热衷于分享各种干货知识,大家有想看或者想学的可以评论区留言,秉承着“开源知识来源于互联网,回归于互联网”的理念,分享一些日常工作中能用到或者比较重要的内容,希望大家能够喜欢,不足之处请大家多提宝贵地意见,我们一起提升,守住自己的饭碗。
在日常的运维过程中,使用高权限账号具有一定的风险,建议使用低权限账号进行日常运维工作,创建巡检只读账号在数据管理和系统维护中具有重要的意义和作用,尤其是在确保系统安全性、审计合规性以及操作高效性方面。
1. 提高安全性
• 访问控制:只读账号限制用户只能查看数据,而不能进行增加、删除或修改等操作。这种限制减少了误操作或恶意行为对数据完整性的威胁。
• 最小权限原则:通过分配最低权限来访问必要信息,降低了因权限过高而产生的安全风险。
2. 提升运维效率
• 快速巡检:巡检人员可以使用只读账号迅速访问所需信息进行系统检查、性能监控和问题诊断,而不必担心对生产数据造成影响。
• 简化管理:利用统一的只读账号进行常规检查,使管理员可以轻松地管理、监控和调整权限配置。
3. 确保数据完整性
• 防止误操作:只读权限确保用户不能更改数据,从而避免人为错误导致的数据损坏或丢失。
• 数据审核:允许用户查看但不修改数据,支持更可靠的审计和合规检查。
4. 合规与审计
• 遵从法规要求:满足许多行业标准(如ISO 27001)中关于数据访问控制和日志记录的规定。
• 追踪活动:提供一个明确的权限边界,帮助审计员识别和跟踪合法的数据信息访问,而不涉及敏感操作。
5. 增强问题排查能力
• 集中观察:通过只读访问权限,技术支持团队能够快速汇总和分析系统状态与性能数据,帮助定位潜在问题。
• 实时监控:允许实时查看日志和状态信息,有助于及时发现问题并采取相应措施。
总体而言,只读账号是IT治理中不可或缺的一部分,确保系统的稳定性、安全性并有效支持日常运营和管理工作。在IT行业,控制访问权限特别重要,确保数据的安全和合规处理是其核心任务之一。下面是常见数据库的巡检账号的一键创建脚本。
1、mysql
#! bin/bash
echo "-------------------------------"
echo -e "| \033[34mBEGIN!!!\033[0m |"
echo -e "-------------------------------\n\n\n"
# 1.确定mysql命令的路径
if[-f etc/my.cnf ];then
BASEDIR=`cat etc/my.cnf | grep basedir | awk -F= '{print $2}'`
else
read -p "请输出mysql配置文件的全路径名:" CONF
BASEDIR=`cat $CONF | grep basedir | awk -F= '{print $2}'`
fi
BINDIR=$BASEDIR/bin
# 2.输入root用户密码
echo "(1)登陆数据库"
read -s -p "请输入root用户的密码:" MYSQL_PWD
export MYSQL_PWD
# 3.判断数据库版本信息
## 清空/tmp/version.txt中的内容
if[-f tmp/version.txt ];then
>/tmp/version.txt
fi
VERSION_FILE=`$BINDIR/mysql -uroot -e "tee tmp/version.txt;select version();"`
VERSION=`cat tmp/version.txt | sed -n '2p' | awk -F. '{print $1}'`
echo -e "\n数据库版本为:`cat tmp/version.txt | sed -n '2p'`"
# 4.根据数据库版本执行相应的命令
if[ $VERSION -eq 5];then
SQL="system echo '(2)创建用户';
create user 'zyjc'@'%' identified by 'Gs5tgb%TGB6yhn^YHN';
system echo '(3)授予巡检用户查询权限';
system echo ' 普通表查看权限:';
grant select on *.* to 'zyjc';
system echo ' show权限:';
grant show databases on *.* to zyjc;
system echo ' 查询线程相关表:';
grant process on *.* to 'zyjc';
system echo ' 查询主从复制相关信息权限:';
grant replication client on *.* to 'zyjc';
system echo '(4)刷新权限缓存';
flush privileges;
quit"
elif[ $VERSION -eq 8];then
SQL="system echo '(2)创建用户';
create user 'zyjc'@'%' identified by 'Gs5tgb%TGB6yhn^YHN';
system echo '(3)授予巡检用户查询权限';
system echo ' 普通表查看权限:';
grant select on *.* to 'zyjc';
system echo ' show权限:';
grant show databases on *.* to zyjc;
system echo ' 查询线程相关表:';
grant process on *.* to 'zyjc';
system echo ' 查询主从复制相关信息权限:';
grant replication client on *.* to 'zyjc';
system echo ' MySQL8需要增加权限,否则监控可能无法连接';
GRANT SERVICE_CONNECTION_ADMIN ON *.* TO 'zyjc';
system echo '(4)刷新权限缓存';
flush privileges;
quit"
fi
# 5.判断MySQL数据库中是否存在zyjc用户
ZYJC=`$BINDIR/mysql -uroot -e "select user from mysql.user where user = 'zyjc'" | wc -l`
if[ $ZYJC -eq 0];then
$BINDIR/mysql -uroot -e "$SQL"
else
echo -e "||\033[31m用户zxjc已存在!!!无需创建!!!\033[0m||"
fi
echo -e "\n\n\n-------------------------------"
echo -e "| \033[34mCOMPLETION!!!\033[0m |"
echo "-------------------------------"
2、mariadb
#! bin/bash
if[-f etc/my.cnf ];then
BASEDIR=`cat etc/my.cnf | grep basedir | awk -F= '{print $2}'`
else
read -p "请输出mysql配置文件的全路径名:" CONF
BASEDIR=`cat $CONF | grep basedir | awk -F= '{print $2}'`
fi
BINDIR=$BASEDIR/bin
# 判断是否为mariadb数据库
IS_MARIA=`/usr/bin/systemctl is-active mariadb.service`
echo "(1)登陆数据库"
read -s -p "请输入root用户的密码:" MYSQL_PWD
export MYSQL_PWD
# 判断MySQL数据库中是否存在zyjc用户
ZYJC=`$BINDIR/mysql -uroot -e "select user from mysql.user where user = 'zyjc'" | wc -l`
if[ $ZYJC -eq 0];then
$BINDIR/mysql -uroot -e "
system echo '(2)创建用户';
create user 'zyjc'@'%' identified by 'Gs5tgb%TGB6yhn^YHN';
system echo '(3)授予巡检用户查询权限';
system echo '普通表查看权限:';
grant select on *.* to 'zyjc';
system echo 'show权限:';
grant show databases on *.* to zyjc;
system echo '查询线程相关表:';
grant process on *.* to 'zyjc';
system echo '查询主从复制相关信息权限:';
grant replication client on *.* to 'zyjc';
-- system echo '刷新权限缓存';
-- system echo 'MySQL8需要增加权限,否则监控可能无法连接';
-- system echo 'GRANT SERVICE_CONNECTION_ADMIN ON *.* TO 'zyjc'; ';
flush privileges;
quit"
else
echo "用户zyjc已存在!!!无需创建!!!"
fi
3、postgresql
#!/bin/bash
PWD=Gs5tgb%TGB6yhn^YHN
PGPORT=5432
PGHOST=127.0.0.1
#1、创建zyjc用户
psql -d postgres -U postgres -h ${PGHOST}-p ${PGPORT}-c "CREATE USER zyjc WITH ENCRYPTED PASSWORD '$PWD'"
#2、查询所有数据库
dbs=`psql -h ${PGHOST} -p ${PGPORT} -c 'select datname from pg_database;' |grep -v datname |grep -v "\--" |grep -v rows |grep -v template`
#3、所有数据库给zyjc用户授权只读
for i in $dbs ;
do
psql -d $i -U postgres -h ${PGHOST}-p ${PGPORT}<<EOF
GRANT USAGE ON SCHEMA public to zyjc;
grant select on all tables in schema public to zyjc;
alter default privileges in schema public grant select on tables to zyjc;
\q
EOF
done
4、oracle
#!/bin/bash
# 数据库连接信息
DB_USER="sys"
DB_PASS="your_sys_password"# 请替换为实际的管理员密码
DB_CONN_STRING="your_db_connection_string"# 请替换为实际的数据库连接字符串,如 "//hostname:port/SID"
# 巡检账号信息
INSPECTION_USER="zyjc"
INSPECTION_PASS="YwDbAcc@2022#117!"
# 创建巡检用户并授予权限的SQL命令
SQL_COMMANDS=$(cat <<EOF
CREATE USER $INSPECTION_USER IDENTIFIED BY "$INSPECTION_PASS";
GRANT CONNECT TO $INSPECTION_USER;
DECLARE
CURSOR cur_objects IS
SELECT 'grant select on '|| owner ||'.'|| object_name ||' to $INSPECTION_USER;' AS grant_statement
FROM dba_objects
WHERE object_type IN ('JOB','SYNONYM','TABLE PARTITION','PACKAGE BODY','TRIGGER','PROCEDURE','VIEW')
AND owner IN ('SYS','SYSTEM');
BEGIN
FOR object_rec IN cur_objects LOOP
EXECUTE IMMEDIATE object_rec.grant_statement;
END LOOP;
END;
/
GRANT SELECT ANY DICTIONARY TO $INSPECTION_USER;
GRANT SELECT ANY TABLE TO $INSPECTION_USER;
EOF
)
# 执行SQL命令
echo "Connecting to Oracle database and executing commands..."
echo "$SQL_COMMANDS"| sqlplus -s "$DB_USER/$DB_PASS@$DB_CONN_STRING AS SYSDBA"
echo "巡检用户 $INSPECTION_USER 创建及权限授予已完成。"
echo "使用以下命令连接到数据库:"
echo "conn $INSPECTION_USER/$INSPECTION_PASS"
echo "sqlplus '$INSPECTION_USER/$INSPECTION_PASS'"
5、mongodb
#!/bin/bash
echo "输入管理员账号和密码,如:root 123 (注意账号和密码中间用空格隔开)"
read -a use_pw
ports=$(netstat -antup|awk -F ":"'/mongod/{print $2}'|awk '{print $1}')
echo -e "\e[33m账号:${use_pw[0]} 密码:${use_pw[1]} 端口:$ports\e[0m"
read -p "信息是否正确:y/n " ch
if[ $ch =='y']
then
chang=1
ack2=$(mongo admin --port $ports -u ${use_pw[0]}-p ${use_pw[1]}--eval'db.getUser("zyjc")'|tail -1)
if[ $ack2 !="null"]
then
echo -e "\e[31m账号已存在!即将删除!\e[0m"
sleep 1
mongo admin --port $ports -u ${use_pw[0]}-p ${use_pw[1]}-quiet --eval'db.dropUser("zyjc")'
echo -e "\e[33m已删除原账号,即将创建...\e[0m"
sleep 1
fi
mongo --port $ports -u ${use_pw[0]}-p ${use_pw[1]}--eval'db = db.getSiblingDB("admin");db.createUser({user:"zyjc",pwd:"Gs5tgb%TGB6yhn^YHN",roles:[{role:"readAnyDatabase", db: "admin" },{role:"read",db:"local"}]});'>/dev/null
echo "adduser success!"
else
chang=2
echo "请输入正确信息,账号 密码 端口"
read -a use_pw
ack2=$(mongo admin --port $ports -u ${use_pw[0]}-p ${use_pw[1]}--eval'db.getUser("zyjc")'|tail -1)
if[ $ack2 !="null"]
then
echo -e "\e[31m账号已存在!即将删除!\e[0m"
sleep 1
mongo admin --port $ports -u ${use_pw[0]}-p ${use_pw[1]}-quiet --eval'db.dropUser("zyjc")'
echo -e "\e[33m已删除原账号,即将创建...\e[0m"
sleep 1
fi
mongo --port ${use_pw[2]}-u ${use_pw[0]}-p ${use_pw[1]}--eval'db = db.getSiblingDB("admin");db.createUser({user:"zyjc",pwd:"Gs5tgb%TGB6yhn^YHN",roles:[{role:"readAnyDatabase", db: "admin" },{role:"read",db:"local"}]});'>/dev/null
echo "adduser success!"
fi
ack1=$(echo $?)
if[ $chang ==1]
then
echo -e "\e[33m正在进行可用性检测...\e[0m"
sleep 1
ack2=$(mongo admin --port $ports -u ${use_pw[0]}-p ${use_pw[1]}--eval'db.getUser("zyjc")'|tail -1)
else
echo -e "\e[33m正在进行可用性检测...\e[0m"
sleep 1
ack2=$(mongo admin --port ${use_pw[2]}-u ${use_pw[0]}-p ${use_pw[1]}--eval'db.getUser("zyjc")'|tail -1)
fi
if[ $ack1 !=0]
then
echo "false"
echo -e "\e[31m巡检账号创建失败\e[0m"
elif[ $ack2 =='null']
then
echo "false"
echo -e "\e[31m巡检账号创建失败:null\e[0m"
else
echo "true"
echo -e "\e[33m巡检账号创建成功\e[0m"
fi
6、redis
#! bin/bash
#1、获取redis的端口和密码
read -s -p "请输入redis的端口号:" REDIS_PORT
export REDIS_PORT
echo ${REDIS_PORT}
read -s -p "请输入redis管理员的密码:" REDIS_PWD
export REDIS_PWD
echo ${REDIS_PWD}
ZYJC_PWD=Gs5tgb%TGB6yhn^YHN
export=ZYJC_PWD
#2、获取redis-cli命令路径
prono=`ps -ef|grep redis-server |grep -v grep|awk -F' ' '{print $2}'`
redisser=`ls -l proc/${prono} |grep redis-server|awk -F' ' '{print $11}'`
redisdir=`dirname ${redisser}`
rediscli=${redisdir}/redis-cli
#echo ${rediscli}
#3、执行创建巡检账号命令
echo "acl setuser zyjc on >${ZYJC_PWD} ~* +@read"| ${rediscli}-p ${REDIS_PORT}-a ${REDIS_PWD}
echo "acl setuser zyjc on >${ZYJC_PWD} ~* +info"| ${rediscli}-p ${REDIS_PORT}-a ${REDIS_PWD}
echo "acl setuser zyjc on >${ZYJC_PWD} ~* +time"| ${rediscli}-p ${REDIS_PORT}-a ${REDIS_PWD}
#4、测试账号
CREATE_RES=`echo "auth zyjc ${ZYJC_PWD}" | ${rediscli} -p ${REDIS_PORT}`
if["${CREATE_RES}"=="OK"];then
echo -e "zyjc巡检账号创建成功!"
else
echo -e "zyjc巡检账号创建失败!"
fi
#删除用户命令
#acl deluser zyjc
7、elasticsearch
#! bin/bash
read -p "请输入当前主机IP: " es_ip
read -p "请输入elasticsearch管理员用户: " es_user
read -p "请输入elasticsearch管理员用户的密码: " es_passwd
read -p "请输入elasticsearch服务端口:" es_port
user_check=`curl -H 'Content-Type:application/json' -XGET -u $es_user:$es_passwd "http://$es_ip:$es_port/_security/user/zyjc?pretty=true"`
privilege_check=`curl -H 'Content-Type:application/json' -XGET -u $es_user:$es_passwd "http://$es_ip:$es_port/_security/role/zyjc?pretty"`
delete_user=`curl -XDELETE -u $es_user:$es_passwd '$es_ip:$es_port/_xpack/security/user/zyjc'`
delete_role=`curl -XDELETE -u $es_user:$es_passwd '$es_ip:$es_port/_xpack/security/role/zyjc'`
delete_user(){
delete_user=`curl -XDELETE -u $es_user:$es_passwd '$es_ip:$es_port/_xpack/security/user/zyjc'`
echo "用户已删除!!!"
}
delete_role(){
delete_role=`curl -XDELETE -u $es_user:$es_passwd '$es_ip:$es_port/_xpack/security/role/zyjc'`
echo "角色已删除"
}
print_account(){
create_account=`curl -H 'Content-Type:application/json' -XPUT -u $es_user:$es_passwd "http://$es_ip:$es_port/_security/user/zyjc" -d '{
"password":"Gs5tgb%TGB6yhn^YHN","roles":["zyjc"]}'`
echo ""zyjc" 巡检账号已创建!!!"
}
if["$user_check"="{ }"]
then
print_account
else
delete_user
delete_role
print_account
fi
print_privilege(){
create_privilege=`curl -H 'Content-Type: application/json' -u $es_user:$es_passwd -XPOST "http://$es_ip:$es_port/_xpack/security/role/zyjc/" -d '{"cluster":["monitor"],"indices":[{"names":["*"],"privileges":["read"]}]}'`
echo ""zyjc"账号巡检权限已授予!!!"
}
if["$privilege_check"="{ }"]
then
print_privilege
else
delete_role
print_privilege
fi
check_logged(){
check_logged=`curl -H 'Content-Type:application/json' -XGET -u zyjc:Gs5tgb%TGB6yhn^YHN "http://$es_ip:$es_port/_cat/health?v"`
}
check_logged
if[ $?-eq 0]
then
echo "登录成功"
else
echo "登录失败"
fi
8、ClickHouse
#!/bin/bash
# 功能:配置ClickHouse,创建新用户和角色并进行授权
# ClickHouse服务器信息
CLICKHOUSE_HOST="localhost"
DEFAULT_USER="default"
DEFAULT_PASSWORD="YwDbAcc@2022#117!"
# 新用户信息
NEW_USER="test"
NEW_USER_PASSWORD="YwDbAcc@2022#117!"
NEW_ROLE="zyjc_role"
# 检查并启用访问管理
CONFIG_FILE="/etc/clickhouse-server/users.xml"
# 确保默认用户配置为管理员
echo "Configuring ClickHouse default user as admin..."
if grep -q "<access_management>""$CONFIG_FILE";then
sudo sed -i '/<access_management>/s/<!--//g'"$CONFIG_FILE"
sudo sed -i '/<\/access_management>/s/-->//g'"$CONFIG_FILE"
fi
# 重启ClickHouse服务以应用更改
echo "Restarting ClickHouse service..."
sudo systemctl restart clickhouse-server
# 创建新用户和角色,进行授权
echo "Connecting to ClickHouse and executing SQL commands..."
clickhouse-client -h $CLICKHOUSE_HOST -u $DEFAULT_USER --password $DEFAULT_PASSWORD --multiquery <<EOF
CREATE USER IF NOT EXISTS $NEW_USER IDENTIFIED WITH sha256_password BY '$NEW_USER_PASSWORD' HOST ANY;
CREATE ROLE IF NOT EXISTS $NEW_ROLE;
GRANT SELECT ON *.* TO $NEW_ROLE;
GRANT SHOW USERS ON *.* TO $NEW_ROLE;
GRANT $NEW_ROLE TO $NEW_USER;
SELECT * FROM system.users FORMAT Vertical;
EOF
echo "ClickHouse用户和角色设置已完成。"
文中的概念来源于互联网,如有侵权,请联系我删除。
欢迎关注公众号:小周的数据库进阶之路,一起交流数据库、中间件和云计算等技术。如果觉得读完本文有收获,可以转发给其他朋友,大家一起学习进步!感兴趣的朋友可以加我微信,拉您进群与业界的大佬们一起交流学习。
文章转载自小周的数据库进阶之路,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
