To limit the client applications that can access the broker, set the ACCESS_CONTROL parameter in the cubrid_broker.conf file to ON, and set the ACCESS_CONTROL_FILE parameter to the name of the file that lists the database users, databases and IP addresses allowed to access the broker. The default value of the ACCESS_CONTROL broker parameter is OFF. The ACCESS_CONTROL and ACCESS_CONTROL_FILE parameters must be written under the [broker] section, where common parameters are specified.
The format of ACCESS_CONTROL_FILE is as follows:
[%<broker_name>]
<db_name>:<db_user>:<ip_list_file>
…
A [%<broker_name>] section with its own <db_name>:<db_user>:<ip_list_file> entries can be specified separately for each broker.
The format of the ip_list_file is as follows:
<ip_addr>
…
If ACCESS_CONTROL is set to ON and no value is specified for ACCESS_CONTROL_FILE, the broker will only allow access requests from the localhost. If the analysis of ACCESS_CONTROL_FILE and ip_list_file fails while a broker is running, the broker will only allow access requests from the localhost.
If the analysis of ACCESS_CONTROL_FILE and ip_list_file fails while a broker is running, the broker will not run.
# cubrid_broker.conf
[broker]
MASTER_SHM_ID =30001
ADMIN_LOG_FILE =log/broker/cubrid_broker.log
ACCESS_CONTROL =ON
ACCESS_CONTROL_FILE =/home1/cubrid/access_file.txt
[%QUERY_EDITOR]
SERVICE =ON
BROKER_PORT =38000
......
The following example shows the content of ACCESS_CONTROL_FILE. The * symbol matches anything; it can be used in place of a database name, a database user ID, or an entry in the IP list file to allow any database, any user or any IP address to access the broker.
[%QUERY_EDITOR]
dbname1:dbuser1:READIP.txt
dbname1:dbuser2:WRITEIP1.txt,WRITEIP2.txt
*:dba:READIP.txt
*:dba:WRITEIP1.txt
*:dba:WRITEIP2.txt
[%BROKER2]
dbname:dbuser:iplist2.txt
[%BROKER3]
dbname:dbuser:iplist2.txt
[%BROKER4]
dbname:dbuser:iplist2.txt
The brokers specified above are QUERY_EDITOR, BROKER2, BROKER3 and BROKER4.
The QUERY_EDITOR broker allows only the following application access requests.
The following example shows how to specify the IPs allowed in ip_list_file.
192.168.1.25
192.168.*
10.*
*
The descriptions for the IPs specified in the example above are as follows:
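As an added example (this is not CUBRID's own code, and it does not claim to reproduce the broker's actual parser), the following Python evaluator reads an ACCESS_CONTROL_FILE body in the format shown above, resolves each referenced ip_list_file, and decides whether a request identified by broker name, database, user and client IP is allowed. It assumes the wildcard semantics stated on this page: * alone matches everything, and a trailing * in an IP entry such as 192.168.* or 10.* matches any address whose leading octets agree. The file contents, file names and client addresses below are constructed for the example; comparison is done octet by octet so that 10.* cannot match 100.1.1.1, which a naive string-prefix check would wrongly allow.

```python
"""Evaluator for the broker ACL format described above (added example, not CUBRID code)."""
from typing import Dict, List, Optional, Tuple

# Constructed ACCESS_CONTROL_FILE content in the page's format.
ACCESS_CONTROL_FILE = """\
[%QUERY_EDITOR]
dbname1:dbuser1:READIP.txt
dbname1:dbuser2:WRITEIP1.txt,WRITEIP2.txt
*:dba:READIP.txt
[%BROKER2]
dbname:dbuser:iplist2.txt
"""

# Constructed ip_list_file contents, keyed by the file name the ACL refers to.
IP_LIST_FILES = {
    "READIP.txt": "192.168.1.25\n10.*\n",
    "WRITEIP1.txt": "192.168.*\n",
    "WRITEIP2.txt": "172.16.0.7\n",
    "iplist2.txt": "*\n",
}

LOCALHOST = "127.0.0.1"

# One rule: (db_name, db_user, list of IP patterns gathered from its ip_list_files).
Rule = Tuple[str, str, List[str]]


def parse_ip_list(text: str) -> List[str]:
    """Validate an ip_list_file: each entry is '*', a full IPv4 address, or a
    dotted prefix ending in '*'. Rejecting malformed entries mirrors the page's
    point that a file the broker cannot analyse must not silently widen access."""
    patterns: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        octets = line.split(".")
        if len(octets) > 4:
            raise ValueError(f"too many octets: {line!r}")
        for i, octet in enumerate(octets):
            if octet == "*":
                if i != len(octets) - 1:
                    raise ValueError(f"wildcard must be the last octet: {line!r}")
            elif not (octet.isdigit() and 0 <= int(octet) <= 255):
                raise ValueError(f"bad octet in entry: {line!r}")
        if octets[-1] != "*" and len(octets) != 4:
            raise ValueError(f"incomplete address without wildcard: {line!r}")
        patterns.append(line)
    return patterns


def parse_access_control(text: str, ip_files: Dict[str, str] = IP_LIST_FILES) -> Dict[str, List[Rule]]:
    """Parse [%broker] sections and db:user:file[,file...] rules into a per-broker rule list."""
    rules: Dict[str, List[Rule]] = {}
    broker: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[%") and line.endswith("]"):
            broker = line[2:-1]
            rules.setdefault(broker, [])
            continue
        if broker is None:
            raise ValueError(f"rule before any [%broker] section: {line!r}")
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {line!r}")
        db, user, files = parts
        patterns: List[str] = []
        for fname in files.split(","):
            fname = fname.strip()
            if fname not in ip_files:
                raise ValueError(f"missing ip_list_file: {fname}")
            patterns.extend(parse_ip_list(ip_files[fname]))
        rules[broker].append((db, user, patterns))
    return rules


def ip_matches(ip: str, pattern: str) -> bool:
    """Octet-wise comparison: '10.*' matches 10.1.2.3 but not 100.1.2.3."""
    pat, got = pattern.split("."), ip.split(".")
    if pat[-1] == "*":
        prefix = pat[:-1]
        return got[: len(prefix)] == prefix
    return got == pat


def is_allowed(rules: Optional[Dict[str, List[Rule]]], broker: str, db: str, user: str, ip: str) -> bool:
    """rules=None models ACCESS_CONTROL=ON with no ACCESS_CONTROL_FILE: localhost only.
    A broker without its own section gets no rules here (an assumption of this example)."""
    if rules is None:
        return ip == LOCALHOST
    for rule_db, rule_user, patterns in rules.get(broker, []):
        if rule_db not in ("*", db) or rule_user not in ("*", user):
            continue
        if any(ip_matches(ip, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    acl = parse_access_control(ACCESS_CONTROL_FILE)
    for req in [("QUERY_EDITOR", "dbname1", "dbuser1", "192.168.1.25"),
                ("QUERY_EDITOR", "dbname1", "dbuser1", "100.1.2.3"),
                ("BROKER2", "dbname", "dbuser", "8.8.8.8")]:
        print(req, "->", "allow" if is_allowed(acl, *req) else "deny")
```

A deny result for a client that should have access is usually a sign that its address falls outside every listed pattern for that database and user combination, which is the first thing to check before widening an entry to a wildcard.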
For a broker that is already running, you can modify the configuration file and apply it, or check the currently applied configuration, by using the following commands.
To apply a modified configuration (the databases, database user IDs and IPs allowed to access the broker) to the running broker, use the following command.
cubrid broker acl reload [<BR_NAME>]
To display on the screen the databases, database user IDs and IPs that are allowed to access the running broker, use the following command.
cubrid broker acl status [<BR_NAME>]
If an access attempt to a broker comes from an IP address that is not allowed, the following logs are created.
Note For details on how to limit an access to the database server, see Limiting Database Server Access.