Database assets are crucial to enterprises. O&M operations on the database assets must be controlled to ensure security. Bastionhost Enterprise Edition allows O&M engineers to perform O&M operations on database assets in a secure manner. The assets include ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, ApsaraDB RDS for PostgreSQL instances, and self-managed databases. This topic describes how to use Bastionhost to perform database O&M.
Background information
Enterprise assets include a large number of database assets in addition to Windows servers and Linux servers. Database assets contain a large amount of sensitive data. The key requirements of enterprises are to ensure O&M security and prevent unauthorized access and operations.
The database assets of enterprises are divided into several types, such as ApsaraDB RDS instances and self-managed databases that run MySQL, SQL Server, and PostgreSQL. The database assets of large enterprises are also distributed across multiple accounts, virtual private clouds (VPCs), data centers, or heterogeneous clouds. Bastionhost controls O&M operations on assets in the preceding hybrid scenarios and allows O&M security teams to manage the O&M operations in a centralized manner.
Bastionhost Enterprise Edition supports O&M operations on Windows servers, Linux servers, and database assets. The Bastionhost administrator can control O&M permissions on ApsaraDB RDS instances and self-managed databases that run MySQL, SQL Server, and PostgreSQL. The O&M operations can be traced and audited. This way, database O&M security is ensured. Bastionhost Enterprise Edition supports O&M operations in hybrid scenarios. The Bastionhost administrator can use the network domain feature to connect assets that are deployed across multiple accounts, data centers, or heterogeneous clouds to Bastionhost. This way, O&M security teams can manage the assets in a centralized manner.
Bastionhost Enterprise Edition is built on top of a reliable dual-engine architecture. Both engines are active, which ensures business continuity and meets the high requirements of database O&M. For more information, see Features.
Process
If Bastionhost is used to control O&M operations on database assets, the Bastionhost administrator must import the database assets into Bastionhost and grant permissions to O&M engineers. Then, O&M engineers establish SSH tunnels to Bastionhost by using database O&M tools or CLIs. This way, the O&M engineers can log on to the database assets and perform O&M operations.
Prerequisites
- A database O&M tool that supports SSH tunnels is installed on the local host. The database O&M tool can be DBeaver, DbVisualizer, Navicat Premium, or Navicat for MySQL. For more information, see Recommended database O&M tools and versions.
- A database asset is imported into Bastionhost. For more information, see Use the database management feature.
Step 1: Grant permissions on a database asset to an O&M engineer as the Bastionhost administrator
The Bastionhost administrator can implement fine-grained access control to prevent unauthorized access to database assets. This way, the assets and accounts that can be accessed by O&M engineers are controlled in a strict manner.
Step 2: Obtain an O&M token as the O&M engineer
An O&M engineer can perform O&M operations on databases that run MySQL, SQL Server, and PostgreSQL. The O&M engineer can use O&M tokens to perform O&M and audit operations over SSH tunnels.
- If you use a RAM user, perform the following steps to obtain an O&M token:
- Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
- In the left-side navigation pane, choose . Find the required database in the database list and click O&M Token in the Log On column. In the dialog box that appears, select a value from the Database Account drop-down list and click Obtain O&M Token. In the message that appears, copy the values of Database IP Address and O&M Token.
- If you do not use a RAM user, perform the following steps to obtain an O&M token:
- Paste the public O&M address of the bastion host in the address bar of a browser and press Enter. On the page that appears, enter the username and password to log on to the O&M portal. In the left-side navigation pane, click Databases.
- In the database list, find the database on which you want to perform O&M operations and click O&M Token in the O&M Token column. In the O&M Token dialog box, select a database account and click Obtain O&M Token. In the message that appears, copy the values of Database IP Address and O&M Token.
- The O&M token is valid for 5 minutes. Make sure that you log on to the database within the validity period.
- The O&M token is the unique identifier of the current O&M session and can be used only once. Keep the O&M token confidential. If you test the connection to the database on the connection settings page of the client tool, the O&M token becomes invalid. In this case, you must obtain a new O&M token before you log on to the database to perform O&M operations.
- If the account of the database is not hosted on the bastion host, you must configure the basic information about the O&M token in the O&M Token dialog box before you can obtain the O&M token. For more information about how to create a database account, see Manage database accounts.
Step 3: Establish an SSH tunnel by using a database O&M tool or a CLI as the O&M engineer
Bastionhost provides two methods for O&M engineers to perform O&M operations on database assets. O&M engineers can use database O&M tools or CLIs to establish SSH tunnels and use O&M tokens to perform O&M and audit operations. For more information, see Perform O&M operations on databases. In this example, a database O&M tool is used to describe the O&M process:
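The CLI variant of the tunnel described in this step, as an added example that is not code from the Bastionhost documentation: it opens a local SSH port forward through the bastion host to the Database IP Address, runs a single client session, and tears the tunnel down, which also applies the token rules from Step 2 (connect once, within the 5-minute validity period, and never use the client's "test connection" first, since that consumes the single-use token). The bastion SSH port, the use of the O&M token as the SSH username, and the choice of the mysql client are assumptions; take the real address, port and account format from the O&M Token dialog.

```shell
#!/bin/sh
# Added example, not from the Bastionhost documentation.
# Opens an SSH local port forward through the bastion host so that a local
# database client can reach the database once, then closes the tunnel.
#
# ASSUMPTIONS (placeholders, not verified against the product):
#   - the bastion host accepts the O&M token as the SSH username and listens
#     for tunnels on BASTION_PORT; take the real address, port and username
#     format from the O&M Token dialog in Step 2.
#   - mysql is the client; use psql or sqlcmd for PostgreSQL or SQL Server.
set -eu

# validate_port PORT: succeeds if PORT is an integer in 1..65535.
validate_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_args LOCAL_PORT DB_IP DB_PORT TOKEN BASTION_ADDR BASTION_PORT
# Prints the ssh arguments, one per line, for the local forward
#   127.0.0.1:LOCAL_PORT -> (bastion host) -> DB_IP:DB_PORT
# -N: run no remote command; -o ExitOnForwardFailure=yes: fail immediately
# if the bastion refuses the forward instead of leaving a dead tunnel open.
build_tunnel_args() {
    validate_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    validate_port "$3" || { echo "bad database port: $3" >&2; return 1; }
    validate_port "$6" || { echo "bad bastion port: $6" >&2; return 1; }
    printf '%s\n' -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$1:$2:$3" -p "$6" "$4@$5"
}

# run_session LOCAL_PORT DB_IP DB_PORT BASTION_ADDR BASTION_PORT DB_USER
# Reads the O&M token from stdin (so it is not recorded in shell history),
# opens the tunnel in the background behind an SSH control socket, runs ONE
# client session, then tears the tunnel down through the same socket.
run_session() {
    printf 'Paste the O&M token: ' >&2
    stty -echo 2>/dev/null || true
    read -r token
    stty echo 2>/dev/null || true
    echo >&2

    sock=$(mktemp -u "${TMPDIR:-/tmp}/bastion-tunnel.XXXXXX")
    # -f backgrounds ssh only after the forward is established, so the client
    # below can connect right away without polling the local port.
    # shellcheck disable=SC2046
    ssh -f -M -S "$sock" $(build_tunnel_args "$1" "$2" "$3" "$token" "$4" "$5")

    # Connect once, straight away: the token is single-use and valid for
    # 5 minutes, so no "test connection" beforehand (that would consume it).
    mysql -h 127.0.0.1 -P "$1" -u "$6" -p || true

    # Close the background tunnel via the control socket.
    ssh -S "$sock" -O exit "$token@$4" 2>/dev/null || true
}
```

Usage: `run_session 3307 <Database IP Address> 3306 <bastion O&M address> <bastion SSH port> <database account>` and paste the token when prompted; the client then connects to 127.0.0.1:3307. If the client tool is reused later, obtain a fresh token first, because the tunnel above has already consumed the previous one.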
Step 4: Audit O&M operations as an auditor
After O&M engineers use Bastionhost to perform O&M operations on database assets, session records and operation logs are generated. Auditors can view the session records and operation logs to trace O&M operations. Auditors can also monitor sessions in real time to check whether unauthorized operations are performed.
- Log on to your bastion host. For more information, see Log on to the console of a bastion host.
- In the left-side navigation pane, choose .
- On the Session Audit page, view the session records.