From 37cd2f682abb323c531d407403b51a1f53c865f6 Mon Sep 17 00:00:00 2001 
From: spaceoddity91719 Date: Wed, 22 Nov 2023 11:19:24 +0800 Subject: [PATCH 1/4] =?UTF-8?q?update(mogdb):=E6=B7=BB=E5=8A=A0NDPPlugin?= =?UTF-8?q?=20Extension=E6=96=87=E6=A1=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../resource-pooling-operator-offloading.md | 2 +- .../developer-guide/extension/extension.md | 1 + .../libsmartscan/libsmartscan-installation.md | 34 +++++++ .../libsmartscan/libsmartscan-parameters.md | 92 +++++++++++++++++++ .../libsmartscan/libsmartscan.md | 11 +++ .../ndpplugin-extension-constraints.md | 13 +++ .../ndpplugin-extension-installation.md | 39 ++++++++ .../ndpplugin-extension-overview.md | 10 ++ .../ndpplugin-extension-guc-parameters.md | 43 +++++++++ .../ndpplugin-extension-reference.md | 11 +++ .../ndpplugin-extension-view.md | 32 +++++++ .../ndpplugin-extension.md | 14 +++ product/zh/docs-mogdb/v5.1/toc.md | 10 ++ .../v5.1/toc_extension-referecne.md | 15 ++- 14 files changed, 323 insertions(+), 4 deletions(-) create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-installation.md create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-parameters.md create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan.md create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-constraints.md create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-installation.md create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-overview.md create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-guc-parameters.md create mode 100644 
product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-reference.md create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-view.md create mode 100644 product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension.md diff --git a/product/zh/docs-mogdb/v5.1/characteristic-description/resource-pooling/resource-pooling-operator-offloading.md b/product/zh/docs-mogdb/v5.1/characteristic-description/resource-pooling/resource-pooling-operator-offloading.md index 8c699040..2a45797d 100644 --- a/product/zh/docs-mogdb/v5.1/characteristic-description/resource-pooling/resource-pooling-operator-offloading.md +++ b/product/zh/docs-mogdb/v5.1/characteristic-description/resource-pooling/resource-pooling-operator-offloading.md @@ -44,7 +44,7 @@ MogDB资源池化算子卸载特性支持Agg、SeqScan、Filter、Projection的 计算侧算子卸载并不会改变原有的执行计划以及算子的相关信息,通过存储引擎接口hook实现NDP数据的处理逻辑屏蔽执行引擎感知卸载的存在。 -插件安装与使能见:**[ndpplugin-Extension](https://docs.opengauss.org/zh/docs/5.1.0/docs/ExtensionReference/ndpplugin-Extension.html)** +插件安装与使能见:**[NDPPlugin Extension](../../developer-guide/extension/ndpplugin-extension/ndpplugin-extension.md)** ## 特性增强 diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/extension.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/extension.md index 5064c8c7..e52ada01 100644 --- a/product/zh/docs-mogdb/v5.1/developer-guide/extension/extension.md +++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/extension.md @@ -7,6 +7,7 @@ date: 2023-05-19 # Extension +- **[NDPPlugin Extension](ndpplugin-extension/ndpplugin-extension.md)** - **[PostGIS Extension](postgis-extension/postgis-extension.md)** - **[Foreign Data Wrapper](foreign-data-wrapper/fdw-introduction.md)** - **[pg_bulkload](pg_bulkload-user-guide.md)** 
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-installation.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-installation.md
new file mode 100644
index 00000000..d06d8d1c
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-installation.md
@@ -0,0 +1,34 @@
+---
+title: libsmartscan安装
+summary: libsmartscan安装
+author: Guo Huan
+date: 2023-11-21
+---
+
+# libsmartscan安装
+
+1. 获取Libsmartscan_5.1.0_openEuler_aarch64.tar.gz。
+
+2. 解压tar包,创建log目录。
+
+ ```bash
+ tar -zxvf Libsmartscan_5.1.0_openEuler_aarch64.tar.gz
+ cd Libsmartscan_5.1.0_openEuler_aarch64
+ mkdir log
+ ```
+
+3. 添加如下环境变量:
+
+ ```bash
+ export UCX_NET_DEVCES=enp132s0 #enp132s0为libsmartscan监听ip对应的网口
+ export UCX_TLS=tcp
+ export UCX_IB_REG_METHODS=rcache,odp,direct
+ export LD_LIBRARY_PATH=/path/to/Libsmartscan_5.1.0_openEuler_aarch64/LibSmartScan_ThirdParty
+ /rpc/openEuler_2003_armlib:$LD_LIBRARY_PATH
+ ```
+
+4. 配置参数,启动libsmartscan
+
+ ```bash
+ ./libsmartscan
+ ```
\ No newline at end of file
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-parameters.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-parameters.md
new file mode 100644
index 00000000..81c81076
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-parameters.md
@@ -0,0 +1,92 @@
+---
+title: libsmartscan配置参数说明
+summary: libsmartscan配置参数说明
+author: Guo Huan
+date: 2023-11-21
+---
+
+# libsmartscan配置参数说明
+
+## logPath
+
+**参数说明**:参数值为字符串,该参数为日志文件写入路径。
+
+**取值范围**:字符串
+
+**默认值**:./log
+
+## logLevel
+
+**参数说明**:参数值为枚举字符串,该参数为日志打印级别。
+
+**取值范围**:ERROR | DEBUG | WARNING | INFO
+
+**默认值**:ERROR
+
+## dataPath
+
+**参数说明**:参数值为字符串,该参数为开发人员单机环境DEBUG调试使用。
+
+**取值范围**:字符串
+
+**默认值**:无
+
+## ip
+
+**参数说明**:参数值为字符串,该参数为libsmartscan监听ip。
+
+**取值范围**:字符串
+
+**默认值**:127.0.0.1
+
+## port
+
+**参数说明**:参数值为整数,该参数为libsmartscan监听端口。
+
+**取值范围**:[0, 65535]
+
+**默认值**:6060
+
+## threadNum
+
+**参数说明**:参数值为整数,该参数为libsmartscan工作线程个数。
+
+**取值范围**:[1, 64]
+
+**默认值**:4
+
+## cephConfPath
+
+**参数说明**:参数值为字符串,该参数为ceph集群配置文件ceph.conf路径,ceph.conf默认安装路径为"/etc/ceph/ceph.conf"。
+
+**取值范围**:字符串
+
+**默认值**:无
+
+## shareBuffers
+
+**参数说明**:参数值为整数,该参数为预留参数,无实意。
+
+## certPath
+
+**参数说明**:参数值为字符串,该参数仅在开启SSL时有效,指定CA证书路径。
+
+**取值范围**:字符串
+
+**默认值**:无
+
+## privateKeyPath
+
+**参数说明**:参数值为字符串,该参数仅在开启SSL时有效,指定private key路径。
+
+**取值范围**:字符串
+
+**默认值**:无
+
+## keypass
+
+**参数说明**:参数值为字符串,该参数仅在开启SSL时有效,指定keypass路径。
+
+**取值范围**:字符串
+
+**默认值**:无
\ No newline at end of file
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan.md
new file mode 100644
index 00000000..f6f0c03f
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan.md
@@ -0,0 +1,11 @@
+---
+title: libsmartscan介绍
+summary: libsmartscan介绍
+author: Guo Huan
+date: 2023-11-21
+---
+
+# libsmartscan介绍
+
+- **[libsmartscan安装](./libsmartscan-installation.md)**
+- **[配置参数说明](./libsmartscan-parameters.md)**
\ No newline at end of file
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-constraints.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-constraints.md
new file mode 100644
index 00000000..8f00f1db
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-constraints.md
@@ -0,0 +1,13 @@
+---
+title: NDPPlugin限制
+summary: NDPPlugin限制
+author: Guo Huan
+date: 2023-11-21
+---
+
+# NDPPlugin限制
+
+- 暂时仅支持shared_preload_libraries方式加载插件
+- 暂不支持Toast表场景
+- 暂不支持ustore场景
+- 暂不支持synchronize_seqscans
\ No newline at end of file
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-installation.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-installation.md
new file mode 100644
index 00000000..48e5b38e
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-installation.md
@@ -0,0 +1,39 @@
+---
+title: NDPPlugin安装
+summary: NDPPlugin安装
+author: Guo Huan
+date: 2023-11-21
+---
+
+# NDPPlugin安装
+
+MogDB 5.1.0版本已经默认编译安装NDPPlugin插件,使用步骤如下:
+
+1. 获取LibSmartScan_5.1.0_openEuler_aarch64.tar.gz并解压。
+
+ ```shell
+ tar -zxvf LibSmartScan_5.1.0_openEuler_aarch64.tar.gz
+ ```
+
+2. 添加如下环境变量:
+
+ ```bash
+ export LD_LIBRARY_PATH=/path/to/LibSmartScan_5.1.0_openEuler_aarch64/LibSmartScan_ThirdParty/ceph/openEuler_2003_armlib:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=/path/to/LibSmartScan_5.1.0_openEuler_aarch64/LibSmartScan_ThirdParty/rpc/openEuler_2003_armlib:$LD_LIBRARY_PATH
+ ```
+
+3. postgresql.conf添加guc参数:
+
+ ```shell
+ shared_preload_libraries = 'ndpplugin'
+ synchronize_seqscans = off
+ ```
+
+4. 启动libsmartscan服务,见**[libsmartscan安装](./libsmartscan/libsmartscan-installation.md)**。
+
+5. 创建数据库并连接数据库开始使用。
+
+ ```sql
+ MogDB=# create extension ndpplugin;
+ CREATE EXTENSION
+ ```
\ No newline at end of file
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-overview.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-overview.md
new file mode 100644
index 00000000..38be84e9
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-overview.md
@@ -0,0 +1,10 @@
+---
+title: NDPPlugin概述
+summary: NDPPlugin概述
+author: Guo Huan
+date: 2023-11-21
+---
+
+# NDPPlugin概述
+
+MogDB提供NDPPluign Extension(版本为ndpplugin-1.0.0)。NDPPlugin Extension是MogDB资源池化场景下算子卸载扩展。共享存储虽然带来弹性,可靠性的好处,但是和本地盘单机比较性能会下降较多,主要是网络IO和分布式存储自身带来的延迟,尤其对于大规模查询buffer pool无法缓存的场景,大量的数据需要从存储节点搬运到计算节点,这些批量数据经过滤后大部分场景有效数据内容占比非常少,耗费大量的无用网络IO时间,性能较差。通过算子卸载将数据过滤卸载到存储侧执行,去除不需要的数据,从而减少网络通信数据量,提升端到端性能。
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-guc-parameters.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-guc-parameters.md
new file mode 100644
index 00000000..a26253b2
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-guc-parameters.md
@@ -0,0 +1,43 @@
+---
+title: NDPPlugin GUC参数说明
+summary: NDPPlugin GUC参数说明
+author: Guo Huan
+date: 2023-11-21
+---
+
+# NDPPlugin GUC参数说明
+
+## ndpplugin.enable_ndp
+
+**参数说明**:参数值为布尔类型,该参数用于使能插件。
+
+**取值范围**:布尔型
+
+- on表示开启算子卸载特性。
+- off表示关闭算子卸载特性。
+
+**默认值**:off
+
+## ndpplugin.pushdown_min_blocks
+
+**参数说明**:参数值为整数,该参数限制下推页面数阈值,页面数小于阈值的表即使满足下推条件也不会走下推流程。
+
+**取值范围**:[0, INT_MAX / 1000]
+
+**默认值**:0
+
+## ndpplugin.ndp_port
+
+**参数说明**:参数值为整数,该参数指定存储集群libsmartscan进程监听的端口号,用于和libsmartscan进程通信,发送任务。
+
+**取值范围**:字符串
+
+**默认值**:./
+
+## ndpplugin.crl_path
+
+**参数说明**:参数为字符串,该参数仅在开启SSL时有效,指定CRL证书路径。
+
+**取值范围**:字符串
+
+**默认值**:./
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-reference.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-reference.md
new file mode 100644
index 00000000..8cc2ca31
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-reference.md
@@ -0,0 +1,11 @@
+---
+title: ndpplugin Extension
+summary: ndpplugin Extension
+author: Guo Huan
+date: 2023-11-21
+---
+
+# NDPPlugin参考
+
+- **[系统视图](./ndpplugin-extension-view)**
+- **[GUC参数说明](./ndpplugin-extension-guc-parameters.md)**
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-view.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-view.md
new file mode 100644
index 00000000..0b95c82e
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-view.md
@@ -0,0 +1,32 @@
+---
+title: ndpplugin系统视图
+summary: ndpplugin系统视图
+author: Guo Huan
+date: 2023-11-21
+---
+
+# NDPPlugin系统视图
+
+pushdown_statics视图显示下推查询基础统计信息。
+
+| 名称 | 类型 | 描述 |
+| :-------------------- | :------------ | :--------------------------------- |
+| query | unsigned long | 下推查询数 |
+| total_pushdown_page | unsigned long | 下推页面数 |
+| back_to_gauss | unsigned long | 返回原生处理页面数 |
+| received_scan | unsigned long | 接收到的scan算子数据过滤后的页面数 |
+| received_agg | unsigned long | 接收到的agg算子数据聚合后的页面数 |
+| failed_backend_handle | unsigned long | 存储侧libsmartscan处理失败页面数 |
+| failed_sendback | unsigned long | 发送失败页面数 |
+
+## 查看视图
+
+ndpplugin视图用于查看查询语句下推详细统计信息,帮助用户判断语句下推情况。
+
+```sql
+MogDB=# select * from pushdown_statics();
+ query | total_pushdown_page | back_to_gauss | received_scan | received_agg | failed_backend_handle | failed_sendback
+-------+---------------------+---------------+---------------+--------------+-----------------------+-----------------
+ 0 | 0 | 0 | 0 | 0 | 0 | 0
+(1 row)
+```
diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension.md b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension.md
new file mode 100644
index 00000000..f51782a4
--- /dev/null
+++ b/product/zh/docs-mogdb/v5.1/developer-guide/extension/ndpplugin-extension/ndpplugin-extension.md
@@ -0,0 +1,14 @@
+---
+title: ndpplugin Extension
+summary: ndpplugin Extension
+author: Guo Huan
+date: 2023-11-21
+---
+
+# NDPPlugin Extension
+
+- **[NDPPlugin概述](./ndpplugin-extension-overview.md)**
+- **[NDPPlugin限制](./ndpplugin-extension-constraints.md)**
+- **[NDPPlugin安装](./ndpplugin-extension-installation.md)**
+- **[NDPPlugin参考](./ndpplugin-extension-reference/ndpplugin-extension-reference.md)**
+- **[libsmartscan介绍](./libsmartscan/libsmartscan.md)**
diff --git a/product/zh/docs-mogdb/v5.1/toc.md b/product/zh/docs-mogdb/v5.1/toc.md
index c1a3827d..169c04ef 100644
--- a/product/zh/docs-mogdb/v5.1/toc.md
+++ b/product/zh/docs-mogdb/v5.1/toc.md
@@ -564,6 +564,16 @@ + [配置设置](/developer-guide/logical-replication/publication-subscription/configuration-settings.md) + [快速设置](/developer-guide/logical-replication/publication-subscription/quick-setup.md) + [Extension](/developer-guide/extension/extension.md) + + [NDPPlugin Extension](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension.md) + + [NDPPlugin概述](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-overview.md) + + [NDPPlugin限制](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-constraints.md) + + [NDPPlugin安装](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-installation.md) + + [NDPPlugin参考](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-reference.md) + + [系统视图](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-view.md) + + [GUC参数说明](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-guc-parameters.md) + + [libsmartscan介绍](/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan.md) + + [libsmartscan安装](/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-installation.md) + + [配置参数说明](/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-parameters.md) + [PostGIS Extension](/developer-guide/extension/postgis-extension/postgis-extension.md) + [PostGIS概述](/developer-guide/extension/postgis-extension/postgis-overview.md) + [PostGIS使用](/developer-guide/extension/postgis-extension/using-postgis.md) diff --git a/product/zh/docs-mogdb/v5.1/toc_extension-referecne.md b/product/zh/docs-mogdb/v5.1/toc_extension-referecne.md index 3bbda21b..465fbeed 100644 --- a/product/zh/docs-mogdb/v5.1/toc_extension-referecne.md +++ b/product/zh/docs-mogdb/v5.1/toc_extension-referecne.md 
@@ -5,12 +5,21 @@ ## 插件指南 -+ PostGIS Extension ++ [NDPPlugin Extension](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension.md) + + [NDPPlugin概述](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-overview.md) + + [NDPPlugin限制](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-constraints.md) + + [NDPPlugin安装](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-installation.md) + + [NDPPlugin参考](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-reference.md) + + [系统视图](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-view.md) + + [GUC参数说明](/developer-guide/extension/ndpplugin-extension/ndpplugin-extension-reference/ndpplugin-extension-guc-parameters.md) + + [libsmartscan介绍](/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan.md) + + [libsmartscan安装](/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-installation.md) + + [配置参数说明](/developer-guide/extension/ndpplugin-extension/libsmartscan/libsmartscan-parameters.md) ++ [PostGIS Extension](/developer-guide/extension/postgis-extension/postgis-extension.md) + [PostGIS概述](/developer-guide/extension/postgis-extension/postgis-overview.md) + [PostGIS使用](/developer-guide/extension/postgis-extension/using-postgis.md) + [PostGIS支持和限制](/developer-guide/extension/postgis-extension/postgis-support-and-constraints.md) -+ Foreign Data Wrapper - + [介绍](/developer-guide/extension/foreign-data-wrapper/fdw-introduction.md) ++ [Foreign Data Wrapper](/developer-guide/extension/foreign-data-wrapper/fdw-introduction.md) + [oracle_fdw](/developer-guide/extension/foreign-data-wrapper/1-oracle_fdw.md) + [mysql_fdw](/developer-guide/extension/foreign-data-wrapper/2-mysql_fdw.md) + [postgres_fdw](/developer-guide/extension/foreign-data-wrapper/3-postgres_fdw.md) -- Gitee From 2767dd76b6e29de06b38234d36a694741948e028 Mon Sep 17 00:00:00 2001 
From: spaceoddity91719 Date: Wed, 22 Nov 2023 11:23:55 +0800 Subject: [PATCH 2/4] =?UTF-8?q?update(mogdb):=E5=88=A0=E9=99=A4=E6=8C=87?= =?UTF-8?q?=E5=AE=9A=E8=8A=82=E7=82=B9=E5=8D=87=E7=BA=A7=E7=9B=B8=E5=85=B3?= =?UTF-8?q?=E5=86=85=E5=AE=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../characteristic-description-overview.md | 2 - .../designated-node-upgrade.md | 36 --------- .../maintainability/maintainability.md | 1 - .../gs_upgradectl.md | 78 +------------------ product/zh/docs-mogdb/v5.1/toc.md | 1 - .../v5.1/toc_characteristic_description.md | 1 - 6 files changed, 1 insertion(+), 118 deletions(-) delete mode 100644 product/zh/docs-mogdb/v5.1/characteristic-description/maintainability/designated-node-upgrade.md diff --git a/product/zh/docs-mogdb/v5.1/characteristic-description/characteristic-description-overview.md b/product/zh/docs-mogdb/v5.1/characteristic-description/characteristic-description-overview.md index 9b1d9b81..9458495f 100644 --- a/product/zh/docs-mogdb/v5.1/characteristic-description/characteristic-description-overview.md +++ b/product/zh/docs-mogdb/v5.1/characteristic-description/characteristic-description-overview.md @@ -57,7 +57,6 @@ MogDB 5.1版本具有以下特性: + [表级别并行恢复优化](./high-availability/table-level-parallel-recovery-optimization.md) + 维护性 + [灰度升级](./maintainability/1-gray-upgrade.md) - + [指定节点升级](./maintainability/designated-node-upgrade.md) + [支持WDR诊断报告](./maintainability/2-workload-diagnosis-report.md) + [慢SQL诊断](./maintainability/3-slow-sql-diagnosis.md) + [Session性能诊断](./maintainability/4-session-performance-diagnosis.md) @@ -66,7 +65,6 @@ MogDB 5.1版本具有以下特性: + [插件拆分](./maintainability/extension-splitting.md) + [内置stack工具](./maintainability/built-in-stack-tool.md) + [支持SQL PATCH](./maintainability/sql-patch.md) - + 兼容性 + [视图增加%rowtype属性](./compatibility/add-rowtype-attribute-to-the-view.md) + [聚合函数distinct性能优化](./compatibility/aggregate-functions-distinct-performance-optimization.md) 
diff --git a/product/zh/docs-mogdb/v5.1/characteristic-description/maintainability/designated-node-upgrade.md b/product/zh/docs-mogdb/v5.1/characteristic-description/maintainability/designated-node-upgrade.md deleted file mode 100644 index b7d2e259..00000000 --- a/product/zh/docs-mogdb/v5.1/characteristic-description/maintainability/designated-node-upgrade.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: 指定节点升级 -summary: 指定节点升级 -author: Guo Huan -date: 2023-10-19 ---- - -# 指定节点升级 - -## 可获得性 - -本特性自MogDB 5.1.0版本开始引入。 - -## 特性简介 - -在灰度升级下支持升级指定的部分节点,再升级剩余节点。 - -## 客户价值 - -在灰度升级下,提供一种升级指定部分节点的功能。保证在不中断业务的情况下,先升级部分节点再升级剩余节点。 - -## 特性描述 - -指定节点升级是一种支持升级部分节点的在线升级方式。目前指定节点升级是在灰度升级基础上添加升级指定节点的功能,同灰度升级一样,再升级部分节点过程中,涉及数据库二进制的替换,为了尽可能降低对于业务的影响,采用同一节点两套二进制同时存在的方式,使用软连接切换的方式来进行进程版本的切换升级(闪断一次,10秒以内)。所有节点的升级,可通过两步完成升级操作,第一步升级指定节点,第二步升级剩余节点。待所有节点全部升级之后,才可进行提交操作。 - -## 特性增强 - -无。 - -## 特性约束 - -满足所有灰度升级的约束条件。灰度升级的约束条件请参见“管理指南 -> 升级指南”章节。 - -## 依赖关系 - -无。 diff --git a/product/zh/docs-mogdb/v5.1/characteristic-description/maintainability/maintainability.md b/product/zh/docs-mogdb/v5.1/characteristic-description/maintainability/maintainability.md index ea60c1a5..a1723c16 100644 --- a/product/zh/docs-mogdb/v5.1/characteristic-description/maintainability/maintainability.md +++ b/product/zh/docs-mogdb/v5.1/characteristic-description/maintainability/maintainability.md @@ -8,7 +8,6 @@ date: 2023-05-22 # 维护性 + **[灰度升级](1-gray-upgrade.md)** -+ **[指定节点升级](designated-node-upgrade.md)** + **[支持WDR诊断报告](2-workload-diagnosis-report.md)** + **[慢SQL诊断](3-slow-sql-diagnosis.md)** + **[Session性能诊断](4-session-performance-diagnosis.md)** diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_upgradectl.md b/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_upgradectl.md index 7ab1be9a..0ccec644 100644 
--- a/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_upgradectl.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/tool-reference/tools-used-in-the-internal-system/gs_upgradectl.md @@ -19,8 +19,6 @@ date: 2021-06-07 灰度升级:灰度升级支持全业务操作,也是一次性升级所有节点(MogDB 2.0版本之后的版本支持该功能)。 -指定节点升级:指定节点升级支持全业务操作,可先升级部分指定节点,在升级剩余节点(MogDB 3.1.0版本之后的版本支持该功能)。 - ## 注意事项 - 升级操作不能和扩容、缩容同时执行。 
@@ -261,81 +259,7 @@ Successfully Cleaned old install path. Commit binary upgrade succeeded. ``` -**示例五**:使用gs\_upgradectl脚本执行指定节点升级。 - -``` -gs_upgradectl -t auto-upgrade -X /data/node2.xml --grey -h hostname0 -Static configuration matched with old static configuration files. -Successfully set upgrade_mode to 0. -Checking upgrade environment. -Successfully checked upgrade environment. -Start to do health check. -Successfully checked cluster status. -Upgrade nodes ['hostname0']. -NOTICE: The directory /data/install/app_oldcommitid will be deleted after commit-upgrade, please make sure there is no personal data. -Performing grey rollback. -No need to rollback. -The directory /data/install/app_oldcommitid will be deleted after commit-upgrade, please make sure there is no personal data. -Installing new binary. -copy certs from /data/install/app_oldcommitid to /data/install/app_newcommitid. -Successfully copy certs from /data/install/app_oldcommitid to /data/install/app_newcommitid. -Successfully backup hotpatch config file. -Sync cluster configuration. -Successfully synced cluster configuration. -Switch symbolic link to new binary directory. -Successfully switch symbolic link to new binary directory. -Switching all db processes. -Check cluster state. -Create checkpoint before switching. -Switching DN processes. -Ready to grey start cluster. -Grey start cluster successfully. -Wait for the cluster status normal or degrade. -Successfully switch all process version -The nodes ['hostname0'] have been successfully upgraded to new version. Then do health check. -Start to do health check. -Successfully checked cluster status. -The nodes ['hostname0']ve been successfully upgraded.Then can upgrade the remaining nodes. -``` - -升级剩余节点 - -``` -gs_upgradectl -t auto-upgrade -X /data/node2.xml --grey --continue -Static configuration matched with old static configuration files. -Checking upgrade environment. -['hostname0'] node have been upgrade, can upgrade the remaining nodes. 
-Successfully checked upgrade environment. -Start to do health check. -Successfully checked cluster status. -Successfully backup hotpatch config file. -Sync cluster configuration. -Successfully synced cluster configuration. -Switch symbolic link to new binary directory. -Successfully switch symbolic link to new binary directory. -Switching all db processes. -Check cluster state. -Create checkpoint before switching. -Switching DN processes. -Ready to grey start cluster. -Grey start cluster successfully. -Wait for the cluster status normal or degrade. -Successfully switch all process version -The nodes ['hostname1'] have been successfully upgraded to new version. Then do health check. -Start to do health check. -Successfully checked cluster status. -Waiting for the cluster status to become normal. -. -The cluster status is normal. -Create checkpoint before switching. -Upgrade main process has been finished, user can do some check now. -Once the check done, please execute following command to commit upgrade: - -gs_upgradectl -t commit-upgrade -X /data/node2.xml -Successfully upgrade all nodes. -``` - -**示例六**:使用gs_upgradectl脚本执行集群管理组件增量升级。 +**示例五**:使用gs_upgradectl脚本执行集群管理组件增量升级。 ```bash gs_upgradectl -t upgrade-cm --upgarde-package /data/MogDB-3.1.0-CentOS-64bit-cm.tar.gz diff --git a/product/zh/docs-mogdb/v5.1/toc.md b/product/zh/docs-mogdb/v5.1/toc.md index 169c04ef..b2168ae2 100644 --- a/product/zh/docs-mogdb/v5.1/toc.md +++ b/product/zh/docs-mogdb/v5.1/toc.md 
@@ -95,7 +95,6 @@ + [表级别并行恢复优化](/characteristic-description/high-availability/table-level-parallel-recovery-optimization.md) + [维护性](/characteristic-description/maintainability/maintainability.md) + [灰度升级](/characteristic-description/maintainability/1-gray-upgrade.md) - + [指定节点升级](/characteristic-description/maintainability/designated-node-upgrade.md) + [支持WDR诊断报告](/characteristic-description/maintainability/2-workload-diagnosis-report.md) + [慢SQL诊断](/characteristic-description/maintainability/3-slow-sql-diagnosis.md) + [Session性能诊断](/characteristic-description/maintainability/4-session-performance-diagnosis.md) diff --git a/product/zh/docs-mogdb/v5.1/toc_characteristic_description.md b/product/zh/docs-mogdb/v5.1/toc_characteristic_description.md index c8d8b292..308e3aaa 100644 --- a/product/zh/docs-mogdb/v5.1/toc_characteristic_description.md +++ b/product/zh/docs-mogdb/v5.1/toc_characteristic_description.md @@ -55,7 +55,6 @@ + [表级别并行恢复优化](/characteristic-description/high-availability/table-level-parallel-recovery-optimization.md) + [维护性](/characteristic-description/maintainability/maintainability.md) + [灰度升级](/characteristic-description/maintainability/1-gray-upgrade.md) - + [指定节点升级](/characteristic-description/maintainability/designated-node-upgrade.md) + [支持WDR诊断报告](/characteristic-description/maintainability/2-workload-diagnosis-report.md) + [慢SQL诊断](/characteristic-description/maintainability/3-slow-sql-diagnosis.md) + [Session性能诊断](/characteristic-description/maintainability/4-session-performance-diagnosis.md) -- Gitee From ffb9e1ad43d90d5c84fe0df5dbdf1ac5590a6e13 Mon Sep 17 00:00:00 2001 
From: spaceoddity91719 Date: Wed, 22 Nov 2023 11:45:54 +0800 Subject: [PATCH 3/4] =?UTF-8?q?update(mogdb):=E4=BC=98=E5=8C=96dolphin=20I?= =?UTF-8?q?NDEX=5FSTAITISTIC=E8=A7=86=E5=9B=BE=E5=AD=97=E6=AE=B5=E6=8F=8F?= =?UTF-8?q?=E8=BF=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md | 6 +++--- .../dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md | 6 +++--- .../functions-and-operators/aggregate-functions.md | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/product/zh/docs-mogdb/v5.0/developer-guide/mysql-compatibility-description/dolphin-extension/dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md b/product/zh/docs-mogdb/v5.0/developer-guide/mysql-compatibility-description/dolphin-extension/dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md index 17a01af2..a08ab0cd 100644 --- a/product/zh/docs-mogdb/v5.0/developer-guide/mysql-compatibility-description/dolphin-extension/dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md +++ b/product/zh/docs-mogdb/v5.0/developer-guide/mysql-compatibility-description/dolphin-extension/dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md @@ -21,9 +21,9 @@ INDEX_STAITISTIC视图存储当前数据库的索引信息。 | column_name | name | 索引列的列名 | | collation | text | 取值有A(默认,升序),D(降序)、NULL(索引不支持排序) | | cardinality | double precision | 根据pg_statistic.stadistinct和pg_class.reltuples计算得到:
stadistinct > 0: stadistinct
stadistinct = 0: NULL
stadistinct < 0: reltuples \* stadistinct \* -1 | -| sub_part | text | 索引前缀。如果该列仅被部分索引,则是索引字符的数量;如果整个列都被索引,则是NULL。当前不支持前缀索引,NULL | +| sub_part | text | 索引前缀。如果该列仅被部分索引,则是索引字符的数量;如果整个列都被索引,则是NULL。当前不支持前缀索引,恒为NULL | | packed | text | 如何打包key值,create table时指定pack_keys;否则返回NULL。当前不支持,为NULL | -| null | text | 可能包含NULL值则是YES,否则为 | +| null | text | 可能包含NULL值则是YES,否则为空字符串'' | | index_type | name | 使用的索引方法:BTREE、HASH等 | -| comment | text | pg_index表中记录的indisusable为true则显示disabled,false则显示'' | +| comment | text | pg_index表中记录的indisusable为true则显示disabled,false则显示空字符串'' | | index_comment | text | 创建索引时COMMENT指定的注释信息 | \ No newline at end of file diff --git a/product/zh/docs-mogdb/v5.1/developer-guide/mysql-compatibility-description/dolphin-extension/dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md b/product/zh/docs-mogdb/v5.1/developer-guide/mysql-compatibility-description/dolphin-extension/dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md index 17a01af2..a08ab0cd 100644 --- a/product/zh/docs-mogdb/v5.1/developer-guide/mysql-compatibility-description/dolphin-extension/dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md +++ b/product/zh/docs-mogdb/v5.1/developer-guide/mysql-compatibility-description/dolphin-extension/dolphin-syntax/system-views/dolphin-INDEX_STAITISTIC.md @@ -21,9 +21,9 @@ INDEX_STAITISTIC视图存储当前数据库的索引信息。 | column_name | name | 索引列的列名 | | collation | text | 取值有A(默认,升序),D(降序)、NULL(索引不支持排序) | | cardinality | double precision | 根据pg_statistic.stadistinct和pg_class.reltuples计算得到:
stadistinct > 0: stadistinct
stadistinct = 0: NULL
stadistinct < 0: reltuples \* stadistinct \* -1 | -| sub_part | text | 索引前缀。如果该列仅被部分索引,则是索引字符的数量;如果整个列都被索引,则是NULL。当前不支持前缀索引,NULL | +| sub_part | text | 索引前缀。如果该列仅被部分索引,则是索引字符的数量;如果整个列都被索引,则是NULL。当前不支持前缀索引,恒为NULL | | packed | text | 如何打包key值,create table时指定pack_keys;否则返回NULL。当前不支持,为NULL | -| null | text | 可能包含NULL值则是YES,否则为 | +| null | text | 可能包含NULL值则是YES,否则为空字符串'' | | index_type | name | 使用的索引方法:BTREE、HASH等 | -| comment | text | pg_index表中记录的indisusable为true则显示disabled,false则显示'' | +| comment | text | pg_index表中记录的indisusable为true则显示disabled,false则显示空字符串'' | | index_comment | text | 创建索引时COMMENT指定的注释信息 | \ No newline at end of file diff --git a/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/aggregate-functions.md b/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/aggregate-functions.md index e3dc52fd..40198fbb 100644 --- a/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/aggregate-functions.md +++ b/product/zh/docs-mogdb/v5.1/reference-guide/functions-and-operators/aggregate-functions.md @@ -24,9 +24,9 @@ date: 2021-04-20 ```sql MogDB=# CREATE TABLE tab(a int); CREATE TABLE - MogDB=# INSERT INTO tab vvaluse(1); + MogDB=# INSERT INTO tab valuse(1); INSERT 0 1 - MogDB=# INSERT INTO tab vvaluse(2); + MogDB=# INSERT INTO tab valuse(2); INSERT 0 1 MogDB=# SELECT SUM(a) FROM tab; sum -- Gitee From a526d5b86000a1f4895af866ab7a0074164ddacd Mon Sep 17 00:00:00 2001 From: spaceoddity91719 Date: Thu, 23 Nov 2023 17:12:43 +0800 Subject: [PATCH 4/4] =?UTF-8?q?update(mogdb):=E8=AE=BE=E7=BD=AE=E7=BB=9F?= =?UTF-8?q?=E4=B8=80=E5=AE=A1=E8=AE=A1=E7=AD=96=E7=95=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../security/3-configuring-database-audit.md | 92 +++++++++++++++++++ .../security/3-configuring-database-audit.md | 92 +++++++++++++++++++ 2 files changed, 184 insertions(+) 
diff --git a/product/zh/docs-mogdb/v5.0/security-guide/security/3-configuring-database-audit.md b/product/zh/docs-mogdb/v5.0/security-guide/security/3-configuring-database-audit.md
index 736a8a85..651e2962 100644
--- a/product/zh/docs-mogdb/v5.0/security-guide/security/3-configuring-database-audit.md
+++ b/product/zh/docs-mogdb/v5.0/security-guide/security/3-configuring-database-audit.md
@@ -328,6 +328,98 @@ date: 2021-03-04
+## 设置统一审计策略 + +**背景信息** + +传统审计会产生大量的审计日志,且不支持定制化的访问对象和访问来源配置,不方便数据库安全管理员对审计日志的分析。而统一审计策略支持绑定资源标签、配置数据来源输出审计日志,可以提升安全管理员对数据库监控的效率。 + +**操作步骤** + +1. 执行以下命令开启统一审计开关。 + + ```shell + gs_guc reload -Z coordinator -N all -I all -c "enable_security_policy=on" + ``` + +2. 操作系统root用户进行rsyslog配置。 + + 在操作系统后台服务配置文件/etc/rsyslog.conf中添加: + + ```shell + local0.* /var/log/localmessages + ``` + + 重启rsyslog服务使配置生效。 + + ```shell + sudo systemctl restart rsyslog + ``` + +3. 安全策略管理员登录数据库,配置资源标签,对于安全策略管理员的相关操作参考[管理员](./2-managing-users-and-their-permissions.md#管理员)章节,审计策略参数参考SQL语法描述。 + + ```sql + -- 初始化资源 + DROP TABLE IF EXISTS table_security_auditing; + CREATE TABLE table_security_auditing(id int,name char(10)); + create user user001 password '********'; + create user user002 password '********'; + grant all privileges to user001; + + -- 新建资源标签 + DROP RESOURCE LABEL IF EXISTS rl_security_auditing; + CREATE RESOURCE LABEL rl_security_auditing ADD TABLE(table_security_auditing); + + -- 创建审计策略,审计用户user001在资源标签rl_security_auditing上的DDL、DML操作 + CREATE AUDIT POLICY audit_security_priall PRIVILEGES all on LABEL(rl_security_auditing) FILTER ON ROLES(user001); + CREATE AUDIT POLICY audit_security_accall ACCESS all on LABEL(rl_security_auditing) FILTER ON ROLES(user001); + ``` + +4. 使用用户user001登录数据库,执行如下操作, 触发审计策略。 + + ```sql + -- DML + insert into table_security_auditing values(1,'22'); + update table_security_auditing set name=234123 where id=1; + delete from table_security_auditing where id=1; + truncate table table_security_auditing; + -- DDL + GRANT INSERT ON TABLE table_security_auditing TO user002; + revoke insert on table table_security_auditing from user002; + ``` + +5. 
使用操作系统root用户查看审计日志/var/log/localmessage。 + + ```shell + Oct 9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [INSERT], policy id: [16423], table: [public.table_security_auditi ng], result: [OK] + Oct 9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [UPDATE], policy id: [16423], table: [public.table_security_auditi ng], result: [OK] + Oct 9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [DELETE], policy id: [16423], table: [public.table_security_auditi ng], result: [OK] + Oct 9 15:38:12 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [TRUNCATE], policy id: [16423], table: [public.table_security_audi ting], result: [OK] + Oct 9 15:49:41 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], privilege type: [GRANT ON TABLE postgres.public.table_security_auditing TO user002], poy id: [16408], result: [OK] + Oct 9 15:49:53 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], privilege type: [REVOKE ON TABLE postgres.public.table_security_auditing FROM user002],licy id: [16408], result: [OK] + ``` + +6. 如不需要继续对特定资源进行审计,可移除审计策略。 + + ```sql + drop audit policy audit_security_priall; + drop audit policy audit_security_accall; + ``` + +**统一审计日志字段说明** + +```shell +Oct 9 15:38:12 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [TRUNCATE], policy id: [16423], table: [public.table_security_auditing], result: [OK] +``` + +以如上TRUNCATE操作触发的审计日志为例,字段说明如下: + +|时间戳|主机名|事件类型|用户名|触发客户端|客户端IP|操作类型|策略ID|列名称|执行结果| + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **注意:** 在使用DATABASE LINK功能的场景下,客户端发起的DATABASE LINK请求,实际的发送方是服务端,发送端ip地址等相关的属性将是服务端的值。 + +
+ ## 设置文件权限安全策略 **背景信息** diff --git a/product/zh/docs-mogdb/v5.1/security-guide/security/3-configuring-database-audit.md b/product/zh/docs-mogdb/v5.1/security-guide/security/3-configuring-database-audit.md index 736a8a85..651e2962 100644 --- a/product/zh/docs-mogdb/v5.1/security-guide/security/3-configuring-database-audit.md +++ b/product/zh/docs-mogdb/v5.1/security-guide/security/3-configuring-database-audit.md @@ -328,6 +328,98 @@ date: 2021-03-04
+## 设置统一审计策略 + +**背景信息** + +传统审计会产生大量的审计日志,且不支持定制化的访问对象和访问来源配置,不方便数据库安全管理员对审计日志的分析。而统一审计策略支持绑定资源标签、配置数据来源输出审计日志,可以提升安全管理员对数据库监控的效率。 + +**操作步骤** + +1. 执行以下命令开启统一审计开关。 + + ```shell + gs_guc reload -Z coordinator -N all -I all -c "enable_security_policy=on" + ``` + +2. 操作系统root用户进行rsyslog配置。 + + 在操作系统后台服务配置文件/etc/rsyslog.conf中添加: + + ```shell + local0.* /var/log/localmessages + ``` + + 重启rsyslog服务使配置生效。 + + ```shell + sudo systemctl restart rsyslog + ``` + +3. 安全策略管理员登录数据库,配置资源标签,对于安全策略管理员的相关操作参考[管理员](./2-managing-users-and-their-permissions.md#管理员)章节,审计策略参数参考SQL语法描述。 + + ```sql + -- 初始化资源 + DROP TABLE IF EXISTS table_security_auditing; + CREATE TABLE table_security_auditing(id int,name char(10)); + create user user001 password '********'; + create user user002 password '********'; + grant all privileges to user001; + + -- 新建资源标签 + DROP RESOURCE LABEL IF EXISTS rl_security_auditing; + CREATE RESOURCE LABEL rl_security_auditing ADD TABLE(table_security_auditing); + + -- 创建审计策略,审计用户user001在资源标签rl_security_auditing上的DDL、DML操作 + CREATE AUDIT POLICY audit_security_priall PRIVILEGES all on LABEL(rl_security_auditing) FILTER ON ROLES(user001); + CREATE AUDIT POLICY audit_security_accall ACCESS all on LABEL(rl_security_auditing) FILTER ON ROLES(user001); + ``` + +4. 使用用户user001登录数据库,执行如下操作, 触发审计策略。 + + ```sql + -- DML + insert into table_security_auditing values(1,'22'); + update table_security_auditing set name=234123 where id=1; + delete from table_security_auditing where id=1; + truncate table table_security_auditing; + -- DDL + GRANT INSERT ON TABLE table_security_auditing TO user002; + revoke insert on table table_security_auditing from user002; + ``` + +5. 
使用操作系统root用户查看审计日志/var/log/localmessage。 + + ```shell + Oct 9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [INSERT], policy id: [16423], table: [public.table_security_auditi ng], result: [OK] + Oct 9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [UPDATE], policy id: [16423], table: [public.table_security_auditi ng], result: [OK] + Oct 9 15:38:11 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [DELETE], policy id: [16423], table: [public.table_security_auditi ng], result: [OK] + Oct 9 15:38:12 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [TRUNCATE], policy id: [16423], table: [public.table_security_audi ting], result: [OK] + Oct 9 15:49:41 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], privilege type: [GRANT ON TABLE postgres.public.table_security_auditing TO user002], poy id: [16408], result: [OK] + Oct 9 15:49:53 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], privilege type: [REVOKE ON TABLE postgres.public.table_security_auditing FROM user002],licy id: [16408], result: [OK] + ``` + +6. 如不需要继续对特定资源进行审计,可移除审计策略。 + + ```sql + drop audit policy audit_security_priall; + drop audit policy audit_security_accall; + ``` + +**统一审计日志字段说明** + +```shell +Oct 9 15:38:12 localhost PGAUDIT: AUDIT EVENT: user name: [user001], app_name: [gsql], client_ip: [local], access type: [TRUNCATE], policy id: [16423], table: [public.table_security_auditing], result: [OK] +``` + +以如上TRUNCATE操作触发的审计日志为例,字段说明如下: + +|时间戳|主机名|事件类型|用户名|触发客户端|客户端IP|操作类型|策略ID|列名称|执行结果| + +> ![img](https://cdn-mogdb.enmotech.com/docs-media/icon/icon-note.gif) **注意:** 在使用DATABASE LINK功能的场景下,客户端发起的DATABASE LINK请求,实际的发送方是服务端,发送端ip地址等相关的属性将是服务端的值。 + +
+ ## 设置文件权限安全策略 **背景信息** -- Gitee