Network security access control

seekdb provides a whitelist strategy to implement network security access control. You can use the whitelist feature to specify which clients are allowed to access seekdb.

The whitelist is controlled by the system variable ob_tcp_invited_nodes, which is a global parameter. The default value is 127.0.0.1,::1, indicating that only the IP address of the current server can connect to seekdb. This variable supports list values, which are separated by commas (,). For example, A,B,C,D. When a user logs in, seekdb will match the user's IP address with A, B, C, and D in sequence. If none of them match, the access is denied. If any of them match, the access is allowed.

The list values can be assigned as follows:

• IP address, for example: 192.168.1.1. The match is an exact match, meaning that the user's client IP address must be equal to this IP address.
• IP address containing a percentage sign (%) or an underscore (_), for example: 192.168.1.% or 192.168.1._. The match is a fuzzy match, similar to the LIKE syntax.
• IP/NETMASK address, for example: 192.168.1.0/24 or 192.168.1.0/255.255.255.0. The match is a mask match. Only when Client_IP & NetMask == IP is the match successful, similar to the mask match in MySQL.

tip

Modifying the whitelist does not affect existing session objects.

View and set the whitelist

1. Log in to seekdb as the root user.

   mysql -h127.0.0.1 -uroot -P2881

2. Execute the following statement to view the whitelist.

   SHOW VARIABLES LIKE 'ob_tcp_invited_nodes';

   +----------------------+-------+
   | Variable_name        | Value |
   +----------------------+-------+
   | ob_tcp_invited_nodes | %     |
   +----------------------+-------+

   The value of % indicates that any client IP address is allowed to connect.

3. If you need to change the whitelist settings, execute the following statement to reset the whitelist.

   Here is an example:

   SET GLOBAL ob_tcp_invited_nodes='%';

   SET GLOBAL ob_tcp_invited_nodes='10.10.10.%';