Security
1. Authentication
LeanXcale supports two ways to handle authentication, with native support, or using an external authentication server that can be an LDAP server or a PAM server. Native support is used via standard SQL.
1.1. Native Authentication
1.1.1. Predefined Users
There are two predefined users:
It is the superuser of the system. Its password is set during the installation.
-
LXADMIN: This is the predefined user with admin rights over all databases defined.
-
NONE: This is a predefined user with only rights to connect to the database. Only useful to test that the connection to the database works.
The predefined user rights cannot be delete nor its rights can be changed.
1.1.2. Users & Schemas
In LeanXcale each database has always a predefined schema APP. Each created user has an associated schema with the same name as the user. Deleting a user, deletes the associated schema as well.
1.1.3. Predefined Database & Schema
In LeanXcale there are one predefined database DB that has a predefined schema APP. They are provided to ease the use of the database. None of them can be dropped.
1.1.4. Creating & Dropping Databases
New databases can be created by means of the CREATE DATABASE SQL statement:
createDatabaseStatement= CREATE DATABASE databaseName [USER userName IDENTIFIED BY stringLiteral]*
Only the LXADMIN user can create and drop databases. When creating the database it becomes possible to associate a user as owner of the provided database in the optional USER clause, where its name and password are provided.
To drop a database it can be done by the DROP DATABASE statement:
dropDatabaseStatement= DROP DATABASE databaseName
2. User Authorization
2.1. Permissions
User authorization is achieved by standard SQL GRANT and REVOKE statements. Permissions are expressed by the action and the database object. A GRANT statement gives one or more permissions to one or more users:
grantStatement= GRANT permissionList TO userList permissionList= permission [, permission]* permission= action databaseObject
Where action can be
action= CREATE | ALTER | DROP | SELECT | USAGE | INSERT | DELETE | UPDATE | REFERENCES | COMMENT | BACKUP | BECOME ANY USER | ALL PRIVILEGES
And database objects are:
databaseObjects= TABLE | INDEX | VIEW | SEQUENCE | TRIGGER | PROCEDURE | ANY
2.2. Roles
Roles are also supported to enable to systematize the permissions given to users depending on their role. A role is just a collection of permissions. In that sense they are similar to a user. The syntax is:
createRoleStatement= CREATE ROLE roleName IDENTIFIED BY 'password'
Permissions can be granted to a role and a user can be granted roles that is equivalent to grant to the user each of the permissions in the role.
A role can be deleted with:
dropRoleStatement= DROP ROLE roleName
4. Hardening Guide
4.1. Network Security
The host in which resides LeanXcale should only have opened the ports for connecting client applications with LeanXcale. The firewall of the host has to be exclusively opened to the IPs from the hosts where the client application(s) are running. It must not be opened to anyone in the Internet. In Ubuntu, you can set up and manage the firewall using a utility called ufw (Uncomplicated Firewall), which provides a straightforward command-line interface for configuring firewall rules.
In here you can find how to setup the ubuntu firewall: https://ubuntu.com/server/docs/security-firewall
4.2. Least Privilege Principle
Each role in your organization should get only the minimum privileges for performing his/her role, and no more. LXADMIN access should be limited to the administrators of the database. Create roles for each different activity on the database, such as developer, user, etc. Each person should have a different user. Strong password selection should be enforced.
4.3. Change Defaults
A good practice is to change the default ports, so the attacker has harder time to identify them. You can change the default ports in the configuration file. In particular, the network address used by LeanXcale to listen for client connections is 14420. You can change the port indicating in the configuration file which port you want to use for the query engine (lxque), for instance, port 3444:
host atlantis
lxqe
addr atlantis!3444
4.4. Use Encryption
Use encryption in the client-server communication activating TLS. It will prevent an attacker that gained access to your network from seeing the contents of the messages exchanged between your application and the database server.
You can enforce to always used encryption to communicate with LeanXcale setting the tls global property in the configuration file when installing:
tls host atlantis
Or it can be indicated as a parameter when installing with lxinst:
unix$ lxinst tls /usr/local/leanxcale
This will enforce to SQL console to use TLS in its connection.
Client applications should use the 'tls=yes' property in the driver connection string.
Activate storage encryption to prevent that an attacker getting access to the device physically or through the host to see the stored data.