IdP512: 安装数据库Mariadb(第4/11步)
Mariadb数据库(MySQL)用来保存用户校园网唯一真实id(如学工号)和CARSI eduPersonTargetedID(eptid)/pairwise-id的对应关系。在2020年1月版eduPerson规范中,eptid将被放弃,推荐使用pairwise-id。CARSI将在一段时间内同时支持eptid和pairwise-id,取值相同,对应数据库中的persistentId。eptid和pairwise-id是CARSI联盟公开使用的用户唯一id,根据用户的校园真实id(如学工号)计算获得,不可反解,不会泄露个人敏感信息,所有CARSI SP可使用。
确因管理需要,SP可联系学校IdP管理员通过它反查校园网真实id,如学工号。
注意:
- 为了同时兼顾SP对用户唯一id的需求和保护用户个人隐私的需要,推荐学校对外公布eptid/pairwise-id,而不是其他用户属性。
- CARSI联盟在发展过程中,会推荐SP根据此id区分用户并赋予特殊的访问权限,建议部署IdP时重视数据库和此id的配置。
1.安装Mariadb
注: 本手册使用carsi用户进行安装和配置Mariadb,也可以使用root进行Mariadb的安装和配置。
[carsi@www ~]$ sudo yum -y install mariadb-server [root@www ~]# vi /etc/my.cnf.d/mariadb-server.cnf #增加以下配置内容 [mysqld] character-set-server=utf8 log_bin = /var/lib/mysql/bin-log log_bin_index = /var/lib/mysql/mysql-bin.index expire_logs_days = 180 port=13306 [root@www ~]# systemctl start mariadb [root@www ~]# systemctl enable mariadb
2.初始化数据库
[root@www ~]# /usr/bin/mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. # 回车 Enter current password for root (enter for none): OK, successfully used password, moving on... Setting the root password or using the unix_socket ensures that nobody can log into the MariaDB root user without the proper authorisation. You already have your root account protected, so you can safely answer 'n'. Switch to unix_socket authentication [Y/n] y //可以输入y,也可以输入n, 在openAnolis系统中没有这个步骤 Enabled successfully! Reloading privilege tables.. ... Success! You already have your root account protected, so you can safely answer 'n'. # 设置root密码 Change the root password? [Y/n] y New password: //输入mysql root密码 Re-enter new password: //再次输入mysql root密码 Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. # 删除匿名账户 Remove anonymous users? [Y/n] y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. # 禁止远程登陆 Disallow root login remotely? [Y/n] y ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. # 删除test数据库 Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. # 刷新权限 Reload privilege tables now? [Y/n] y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB!
3. 新建数据库及表
[root@www ~]#mysql -u root -p Enter password: #刚刚创建的root密码 MariaDB [(none)]> CREATE DATABASE idp_db CHARACTER SET utf8 COLLATE utf8_bin; MariaDB [(none)]> use idp_db; MariaDB [idp_db]> CREATE TABLE shibpid ( localEntity VARCHAR(255) NOT NULL, peerEntity VARCHAR(255) NOT NULL, persistentId VARCHAR(50) NOT NULL, principalName VARCHAR(50) NOT NULL, localId VARCHAR(50) NOT NULL, peerProvidedId VARCHAR(50) NULL, creationDate TIMESTAMP NOT NULL, deactivationDate TIMESTAMP NULL, PRIMARY KEY (localEntity, peerEntity, persistentId) );
4.新建数据库用户
为了加强安全防护,为IdP新建一个非root用户对接数据库,请勿直接复制下面语句,需要将username替换成自定义的用户名,password替换成密码。
MariaDB [idp_db]> create user 'username' identified by 'password'; MariaDB [idp_db]> grant all on idp_db.shibpid to 'username'; MariaDB [idp_db]> flush privileges; MariaDB [idp_db]> exit;
5. 退出root用户身份,回到carsi用户。
6. 修改IdP配置文件,设置数据库访问用户和密码
[carsi@www ~]$ sudo vi /opt/shibboleth-idp/conf/global.xml #将 p:username="xxxxxxx" p:password="xxxxxxx" #改成第4步中新建的用户名和密码
版权所有©北京大学计算中心