Security
On occasion, you may want or need to enable degrees of security that go beyond the basics of Unix file permissions and secure database management. For situations such as these, you can secure both node communications and client connections between the application servers and the cluster.
- In order to use Galera Cluster, nodes must have access to a number of ports to maintain network connectivity with the cluster. While it was touched upon briefly in the Installation section, this section provides more detailed guides on configuring a system firewall using iptables, FirewallD and PF.
- To secure communications between nodes and from the application servers, you can enable encryption through the SSL protocol for client connections, replication traffic and State Snapshot Transfers. This section provides guidance on configuring SSL on Galera Cluster.
- Without proper configuration, SELinux can either block nodes from communicating or block the database server from starting at all. When it does so, it causes the given process to fail silently, without any notification sent to standard output or error as to why. While you can configure SELinux to permit all activity from the database server (as was explained in the Installation section), this is not a good long-term solution. This section provides a guide to creating an SELinux security policy for Galera Cluster.