
Secondary Authorization for High-Risk Database Operations

Updated on 2022-11-30 GMT+08:00

In a CBH system, O&M users can delete, modify, and view the contents of managed database instances by running commands. To protect sensitive database information and prevent key information from being lost or disclosed, CBH lets you configure an approval process for high-risk database operations and monitor key information.

This section uses administrator admin_A as an example to describe how to configure secondary authorization so that high-risk operations performed by O&M user User_A on MySQL database instance RDS_A take effect only after admin_A approves them.

Application Scenarios

With Cloud Bastion Host (CBH), you can set database control policies with preset command execution rules so that high-risk commands (for example, deleting databases, modifying key information, or viewing sensitive information) are dynamically identified and intercepted, and the database O&M session is interrupted. The system then automatically generates a database authorization ticket and sends it to the administrator for secondary authorization. The O&M user can resume the interrupted session only after the administrator approves the ticket and authorizes the high-risk operation.

Constraints

Currently, secondary authorization of high-risk operations applies only to commands executed on MySQL or Oracle database instances.

Prerequisites

  • The security group to which the CBH instance belongs allows access to the database port, and the network connection between the database and the CBH system is normal.
  • Database RDS_A has been managed as a host resource.
  • O&M user User_A has obtained the access control permission for RDS_A.

Configuring the Secondary Authorization Policy

To require approval for high-risk operations on database instances, preset command rules on the DB Rules page of the Policy module and set the Action field of the database rule to Dynamic approval.

  1. Log in to the CBH system as admin_A.
  2. Choose Policy > DB Rules to go to the DB Rules page.
  3. Configure the database rule set and select the preset high-risk operation commands.

    1. Click the RegSet tab.
      Figure 1 RegSet
    2. Click New to create a rule set for MySQL databases. This example uses the DB-test rule set.
      Figure 2 New RegSet
    3. Click Add Regulation in the Operation column of the DB-test row to add a library, table, or command rule. The following example adds the DELETE command, which deletes table content.
      NOTE:
      • The Cmd field is mandatory. You must select at least one command. You can select multiple commands at a time.
      • Set the Lib or Table field to restrict operation commands on the database library or tables.
      • If the Lib or Table field is left blank, all operation commands in the database are restricted.
      Figure 3 Add regulation

  4. Configure a DB rule.

    1. Click the DB Rules tab.
      Figure 4 DB Rules
    2. Click New to create a database rule whose Action is Dynamic approval. This example uses database rule DB-ACL.
      Figure 5 Configuring dynamic approval
    3. Relate the rule to rule set DB-test.
      Figure 6 Relating a new database rule to a rule set (RegSet)
    4. Relate user User_A to resource RDS_A.
      Figure 7 Relating users to resources

Verifying the Secondary Authorization Policy

An O&M user performs a high-risk operation, which is intercepted, and then applies for permission to perform it. The administrator reviews the request and authorizes the high-risk operation, which strengthens the management and control of core database assets.

  1. Log in to RDS_A as O&M user User_A.

    1. Log in to the CBH system.
    2. Choose Operation > Host Ops.
    3. Click Log In to log in to database resource RDS_A using an SSO tool.
      Figure 8 Database login

  2. Using the Navicat client as an example, O&M user User_A attempts to delete table content from RDS_A. The DELETE command is automatically intercepted, and a message is displayed indicating that User_A does not have permission to delete the table content.
  3. O&M user User_A submits a database authorization ticket to administrator admin_A for approval of the deletion operation.

    1. Log in to the CBH system as O&M user User_A.
    2. Choose Ticket > DB Tickets and view the tickets generated due to the interception of the deletion.
    3. Click Submit to submit the application for granting the required permissions on RDS_A.
      Figure 9 DB Tickets

  4. Administrator admin_A approves or rejects the operation requested by User_A as appropriate.

    1. Log in to the CBH system as administrator admin_A.
    2. Choose Ticket > Approve and review the ticket submitted by User_A.
    3. Click Approve or Reject to approve or reject the ticket.
      NOTE:
      • The O&M user can resume the intercepted high-risk operation only after the administrator approves the ticket.
      Figure 10 Ticket approval
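To make the rule semantics of the two procedures above concrete (Cmd mandatory, blank Lib or Table meaning any, a pending DB ticket on interception, and resumption only after approval), here is an added Python model; it is illustrative code written for this page, not CBH's own implementation or anything from the Huawei documentation. The SQL parsing, the class and method names, and the "intercept"/"allow" results are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Regulation:
    """One RegSet entry: Cmd is mandatory; a blank Lib or Table (None) means any."""
    cmds: frozenset
    lib: "str | None" = None
    table: "str | None" = None

@dataclass
class Ticket:
    user: str
    resource: str
    statement: str
    status: str = "pending"  # pending -> approved | rejected

def parse_statement(sql, default_lib=None):
    """Return (command, lib, table); unqualified names resolve to the session's current database."""
    cmd = sql.split()[0].upper()
    m = re.search(r"\b(?:FROM|TABLE|UPDATE|INTO|JOIN)\s+`?(\w+)`?(?:\.`?(\w+)`?)?", sql, re.I)
    if not m:
        return cmd, default_lib, None
    if m.group(2):
        return cmd, m.group(1), m.group(2)
    return cmd, default_lib, m.group(1)

@dataclass
class DynamicApprovalRule:
    """A DB rule with Action = Dynamic approval (like DB-ACL), relating users, resources and a RegSet."""
    regset: list
    users: set
    resources: set
    tickets: list = field(default_factory=list)

    def evaluate(self, user, resource, sql, current_lib=None):
        """Return 'intercept' (and open a pending DB ticket) or 'allow'."""
        if user not in self.users or resource not in self.resources:
            return "allow"  # the rule is not related to this user/resource pair
        cmd, lib, table = parse_statement(sql, current_lib)
        for reg in self.regset:
            if cmd in reg.cmds and reg.lib in (None, lib) and reg.table in (None, table):
                self.tickets.append(Ticket(user, resource, sql))
                return "intercept"
        return "allow"
    def decide(self, ticket, approve):
        """Administrator step (Ticket > Approve); only an approved ticket lets the user resume."""
        ticket.status = "approved" if approve else "rejected"
    def may_resume(self, user, resource, sql):
        key = (user, resource, sql)
        return any(t.status == "approved" and (t.user, t.resource, t.statement) == key for t in self.tickets)
```

Relating the rule to a user and resource is what scopes it, mirroring Figure 7; a statement from an unrelated user passes through untouched even if it matches the rule set.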
