- 关于 TiDB
- 快速上手
- 部署标准集群
- 数据迁移
- 运维操作
- 监控与告警
- 故障诊断
- 性能调优
- 系统调优
- 软件调优
- SQL 性能调优
- SQL 性能调优概览
- 理解 TiDB 执行计划
- SQL 优化流程
- 控制执行计划
- 教程
- TiDB 工具
- 功能概览
- 适用场景
- 工具下载
- TiUP
- TiDB Operator
- Dumpling
- TiDB Lightning
- TiDB Data Migration
- Backup & Restore (BR)
- TiDB Binlog
- TiCDC
- sync-diff-inspector
- TiSpark
- 参考指南
- 架构
- 监控指标
- 安全加固
- 权限
- SQL
- SQL 语言结构和语法
- SQL 语句
ADD COLUMN
ADD INDEX
ADMIN
ADMIN CANCEL DDL
ADMIN CHECKSUM TABLE
ADMIN CHECK [TABLE|INDEX]
ADMIN SHOW DDL [JOBS|QUERIES]
ALTER DATABASE
ALTER INDEX
ALTER INSTANCE
ALTER TABLE
ALTER USER
ANALYZE TABLE
BACKUP
BEGIN
CHANGE COLUMN
CHANGE DRAINER
CHANGE PUMP
COMMIT
CREATE [GLOBAL|SESSION] BINDING
CREATE DATABASE
CREATE INDEX
CREATE ROLE
CREATE SEQUENCE
CREATE TABLE LIKE
CREATE TABLE
CREATE USER
CREATE VIEW
DEALLOCATE
DELETE
DESC
DESCRIBE
DO
DROP [GLOBAL|SESSION] BINDING
DROP COLUMN
DROP DATABASE
DROP INDEX
DROP ROLE
DROP SEQUENCE
DROP STATS
DROP TABLE
DROP USER
DROP VIEW
EXECUTE
EXPLAIN ANALYZE
EXPLAIN
FLASHBACK TABLE
FLUSH PRIVILEGES
FLUSH STATUS
FLUSH TABLES
GRANT <privileges>
GRANT <role>
INSERT
KILL [TIDB]
LOAD DATA
LOAD STATS
MODIFY COLUMN
PREPARE
RECOVER TABLE
RENAME INDEX
RENAME TABLE
REPLACE
RESTORE
REVOKE <privileges>
REVOKE <role>
ROLLBACK
SELECT
SET DEFAULT ROLE
SET [NAMES|CHARACTER SET]
SET PASSWORD
SET ROLE
SET TRANSACTION
SET [GLOBAL|SESSION] <variable>
SHOW [BACKUPS|RESTORES]
SHOW ANALYZE STATUS
SHOW [GLOBAL|SESSION] BINDINGS
SHOW BUILTINS
SHOW CHARACTER SET
SHOW COLLATION
SHOW [FULL] COLUMNS FROM
SHOW CONFIG
SHOW CREATE SEQUENCE
SHOW CREATE TABLE
SHOW CREATE USER
SHOW DATABASES
SHOW DRAINER STATUS
SHOW ENGINES
SHOW ERRORS
SHOW [FULL] FIELDS FROM
SHOW GRANTS
SHOW INDEX [FROM|IN]
SHOW INDEXES [FROM|IN]
SHOW KEYS [FROM|IN]
SHOW MASTER STATUS
SHOW PLUGINS
SHOW PRIVILEGES
SHOW [FULL] PROCESSSLIST
SHOW PROFILES
SHOW PUMP STATUS
SHOW SCHEMAS
SHOW STATS_HEALTHY
SHOW STATS_HISTOGRAMS
SHOW STATS_META
SHOW STATUS
SHOW TABLE NEXT_ROW_ID
SHOW TABLE REGIONS
SHOW TABLE STATUS
SHOW [FULL] TABLES
SHOW [GLOBAL|SESSION] VARIABLES
SHOW WARNINGS
SHUTDOWN
SPLIT REGION
START TRANSACTION
TABLE
TRACE
TRUNCATE
UPDATE
USE
WITH
- 数据类型
- 函数与操作符
- 聚簇索引
- 约束
- 生成列
- SQL 模式
- 事务
- 垃圾回收 (GC)
- 视图
- 分区表
- 字符集和排序规则
- 系统表
mysql
- INFORMATION_SCHEMA
- Overview
ANALYZE_STATUS
CLIENT_ERRORS_SUMMARY_BY_HOST
CLIENT_ERRORS_SUMMARY_BY_USER
CLIENT_ERRORS_SUMMARY_GLOBAL
CHARACTER_SETS
CLUSTER_CONFIG
CLUSTER_HARDWARE
CLUSTER_INFO
CLUSTER_LOAD
CLUSTER_LOG
CLUSTER_SYSTEMINFO
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
DATA_LOCK_WAITS
DDL_JOBS
DEADLOCKS
ENGINES
INSPECTION_RESULT
INSPECTION_RULES
INSPECTION_SUMMARY
KEY_COLUMN_USAGE
METRICS_SUMMARY
METRICS_TABLES
PARTITIONS
PROCESSLIST
SCHEMATA
SEQUENCES
SESSION_VARIABLES
SLOW_QUERY
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_STORAGE_STATS
TIDB_HOT_REGIONS
TIDB_INDEXES
TIDB_SERVERS_INFO
TIDB_TRX
TIFLASH_REPLICA
TIKV_REGION_PEERS
TIKV_REGION_STATUS
TIKV_STORE_STATUS
USER_PRIVILEGES
VIEWS
METRICS_SCHEMA
- UI
- CLI
- 命令行参数
- 配置文件参数
- 系统变量
- 存储引擎
- 遥测
- 错误码
- 通过拓扑 label 进行副本调度
- 常见问题解答 (FAQ)
- 版本发布历史
- 发布版本汇总
- v5.1
- v5.0
- v4.0
- v3.1
- v3.0
- v2.1
- v2.0
- v1.0
- 术语表
为 TiDB 组件间通信开启加密传输
本部分介绍如何为 TiDB 集群内各部组件间开启加密传输,一旦开启以下组件间均将使用加密传输:
- TiDB 与 TiKV、PD
- TiKV 与 PD
- TiDB Control 与 TiDB,TiKV Control 与 TiKV,PD Control 与 PD
- TiKV、PD、TiDB 各自集群内内部通讯
目前暂不支持只开启其中部分组件的加密传输。
配置开启加密传输
准备证书。
推荐为 TiDB、TiKV、PD 分别准备一个 Server 证书,并保证可以相互验证,而它们的 Control 工具则可选择共用 Client 证书。
有多种工具可以生成自签名证书,如
openssl
,easy-rsa
,cfssl
。这里提供一个使用
openssl
生成证书的示例:生成自签名证书。配置证书。
TiDB
在
config
文件或命令行参数中设置:[security] # Path of file that contains list of trusted SSL CAs for connection with cluster components. cluster-ssl-ca = "/path/to/ca.pem" # Path of file that contains X509 certificate in PEM format for connection with cluster components. cluster-ssl-cert = "/path/to/tidb-server.pem" # Path of file that contains X509 key in PEM format for connection with cluster components. cluster-ssl-key = "/path/to/tidb-server-key.pem"
TiKV
在
config
文件或命令行参数中设置,并设置相应的 URL 为 https:[security] # set the path for certificates. Empty string means disabling secure connectoins. ca-path = "/path/to/ca.pem" cert-path = "/path/to/tikv-server.pem" key-path = "/path/to/tikv-server-key.pem"
PD
在
config
文件或命令行参数中设置,并设置相应的 URL 为 https:[security] # Path of file that contains list of trusted SSL CAs. if set, following four settings shouldn't be empty cacert-path = "/path/to/ca.pem" # Path of file that contains X509 certificate in PEM format. cert-path = "/path/to/pd-server.pem" # Path of file that contains X509 key in PEM format. key-path = "/path/to/pd-server-key.pem"
TiFlash(从 v4.0.5 版本开始引入)
在
tiflash.toml
文件中设置,将http_port
项改为https_port
:[security] # Path of file that contains list of trusted SSL CAs. if set, following four settings shouldn't be empty ca_path = "/path/to/ca.pem" # Path of file that contains X509 certificate in PEM format. cert_path = "/path/to/tiflash-server.pem" # Path of file that contains X509 key in PEM format. key_path = "/path/to/tiflash-server-key.pem"
在
tiflash-learner.toml
文件中设置,[security] # Sets the path for certificates. The empty string means that secure connections are disabled. ca-path = "/path/to/ca.pem" cert-path = "/path/to/tiflash-server.pem" key-path = "/path/to/tiflash-server-key.pem"
TiCDC
在启动命令行中设置,并设置相应的 URL 为
https
:cdc server --pd=https://127.0.0.1:2379 --log-file=ticdc.log --addr=0.0.0.0:8301 --advertise-addr=127.0.0.1:8301 --ca=/path/to/ca.pem --cert=/path/to/ticdc-cert.pem --key=/path/to/ticdc-key.pem
此时 TiDB 集群各个组件间已开启加密传输。
注意若 TiDB 集群各个组件间开启加密传输后,在使用 tidb-ctl、tikv-ctl 或 pd-ctl 工具连接集群时,需要指定 client 证书,示例:
./tidb-ctl -u https://127.0.0.1:10080 --ca /path/to/ca.pem --ssl-cert /path/to/client.pem --ssl-key /path/to/client-key.pem
./pd-ctl -u https://127.0.0.1:2379 --cacert /path/to/ca.pem --cert /path/to/client.pem --key /path/to/client-key.pem
./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem"
认证组件调用者身份
通常被调用者除了校验调用者提供的密钥、证书和 CA 有效性外,还需要校验调用方身份以防止拥有有效证书的非法访问者进行访问(例如:TiKV 只能被 TiDB 访问,需阻止拥有合法证书但非 TiDB 的其他访问者访问 TiKV)。
如希望进行组件调用者身份认证,需要在生证书时通过 Common Name
标识证书使用者身份,并在被调用者配置检查证书 Common Name
列表来检查调用者身份。
TiDB
在
config
文件或命令行参数中设置:[security] cluster-verify-cn = [ "TiDB-Server", "TiKV-Control", ]
TiKV
在
config
文件或命令行参数中设置:[security] cert-allowed-cn = [ "TiDB-Server", "PD-Server", "TiKV-Control", "RawKvClient1", ]
PD
在
config
文件或命令行参数中设置:[security] cert-allowed-cn = ["TiKV-Server", "TiDB-Server", "PD-Control"]
TiCDC
在启动命令行中设置:
cdc server --pd=https://127.0.0.1:2379 --log-file=ticdc.log --addr=0.0.0.0:8301 --advertise-addr=127.0.0.1:8301 --ca=/path/to/ca.pem --cert=/path/to/ticdc-cert.pem --key=/path/to/ticdc-key.pem --cert-allowed-cn="client1,client2"
TiFlash(从 v4.0.5 版本开始引入)
在
tiflash.toml
文件中设置:[security] cert_allowed_cn = ["TiKV-Server", "TiDB-Server"]
在
tiflash-learner.toml
文件中设置:[security] cert-allowed-cn = ["PD-Server", "TiKV-Server", "TiFlash-Server"]
证书重加载
TiDB、PD 和 TiKV 和各种 Client 都会在每次新建相互通讯的连接时重新读取当前的证书和密钥文件内容,实现证书和密钥的重加载。目前暂不支持 CA 的重加载。