This is an automated email from the ASF dual-hosted git repository.

dataroaring pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 9b687026bd [Doc](TLS) add doc for TLS connection (#17683)
9b687026bd is described below

commit 9b687026bde5d17adeb02511299230e7cb24306e
Author: abmdocrt <yukang.lian2...@gmail.com>
AuthorDate: Sun Mar 12 10:01:07 2023 +0800

    [Doc](TLS) add doc for TLS connection (#17683)
---
 docs/en/docs/admin-manual/certificate.md     | 57 ++++++++++++++++++++++++++
 docs/en/docs/get-starting/get-starting.md    | 20 +++++++++
 docs/sidebars.json                           |  1 +
 docs/zh-CN/docs/admin-manual/certificate.md  | 61 ++++++++++++++++++++++++++++
 docs/zh-CN/docs/get-starting/get-starting.md | 20 +++++++++
 5 files changed, 159 insertions(+)

diff --git a/docs/en/docs/admin-manual/certificate.md 
b/docs/en/docs/admin-manual/certificate.md
new file mode 100644
index 0000000000..22c29cb0fd
--- /dev/null
+++ b/docs/en/docs/admin-manual/certificate.md
@@ -0,0 +1,57 @@
+---
+{
+    "title": "TLS certificate",
+    "language": "en"
+}
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Key Certificate Configuration
+
+Doris needs a key certificate file to verify the SSL encrypted connection. The 
default key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default 
password is `doris`. You can modify the FE configuration file `conf/fe. conf`, 
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the 
key certificate file, and you can also add the password corresponding to your 
custom key book file through `mysql_ssl_default_certificate_p [...]
+
+## Custom key certificate file
+
+In addition to the Doris default certificate file, you can also generate a 
custom certificate file through `openssl`. Proceed as follows:
+
+1. Run the following OpenSSL command to generate your private key and public 
certificate. Answer the questions and enter the Common Name when prompted.
+```bash
+openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out 
certificate.pem
+```
+
+2. Review the created certificate.
+```bash
+openssl x509 -text -noout -in certificate.pem
+```
+
+3. Combine your key and certificate in a PKCS#12 (P12) bundle.
+```bash
+openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
+```
+
+4. Validate your P2 file.
+```bash
+openssl pkcs12 -in certificate.p12 -noout -info
+```
+
+After completing these operations, you can get the certificate.p12 file.
+
+>[reference 
documents](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)
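Review bot: Step 4 has a typo, "Validate your P2 file." should read "Validate your P12 file.", and the intro paragraph has a stray space in `conf/fe. conf` (should be `conf/fe.conf`) and says "custom key book file" where "custom key certificate file" is meant. More importantly, the page tells the reader that the default `certificate.p12` with password `doris` is what Doris verifies SSL connections with, but it never says that this bundle ships with every Doris distribution, so its private key is effectively public; add a sentence stating that the default certificate is for testing only and that production deployments must generate their own bundle (the steps below) and point `mysql_ssl_default_certificate` and the password option at it. Step 1 also creates the key with `-nodes` (unencrypted on disk), so it is worth noting that `key.pem` and the resulting `certificate.p12` should be readable only by the FE process user.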
diff --git a/docs/en/docs/get-starting/get-starting.md 
b/docs/en/docs/get-starting/get-starting.md
index f9eee73638..69be69525d 100644
--- a/docs/en/docs/get-starting/get-starting.md
+++ b/docs/en/docs/get-starting/get-starting.md
@@ -159,6 +159,26 @@ ReplayedJournalId: 49292
 
 1. If the IsMaster, Join and Alive columns are true, the node is normal.
 
+#### Communicate with the server over an encrypted connection
+
+Doris supports SSL-based encrypted connections. It currently supports TLS1.2 
and TLS1.3 protocols. Doris' SSL mode can be enabled through the following 
configuration:
+Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
+
+Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+
+1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql 
--ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL 
encrypted connection at the beginning, if it fails , a normal connection is 
attempted.
+
+2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL 
encrypted connection, use normal connection directly.
+
+3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL 
encrypted connections.
+
+>Note:
+>`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to 
[here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)
 for mysql client version lower than this version。
+
+Doris needs a key certificate file to verify the SSL encrypted connection. The 
default key certificate file is located at 
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default 
password is `doris`. You can modify the FE configuration file `conf/fe. conf`, 
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the 
key certificate file, and you can also add the password corresponding to your 
custom key book file through `mysql_ssl_default_certificate_p [...]
+
+For the generation of the key certificate file, please refer to [Key 
Certificate Configuration](../admin-manual/certificate.md)。
+
 #### Stop FE
 
 The stopping of Doris FE can be done with the following command
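Review bot: The PREFERRED bullet ("both try to establish an SSL encrypted connection at the beginning, if it fails , a normal connection is attempted") describes opportunistic encryption that silently downgrades to plaintext, so the section should say explicitly that only `--ssl-mode=REQUIRED` (or the `VERIFY_CA` / `VERIFY_IDENTITY` modes) guarantees an encrypted session, and that `REQUIRED` encrypts but does not check the server certificate, which matters because the default certificate is self-signed. The "Note" link for clients older than mysql 5.7.11 points at the Connector/J (JDBC) connection-properties page, but the sentence is about the `mysql` command-line client; link the client documentation instead (older CLI versions use the legacy `--ssl` option). Minor text fixes in the same hunk: remove the space before the comma in "fails , a normal connection", the full-width "。" at the end of the note sentence and of "Key Certificate Configuration](../admin-manual/certificate.md)。" should be ASCII periods, `conf/fe. conf` should be `conf/fe.conf`, and "custom key book file" should be "custom key certificate file".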
diff --git a/docs/sidebars.json b/docs/sidebars.json
index c78ac33991..252f1040ed 100644
--- a/docs/sidebars.json
+++ b/docs/sidebars.json
@@ -1032,6 +1032,7 @@
                 "admin-manual/query-profile",
                 "admin-manual/tracing",
                 "admin-manual/optimization",
+                "admin-manual/certificate",
                 {
                     "type": "category",
                     "label": "Maintenance and Monitor",
diff --git a/docs/zh-CN/docs/admin-manual/certificate.md 
b/docs/zh-CN/docs/admin-manual/certificate.md
new file mode 100644
index 0000000000..c00d324156
--- /dev/null
+++ b/docs/zh-CN/docs/admin-manual/certificate.md
@@ -0,0 +1,61 @@
+---
+{
+    "title": "SSL密钥证书配置",
+    "language": "zh-CN"
+}
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# SSL密钥证书配置
+
+Doris开启SSL功能需要配置密钥证书,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
 = 
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
 = your_password`添加对应您自定义密钥证书文件的密码。
+
+## 自定义密钥证书文件
+
+除了Doris默认的证书文件,您也可以通过`openssl`生成自定义的证书文件。步骤如下:
+
+1.运行以下OpenSSL命令以生成您的私钥和公共证书,回答问题并在出现提示时输入答案。
+
+```bash
+openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out 
certificate.pem
+```
+
+2.查看创建的证书。
+
+```bash
+openssl x509 -text -noout -in certificate.pem
+```
+
+3.将您的密钥和证书合并到 PKCS#12 (P12) 包中。
+
+```bash
+ openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
+```
+
+4.验证您的P12文件。
+
+```bash
+openssl pkcs12 -in certificate.p12 -noout -info
+```
+
+完成这些操作后即可得到certificate.p12文件。
+
+>[参考文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl)
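Review bot: The numbered steps `1.运行以下OpenSSL命令...`, `2.查看创建的证书。`, `3.将您的密钥和证书合并...` and `4.验证您的P12文件。` have no space after the period, so Markdown will not render them as an ordered list; use `1. 运行...` etc. to match the English page. The code block in step 3 has a leading space before `openssl pkcs12 -inkey key.pem ...`, which the other blocks do not. The page title here is "SSL密钥证书配置" while the English page is titled "TLS certificate"; keep the two consistent. As with the English page, the intro should state that the shipped default `certificate.p12` (password `doris`) is only for testing and that production deployments must generate their own bundle and configure `mysql_ssl_default_certificate` / `mysql_ssl_default_certificate_password` accordingly.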
diff --git a/docs/zh-CN/docs/get-starting/get-starting.md 
b/docs/zh-CN/docs/get-starting/get-starting.md
index df6b73f4bf..5ce1bbe006 100644
--- a/docs/zh-CN/docs/get-starting/get-starting.md
+++ b/docs/zh-CN/docs/get-starting/get-starting.md
@@ -163,6 +163,26 @@ ReplayedJournalId: 49292
 
 1. 如果 IsMaster、Join 和 Alive 三列均为true,则表示节点正常。
 
+#### 加密连接 FE
+
+Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式:
+修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。
+
+接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式:
+
+1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030 
-h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。
+
+2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`,不使用SSL加密连接,直接使用普通连接。
+
+3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。
+
+>注意:
+>`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
+
+Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
 = 
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
 = your_password`添加对应您自定义密钥书文件的密码。
+
+密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。
+
 #### 停止 FE 节点
 
 Doris FE 的停止可以通过下面的命令完成
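Review bot: Same ordered-list issue as the zh-CN certificate page: `1.\`mysql -uroot ...`, `2.\`mysql --ssl-mode=DISABLE ...` and `3.\`mysql --ssl-mode=REQUIRED ...` need a space after the period to render as a list. "自定义密钥书文件的密码" in the last paragraph is missing a character and should read "自定义密钥证书文件的密码". The PREFERRED description ("如果失败,则尝试使用普通连接") should be accompanied by a sentence that only `--ssl-mode=REQUIRED` guarantees an encrypted connection and that `REQUIRED` does not verify the server certificate, and the "注意" link again points at the Connector/J (JDBC) page rather than the `mysql` command-line client documentation.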


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org
