MySQL-中间件mycat(三)

MySQL-中间件mycat(三)_第1张图片

目录

高可用方案

安装配置 HAProxy

安装 HAProxy

启动验证

配置 Keepalived

安装 Keepalived

修改配置文件

启动验证

测试高可用

mycat 安全设置

权限配置

SQL 拦截


    博客主页:大虾好吃吗的博客

    MySQL专栏:MySQL专栏地址

        在实际项目中, Mycat 服务也需要考虑高可用性,如果 Mycat 所在服务器出现宕机,或 Mycat 服务故障,需要有备机提供服务,需要考虑 Mycat 集群。

高可用方案

        我们可以使用 HAProxy + Keepalived 配合两台 Mycat 搭起 Mycat 集群,实现高可用性。 HAProxy实现了MyCat 多节点的集群高可用和负载均衡, 而 HAProxy 自身的高可用则可以通过 Keepalived 来实现。继续上一章的部署,添加一台mycat做轮询,mycat2部署和mycat1一样,需要提前配置,添加两台haproxy加keepalived。

拓扑图如下:

MySQL-中间件mycat(三)_第2张图片

安装配置 HAProxy

安装 HAProxy

注意:两台haproxy服务器都需要安装。

1. 准备好HAProxy安装包,传到/opt目录下 解压到/usr/local/src

[root@haproxy1 ~]# tar zxf haproxy-2.1.2.tar.gz -C /usr/local/src

2. 进入解压后的目录,查看内核版本, 进行编译

[root@haproxy1 ~]# cd /usr/local/src/haproxy-2.1.2
[root@haproxy1 haproxy-2.1.2]# uname -r
3.10.0-1160.el7.x86_64
[root@haproxy1 haproxy-2.1.2]# make TARGET=linux310 PREFIX=/usr/local/haproxy ARCH=x86_64

ARGET=linux310,内核版本,使用uname -r查看内核,如: 3.10.0-514.el7,此时该参数就为linux310;

ARCH=x86_64,系统位数;

PREFIX=/usr/local/haprpxy #/usr/local/haprpxy,为haprpxy安装路径。

3. 编译完成后,进行安装,向配置文件中插入以下配置信息,并保存

[root@haproxy1 haproxy-2.1.2]# make install PREFIX=/usr/local/haproxy
[root@haproxy1 haproxy-2.1.2]# vim /usr/local/haproxy/haproxy.conf
global
log 127.0.0.1 local0
#log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
chroot /usr/local/haproxy
pidfile /usr/local/haproxy/haproxy.pid
uid 99
gid 99
daemon
#debug
#quiet
defaults
log global
mode tcp
option abortonclose
option redispatch
retries 3
maxconn 2000
timeout connect 5000
timeout client 50000
timeout server 50000
listen proxy_status
bind :48066
mode tcp
balance roundrobin
server mycat_1 192.168.8.10:8066 check inter 10s            #mycat1主机
server mycat_2 192.168.8.11:8066 check inter 10s            #mycat2主机
frontend admin_stats
bind :7777
mode http
stats enable
option httplog
maxconn 10
stats refresh 30s
stats uri /admin
stats auth admin:123123
stats hide-version
stats admin if TRUE

注意:haproxy2配置和haproxy1相同,这里不在重复。

启动验证

1. 启动HAProxy

[root@haproxy1 haproxy-2.1.2]# /usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/haproxy.conf

2. 查看HAProxy进程

[root@haproxy1 haproxy-2.1.2]# ps -ef | grep haproxy
nobody   101066      1  0 17:14 ?        00:00:00 /usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/haproxy.conf
root     101086   5343  0 17:15 pts/2    00:00:00 grep --color=auto haproxy

3. 打开浏览器访问 http://192.168.8.1:7777/admin 或者8.2主机,在弹出登录框后输入用户名: admin密码: 123123,注意开启mycat。

MySQL-中间件mycat(三)_第3张图片

4. 验证负载均衡,通过haproxy1和haproxy2访问mycat登录mysql,端口号为48066

[root@master1 ~]# mysql -umycat -p123456 -h192.168.8.1 -P 48066

配置 Keepalived

注意:两台haproxy主机都需要安装keepalived,这里以haproxy1主机为例。

安装 Keepalived

1. 准备好Keepalived安装包,传到/opt目录下 解压到/usr/local/src

[root@haproxy1 ~]# tar zxf keepalived-2.2.7.tar.gz -C /usr/local/src

2. 安装依赖插件

[root@haproxy1 ~]# yum install -y gcc openssl-devel popt-devel

3. 进入解压后的目录, 进行配置, 进行编译

[root@haproxy1 ~]# cd /usr/local/src/keepalived-2.2.7/
[root@haproxy1 keepalived-2.2.7]# ./configure --prefix=/usr/local/keepalived

4. 进行编译, 完成后进行安装

[root@haproxy1 keepalived-2.2.7]# make && make install

5. 运行前配置

[root@haproxy1 keepalived-2.2.7]# cp /usr/local/src/keepalived-2.2.7/keepalived/etc/init.d/keepalived /etc/init.d/
[root@haproxy1 keepalived-2.2.7]# mkdir /etc/keepalived
[root@haproxy1 keepalived-2.2.7]# cp /usr/local/keepalived/etc/keepalived/keepalived.conf.sample /etc/keepalived/
[root@haproxy1 keepalived-2.2.7]# mv /etc/keepalived/keepalived.conf.sample /etc/keepalived/keepalived.conf
[root@haproxy1 keepalived-2.2.7]# cp /usr/local/src/keepalived-2.2.7/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
[root@haproxy1 keepalived-2.2.7]# cp /usr/local/keepalived/sbin/keepalived /usr/sbin/

修改配置文件

haproxy1配置文件

[root@haproxy1 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id ha1
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.8.100
    }
}

virtual_server 192.168.8.100 48066 {
    delay_loop 6
    lb_algo rr
    lb_kind NAT
    persistence_timeout 50
    protocol TCP

    real_server 192.168.8.1 48066 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.8.2 48066 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    } 
}

haproxy2配置文件

[root@haproxy2 ~]# cat /etc/keepalived/keepalived.conf 
! Configuration File for keepalived

global_defs {
   router_id ha2
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.8.100
    }
}

virtual_server 192.168.8.100 48066 {
    delay_loop 6
    lb_algo rr
    lb_kind NAT
    persistence_timeout 50
    protocol TCP

    real_server 192.168.8.1 48066 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.8.2 48066 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    } 
}

启动验证

两台主机都启动Keepalived

[root@haproxy1 ~]# systemctl start keepalived
[root@haproxy1 ~]# ps -ef | grep keep
root       2864   2487  0 16:21 ?        00:00:00 /usr/libexec/gsd-housekeeping
root     108226      1  0 17:43 ?        00:00:00 /usr/local/keepalived/sbin/keepalived --dont-fork -D
root     108227 108226  0 17:43 ?        00:00:00 /usr/local/keepalived/sbin/keepalived --dont-fork -D
root     108228 108226  0 17:43 ?        00:00:00 /usr/local/keepalived/sbin/keepalived --dont-fork -D
root     108244   5343  0 17:43 pts/2    00:00:00 grep --color=auto keep
[root@haproxy1 ~]# ip a show dev ens33
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e6:ef:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.1/24 brd 192.168.8.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet 192.168.8.100/32 scope global ens33
       valid_lft forever preferred_lft forever

使用一台mysql服务器远程登录验证

[root@slave1 ~]# mysql -umycat -p123456 -P48066 -h192.168.8.100
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.6.29-mycat-1.6.7.6-release-20220524173810 MyCat Server (OpenCloudDB)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

测试高可用

关闭一台mycat通过虚拟ip查询数据,通过mysql访问登录mysql

[root@mycat1 ~]# mycat stop
Stopping Mycat-server...
Stopped Mycat-server.[root@mycat1 ~]# mycat stop
Stopping Mycat-server...
Stopped Mycat-server.

登录mycat

[root@slave1 ~]# mysql -umycat -p123456 -P48066 -h192.168.8.100

mycat 安全设置

权限配置

        user 标签权限控制 目前 Mycat 对于中间件的连接控制并没有做太复杂的控制,目前只做了中间件逻辑库级别的读写权限控制。是通过 server.xml 的 user 标签进行配置。

修改server.xml配置文件user部分,通过下面配置文件看到,有mycat用户(这里就不多讲了)和user用户,可以看到user用户密码,逻辑库等信息。

[root@mycat1 ~]# cd /usr/local/mycat/conf
[root@mycat1 conf]# vim server.xml
#省略部分内容
        
                123456
                TESTDB
                TESTDB
        

        
                user
                TESTDB
                true
                TESTDB
        

        privileges 标签权限控制 在 user 标签下的 privileges 标签可以对逻辑库(schema)、表(table)进行精细化的 DML 权限控制。 privileges 标签下的 check 属性,如为 true 开启权限检查,为 false 不开启,默认为 false。 由于 Mycat 一个用户的 schemas 属性可配置多个逻辑库(schema) ,所以 privileges 的下级节点 schema 节点同样可配置多个,对多库多表进行细粒度的 DML 权限控制。

MySQL-中间件mycat(三)_第4张图片

修改server.xml配置文件privileges部分,orders表没有删除权限,配置tb1表没有增删改查权限。

[root@mycat1 ~]# cd /usr/local/mycat/conf
[root@mycat1 conf]# vim server.xml
#省略部分内容
                
                
                        
                                
[root@mycat1 conf]# mycat restart Stopping Mycat-server... Stopped Mycat-server. Starting Mycat-server...

配置说明

DML 权限 增加(insert) 更新(update) 查询(select) 删除(delete)
0000 禁止 禁止 禁止 禁止
0001 禁止 禁止 禁止 允许
0010 禁止 禁止 允许 禁止
1111 允许 允许 允许 允许

测试查看两个表是否按照要求修改成功,我这里只修改了mycat1主机,就直接登录mycat1测试了。

[root@master2 ~]# mysql -umycat -p123456 -h192.168.8.10 -P8066
#省略部分内容
mysql> use TESTDB
mysql> select * from orders;
+------+------------+-------------+-----------+
| id   | order_type | customer_id | amount    |
+------+------------+-------------+-----------+
|    2 |        101 |         100 | 100300.00 |
|    4 |        101 |         101 | 103000.00 |
|    6 |        102 |         100 | 100020.00 |
|    1 |        101 |         100 | 100100.00 |
|    3 |        101 |         101 | 120000.00 |
|    5 |        102 |         101 | 100400.00 |
+------+------------+-------------+-----------+
6 rows in set (0.34 sec)

mysql> delete from orders where id=1;
ERROR 3012 (HY000): The statement DML privilege check is not passed, reject for user 'mycat'

mysql> show tables;
+------------------+
| Tables_in_mytest |
+------------------+
| customer         |
| dict_order_type  |
| orders           |
| orders_detail    |
| tb1              |
+------------------+
5 rows in set (0.01 sec)

mysql> select * from tb1;
ERROR 3012 (HY000): The statement DML privilege check is not passed, reject for user 'mycat'

        通过上面命令行显示,删除orders以及查看tb1无法成功执行,返回结果为DML权限检查未通过而拒绝。

SQL 拦截

        firewall 标签用来定义防火墙; firewall 下 whitehost 标签用来定义 IP 白名单 , blacklist 用来定义SQL 黑名单。

MySQL-中间件mycat(三)_第5张图片

1. 白名单 可以通过设置白名单, 实现某主机某用户可以访问 Mycat,而其他主机用户禁止访问。

        修改server.xml配置文件firewall标签,配置只有192.168.8.50主机可以通过mycat用户访问,其他主机拒绝访问。

[root@mycat1 conf]# vim server.xml
		
           
              
           
        
[root@mycat1 conf]# mycat restart
Stopping Mycat-server...
Stopped Mycat-server.
Starting Mycat-server...

        测试用mysql服务器通过192.168.8.10登录mysql,最终结果为只有192.168.8.50主机成功登录,至此白名单完成。

[root@master2 ~]# mysql -umycat -p123456 -h192.168.8.10 -P8066
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.29-mycat-1.6.7.6-release-20220524173810 MyCat Server (OpenCloudDB)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

2. 黑名单 可以通过设置黑名单, 实现 Mycat 对具体 SQL 操作的拦截, 如增删改查等操作的拦截。

修改server.xml配置文件firewall标签,配置禁止mycat用户进行插入操作

[root@mycat1 conf]# vim server.xml
        
           
              
           
        
         false
        
        
[root@mycat1 conf]# mycat restart
Stopping Mycat-server...
Stopped Mycat-server.
Starting Mycat-server...

测试使用8.50主机登录,并且对orders表插入数据,最终结果发现无法插入,黑名单成功。

mysql> use TESTDB
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_mytest |
+------------------+
| customer         |
| dict_order_type  |
| orders           |
| orders_detail    |
+------------------+
4 rows in set (0.02 sec)

mysql> select * from orders;
+------+------------+-------------+-----------+
| id   | order_type | customer_id | amount    |
+------+------------+-------------+-----------+
|    2 |        101 |         100 | 100300.00 |
|    4 |        101 |         101 | 103000.00 |
|    6 |        102 |         100 | 100020.00 |
|    1 |        101 |         100 | 100100.00 |
|    3 |        101 |         101 | 120000.00 |
|    5 |        102 |         101 | 100400.00 |
+------+------------+-------------+-----------+
6 rows in set (0.04 sec)

mysql> insert into orders values(^C
mysql> INSERT INTO orders(id,order_type,customer_id,amount) VALUES(7,102,101,111400);
ERROR 3012 (HY000): The statement is unsafe SQL, reject for user 'mycat'

在修改一次,使其可以插入数据,通过下面语法很好理解,false为拒绝,true为允许。

[root@mycat1 conf]# vim server.xml 
              
           
        
         true
        
        
[root@mycat1 conf]# mycat restart
Stopping Mycat-server...
Stopped Mycat-server.
Starting Mycat-server...

插入数据成功。

[root@master2 ~]# mysql -umycat -p123456 -P48066 -h192.168.8.100

mysql> INSERT INTO orders(id,order_type,customer_id,amount) VALUES(7,102,101,111400);
Query OK, 1 row affected (0.21 sec)
 OK!

mysql> select * from orders;
+------+------------+-------------+-----------+
| id   | order_type | customer_id | amount    |
+------+------------+-------------+-----------+
|    2 |        101 |         100 | 100300.00 |
|    4 |        101 |         101 | 103000.00 |
|    6 |        102 |         100 | 100020.00 |
|    1 |        101 |         100 | 100100.00 |
|    3 |        101 |         101 | 120000.00 |
|    5 |        102 |         101 | 100400.00 |
|    7 |        102 |         101 | 111400.00 |
+------+------------+-------------+-----------+
7 rows in set (0.06 sec)

可以设置的黑名单 SQL 拦截功能列表

配置项 缺省值 描述
selectAllow true 是否允许执行 SELECT 语句
deleteAllow true 是否允许执行 DELETE 语句
updateAllow true 是否允许执行 UPDATE 语句
insertAllow true 是否允许执行 INSERT 语句
creaetTableAllow true 是否允许创建表
setAllow true 是否允许使用SET语法
alterTableAllow true 是否允许执行 Alter Table 语句
dropTableAllow true 是否允许修改表
commitAllow true 是否允许执行 commit 操作
rollbackAllow true 是否允许执行 roll back 操作

你可能感兴趣的:(MySQL,服务器,linux,运维)