一、受限dba功能说明(参考自官方文档)

受限DBA

受限DBA可以对当前DBA的权限进行一定限制。当功能开启后DBA将不能更改以下对象:

Table
Database
Function(by name)
Language
large object
Namespace(by name)
Tablespace(by name)
Foreign data wrapper
Foreign server
Type(by name)
Relation(by oid)
Type(by oid)
Operator(by oid)
Function(by oid)
Namespace(by oid)
Tablespace(by oid)
Operator class(by oid)
search dictionary(by oid)
search configuration(by oid)
database(by oid)
conversion(by oid)
extension(by oid)

二、测试环境

1、系统主机

[kingbase@node102 data]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.1.101 node101 ---原主库
192.168.1.102 node102 ---原备库 node_id | hostname | port | status | lb_weight | role | select_cnt | load_balance_node | replication_delay
---------+---------------+-------+--------+-----------+---------+------------+-------------------+-------------------
0 | 192.168.1.101 | 54321 | up | 0.500000 | primary | 0 | true | 0
1 | 192.168.1.102 | 54321 | up | 0.500000 | standby | 0 | false | 0

2、测试版本

TEST=# select version();
VERSION
-------------------------------------------------------------------------------------------------------------------------
Kingbase V008R003C002B0290 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-46), 64-bit
(1 row)

三、切换前集群状态

1、流复制状态

TEST=# select * from sys_stat_replication;
PID | USESYSID | USENAME | APPLICATION_NAME | CLIENT_ADDR | CLIENT_HOSTNAME | CLIENT_PORT | BACKEND_START | BACKEND_XMIN | STATE | SENT_LOCATION | WRITE_LOCATION | FLUSH_LOCATION | REPLAY_LOCATION | SYNC_PRIORITY | SYNC_STATE
------+----------+---------+------------------+---------------+-----------------+-------------+-------------------------------+--------------+-----------+---------------+----------------+----------------+-----------------+---------------+------------
7758 | 10 | SYSTEM | node102 | 192.168.1.102 | | 33190 | 2022-04-12 10:46:11.448058+08 | | streaming | 0/5020F48 | 0/5020F48 | 0/5020F48 | 0/5020F48 | 2 | sync
(1 row)

2、集群节点状态

[kingbase@node101 bin]$ ./ksql -U SYSTEM -W 123456 TEST -p 9999
ksql (V008R003C002B0290)
Type "help" for help. TEST=# show pool_nodes;
node_id | hostname | port | status | lb_weight | role | select_cnt | load_balance_node | replication_delay
---------+---------------+-------+--------+-----------+---------+------------+-------------------+-------------------
0 | 192.168.1.101 | 54321 | up | 0.500000 | primary | 0 | true | 0
1 | 192.168.1.102 | 54321 | up | 0.500000 | standby | 0 | false | 0
(2 rows)

二、配置集群信息及受限dba

1、关闭自动recovery primary

[kingbase@node102 etc]$ cat HAmodule.conf |grep -i auto_primary
#whether to turn on automatic recovery,0->off,1->on.example:AUTO_PRIMARY_RECOVERY="1"
AUTO_PRIMARY_RECOVERY=0

2、主备库开启受限dba

[kingbase@node101 bin]$ cat ../data/kingbase.conf |grep -i dba
restricted_dba = on [kingbase@node102 bin]$ cat ../data/kingbase.conf |grep -i dba
restricted_dba = on

3、测试受限dba功能(重启集群后)

[kingbase@node101 bin]$ ./ksql -U SYSTEM -W 123456 TEST
ksql (V008R003C002B0290)
Type "help" for help. TEST=# show restricted_dba;
restricted_dba
----------------
on
(1 row) TEST=# create database test1;
CREATE DATABASE
TEST=# create table t1 (id int);
CREATE TABLE
TEST=# alter table t1 add column name varchar(10);
ALTER TABLE TEST=# create user tom with password 'beijing';
CREATE ROLE TEST=# alter user tom with superuser;
ERROR: Restricted DBA can not alter user TEST=# alter user tom with password 'beijing01';
ERROR: Restricted DBA can not alter user

=== 从以上信息可知,system用户现在为restricted dba,其权限受到了限制,但是和官网文档说法有出入。===

四、测试集群主备切换

1、关闭主库数据库服务

[kingbase@node101 bin]$ ./sys_ctl stop -D ../data
waiting for server to shut down.... done
server stopped

2、查看备库recovery.log

=== 从以下日志信息可知,主备切换成功,由于关闭自动recovery primary,原主库节点现在为down状态===

2022-04-12 11:36:01 recover beging...
my pid is 7728,officially began to perform recovery
2022-04-12 11:36:01 check read/write on mount point
2022-04-12 11:36:01 check read/write on mount point (1 / 6).
2022-04-12 11:36:01 stat the directory of the mount point "/home/kingbase/cluster/R3HA/db/data" ...
2022-04-12 11:36:01 stat the directory of the mount point "/home/kingbase/cluster/R3HA/db/data" ... OK
2022-04-12 11:36:01 create/write the file "/home/kingbase/cluster/R3HA/db/data/rw_status_file_662084106" ...
2022-04-12 11:36:01 create/write the file "/home/kingbase/cluster/R3HA/db/data/rw_status_file_662084106" ... OK
2022-04-12 11:36:01 stat the file "/home/kingbase/cluster/R3HA/db/data/rw_status_file_662084106" ...
2022-04-12 11:36:01 stat the file "/home/kingbase/cluster/R3HA/db/data/rw_status_file_662084106" ... OK
2022-04-12 11:36:01 read the file "/home/kingbase/cluster/R3HA/db/data/rw_status_file_662084106" ...
2022-04-12 11:36:01 read the file "/home/kingbase/cluster/R3HA/db/data/rw_status_file_662084106" ... OK
2022-04-12 11:36:01 delete the file "/home/kingbase/cluster/R3HA/db/data/rw_status_file_662084106" ...
2022-04-12 11:36:01 delete the file "/home/kingbase/cluster/R3HA/db/data/rw_status_file_662084106" ... OK
2022-04-12 11:36:01 success to check read/write on mount point (1 / 6).
2022-04-12 11:36:01 check read/write on mount point ... ok
2022-04-12 11:36:01 check if the network is ok
ping trust ip 192.168.1.1 success ping times :[3], success times:[2]
determine if i am master or standby
node_id | hostname | port | status | lb_weight | role | select_cnt | load_balance_node | replication_delay
---------+---------------+-------+--------+-----------+---------+------------+-------------------+-------------------
0 | 192.168.1.101 | 54321 | down | 0.500000 | standby | 0 | false | 0
1 | 192.168.1.102 | 54321 | up | 0.500000 | primary | 0 | true | 0
(2 rows)

3、原备库已经切换为新主库

[kingbase@node102 log]$ ps -ef |grep kingbase

kingbase  4749     1  0 13:56 ?        00:00:01 /home/kingbase/cluster/R3HA/db/bin/kingbase -D /home/kingbase/cluster/R3HA/db/data
kingbase 4759 4749 0 13:56 ? 00:00:00 kingbase: logger process
kingbase 4764 4749 0 13:56 ? 00:00:00 kingbase: checkpointer process
kingbase 4765 4749 0 13:56 ? 00:00:00 kingbase: writer process
kingbase 4766 4749 0 13:56 ? 00:00:00 kingbase: stats collector process
root 5530 1 0 13:57 ? 00:00:00 ./kingbasecluster -n
root 5569 5530 0 13:57 ? 00:00:00 kingbasecluster: watchdog
root 5814 5530 0 13:57 ? 00:00:00 kingbasecluster: lifecheck
root 5816 5814 0 13:57 ? 00:00:00 kingbasecluster: heartbeat receiver
root 5817 5814 0 13:57 ? 00:00:00 kingbasecluster: heartbeat sender
kingbase 19169 4749 0 14:15 ? 00:00:00 kingbase: wal writer process
kingbase 19170 4749 0 14:15 ? 00:00:00 kingbase: autovacuum launcher process
kingbase 19171 4749 0 14:15 ? 00:00:00 kingbase: archiver process last was 00000003.history
kingbase 19172 4749 0 14:15 ? 00:00:00 kingbase: bgworker: syslogical supervisor TEST=# select sys_is_in_recovery();
SYS_IS_IN_RECOVERY
--------------------
f
(1 row)

五、人工recovery原主库为新备库

1、在原主库生成recovery.conf文件

[kingbase@node101 data]$ cp ../etc/recovery.done recovery.conf
[kingbase@node101 data]$ cat recovery.conf
standby_mode='on'
primary_conninfo='port=54321 host=192.168.1.101 user=SYSTEM password=MTIzNDU2 application_name=node102'
recovery_target_timeline='latest'
primary_slot_name ='slot_node102'

2、查看原主库recovery.log

=== 从以下可以获知,备库生成recovery.conf文件后,集群 自动启动rewind服务做recovery,在recovery过程中,出现无法访问函数的错误。===

 node_id |   hostname    | port  | status | lb_weight |  role   | select_cnt | load_balance_node | replication_delay
---------+---------------+-------+--------+-----------+---------+------------+-------------------+-------------------
0 | 192.168.1.101 | 54321 | down | 0.500000 | standby | 0 | false | 0
1 | 192.168.1.102 | 54321 | up | 0.500000 | primary | 0 | true | 0
(2 rows) if recover node up, let it down , for rewind
2022-04-12 11:49:34 sys_rewind...
sys_rewind --target-data=/home/kingbase/cluster/R3HA/db/data --source-server="host=192.168.1.102 port=54321 user=SUPERMANAGER_V8ADMIN dbname=TEST"
datadir_source = /home/kingbase/cluster/R3HA/db/data error running query (select xlog_record_read.read_record('1/0/7000028')) in source server: ERROR: permission denied for schema XLOG_RECORD_READ
LINE 1: select xlog_record_read.read_record('1/0/7000028')
^
status check: restore all the backup temp file, Done!
Failure, exiting
sed conf change #synchronous_standby_names
2022-04-12 11:49:36 file operate
cp recovery.conf...
change recovery.conf ip -> primary.ip
2022-04-12 11:49:37 no need change recovery.conf, primary node is 192.168.1.102
delete pid file if exist
del the replication_slots if exis
drop the slot [slot_node101].
drop the slot [slot_node102].
2022-04-12 11:49:37 start up the kingbase...
waiting for server to start....LOG: redirecting log output to logging collector process
HINT: Future log output will appear in directory "/home/kingbase/cluster/R3HA/db/data/sys_log". done
server started
ksql "port=54321 user=SUPERMANAGER_V8ADMIN dbname=TEST connect_timeout=10" -c "select 33333;"
SYS_CREATE_PHYSICAL_REPLICATION_SLOT
--------------------------------------
(slot_node101,)
(1 row) 2022-04-12 11:49:39 create the slot [slot_node101] success.
SYS_CREATE_PHYSICAL_REPLICATION_SLOT
--------------------------------------
(slot_node102,)
(1 row) 2022-04-12 11:49:39 create the slot [slot_node102] success.
2022-04-12 11:49:39 start up standby successful!
cluster is sync cluster.
SYNC RECOVER MODE ...
2022-04-12 11:49:39 remote primary node change sync
ALTER SYSTEM
ERROR: permission denied for function SYS_RELOAD_CONF
reload conf file failed,exit

3、查看切换后集群状态

1)主备流复制状态正常

[kingbase@node102 bin]$ ./ksql -U SYSTEM -W 123456 TEST
ksql (V008R003C002B0290)
Type "help" for help. TEST=# select * from sys_stat_replication;
^[[5~ PID | USESYSID | USENAME | APPLICATION_NAME | CLIENT_ADDR | CLIENT_HOSTNAME | CLIENT_PORT | BACKEND_START | BACKEND_XMIN | STATE | SENT_LOCATION | WRITE_LOCATION | FLUSH_LOCATION | REPLAY_LOCATION | SYNC_PRIORITY | SYNC_STATE
-------+----------+---------+------------------+---------------+-----------------+-------------+-------------------------------+--------------+-----------+---------------+----------------+----------------+-----------------+---------------+------------
15790 | 10 | SYSTEM | node101 | 192.168.1.101 | | 32411 | 2022-04-12 11:49:36.658658+08 | | streaming | 0/7000E18 | 0/7000E18 | 0/7000E18 | 0/7000E18 | 0 | async
(1 row)

2)节点状态正常

[kingbase@node102 bin]$ ./ksql -U SYSTEM -W 123456 TEST -p 9999
ksql (V008R003C002B0290)
Type "help" for help. TEST=# show pool_nodes;
node_id | hostname | port | status | lb_weight | role | select_cnt | load_balance_node | replication_delay
---------+---------------+-------+--------+-----------+---------+------------+-------------------+-------------------
0 | 192.168.1.101 | 54321 | up | 0.500000 | standby | 0 | false | 0
1 | 192.168.1.102 | 54321 | up | 0.500000 | primary | 0 | true | 0
(2 rows)

4、验证切换过程的错误信息

=在切换过程中执行报错信息,在切换完成后,执行不会再报错。=

TEST=# show restricted_dba ;
restricted_dba
----------------
on
(1 row) TEST=# alter user tom with superuser;
ERROR: Restricted DBA can not alter user TEST=# select sys_reload_conf();
SYS_RELOAD_CONF
-----------------
t
(1 row) TEST=# select xlog_record_read.read_record('1/0/7000028');
READ_RECORD
-------------
-1284001950
(1 row)

六、总结

对于生产环境为安全需要,需开启“受限dba”功能,对于单实例环境,只是权限会受到相应的限制;但是对于集群环境,涉及的因素比较多,导致主备切换出现一定的故障,虽然最终切换成功,但是存在风险,需要完善受限dba的功能,以便用于集群环境。

KingbaseES R3 受限dba影响集群切换的更多相关文章

  1. HangFire多集群切换及DashBoard登录验证

    项目中是有多个集群的,现在存在一个是:在切换web集群时,如何切换HangFire的周期性任务. 先采取的解决办法是: 每个集群分一个队列,在周期性任务入队时分配当前web集群的集群id单做队列名称. ...

  2. KingbaseES R6 通过脚本构建集群案例

      案例说明: KingbaseES V8R6部署一般可采用图形化方式快速部署,但在生产一线,有的服务器系统未启用图形化环境,所以对于KingbaseES V8R6的集群需采用手工字符界面方式部署,本 ...

  3. kingbaseES R3 集群配置 SSL

    ​ 案例说明: 本测试是在非生产环境下,在官方没有明确声明支持KingbaseCluster使用ssl的前提下,建议只能在测试环境使用,避免生产环境下直接使用. 数据库版本: TEST=# selec ...

  4. KingbaseES V8R6C5禁用root用户ssh登录图形化部署集群案例

    案例说明: 对于KingbaseES V8R6C5版本在部集群时,需要建立kingbase.root用户在节点间的ssh互信,如果在生产环境禁用root用户ssh登录,则通过ssh部署会失败:在图形化 ...

  5. KingbaseES V8R6C5 通过securecmdd工具手工脚本部署集群

    案例说明: 对于KingbaseES V8R6C5版本在部集群时,需要建立kingbase.root用户在节点间的ssh互信,如果在生产环境禁用root用户ssh登录,则通过ssh部署会失败:V8R6 ...

  6. KingbaseES V8R6集群维护案例之---停用集群node_export进程

    案例说明: 在KingbaseES V8R6集群启动时,会启动node_exporter进程,此进程主要用于向kmonitor监控服务输出节点状态信息.在系统安全漏洞扫描中,提示出现以下安全漏洞: 对 ...

  7. KingbaseES V8R6 集群环境wal日志清理

    案例说明: 1.对于集群中的wal日志,除了需要在备库执行recovery外,在集群主备切换(switchover或failover)时,sys_rewind都要读取wal日志,将数据库恢复到一致性状 ...

  8. KingbaseES R6 集群测试job管理测试

    案例说明: 本案例参考<Job And Schedule (V8R6C4)>(https://www.cnblogs.com/kingbase/p/15194227.html)单实例环境下 ...

  9. KingbaseES R3 读写分离集群在线扩容案例

    案例说明: 1. 通过sys_basebackup创建新备库. 2. 将备库加入到Cluster nodes管理,可以用kingbase_monitor.sh一键启停. 3. 主备复制切换测试. 此次 ...

随机推荐

  1. linux目录结构及定时任务

    1. Linux的根目录(最顶层的目录) windows系统有根目录:c盘的根目录就是c:\ d盘的根目录就是d:\ 每个盘(分区)都有自己的根目录 Linux系统, 也支持多个分区 Linux的分区 ...

  2. HashMap的实现原理?如何保证HashMap线程安全?

    A:HashMap简单说就是它根据建的hashcode值存储数据的,大多数情况下可以直接定位到它的值,因而具有很快的访问速度,但遍历的顺序是不确定的. B:HashMap基于哈希表,底层结构由数组来实 ...

  3. Springboot 整合 MongoDB

    Springboot 整合 MongoDB 这节我们将整合 Spring Boot 与 Mongo DB 实现增删改查的功能,并且实现序列递增. Mongo DB 的基本介绍和增删改查的用法可以参考我 ...

  4. Pytorch从0开始实现YOLO V3指南 part5——设计输入和输出的流程

    本节翻译自:https://blog.paperspace.com/how-to-implement-a-yolo-v3-object-detector-from-scratch-in-pytorch ...

  5. Ubuntu 隐藏所有窗口快捷键不生效问题

    在绑定界面卡住时,切换到一个tty窗口,再切回来 gsettings reset-recursively org.gnome.settings-daemon.plugins.media-keys gs ...

  6. 总结几个简单好用的Python人脸识别算法

    原文连接:https://mp.weixin.qq.com/s/3BgDld9hILPLCIlyysZs6Q 哈喽,大家好. 今天给大家总结几个简单.好用的人脸识别算法. 人脸识别是计算机视觉中比较常 ...

  7. 第七天python3 函数、参数及参数解构(二)

    函数参数 参数规则: 参数列表参数一般顺序是:普通参数<--缺省参数<--可变位置参数<--keyword-only参数(可带缺省值)<--可变关键字参数 def fn(x,y ...

  8. 从零开始Blazor Server(2)--整合数据库

    开篇 上一篇文章我们留了个尾巴,没有把freesql整合进去,这篇文章我们来整合. 目前的思路呢,是做一个简单的四不像的RABC,也有用户.角色. 权限三部分. 但是其中每个用户只有一个角色,即用户和 ...

  9. php rand()和mt_ran(),还有随机数生成器

    PHP 的 rand() 函数默认使用 libc 随机数发生器.mt_rand() 函数是非正式用来替换它的.该函数用了 Mersenne Twister 中已知的特性作为随机数发生器,它可以产生随机 ...

  10. ASP.NET Core 6框架揭秘实例演示[30]:利用路由开发REST API

    借助路由系统提供的请求URL模式与对应终结点之间的映射关系,我们可以将具有相同URL模式的请求分发给与之匹配的终结点进行处理.ASP.NET的路由是通过EndpointRoutingMiddlewar ...