Advanced Security Options
In addition to traditional user and permission management, TDengine also offers other security strategies such as IP whitelisting, audit logs, data encryption, etc., which are unique features of TDengine Enterprise. The whitelisting feature was first released in version 3.2.0.0, audit logs in version 3.1.1.0, and database encryption in version 3.3.0.0. It is recommended to use the latest version.
IP Whitelisting
IP whitelisting is a network security technology that allows IT administrators to control "who" can access the system and resources, enhancing the security of database access and preventing external malicious attacks. IP whitelisting works by creating a list of trusted IP addresses, assigning them as unique identifiers to users, and only allowing these IP addresses to access the target server. Please note that user permissions and IP whitelisting are managed separately. Below are the specific methods for configuring IP whitelisting.
The SQL to add an IP whitelist is as follows.
create user test pass password [sysinfo value] [host host_name1[,host_name2]]
alter user test add host host_name1
The SQL to query the IP whitelist is as follows.
SELECT TEST, ALLOWED_HOST FROM INS_USERS;
SHOW USERS;
The command to delete from the IP whitelist is as follows.
ALTER USER TEST DROP HOST HOST_NAME1
Notes
- Both the open-source and enterprise versions can add successfully and can be queried, but the open-source version does not impose any restrictions on IPs.
- create user u_write pass 'taosdata1' host 'iprange1','iprange2', multiple ipranges can be added at once, the server will deduplicate, the logic for deduplication requires the ipranges to be exactly the same
- By default, 127.0.0.1 is added to the whitelist and can be queried in the whitelist
- The IP set of cluster nodes is automatically added to the whitelist, but cannot be queried.
- When taosadaper and taosd are not on the same machine, the taosadaper IP needs to be manually added to the taosd whitelist
- In a cluster situation, all nodes should have enableWhiteList set the same, either all false or all true, otherwise the cluster cannot start
- Whitelist changes take effect within 1s, no more than 2s, each change has a slight impact on transmission performance (one more judgment, which can be ignored), after the change, the impact is negligible, and there is no impact on the cluster during the change process, nor on the clients currently accessing (assuming their IPs are included in the whitelist)
- If adding two ip ranges, 192.168.1.1/16 (suppose A), 192.168.1.1/24 (suppose B), strictly speaking, A includes B, but considering the situation too complicated, A and B will not be merged
- When deleting, it must match exactly. That is, if added as 192.168.1.1/24, it must also be deleted as 192.168.1.1/24
- Only root has the permission to add or delete ip white list for other users
- Compatible with previous versions, but does not support rolling back from the current version to a previous version
- x.x.x.x/32 and x.x.x.x are considered the same iprange, displayed as x.x.x.x
- If the client gets 0.0.0.0/0, it means the whitelist is not enabled
- If the whitelist changes, the client will detect it in the heartbeat.
- For one user, the maximum number of IPs that can be added is 2048