Log on to a database that runs MySQL and perform O&M operations on the database - Bastionhost

Bastionhost routes database connections through an SSH tunnel, capturing all sessions for audit. This topic shows how to connect to a database from a macOS client using DBeaver or the command-line interface (CLI).

Supported databases:

Category	Database engines
ApsaraDB RDS	MySQL, SQL Server, PostgreSQL
PolarDB	MySQL, PostgreSQL, PostgreSQL (Compatible with Oracle)
Self-managed	MySQL, SQL Server, PostgreSQL, Oracle

Prerequisites

Before you begin, make sure you have:

A database O&M tool that supports SSH tunnels — for example, DBeaver, DbVisualizer, Navicat Premium, or Navicat for MySQL
The O&M address of your bastion host, available in the Bastion Host Information section on the Overview page of the Bastionhost console. For details, see Log on to the console of a bastion host.

Use the O&M address rather than a raw IP address. Bastionhost supports both fixed and dynamic O&M IP addresses; raw IP addresses can change and cause connection failures.

Get an O&M token

An O&M token authenticates your database session through the SSH tunnel. Get one before connecting.

For instructions, see Obtain an O&M token.

If the database account is not hosted on Bastionhost, configure the account details in the O&M Token dialog box before obtaining the token. For details, see Use the database management feature.

Token rules:

Rule	Details
Validity period	Tokens are valid only within the period set by the Bastionhost administrator. If O&M review is enabled, the period approved by the administrator applies.
Renewal	If the administrator allows renewals, renew before the token expires. After expiry, apply for a new token. Renewal is not allowed when O&M review is enabled. After the settings of O&M tokens are modified, you must apply for a new O&M token or update the existing O&M token for the change to take effect.
Audit records	Audit records identify the user who obtained the token, not the username or asset account specified in the client.

Connect using DBeaver

Log on to the Bastionhost console or O&M portal and get an O&M token.
Open DBeaver and create a new database connection.

On the General tab, enter the database connection details and click Next.

Parameter	Description
Host	The address of the database asset
Port	The port of the target database
User Name	The username for the database
Password	See the password rules by database type below

Password field by database type:

Database type	Password value
MySQL, SQL Server, or PostgreSQL (account hosted on Bastionhost)	Leave blank
MySQL, SQL Server, or PostgreSQL (account not hosted on Bastionhost)	Enter the database password
Oracle (account hosted on Bastionhost)	Enter `123456` and specify the logon attribute as instructed by the O&M token
Oracle (account not hosted on Bastionhost)	Enter the actual database password and specify the logon attribute as instructed by the O&M token

On the SSH tab, configure the SSH tunnel and click Finish.

Parameter	Description
Use SSH Tunnel	Select Use SSH Tunnel
Host/IP	The public O&M address of your bastion host
Port	The O&M port for SSH tunnels (default: `60022`)
User Name	The username for your bastion host
Password	The O&M token you obtained

In DBeaver, double-click the new connection to log on to the database and start your O&M session.

Connect using the CLI

The CLI method is not supported for Oracle databases.

This example uses MySQL.

Log on to the O&M portal. For details, see Log on to the O&M portal.
In the left-side navigation pane, click Databases.
On the Databases page, find the target database and click O&M Token in the O&M Token column.
In the O&M Token dialog box, select a database account and click Obtain O&M Token.
If the database account is not hosted on Bastionhost, configure the account details in this dialog box first. See Use the database management feature.

Open a terminal and run the following command to create the SSH tunnel:

Parameter	Description
`localport`	A local port that is not currently in use
`databaseAddress`	The address of the target database
`databasePort`	The port of the target database
`bastionusername`	Your bastion host username
`bastionAddress`	The public O&M address of your bastion host
`bastionPort`	The O&M port for SSH (default: `60022`)

ssh -N -L <localport>:<databaseAddress>:<databasePort> <bastionusername>@<bastionAddress> -p <bastionPort>

When prompted for a password, enter the O&M token and press Enter.
Open a new terminal window and verify the tunnel is active. The listening port should show LISTEN status.
Connect to the MySQL database through the tunnel:
Parameter Description
accountname The username of the MySQL database
localport The local port you specified in step 5
```
mysql -h 127.0.0.1 -u <accountname> -P <localport>
```
After connecting, run SQL commands to perform your O&M operations.

Parameter	Description
`accountname`	The username of the MySQL database
`localport`	The local port you specified in step 5

Troubleshooting

The O&M token is valid but the connection fails.

Cause	Resolution
The concurrent O&M connection limit has been reached	Contact the Bastionhost administrator to upgrade your bastion host or release idle connections
Requests are blocked by an IP address or time-based restriction	Contact the Bastionhost administrator to remove the restriction

What's next

Use the database management feature — Manage database accounts hosted on Bastionhost
Obtain an O&M token — Learn more about token options and renewal