Bastionhost:Best practices of database O&M

Last Updated: Aug 01, 2023

Database assets are crucial to enterprises. O&M operations on the database assets must be controlled to ensure security. Bastionhost Enterprise Edition allows O&M engineers to perform O&M operations on database assets in a secure manner. The assets include ApsaraDB RDS instances and self-managed databases that run MySQL, SQL Server, PostgreSQL, and Oracle. This topic describes how to use Bastionhost to perform database O&M.

Background information

Enterprise assets include a large number of database assets in addition to Windows servers and Linux servers. Database assets contain a large amount of sensitive data. The key requirements of enterprises are to ensure O&M security and prevent unauthorized access and operations.

The database assets of enterprises are divided into several types, such as ApsaraDB RDS instances and self-managed databases that run MySQL, SQL Server, PostgreSQL, and Oracle. The database assets of large enterprises are also distributed across multiple accounts, virtual private clouds (VPCs), data centers, or heterogeneous clouds. Bastionhost controls O&M operations on assets in the preceding hybrid scenarios and allows O&M security teams to manage the O&M operations in a centralized manner.

Bastionhost Enterprise Edition supports O&M operations on Windows servers, Linux servers, and database assets. The Bastionhost administrator can control O&M permissions on ApsaraDB RDS instances and self-managed databases that run MySQL, SQL Server, PostgreSQL, and Oracle. The O&M operations can be traced and audited. This way, database O&M security is ensured. Bastionhost Enterprise Edition supports O&M operations in hybrid scenarios. The Bastionhost administrator can use the network domain feature to connect assets that are deployed across multiple accounts, data centers, or heterogeneous clouds to Bastionhost. This way, O&M security teams can manage the assets in a centralized manner.

Bastionhost Enterprise Edition is built on top of a reliable dual-engine architecture. Both engines are active, which ensures business continuity and meets the high requirements of database O&M. For more information, see Functions and features.

Process

If Bastionhost is used to control O&M operations on database assets, the Bastionhost administrator must import the database assets into Bastionhost and grant permissions to O&M engineers. Then, O&M engineers establish SSH tunnels to Bastionhost by using database O&M tools or CLIs. This way, the O&M engineers can log on to the database assets and perform O&M operations.

Prerequisites

  • A database O&M tool that supports SSH tunnels is installed on the local host. The database O&M tool can be DBeaver, DbVisualizer, Navicat Premium, or Navicat for MySQL. For more information, see Recommended client connection tools and versions.

  • A database asset is imported into Bastionhost. For more information, see Use the database management feature.

  • The O&M addresses of the bastion host are obtained. You can obtain the O&M addresses in the Bastion Host Information section of the Overview page in the console of the bastion host. For more information, see Overview page.

    Note

    Bastionhost provides fixed O&M addresses and supports dynamic O&M IP addresses to implement disaster recovery. The IP address to which the private O&M address of a bastion host resolves may change. We recommend that you perform O&M operations by using the O&M address rather than its resolved IP address, so that O&M operations are not interrupted when the IP address changes.

Step 1: Grant permissions on a database asset to an O&M engineer as the Bastionhost administrator

The Bastionhost administrator can implement fine-grained access control to prevent unauthorized access to database assets. This way, the assets and accounts that can be accessed by O&M engineers are controlled in a strict manner.

  1. Log on to the console of your bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. On the Users page, find the user to whom you want to grant permissions and click Authorize User to Manage Databases in the Actions column.

    You can create an asset group and add multiple assets to the asset group. Then, you can grant permissions on the asset group to the user. For more information, see Use the database management feature and Manage an authorization rule.

  4. On the user details page, click Authorize User to Manage Databases. In the Authorize User to Manage Databases panel, select the database asset on which you want to grant permissions to the user and click OK.

  5. After the authorization is complete, find the database asset and, in the Authorized Accounts column, click "No accounts found. Click here to authorize the user to manage the accounts of the asset group." In the Select Account panel, select the database account on which you want to grant permissions to the user and click Update.

Step 2: Obtain an O&M token as the O&M engineer

An O&M engineer can perform O&M operations on databases that run MySQL, SQL Server, PostgreSQL, and Oracle. The O&M engineer can use O&M tokens to perform O&M and audit operations over SSH tunnels.

  • If you use a RAM user, perform the following steps to obtain an O&M token:

    1. Log on to the console of your bastion host. For more information, see Log on to the console of a bastion host.

    2. In the left-side navigation pane, choose O&M > Database O&M. Find the required database in the database list and click O&M Token in the Log On column. In the dialog box that appears, select a value from the Database Account drop-down list and click Obtain O&M Token. In the message that appears, copy the values of Database IP Address and O&M Token.

  • If you do not use a RAM user, perform the following steps to obtain an O&M token:

    1. Paste the public O&M address of the bastion host in the address bar of a browser and press Enter. On the page that appears, enter the username and password to log on to the O&M portal. In the left-side navigation pane, click Databases.

    2. In the database list, find the database on which you want to perform O&M operations and click O&M Token in the O&M Token column. In the O&M Token dialog box, select a database account and click Obtain O&M Token. In the message that appears, copy the values of Database IP Address and O&M Token.

Note

  • The O&M token is valid for 5 minutes. Make sure that you log on to the database within the validity period.

  • The O&M token is the unique identifier of the current O&M session and can be used only once. Keep the O&M token confidential. If you test the connection to the database on the connection configuration page of the client tool, the O&M token becomes invalid. In this case, you must obtain a new O&M token before you log on to the database to perform O&M operations.

  • If the account of the database is not hosted on the bastion host, you must configure the basic information about the O&M token in the O&M Token dialog box before you can obtain the O&M token. For more information about how to create a database account, see Manage database accounts.

  • The O&M administrator of the audit record refers to the user who applies for the O&M token, instead of the user of the bastion host.

Step 3: Establish an SSH tunnel by using a database O&M tool or a CLI as the O&M engineer

Bastionhost provides two methods for O&M engineers to perform O&M operations on database assets. O&M engineers can use database O&M tools or CLIs to establish SSH tunnels and use O&M tokens to perform O&M and audit operations. For more information, see Perform O&M operations on databases. The following example uses a database O&M tool:

  1. Open Navicat Premium and create a connection to the database asset that runs PostgreSQL.

    On the General tab, configure the parameters such as Connection Name, Host, User Name, and Password.

    The following parameters are required:

      • Host: the address of the database.

      • User Name: the username that you use to log on to the database asset.

      • Password: the password that you use to log on to the database asset. If the administrator hosts the username and password of the database asset on the bastion host, you can leave this parameter empty. Otherwise, you must configure this parameter.

    Note: We recommend that you save the password. If you do not save the password, the database O&M tool may require you to enter a password. In this case, you can enter the O&M token.


    On the SSH tab, configure the parameters such as Use SSH tunnel, Host, Port, User Name, and Password. Click OK.

    The following parameters are required:

      • Use SSH tunnel: select Use SSH tunnel.

      • Host: enter the public O&M address of the bastion host.

      • Port: enter the O&M port of the bastion host for SSH tunnels. Default value: 60022.

      • User Name: enter the username that you use to log on to the bastion host.

      • Password: enter the O&M token that you obtained in Step 2: Obtain an O&M token as the O&M engineer.

    Note: We recommend that you save the password. If you do not save the password, the database O&M tool may require you to enter a password. In this case, you can enter the O&M token.

  2. Double-click the newly created connection to log on to the database and perform O&M operations.
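The page mentions that a CLI can be used instead of a database O&M tool but does not show that route. The following POSIX shell script is an added example, not part of the original page and not Bastionhost's own tooling: it opens the same kind of SSH tunnel that the SSH tab configures (bastion host address, port 60022, bastion host username, O&M token as the SSH password) by using ssh local port forwarding, and then connects to PostgreSQL through the tunnel with psql. The bastion host address, usernames, database IP address, database name and local port are placeholders; the mapping of the tool settings onto an `ssh -L` command is an assumption. The 5-minute token validity and the default port 60022 are the values stated above.

```shell
#!/bin/sh
# Added example, not Bastionhost's own tooling: open the SSH tunnel that the SSH
# tab of the O&M tool configures, but from a CLI, and reach PostgreSQL through it.
set -eu

# Placeholder values (assumed); take the real ones from the bastion host console.
BASTION_ADDR="bastion.example.com"   # public O&M address of the bastion host
BASTION_PORT="60022"                 # O&M port for SSH tunnels (default value on the page)
BASTION_USER="ops_user"              # username used to log on to the bastion host
DB_IP="10.0.0.5"                     # "Database IP Address" returned with the O&M token
DB_PORT="5432"                       # PostgreSQL port on the database asset (assumed)
DB_USER="app_ro"                     # database account authorized in Step 1 (placeholder)
DB_NAME="appdb"                      # database to connect to (placeholder)
LOCAL_PORT="15432"                   # free local port for the forwarded connection
TOKEN_TTL_SECONDS=300                # the O&M token is valid for 5 minutes
CTL_SOCK="${HOME:-/tmp}/.ssh/bastion-tunnel.sock"  # control socket used to close the tunnel

# Print the ssh command so it can be reviewed before it runs. -N forwards ports
# without a remote shell; -L binds to 127.0.0.1 only, so the forwarded database
# port is not reachable from other hosts; password authentication is forced so
# the single-use token is presented at the first prompt, not after key attempts.
build_tunnel_cmd() {
    # $1 bastion address, $2 bastion port, $3 bastion user,
    # $4 database IP, $5 database port, $6 local port
    printf 'ssh -N -o ExitOnForwardFailure=yes -o PreferredAuthentications=password -o PubkeyAuthentication=no -p %s -L 127.0.0.1:%s:%s:%s %s@%s' \
        "$2" "$6" "$4" "$5" "$3" "$1"
}

# Return 0 if a token obtained at $1 (epoch seconds) is still usable at $2,
# i.e. less than TOKEN_TTL_SECONDS have elapsed.
token_is_fresh() {
    issued=$1
    now=$2
    [ $((now - issued)) -lt "$TOKEN_TTL_SECONDS" ]
}

open_tunnel() {
    cmd=$(build_tunnel_cmd "$BASTION_ADDR" "$BASTION_PORT" "$BASTION_USER" \
                           "$DB_IP" "$DB_PORT" "$LOCAL_PORT")
    # -f backgrounds ssh only after authentication succeeds, so the password
    # prompt (where the O&M token is pasted) stays interactive; -M/-S create a
    # control socket so the tunnel can be closed explicitly when O&M is done.
    ${cmd%% *} -f -M -S "$CTL_SOCK" ${cmd#* }
}

close_tunnel() {
    ssh -S "$CTL_SOCK" -O exit "${BASTION_USER}@${BASTION_ADDR}" 2>/dev/null || true
}

# A real tunnel is opened only when explicitly requested, so the helpers above
# can be sourced or tested without network access. TOKEN_ISSUED_AT (epoch
# seconds, optional) records when the O&M token was obtained; a stale token
# would only waste the single logon attempt it allows.
if [ "${BASTION_RUN:-0}" = "1" ]; then
    issued_at="${TOKEN_ISSUED_AT:-$(date +%s)}"
    if ! token_is_fresh "$issued_at" "$(date +%s)"; then
        echo "O&M token is older than 5 minutes; obtain a new one first" >&2
        exit 1
    fi
    open_tunnel
    # psql prompts for the database password, as the General tab of the tool does.
    psql "host=127.0.0.1 port=${LOCAL_PORT} user=${DB_USER} dbname=${DB_NAME}"
    close_tunnel
fi
```

Run the script with `BASTION_RUN=1` to open the tunnel; ssh prompts once for a password, and that is where the O&M token is pasted. Because the token can be used only once, the script never tests the connection separately, and the local listener is bound to 127.0.0.1 so that the forwarded database port is not reachable from other hosts on the engineer's network.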

Step 4: Audit O&M operations as an auditor

After O&M engineers use Bastionhost to perform O&M operations on database assets, session records and operation logs are generated. Auditors can view the session records and operation logs to trace O&M operations. Auditors can also monitor sessions in real time to check whether unauthorized operations are performed.

  1. Log on to the console of your bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose O&M Audit > Session Audit.

  3. On the Session Audit page, view the session records.
