This guide provides a complete security hardening checklist for a gbase database cluster, covering user privileges, password policies, SSL encryption, audit logging, and network access control — all with ready‑to‑run commands.
1. User Privilege Management
A GBase 8a user is identified by both username and source IP. Always follow the principle of least privilege.
Creating Users and Granting Permissions
-- User from a specific subnet
CREATE USER 'analyst'@'10.168.10.%' IDENTIFIED BY 'Str0ng#Pwd!2024';
-- Read‑only
GRANT SELECT ON sales_db.* TO 'analyst'@'10.168.10.%';
-- Read‑write
GRANT SELECT, INSERT, UPDATE, DELETE ON sales_db.* TO 'app_user'@'10.168.10.%';
-- Data loader (FILE privilege is required for LOAD DATA)
GRANT SELECT, INSERT, FILE ON sales_db.* TO 'loader'@'10.168.10.%';
-- Schema administrator (cannot manage users)
GRANT ALL PRIVILEGES ON sales_db.* TO 'db_admin'@'10.168.10.%';
FLUSH PRIVILEGES;
Inspecting and Revoking Privileges
SHOW GRANTS FOR 'analyst'@'10.168.10.%';
REVOKE INSERT, UPDATE, DELETE ON sales_db.* FROM 'analyst'@'10.168.10.%';
DROP USER 'old_user'@'%';
Common Privilege Reference
| Privilege | Description | Safe for ordinary users? |
|---|---|---|
| SELECT | Query data | ✅ |
| INSERT | Write data | On demand |
| UPDATE / DELETE | Modify / remove rows | On demand, tightly controlled |
| FILE | LOAD DATA / SELECT INTO OUTFILE | Load accounts only |
| SUPER | Change system variables, kill connections | ❌ |
| GRANT OPTION | Grant privileges to others | ❌ Administrators only |
| ALL PRIVILEGES | Everything | ❌ DBA accounts only |
2. Password Policy
Configure in gbase.cnf (both gcluster and gnode):
password_min_length = 8
password_format_option = 15 # 1=upper, 2=lower, 4=digit, 8=special — 15 = all
password_max_contain_continuous_char = 3
password_not_same_reverse_username = 1
password_life_time = 90 # days
password_reuse_max = 5
password_reuse_time = 180
login_attempt_max = 5
login_locked_time = 300 # seconds; 0 = permanent
login_locked_factor = 2 # exponential backoff
Unlocking an Account
SELECT user, host, account_locked FROM gclusterdb.user;
ALTER USER 'app_user'@'%' ACCOUNT UNLOCK;
-- Reset password and unlock simultaneously
ALTER USER 'app_user'@'%' IDENTIFIED BY 'New#Pwd!2024';
Changing Passwords
-- Own password
SET PASSWORD = PASSWORD('New#Pwd!2024');
-- Administrator changing another user's password
ALTER USER 'analyst'@'10.168.10.%' IDENTIFIED BY 'New#Pwd!2024';
3. SSL Encryption
Generate Self‑Signed Certificates (on the gcluster primary)
cd /opt/gbase/gcluster/config/ssl
# CA private key and certificate
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca.pem \
-subj "/CN=GBase-CA/O=MyCompany"
# Server private key and CSR
openssl genrsa -out server-key.pem 4096
openssl req -new -key server-key.pem -out server-req.pem \
-subj "/CN=gcluster-server/O=MyCompany"
# Sign the server certificate
openssl x509 -req -days 3650 \
-in server-req.pem -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem
Enable SSL in gcluster
Add to gbase.cnf:
ssl-ca = /opt/gbase/gcluster/config/ssl/ca.pem
ssl-cert = /opt/gbase/gcluster/config/ssl/server-cert.pem
ssl-key = /opt/gbase/gcluster/config/ssl/server-key.pem
Restart gcluster and verify:
SHOW VARIABLES LIKE 'have_ssl'; -- YES
SHOW STATUS LIKE 'Ssl_cipher'; -- non‑empty means SSL is active
Enforce SSL for Specific Users
CREATE USER 'secure_user'@'%' IDENTIFIED BY 'Str0ng#Pwd!2024' REQUIRE SSL;
ALTER USER 'analyst'@'10.168.10.%' REQUIRE SSL;
JDBC SSL Configuration
String url = "jdbc:gbase://10.168.10.26:5258/sales_db"
+ "?useSSL=true"
+ "&requireSSL=true"
+ "&verifyServerCertificate=true"
+ "&trustCertificateKeyStoreUrl=file:/path/to/truststore.jks"
+ "&trustCertificateKeyStorePassword=changeit";
Import the server certificate into a Java truststore:
keytool -importcert -alias gbase-server \
-file /path/to/server-cert.pem \
-keystore truststore.jks \
-storepass changeit -noprompt
4. Audit Logging
Configuration
Set in gbase.cnf on both gcluster and gnode:
audit_log = ON
log_output = FILE # or TABLE
long_query_time = 0 # 0 logs everything; tune in production
Querying Audit Logs (when log_output = TABLE)
-- Recent operations
SELECT start_time, user_host,
ROUND(query_time, 3) AS query_sec,
ROUND(lock_time, 6) AS lock_sec,
rows_sent, rows_examined,
db, LEFT(sql_text, 300) AS sql_snippet
FROM gclusterdb.slow_log
ORDER BY start_time DESC LIMIT 50;
-- Find DDL statements
SELECT start_time, user_host, db, sql_text
FROM gclusterdb.slow_log
WHERE sql_text REGEXP '^(DROP|ALTER|CREATE|TRUNCATE)'
ORDER BY start_time DESC;
-- User activity summary
SELECT SUBSTRING_INDEX(user_host, '[', 1) AS user_name,
COUNT(*) AS sql_count,
ROUND(AVG(query_time), 3) AS avg_sec
FROM gclusterdb.slow_log
WHERE start_time >= CURDATE()
GROUP BY user_name
ORDER BY sql_count DESC;
5. Network Access Control
-- Restrict by source IP via the host portion of the user
CREATE USER 'app_user'@'10.168.10.%' IDENTIFIED BY '...';
-- Limit maximum concurrent connections for a user
CREATE USER 'app_user'@'%'
IDENTIFIED BY '...'
WITH MAX_USER_CONNECTIONS 20;
6. Security Checklist
-- Empty passwords
SELECT user, host FROM gclusterdb.user WHERE password = '';
-- Wildcard host for privileged users
SELECT user, host FROM gclusterdb.user WHERE host = '%';
-- Root allowed from anywhere?
SELECT user, host FROM gclusterdb.user WHERE user = 'root';
-- Password and login policies
SHOW VARIABLES LIKE 'password%';
SHOW VARIABLES LIKE 'login%';
-- SSL status
SHOW VARIABLES LIKE 'have_ssl';
SHOW VARIABLES LIKE 'ssl_%';
-- Audit log settings
SHOW VARIABLES LIKE 'audit_log';
SHOW VARIABLES LIKE 'log_output';
SHOW VARIABLES LIKE 'long_query_time';
7. Common Mistakes
| Mistake | Risk | Correct Practice |
|---|---|---|
| Using root for applications | Excessive privileges | Create per‑application least‑privilege accounts |
| All users with host='%' | Any IP can attempt login | Restrict to application server IP ranges |
| No password expiration | Credentials stagnate | Set 90–180 day expiration |
| Audit log only on gcluster | gnode activity untracked | Configure on both gcluster and gnode |
| SSL certificate files world‑readable | Certificates leaked | chmod 600, owned by gbase |
| Forgetting FLUSH PRIVILEGES | Grant changes not applied | Execute after every GRANT/REVOKE |
A hardened gbase database cluster requires consistent application of these controls across all nodes. Use the checklist above as part of your regular security audit to keep your GBASE environment protected.
Top comments (0)