From 68839a6725f1bbb828f15367b59c7fdb0d2278d2 Mon Sep 17 00:00:00 2001
From: fang <2535030577@qq.com>
Date: Sun, 10 Dec 2023 01:15:46 +0800
Subject: [PATCH] =?UTF-8?q?[DOC]=E6=96=B0=E5=A2=9EMySQL=E5=AF=86=E7=A0=81?=
 =?UTF-8?q?=E4=BB=A5=E5=8A=A0=E5=AF=86=E6=96=B9=E5=BC=8F=E5=AD=98=E5=82=A8?=
 =?UTF-8?q?=E5=B9=B6=E4=BD=BF=E7=94=A8=E7=9A=84=E6=96=87=E6=A1=A3=20(#1135?=
 =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...40\345\257\206\346\211\213\345\206\214.md" | 115 ++++++++++++++++++
 km-rest/pom.xml | 6 +
 2 files changed, 121 insertions(+)
 create mode 100644 "docs/dev_guide/MYSQL\345\257\206\347\240\201\345\212\240\345\257\206\346\211\213\345\206\214.md"

diff --git "a/docs/dev_guide/MYSQL\345\257\206\347\240\201\345\212\240\345\257\206\346\211\213\345\206\214.md" "b/docs/dev_guide/MYSQL\345\257\206\347\240\201\345\212\240\345\257\206\346\211\213\345\206\214.md"
new file mode 100644
index 000000000..f38b5b006
--- /dev/null
+++ "b/docs/dev_guide/MYSQL\345\257\206\347\240\201\345\212\240\345\257\206\346\211\213\345\206\214.md"
@@ -0,0 +1,115 @@
+## YML文件MYSQL密码加密存储手册
+
+### 1、本地部署加密
+
+**第一步:生成密文**
+
+在本地仓库中找到jasypt-1.9.3.jar,默认在org/jasypt/jasypt/1.9.3中,使用`java -cp`生成密文。
+
+```bash
+java -cp jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input=mysql密码 password=加密的salt algorithm=PBEWithMD5AndDES
+```
+
+```bash
+## 得到密文
+DYbVDLg5D0WRcJSCUGWjiw==
+```
+
+**第二步:配置jasypt**
+
+在YML文件中配置jasypt,例如
+
+```yaml
+jasypt:
+ encryptor:
+ algorithm: PBEWithMD5AndDES
+ iv-generator-classname: org.jasypt.iv.NoIvGenerator
+```
+
+**第三步:配置密文**
+
+使用密文替换YML文件中的明文密码为ENC(密文),例如[application.yml](https://github.com/didi/KnowStreaming/blob/master/km-rest/src/main/resources/application.yml)中MYSQL密码。
+
+```yaml
+know-streaming:
+ username: root
+ password: ENC(DYbVDLg5D0WRcJSCUGWjiw==)
+```
+
+**第四步:配置加密的salt(选择其一)**
+
+- 配置在YML文件中(不推荐)
+
+```yaml
+jasypt:
+ encryptor:
+ password: salt
+```
+
+- 配置程序启动时的命令行参数
+
+```bash
+java -jar xxx.jar --jasypt.encryptor.password=salt
+```
+
+- 配置程序启动时的环境变量
+
+```bash
+export JASYPT_PASSWORD=salt
+java -jar xxx.jar --jasypt.encryptor.password=${JASYPT_PASSWORD}
+```
+
+## 2、容器部署加密
+
+利用docker swarm 提供的 secret 机制加密存储密码,使用docker swarm来管理密码。
+
+### 2.1、secret加密存储
+
+**第一步:初始化docker swarm**
+
+```bash
+docker swarm init
+```
+
+**第二步:创建密钥**
+
+```bash
+echo "admin2022_" | docker secret create mysql_password -
+
+# 输出密钥
+f964wi4gg946hu78quxsh2ge9
+```
+
+**第三步:使用密钥**
+
+```yaml
+# mysql用户密码
+SERVER_MYSQL_USER: root
+SERVER_MYSQL_PASSWORD: mysql_password
+
+knowstreaming-mysql:
+ # root 用户密码
+ MYSQL_ROOT_PASSWORD: mysql_password
+secrets:
+ mysql_password:
+ external: true
+```
+
+### 2.2、使用密钥文件加密
+
+**第一步:创建密钥**
+
+```bash
+echo "admin2022_" > password
+```
+
+**第二步:使用密钥**
+
+```yaml
+# mysql用户密码
+SERVER_MYSQL_USER: root
+SERVER_MYSQL_PASSWORD: mysql_password
+secrets:
+ mysql_password:
+ file: ./password
+```
diff --git a/km-rest/pom.xml b/km-rest/pom.xml
index 0c69eccc7..954629fc8 100644
--- a/km-rest/pom.xml
+++ b/km-rest/pom.xml
@@ -138,6 +138,12 @@ ${springboot.version} + + com.github.ulisesbocchio + jasypt-spring-boot-starter + 3.0.5 + + org.testcontainers
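Review bot: The new jasypt-spring-boot-starter dependency pins its version as an inline literal `3.0.5`, while the surrounding dependencies in this hunk resolve theirs through properties such as `${springboot.version}`; declaring `<jasypt.version>3.0.5</jasypt.version>` in `<properties>` and referencing `<version>${jasypt.version}</version>` keeps upgrades in one place and lets a dependency-scanning tool track it. Worth a caveat in the module's README or the new guide: adding this starter makes every `ENC(...)` value in any property source decryptable with the configured master password, so that password must never sit in a committed YML file and, where possible, should come from a secrets file or environment rather than a `--jasypt.encryptor.password=` argument visible in the process list. The 3.x starter's documented default algorithm is, as far as I recall, PBEWITHHMACSHA512ANDAES_256; the guide that accompanies this dependency configures `PBEWithMD5AndDES` with `NoIvGenerator`, a 56-bit cipher with an MD5-based KDF, so the guide should document the stronger default instead of downgrading it. The enclosing `<dependencies>` element begins before and ends after this hunk, and the rendered hunk has had its XML tags stripped, so I cannot confirm from here that the `<dependency>` element is well-formed.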