Modifying a Client Authentication Configuration
Scenarios
You can modify a client authentication configuration record based on your application requirements. After the modification, existing sessions that have already been authenticated using the original configuration remain unaffected and continue to function. New sessions, however, will fail to connect if they do not meet the updated authentication requirements. Ensure that the modified configuration aligns with your application requirements.
Constraints
- Client authentication configurations can only be modified for an instance when all its nodes are in the available state.
- In a cross-region disaster recovery scenario, a modification made to a client authentication configuration on the primary instance is not automatically synchronized to the DR instance. If the DR instance needs the same change, modify the configuration on the DR instance manually.
- Instances of V2.0-8.1.0 or later support IPv6 addresses. For details about how to view the instance version, see Checking the DB Engine Version.
- For centralized instances, configuration changes are synchronized across all nodes. For distributed instances, changes are synchronized across all CN components.
- When an external client uses the M-compatible protocol to remotely connect to an M-compatible database, only the SHA-256 authentication method is supported.
- Modified authentication configurations apply only to newly created sessions.
Procedure
- Log in to the management console.
- Click in the upper left corner and select a region and project.
- Click in the upper left corner of the page and choose .
- On the Instances page, click the name of the target instance to go to the Basic Information page.
- In the navigation pane, choose Database Management > Client Authentication.
- On the Authentication Configurations tab, locate the target configuration and click Modify in the Operation column.
Figure 1 Modifying a client authentication configuration
- After a record is modified, click Save in the Operation column.
Figure 2 Modifying a client authentication configuration
Table 1 Parameter description
Parameter
Description
Type
Client connection type.
- host: The DB instance accepts both standard TCP/IP socket connections and SSL-encrypted TCP/IP socket connections.
- hostssl: The DB instance only accepts SSL-encrypted TCP/IP socket connections.
- hostnossl: The DB instance only accepts standard TCP/IP socket connections.
Database
Databases that can be accessed.
- all: The rule matches all databases.
- A specific database name or a list of databases
NOTE:
- The value replication matches requests for replication connections, which are not associated with any specific database. If you intend to access a database named replication, you must explicitly specify "replication" as the database name in the Database column.
User
Users who are allowed to access the databases.
- all: The record matches all users.
- A specific database username or a list of users
Address
Allowed IP address range.
- Currently, only the IP address/mask length format is supported.
- For instances with a DB engine version of V2.0-8.1.0 or later, IPv6 addresses are also supported in the Address column.
Method
Authentication method used for connection.
- reject: A connection is rejected unconditionally. It is commonly used to block certain hosts.
- md5: MD5 is used for authentication. This method is considered insecure and is not recommended. It is disabled by default. To enable it, modify the password_encryption_type parameter. For details about how to modify the parameter, see Modifying Instance Parameters.
- sha256: The client is required to provide a password encrypted using the SHA-256 algorithm. During transmission, the password is combined with a salt (a server-provided random number) and processed using a one-way SHA-256 hash, enhancing security.
- sm3: The client is required to provide a password encrypted using the SM3 algorithm. During transmission, the password is combined with a salt (a server-provided random number) and processed using a one-way SM3 hash, enhancing security.
- cert: A client certificate is used for authentication. This method requires SSL configuration and a valid client SSL certificate. No password is required. The cert authentication method only supports rules with the hostssl client connection type.
- After the modification is saved, check the updated configuration information in the list.
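The rules in Table 1 can be checked before a record is saved, so that new sessions are not locked out by a malformed or unsupported rule. The following is an added example, not part of the original documentation or the product; the record layout (a dict with the five table columns), the function name check_record, and the ipv6_supported flag are assumptions made for illustration.

```python
import ipaddress

# Allowed values as listed in Table 1 of this page.
TYPES = {"host", "hostssl", "hostnossl"}
METHODS = {"reject", "md5", "sha256", "sm3", "cert"}

def check_record(rec, ipv6_supported=False):
    """Lint one record (dict: type, database, user, address, method).

    ipv6_supported is an assumed flag the caller sets to True when the
    instance version is V2.0-8.1.0 or later. Returns a list of findings.
    """
    findings = []
    if rec["type"] not in TYPES:
        findings.append("error: unknown connection type")
    if rec["method"] not in METHODS:
        findings.append("error: unknown authentication method")
    # Only the "IP address/mask length" form is accepted.
    _ip, _, prefix = rec["address"].partition("/")
    if not prefix.isdigit():
        findings.append("error: address must be IP address/mask length")
    else:
        try:
            net = ipaddress.ip_network(rec["address"], strict=False)
            if net.version == 6 and not ipv6_supported:
                findings.append("error: IPv6 needs V2.0-8.1.0 or later")
        except ValueError:
            findings.append("error: invalid IP address or mask length")
    if rec["method"] == "cert" and rec["type"] != "hostssl":
        findings.append("error: cert requires the hostssl type")
    if rec["method"] == "md5":
        findings.append("warning: md5 is insecure and disabled by default")
    if rec["database"] == "replication":
        findings.append('note: matches replication connections; use '
                        '"replication" (quoted) for a database of that name')
    return findings

# Constructed sample records, not taken from a real instance.
SAMPLES = [
    {"type": "hostssl", "database": "all", "user": "app",
     "address": "192.168.1.0/24", "method": "sha256"},
    {"type": "host", "database": "all", "user": "all",
     "address": "10.0.0.5", "method": "cert"},
    {"type": "host", "database": "replication", "user": "repl",
     "address": "2001:db8::/32", "method": "md5"},
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLES, 1):
        for finding in check_record(rec) or ["ok"]:
            print(f"record {i}: {finding}")
```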