# Security Architecture Design

## Authentication Mechanisms

| Method | Description |
|---|---|
| MySQL native authentication | Compatible with mysql_native_password and caching_sha2_password |
| LDAP/AD | Integration with enterprise directory services |
| OAuth 2.0 / OIDC | Cloud-native single sign-on |
| JWT | Stateless token authentication |
| Kerberos | Enterprise-grade strong authentication |

### Authentication configuration example
```yaml
authentication:
  methods:
    - type: mysql_native
      enabled: true
    - type: caching_sha2_password
      enabled: true
    - type: ldap
      enabled: false
      config:
        url: ldap://ldap.example.com:389
        baseDN: dc=example,dc=com
        userFilter: (uid=%s)
  session:
    timeout: 3600               # session timeout (seconds)
    maxConnectionsPerUser: 100  # maximum connections per user
```
## Authorization Mechanism (RBAC)
```yaml
authorization:
  type: rbac
  roles:
    - name: admin
      permissions:
        - ALL
    - name: developer
      permissions:
        - SELECT
        - INSERT
        - UPDATE
        - CREATE
        - ALTER
    - name: readonly
      permissions:
        - SELECT
  users:
    - username: root
      password: hashed_password
      roles: [admin]
    - username: app_user
      password: hashed_password
      roles: [developer]
```
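The following is an added example (not Mycat3 code) that evaluates the RBAC model of the authorization block above: a user's effective permissions are the union of the permissions of its roles, `ALL` acts as a wildcard, and an unknown user gets nothing. The role and user tables are constructed to mirror the YAML (plus one extra `readonly` user); the rule that the permission name equals the leading SQL verb of the statement is an assumption of this example.

```python
# Added example (not Mycat3 code): RBAC evaluation for the authorization
# block above. Role/user tables mirror the YAML; the statement-to-permission
# mapping (leading SQL verb == permission name) is an assumption.

# Constructed copy of the roles in the authorization section.
ROLES = {
    "admin": {"ALL"},
    "developer": {"SELECT", "INSERT", "UPDATE", "CREATE", "ALTER"},
    "readonly": {"SELECT"},
}

# Constructed users; "report" is an extra readonly user for illustration.
USERS = {
    "root": {"roles": ["admin"]},
    "app_user": {"roles": ["developer"]},
    "report": {"roles": ["readonly"]},
}


def required_permission(statement: str) -> str:
    """Permission needed by a statement: its leading SQL verb (assumption)."""
    words = statement.strip().split()
    if not words:
        raise ValueError("empty statement")
    return words[0].upper()


def effective_permissions(username: str) -> set:
    """Union of the permissions of every role assigned to the user.
    Unknown users (or roles) contribute nothing: deny by default."""
    user = USERS.get(username)
    if user is None:
        return set()
    perms = set()
    for role in user["roles"]:
        perms |= ROLES.get(role, set())
    return perms


def authorize(username: str, statement: str) -> bool:
    """True if the user may execute the statement under the RBAC rules."""
    perms = effective_permissions(username)
    if "ALL" in perms:          # admin wildcard
        return True
    return required_permission(statement) in perms


if __name__ == "__main__":
    for user, stmt in [("root", "DROP TABLE t"),
                       ("app_user", "DROP TABLE t"),
                       ("report", "SELECT 1")]:
        print(f"{user:9s} {stmt:20s} -> {authorize(user, stmt)}")
```

Keeping the decision in `authorize` (rather than scattered checks) gives one place to audit and to log every deny; the deny-by-default branches for unknown users and roles are what make the model fail closed.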
## Network Security

| Feature | Description |
|---|---|
| TLS 1.3 | Encryption enforced for all network communication |
| mTLS | Mutual TLS authentication |
| IP whitelist | Restricts the IP addresses allowed to connect |
| Connection rate limiting | Mitigates brute-force attempts and DDoS |
| SQL injection protection | Built-in SQL injection detection |
```yaml
network:
  ssl:
    enabled: true
    tlsVersion: 1.3
    certPath: /certs/server.crt
    keyPath: /certs/server.key
    caPath: /certs/ca.crt
  mtls:
    enabled: false
  ipFilter:
    enabled: true
    whitelist:
      - 192.168.1.0/24
      - 10.0.0.0/8
  rateLimit:
    enabled: true
    maxRequestsPerSecond: 1000
    banDuration: 300
```
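As an added example (not Mycat3 code), the admission logic implied by the `ipFilter` and `rateLimit` settings above: the client IP must fall inside a whitelisted CIDR, then a per-IP sliding one-second window enforces `maxRequestsPerSecond`, and an IP that exceeds it is refused for `banDuration` seconds. The CIDR list and limits are constructed to match the YAML; the `ConnectionGate` class, its injected clock and the reason strings are assumptions of this example.

```python
# Added example (not Mycat3 code): IP whitelist + per-IP rate limit with a
# temporary ban, mirroring the network.ipFilter / network.rateLimit settings.
import ipaddress
from collections import defaultdict, deque

# Constructed values taken from the network section above.
WHITELIST = [ipaddress.ip_network(c) for c in ("192.168.1.0/24", "10.0.0.0/8")]
MAX_REQUESTS_PER_SECOND = 1000
BAN_DURATION = 300  # seconds


class ConnectionGate:
    """Admission control for incoming connections (hypothetical class).

    Order of checks: whitelist, active ban, sliding-window rate limit.
    A clock function is injected so the behaviour is deterministic in tests.
    """

    def __init__(self, clock):
        self.clock = clock
        self.window = defaultdict(deque)   # ip -> request timestamps (last 1 s)
        self.banned_until = {}             # ip -> time the ban expires

    def allowed(self, ip: str) -> tuple:
        """Return (admitted, reason) for a connection attempt from ip."""
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in WHITELIST):
            return False, "not in whitelist"
        now = self.clock()
        if self.banned_until.get(ip, 0) > now:
            return False, "banned"
        q = self.window[ip]
        while q and now - q[0] >= 1.0:    # drop timestamps older than 1 s
            q.popleft()
        q.append(now)
        if len(q) > MAX_REQUESTS_PER_SECOND:
            self.banned_until[ip] = now + BAN_DURATION
            q.clear()
            return False, "rate limit exceeded, banned"
        return True, "ok"


if __name__ == "__main__":
    import time
    gate = ConnectionGate(time.monotonic)
    for ip in ("192.168.1.5", "8.8.8.8"):
        print(ip, gate.allowed(ip))
```

The whitelist test runs before any per-IP state is touched, so unlisted sources cannot grow the window or ban tables; that keeps the memory cost of a flood from non-whitelisted addresses at zero, which matters for the DDoS case the feature table mentions.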
## Data Encryption
```yaml
encryption:
  at_rest:
    enabled: true
    algorithm: AES-256-GCM
    keyManagement: vault   # vault / aws_kms / local
    vaultConfig:
      url: https://vault.example.com:8200
      path: Mycat3/encryption
  in_transit:
    enabled: true
    tlsVersion: 1.3
  data_masking:
    enabled: true
    rules:
      - columnPattern: "*.phone"
        maskType: phone
      - columnPattern: "*.email"
        maskType: email
      - columnPattern: "*.id_card"
        maskType: idcard
```
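An added example (not Mycat3 code) of applying the `data_masking.rules` above to a result row: each `table.column` name is matched against `columnPattern` with shell-style globbing (so `*.phone` matches `users.phone`), and the first matching rule's `maskType` picks a masking function. The three masking formats (keep 3+4 digits of a phone, first and last character of an e-mail local part, first 6 and last 4 of an ID card) and the `mask_row` helper are assumptions of this example; the sample values are constructed.

```python
# Added example (not Mycat3 code): column-pattern data masking mirroring the
# encryption.data_masking rules. Mask formats are assumptions of this example.
import fnmatch
import re

# Constructed copy of the data_masking.rules list above.
MASK_RULES = [
    {"columnPattern": "*.phone", "maskType": "phone"},
    {"columnPattern": "*.email", "maskType": "email"},
    {"columnPattern": "*.id_card", "maskType": "idcard"},
]


def mask_phone(value: str) -> str:
    """Keep the first 3 and last 4 digits; hide everything else (assumed format)."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 7:
        return "*" * len(value)
    return digits[:3] + "*" * (len(digits) - 7) + digits[-4:]


def mask_email(value: str) -> str:
    """Keep first and last character of the local part and the whole domain."""
    local, sep, domain = value.partition("@")
    if not sep:
        return "*" * len(value)
    if len(local) <= 2:
        return "*" * len(local) + "@" + domain
    return local[0] + "*" * (len(local) - 2) + local[-1] + "@" + domain


def mask_idcard(value: str) -> str:
    """Keep the first 6 and last 4 characters (hides the birth-date segment)."""
    if len(value) < 10:
        return "*" * len(value)
    return value[:6] + "*" * (len(value) - 10) + value[-4:]


MASKERS = {"phone": mask_phone, "email": mask_email, "idcard": mask_idcard}


def mask_for(qualified_column: str):
    """Masking function for 'table.column' per the first matching rule, or None."""
    for rule in MASK_RULES:
        if fnmatch.fnmatchcase(qualified_column, rule["columnPattern"]):
            return MASKERS[rule["maskType"]]
    return None


def mask_row(table: str, row: dict) -> dict:
    """Apply masking to every string column of a result row that matches a rule."""
    out = {}
    for col, val in row.items():
        masker = mask_for(f"{table}.{col}")
        out[col] = masker(val) if (masker and isinstance(val, str)) else val
    return out


if __name__ == "__main__":
    # Constructed sample row; not real personal data.
    print(mask_row("users", {"id": 7, "phone": "13812345678",
                             "email": "alice@example.com",
                             "id_card": "110101199001011234"}))
```

Because `fnmatchcase` treats `*` as matching any characters including the dot, a pattern such as `*.phone` matches the column in every table but not `users.phone_backup`; write a more specific pattern if backup or derived columns also hold the sensitive value.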
## Audit Logging
```yaml
audit:
  enabled: true
  events:
    - LOGIN
    - LOGOUT
    - DDL
    - DML
    - DCL
    - ADMIN_OPERATION
  storage:
    type: elasticsearch
    connection:
      urls: ["http://es1:9200", "http://es2:9200"]
      index: Mycat3-audit-{date}
    retention:
      days: 90
    local:
      enabled: true
      path: /var/log/Mycat3/audit/
      maxFileSize: 100MB
      maxBackups: 30
```
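The following is an added example (not Mycat3 code) of the event pipeline the audit block above describes: a statement is classified as DDL, DML or DCL by its leading verb, a JSON-serialisable record is produced only when that event type is in `audit.events`, the daily index name is derived from the `Mycat3-audit-{date}` template, and a record older than `retention.days` is reported as expired. The verb sets, the record fields, the `%Y-%m-%d` date format and the function names are assumptions of this example.

```python
# Added example (not Mycat3 code): audit event classification, filtering by
# the configured event list, index naming and retention check.
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed copies of audit.events and audit.storage.retention.days above.
AUDIT_EVENTS = {"LOGIN", "LOGOUT", "DDL", "DML", "DCL", "ADMIN_OPERATION"}
RETENTION_DAYS = 90
INDEX_TEMPLATE = "Mycat3-audit-{date}"

# Verb-to-class mapping (assumption of this example).
DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME"}
DML_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "REPLACE"}
DCL_VERBS = {"GRANT", "REVOKE"}


def classify(statement: str) -> Optional[str]:
    """Return DDL / DML / DCL for a statement, or None if it is none of them."""
    words = statement.strip().split(None, 1)
    verb = words[0].upper() if words else ""
    if verb in DDL_VERBS:
        return "DDL"
    if verb in DML_VERBS:
        return "DML"
    if verb in DCL_VERBS:
        return "DCL"
    return None


def audit_record(user: str, client_ip: str, statement: str,
                 when: datetime, events=AUDIT_EVENTS) -> Optional[dict]:
    """Build an audit record, or None when the event type is not configured."""
    event = classify(statement)
    if event is None or event not in events:
        return None
    return {"ts": when.isoformat(), "event": event, "user": user,
            "client": client_ip, "statement": statement}


def index_for(when: datetime) -> str:
    """Daily index name from the Mycat3-audit-{date} template (date format assumed)."""
    return INDEX_TEMPLATE.format(date=when.strftime("%Y-%m-%d"))


def expired(record: dict, now: datetime) -> bool:
    """True once the record is older than the configured retention period."""
    return now - datetime.fromisoformat(record["ts"]) > timedelta(days=RETENTION_DAYS)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    rec = audit_record("app_user", "10.0.0.9", "ALTER TABLE t ADD c INT", now)
    print(index_for(now), json.dumps(rec))
```

Passing `events` explicitly lets the same function serve a trimmed configuration (for example DDL and DCL only) without global state, which is also how the filter can be unit-tested against each event list the deployment uses.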
Design principles: Security First - all security features are enabled by default. Zero-trust architecture - no source is trusted; every request must be authenticated and authorized.
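One way to check a deployment against the Security First principle, as an added example (not Mycat3 code): walk the configuration tree and report every security block that is switched off, any `tlsVersion` below 1.3, `local` key management, placeholder passwords and empty whitelists. The configuration is a constructed, trimmed Python copy of the YAML fragments on this page; the `security_findings` function and its finding messages are assumptions of this example. Run against the page's own fragments it reports `network.mtls` as disabled, which is the one block the sample configuration leaves off.

```python
# Added example (not Mycat3 code): audits a parsed configuration tree for
# deviations from "all security features enabled by default".

# Constructed, trimmed copy of the YAML fragments on this page.
CONFIG = {
    "authentication": {"methods": [{"type": "mysql_native", "enabled": True},
                                   {"type": "ldap", "enabled": False}]},
    "network": {"ssl": {"enabled": True, "tlsVersion": 1.3},
                "mtls": {"enabled": False},
                "ipFilter": {"enabled": True, "whitelist": ["10.0.0.0/8"]},
                "rateLimit": {"enabled": True}},
    "encryption": {"at_rest": {"enabled": True, "keyManagement": "vault"},
                   "in_transit": {"enabled": True, "tlsVersion": 1.3}},
    "audit": {"enabled": True},
}


def walk(node, path=""):
    """Yield (dotted path, mapping) for every mapping in the config tree."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def security_findings(cfg) -> list:
    """Return human-readable findings; an empty list means no deviation found."""
    findings = []
    for path, m in walk(cfg):
        # Alternative authentication methods are optional, so a disabled
        # entry under authentication.methods is not treated as a finding.
        if m.get("enabled") is False and not path.startswith("authentication.methods"):
            findings.append(f"{path}: disabled (Security First expects on by default)")
        tls = m.get("tlsVersion")
        if tls is not None and float(tls) < 1.3:
            findings.append(f"{path}: tlsVersion {tls} is below 1.3")
        if m.get("keyManagement") == "local":
            findings.append(f"{path}: local key management, prefer vault or aws_kms")
        if m.get("password") == "hashed_password":
            findings.append(f"{path}: placeholder password left in config")
        if "whitelist" in m and not m["whitelist"]:
            findings.append(f"{path}: empty whitelist")
    return findings


if __name__ == "__main__":
    for line in security_findings(CONFIG):
        print(line)
```

Running such a check in CI against the rendered configuration turns the design principle into a gate: a change that flips a security block off, or downgrades TLS, fails the pipeline instead of being noticed in production.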