidb@vm10-2-103-12 tidbcrt]$ ls
ca.crt ca.pem
[tidb@vm10-2-103-12 crt]$ cp /etc/pki/tls/openssl.cnf openssl_tidb.cnf
[tidb@vm10-2-103-12 crt]$ vi openssl_tidb.cnf
Manually configure req_distinguished_name, req_extensions and subjectAltName in openssl.conf.
Because configuring certificates by hand is tedious, this example sets subjectAltName to the IP addresses of all cluster nodes together with a single common name, so that all components share one certificate. If domain names were used at installation time, all of them must be added as DNS entries as well. commonName_default is set to TiDB.
[tidb@vm10-2-103-12 tidbcrt]$ cat openssl_tidb.cnf |grep -v ^$|grep -v ^#
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
0.organizationName = Organization Name (eg, company)
0.organizationName_default = PingCAP
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = TiUP
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = TiDB
commonName_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = 10.2.103.64
IP.3 = 10.2.103.12
IP.4 = 10.2.103.28
IP.5 = 10.2.103.147
IP.6 = 10.2.103.202
IP.7 = 10.2.103.92
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
Generating the component certificate
[tidb@vm10-2-103-12 tidbcrt]$ openssl genrsa -out tidb.key 2048
[tidb@vm10-2-103-12 tidbcrt]$ openssl req -new -key tidb.key -out tidb.csr -config openssl_tidb.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (eg, company) [PingCAP]:
Organizational Unit Name (eg, section) [TiUP]:
Common Name (eg, your name or your server's hostname) [TiDB]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[tidb@vm10-2-103-12 tidbcrt]$ ls
ca.crt ca.pem openssl.cnf openssl_tidb.cnf tidb.csr tidb.key
[tidb@vm10-2-103-12 tidbcrt]$ openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.pem -CAcreateserial -in tidb.csr -out tidb.crt -extensions v3_req -extfile openssl_tidb.cnf
Signature ok
subject=/O=PingCAP/OU=TiUP/CN=TiDB
Getting CA Private Key
The new certificate contains the IP addresses of all components, and its CN is TiDB, the standard value used throughout.
[tidb@vm10-2-103-12 tidbcrt]$ openssl x509 -text -in /home/tidb/tidbcrt/tidb.crt -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f8:01:3b:c4:c4:d8:7a:30
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=PingCAP, OU=TiUP
Validity
Not Before: May 5 08:50:09 2024 GMT
Not After : May 3 08:50:09 2034 GMT
Subject: O=PingCAP, OU=TiUP, CN=TiDB
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cf:e5:80:03:4c:6e:e8:1f:e6:67:46:ab:88:de:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, IP Address:10.2.103.64, IP Address:10.2.103.12, IP Address:10.2.103.28, IP Address:10.2.103.147, IP Address:10.2.103.202, IP Address:10.2.103.92
Signature Algorithm: sha256WithRSAEncryption
26:d1:f7:37:76:fc:c0:f1:e9:89:a3:c6:a9:b3:de:85:e8:19:
...
Compared with the original component certificate, the X509v3 extensions are configured consistently.
[tidb@vm10-2-103-12 crt]$ openssl x509 -text -in /tidb-deploy-test1/tidb-4100/tls/tidb.crt -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d7:b3:af:df:e3:b1:8e:2e:3f:b2:f7:de:14:ba:c1:1e
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=PingCAP, OU=TiUP
Validity
Not Before: May 5 06:46:19 2024 GMT
Not After : May 3 06:46:19 2034 GMT
Subject: O=PingCAP, OU=TiUP, OU=tidb, CN=tidb
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:fe:3a:b6:c1:b2:bd:e9:05:05:5c:55:b0:0e:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Authority Key Identifier:
keyid:65:AA:D3:27:5D:EC:F3:53:C4:AE:46:8A:F1:E4:22:D1:A9:E8:DF:ED
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, IP Address:10.2.103.12
Signature Algorithm: sha256WithRSAEncryption
1d:7f:30:96:dd:07:05:4a:0c:c4:53:5a:42:95:cf:f3:52:d8:
...
Pushing the new certificate
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/tidb-4100/tls" -R tidb
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/tidb-4100/tls /tidb-deploy-test1/tidb-4100/tlsold" -R tidb
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/tidb-4100/tlsold" -R tidb
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/tidb-4100/tls/tidb.pem -R tidb
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/tidb-4100/tls/tidb.crt -R tidb
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/tikv-21160/tls" -R tikv
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/tikv-21160/tls /tidb-deploy-test1/tikv-21160/tlsold" -R tikv
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/tikv-21160/tlsold" -R tikv
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/tikv-21160/tls/tikv.pem -R tikv
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/tikv-21160/tls/tikv.crt -R tikv
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/pd-2479/tls" -R pd
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/pd-2479/tls /tidb-deploy-test1/pd-2479/tlsold" -R pd
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/pd-2479/tlsold" -R pd
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/pd-2479/tls/pd.pem -R pd
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/pd-2479/tls/pd.crt -R pd
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/prometheus-9290/tls" -R prometheus
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/prometheus-9290/tls /tidb-deploy-test1/prometheus-9290/tlsold" -R prometheus
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/prometheus-9290/tlsold" -R prometheus
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/prometheus-9290/tls/prometheus.pem -R prometheus
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/prometheus-9290/tls/prometheus.crt -R prometheus
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/grafana-3100/tls" -R grafana
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/grafana-3100/tls /tidb-deploy-test1/grafana-3100/tlsold" -R grafana
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/grafana-3100/tlsold" -R grafana
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/grafana-3100/tls/grafana.pem -R grafana
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/grafana-3100/tls/grafana.crt -R grafana
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/alertmanager-9193/tls" -R alertmanager
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/alertmanager-9193/tls /tidb-deploy-test1/alertmanager-9193/tlsold" -R alertmanager
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/alertmanager-9193/tlsold" -R alertmanager
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/alertmanager-9193/tls/alertmanager.pem -R alertmanager
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/alertmanager-9193/tls/alertmanager.crt -R alertmanager
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/cdc-8400/tls" -R cdc
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/cdc-8400/tls /tidb-deploy-test1/cdc-8400/tlsold" -R cdc
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/cdc-8400/tlsold" -R cdc
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/cdc-8400/tls/cdc.pem -R cdc
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/cdc-8400/tls/cdc.crt -R cdc
cp tidb.key /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.pem
cp tidb.crt /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
Note: if new nodes are scaled out, they must be added to the IP list and the certificate regenerated and pushed once more.
Note: if tiup cluster display shows an abnormal status for tidb-server, the last two steps (replacing the certificate on the TiUP node) may not have been executed.
Enabling common name verification on the cluster
After common name verification is enabled on the cluster, the common name of the client certificate is checked against the allowed value. In the certificate generation step above, the common name of the certificates was unified to TiDB, so the value to verify in the configuration items is also TiDB.
[tidb@vm10-2-103-12 tidbcrt]$ tiup cluster edit-config tidb-test1
global:
  user: tidb
  ssh_port: 22
  ssh_type: builtin
  enable_tls: true
  deploy_dir: /tidb-deploy-test1
  data_dir: /tidb-data-test1
  os: linux
  systemd_mode: system
monitored:
  node_exporter_port: 9200
  blackbox_exporter_port: 9215
  deploy_dir: /tidb-deploy-test1/monitor-9200
  data_dir: /tidb-data-test1/monitor-9200
  log_dir: /tidb-deploy-test1/monitor-9200/log
server_configs:
  tidb:
    security.cluster-verify-cn:
    - TiDB
  tikv:
    security.cert-allowed-cn:
    - TiDB
  pd:
    security.cert-allowed-cn:
    - TiDB
    replication.location-labels:
    - zone
    - host
  tidb_dashboard: {}
  tiflash: {}
  tiproxy: {}
  tiflash-learner: {}
  pump: {}
  drainer: {}
  cdc:
    security.cert-allowed-cn:
    - TiDB
  kvcdc: {}
  grafana: {}
tidb_servers:
[tidb@vm10-2-103-12 tidbcrt]$ tiup cluster reload tidb-test1
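The rule that cluster-verify-cn / cert-allowed-cn add on top of TLS can be reproduced offline. The Go program below is an added example, not code from this page, TiUP or TiDB: mint is a hypothetical stand-in for the CA and openssl steps above (ECDSA keys instead of the page's RSA ones), and admit models the server-side check: the client certificate must chain to the cluster CA and then carry a CN from the allow-list, so with the single-value list of v8.3.0 and earlier only the unified CN TiDB passes while TiUP's per-component CNs pd and tidb are rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a certificate with CN cn signed by parent (a self-signed CA when parent is nil).
func mint(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{Organization: []string{"PingCAP"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// admit is the server-side check that cert-allowed-cn / cluster-verify-cn add on top
// of plain TLS: the client cert must chain to the cluster CA and carry an allowed CN.
func admit(ca, client *x509.Certificate, allowedCN []string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(ca)
	if _, err := client.Verify(opts); err != nil {
		return err // not issued by the cluster CA: rejected before the CN is looked at
	}
	for _, cn := range allowedCN {
		if client.Subject.CommonName == cn {
			return nil
		}
	}
	return fmt.Errorf("CN %q not in allow-list %v", client.Subject.CommonName, allowedCN)
}

func main() {
	ca, caKey := mint("TiUP", nil, nil)
	for _, cn := range []string{"TiDB", "pd", "tidb"} { // unified CN vs TiUP's per-component CNs
		c, _ := mint(cn, ca, caKey)
		fmt.Printf("CN=%-4s -> %v\n", cn, admit(ca, c, []string{"TiDB"}))
	}
}
```

Passing a multi-value allow-list such as []string{"TiDB", "pd"} to admit models the v8.4.0 behaviour described above; a certificate with CN TiDB issued by any other CA is still rejected by the chain check.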
Protection effect after enabling common name verification
Management ports such as 10080 and 8300 can no longer be accessed, and the vulnerability-scanning host cannot reach these ports either.
Follow-up after enabling common name verification
Restore the PD node count to three.
node_exporter (port 9100) and blackbox_exporter (port 9115) are third-party components. The Prometheus community does not consider the debug/pprof endpoint a security problem, so no remediation such as a parameter to disable it is provided. The currently feasible approach is to comment out the debug module in the source code by hand, recompile, and update the binary; documenting this in the security filing is recommended.
Summary
The TLS certificate common name can protect the management ports. The TiUP component plans to support unified configuration of the certificate common name after a future version upgrade.