IdP4:安装数据库Mariadb103(第4/11步)

        Mariadb数据库(MySQL)用来保存用户校园网唯一真实id(如学工号)和CARSI eduPersonTargetedID(eptid)/pairwise-id的对应关系。在2020年1月版eduPerson规范中,eptid将被放弃,推荐使用pairwise-id。CARSI将在一段时间内同时支持eptid和pairwise-id,取值相同,对应数据库中的persistentId。eptid和pairwise-id是CARSI联盟采用的用户唯一id,根据用户的校园真实id(如学工号)计算获得,不可反解,不会泄露个人敏感信息,所有CARSI SP可使用。

        确因管理需要,SP可联系学校IdP管理员通过它反查校园网真实id,如学工号。

        注意:

  1. 为了同时兼顾sp对用户唯一id的需求和用户保护个人隐私的愿望,推荐学校对外公布eptid/pairwise-id,而不是其他用户属性来唯一代表用户。
  2. CARSI联盟在发展过程中,会推荐SP根据此id区分用户并针对单个用户赋予特殊的访问权限,建议部署IdP时重视数据库和此id的配置。

1.安装Mariadb

注: 以carsi用户登录系统,完成以下安装和配置。服务端口为13306。学校可根据情况修改此端口,出于安全考虑,不建议使用缺省端口3306。

[carsi@www ~]$ sudo yum --enablerepo=centos-sclo-rh -y install rh-mariadb103-mariadb-server

[carsi@www ~]$ sudo scl enable rh-mariadb103 bash

[root@www ~]# vi /etc/opt/rh/rh-mariadb103/my.cnf.d/mariadb-server.cnf   
#增加以下配置内容
[mysqld]
character-set-server=utf8
log_bin = /var/lib/mysql/bin-log
log_bin_index = /var/lib/mysql/mysql-bin.index
expire_logs_days = 180
port = 13306

[root@www ~]# systemctl start rh-mariadb103-mariadb
[root@www ~]# systemctl enable rh-mariadb103-mariadb

2.初始化数据库

[root@www ~]# /opt/rh/rh-mariadb103/root/usr/bin/mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

# 第一次运行此命令时,还没有设置口令,直接回车
Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

# 设置root密码
Set root password? [Y/n] y
New password:                 //输入mysql root密码
Re-enter new password:        //再次输入mysql root密码
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

# 删除匿名账户
Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

# 禁止远程登陆
Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

# 删除test数据库
Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

# 刷新权限表
Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

3. 新建数据库及表

[root@www ~]#/opt/rh/rh-mariadb103/root/usr/bin/mysql  -u root -p
Enter password: #刚刚创建的root密码
MariaDB [(none)]> CREATE DATABASE idp_db CHARACTER SET utf8 COLLATE utf8_bin;
MariaDB [(none)]> use idp_db;
MariaDB [idp_db]> CREATE TABLE shibpid (
    localEntity VARCHAR(255) NOT NULL,
    peerEntity VARCHAR(255) NOT NULL,
    persistentId VARCHAR(50) NOT NULL,
    principalName VARCHAR(50) NOT NULL,
    localId VARCHAR(50) NOT NULL,
    peerProvidedId VARCHAR(50) NULL,
    creationDate TIMESTAMP NOT NULL,
    deactivationDate TIMESTAMP NULL,
    PRIMARY KEY (localEntity, peerEntity, persistentId)
);

4.新建数据库用户

        为了加强安全防护,为IdP新建一个非root用户账号对接数据库。请勿直接复制下面语句,需要将username替换成自定义的用户名,比如:carsi,password替换成密码。

MariaDB [idp_db]>  create user 'username' identified by 'password';
MariaDB [idp_db]>  grant all on idp_db.shibpid to 'username';
MariaDB [idp_db]>  flush privileges;
MariaDB [idp_db]>  exit;

5.  退出操作系统的root用户身份,回到carsi用户。

[root@www ~]# exit
exit
[carsi@www ~]$

6.  修改IdP配置文件,设置数据库访问用户和密码

[carsi@www ~]$ sudo vi /opt/shibboleth-idp/conf/global.xml
#将
p:username="xxxxxxx"
p:password="xxxxxxx"
#改成第4步中新建的用户名和密码



版权所有©北京大学计算中心