Best practices of database O&M - Bastionhost - Alibaba Cloud Documentation Center

Database assets are crucial to enterprises. O&M operations on the database assets must be controlled to ensure security. You can use Bastionhost Enterprise Edition to perform O&M and audit operations on ApsaraDB RDS for MySQL, ApsaraDB RDS for SQL Server, and ApsaraDB RDS for PostgreSQL instances, PolarDB for MySQL, PolarDB for PostgreSQL, and PolarDB for PostgreSQL (Compatible with Oracle) clusters, and self-managed MySQL, SQL Server, PostgreSQL, and Oracle databases. This topic describes how to use Bastionhost to perform database O&M.

Background information

Enterprise assets include a large number of database assets in addition to Windows servers and Linux servers. Database assets contain a large amount of sensitive data. The key requirements of enterprises are to ensure O&M security and prevent unauthorized access and operations.

The database assets of enterprises are divided into several types, such as ApsaraDB RDS instances and self-managed databases that run MySQL, SQL Server, PostgreSQL, and Oracle. The database assets of large enterprises are also distributed across multiple accounts, virtual private clouds (VPCs), data centers, or heterogeneous clouds. Bastionhost controls O&M operations on assets in the preceding hybrid scenarios and allows O&M security teams to manage the O&M operations in a centralized manner.

Bastionhost Enterprise Edition supports O&M operations on Windows servers, Linux servers, and database assets. The Bastionhost administrator can control O&M permissions on different types of databases. The O&M operations can be traced and audited. This way, database O&M security is ensured. Bastionhost Enterprise Edition supports O&M operations in hybrid scenarios. The Bastionhost administrator can use the network domain feature to connect assets that are deployed across multiple accounts, data centers, or heterogeneous clouds to Bastionhost. This way, O&M security teams can manage the assets in a centralized manner.

Bastionhost Enterprise Edition is built on top of a reliable dual-engine architecture. Both engines are active, which ensures business continuity and meets the high requirements of database O&M. For more information, see Functions and features.

Process

If Bastionhost is used to control O&M operations on database assets, the Bastionhost administrator must import the database assets into Bastionhost and grant permissions to O&M engineers. Then, O&M engineers establish SSH tunnels to Bastionhost by using database O&M tools or command-line interfaces (CLIs). This way, the O&M engineers can log on to the database assets and perform O&M operations.

Prerequisites

A database O&M tool that supports SSH tunnels is installed on the local host. The database O&M tool can be DBeaver, DbVisualizer, Navicat Premium, or Navicat for MySQL. For more information, see Recommended client connection tools and versions.
A database asset is imported into Bastionhost. For more information, see Use the database management feature.
The O&M addresses of the bastion host are obtained. You can obtain the O&M addresses in the Bastion Host Information section on the Overview page of the console of the bastion host. For more information, see Log on to the console of a bastion host.
Note
Bastionhost provides fixed O&M addresses and supports dynamic O&M IP addresses to ensure security. The IP address to which the private O&M address of a bastion host is resolved may change. We recommend that you perform O&M operations by using an O&M address. This helps prevent unavailable O&M due to the IP address change.

Step 1: Grant permissions on a database asset to an O&M engineer as the Bastionhost administrator

The Bastionhost administrator can implement fine-grained access control to prevent unauthorized access to database assets. This way, the assets and accounts that can be accessed by O&M engineers are controlled in a strict manner. Perform the following steps to enable topology-aware CPU scheduling.

Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
In the left-side navigation pane, choose Users > Users.
On the Users page, find the user to whom you want to grant permissions and click Authorize User to Manage Databases in the Actions column.
You can create an asset group and add multiple assets to the asset group. Then, you can grant permissions on the asset group to the user. For more information, see Use the database management feature and Manage an authorization rule.
On the user details page, click Authorize User to Manage Databases. In the Authorize User to Manage Databases panel, select the database asset on which you want to grant permissions to the user and click OK.
After the authorization is complete, find the database asset and click No accounts found. Click here to authorize the user to manage the accounts of the asset group. in the Authorized Accounts column. In the Select Account panel, select the database account on which you want to grant permissions to the user and click Update.

Step 2: Obtain an O&M token as the O&M engineer

The O&M engineer can use O&M tokens to perform O&M and audit operations over SSH tunnels. For more information about how to obtain an O&M token, see Obtain an O&M token.

Note

If the account of the database is not hosted on the bastion host, you must configure the basic information about the O&M token in the O&M Token dialog box before you can obtain the O&M token. For more information about how to create a database account, see Manage database accounts.
You can use an O&M token only within its validity period. A Bastionhost administrator can configure a validity period for O&M tokens in the console of a bastion host. If O&M review is enabled, the validity period of the O&M token that is approved by an administrator takes effect.
If a Bastionhost administrator allows O&M engineers to renew O&M tokens, O&M engineers can renew O&M tokens before the O&M tokens expire. After the O&M tokens expire, the O&M engineers must apply for new O&M tokens. If O&M review is enabled, the O&M engineers cannot renew O&M tokens. After the settings of O&M tokens are modified, an O&M engineer must apply for a new O&M token or update the existing O&M token for the change to take effect.
If an O&M token is valid but the O&M connection fails, the number of concurrent O&M connections may have reached the upper limit or a Bastionhost administrator blocked the O&M requests that are sent during the period of time and from the source IP address. In the first case, contact the Bastionhost administrator to upgrade your bastion host or release idle connections. In the second case, contact the Bastionhost administrator to remove the restrictions.
The O&M engineer information in the audit records contains the information about the users who applied for O&M tokens. The information does not include the usernames and asset accounts that are specified in clients.

Step 3: Establish an SSH tunnel by using a database O&M tool or a CLI as the O&M engineer

Bastionhost provides two methods for O&M engineers to perform O&M operations on database assets. O&M engineers can use database O&M tools or CLIs to establish SSH tunnels and use O&M tokens to perform O&M and audit operations. For more information, see Perform O&M operations on databases. In this example, a database O&M tool is used to describe the O&M process:

Open Navicat Premium and establish a connection to the database asset that runs PostgreSQL.

On the General tab, configure the parameters such as Connection Name, Host, User Name, and Password.

The following table describes the parameters.

Parameter
Host	The address of the database.
User Name	The username that you use to log on to the database asset.
Password	The password that you use to log on to the database asset. If the administrator hosts the username and password of the database asset on the bastion host, you can leave this parameter empty. Otherwise, you must configure this parameter. Note We recommend that you save the password. If you do not save the password, the database O&M tool may require you to enter a password. In this case, you can enter the O&M token.

常规页签

On the SSH tab, configure the parameters such as Use SSH tunnel, Host, Port, User Name, and Password. Click OK.

The following table describes the parameters.

Parameter
Use SSH tunnel	Select Use SSH tunnel.
Host	Enter the public O&M address of your bastion host.
Port	Enter the O&M port of the bastion host for SSH tunnels. Default value: 60022.
User Name	Enter the username that you use to log on to your bastion host.
Password	Enter the O&M token that is obtained from Step 2: Obtain an O&M token as the O&M engineer. Note We recommend that you save the password. If you do not save the password, the database O&M tool may require you to enter a password. In this case, you can enter the O&M token.

SSH页签

Double-click the newly created connection to log on to the database and perform O&M operations.

Step 4: Audit O&M operations as an auditor

After O&M engineers use Bastionhost to perform O&M operations on database assets, session records and operation logs are generated. Auditors can view the session records and operation logs to trace O&M operations. Auditors can also monitor sessions in real time to check whether unauthorized operations are performed.

Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.
In the left-side navigation pane, choose O&M Audit > Session Audit.
On the Session Audit page, view the session records.