Comments (21)
- To add support for Postgres, TiDB or other databases, you need to add files like https://github.com/apache/shardingsphere/tree/master/mode%2Ftype%2Fstandalone%2Frepository%2Fprovider%2Fjdbc%2Fsrc%2Fmain%2Fresources%2Fsql to the /sql/ folder of the project's classpath. These XML files define how ShardingSphere CRUDs the database to save metadata. These files do not take into account SPI.
- Or you can use cluster mode, in which case the metadata is in ZooKeeper etc.
- IMHO, the original CVE description is illogical, as h2database V2 does not allow access to the web console by default. This CVE is for the com.datomic:datomic-free dependency. For this CVE, the maintainer has requested to revoke the CVE, and you can see that the CVE has been marked as disputed.
from shardingsphere.
- I tend to think this is a false positive from a low-quality security platform, since CVE-2018-10054, as pointed out by https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685, almost doesn't matter to com.h2database:h2. This CVE comes from com.datomic:datomic-free, which org.apache.shardingsphere:shardingsphere-jdbc does not depend on. Refer to GHSA-9pf8-qqhm-7w64.
- I recommend you check further with Snyk.
from shardingsphere.
I don't think this is a false positive from Snyk; here are the details I provided:
As you can see from the report, the current issue comes from shardingsphere-jdbc-core -> shardingsphere-standalone-model-repository-jdbc -> h2
from shardingsphere.
I found from the documentation that when I use Mode: Standalone I have to use H2 or MySQL to load my metadata, but we did not use the above databases. Is there any way to remove h2database from the source code?
from shardingsphere.
- Snyk only reported CVE-2018-10054, which is not specific to h2database. You need to check the original report of the CVE.
- You can set the place to keep metadata to another JDBC URL, whether it is MySQL or PostgreSQL.
from shardingsphere.
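The answer above ("set the place to keep metadata to another JDBC URL") refers to the Standalone mode repository properties. The YAML below is an added example written for this page, not configuration from the thread or copied from the project's docs: it shows the default embedded H2 repository beside a MySQL-backed one. The property names (provider, jdbc_url, username, password) are the 5.4.x JDBC repository keys; the host, schema, account, connector parameters and the environment variable name are placeholders chosen here.

```yaml
# Added example. By default, Standalone mode keeps metadata in an embedded H2 database:
#
# mode:
#   type: Standalone
#   repository:
#     type: JDBC
#     props:
#       provider: H2
#       jdbc_url: jdbc:h2:mem:config;DB_CLOSE_DELAY=-1;DATABASE_TO_UPPER=false;MODE=MYSQL
#       username: sa
#       password: ""
#
# Pointing the same repository at MySQL means the embedded H2 engine is never opened.
# The com.h2database:h2 jar still sits on the classpath unless it is excluded in the build,
# so scanners that flag the artifact rather than its use will keep reporting it.
mode:
  type: Standalone
  repository:
    type: JDBC
    props:
      provider: MySQL
      # Placeholder host, schema and account (assumption). Grant this account DML on the
      # metadata schema only; it does not need access to the sharded business databases.
      # sslMode=REQUIRED is a MySQL Connector/J 8 parameter.
      jdbc_url: jdbc:mysql://metadata-db.internal:3306/shardingsphere_metadata?sslMode=REQUIRED&serverTimezone=UTC
      username: ss_metadata
      # Resolved from the process environment when the file is loaded through
      # jdbc:shardingsphere:classpath:config.yaml?placeholder-type=environment
      # ($${NAME::default} is the 5.4.1 placeholder form that appears later in this thread),
      # so the credential never sits in the checked-in YAML.
      password: $${SS_METADATA_DB_PASSWORD::}
```

The placeholder keeps the metadata-repository password out of the file, but the variable is still plaintext in the environment of the JVM; it is a file-at-rest measure, not protection against anyone who can read the running process.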
Snyk reported https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-2331071, please double check this high issue.
h2database is imported from shardingsphere 5.4.1.
To be honest, keeping metadata only in H2 or MySQL is not a good idea. As you know, sometimes we have no choice; at this moment we only use MSSQL, but Snyk reported SNYK-JAVA-COMH2DATABASE-2331071 for metadata in H2. Is it true that we have to build another MySQL for metadata? I think that is very funny!
from shardingsphere.
- You can set the place to keep metadata to another JDBC URL, whether it is MySQL or PostgreSQL.
If I don't use h2database and MySQL to save my metadata, what should I do? Is there any corresponding documentation? Because I found in the documentation that Database Repository only supports H2 and MySQL.
from shardingsphere.
Thank you for your suggestion, let us try it.
from shardingsphere.
- It's hard to say what the significance of this issue is, because the h2database team does not think this CVE is meaningful. Unless someone plans to provide the ShardingSphere Standalone mode implementation for org.hsqldb:hsqldb:2.7.2 or org.apache.derby:derby:10.17.1.0, two of the alternatives to h2database.
from shardingsphere.
I have another question about encrypting the DB password in shardingsphere 5.4.1.
Could you provide a suggestion for encrypting the DB password?
from shardingsphere.
- If you're referring to encrypting a metadata entry in the ZooKeeper or H2database Metadata Repository that stores a database password, this requires a separate mode SPI implementation.
- And considering the US export controls and China export controls that come with the concept of encryption algorithms, which also involve Apache LICENSE conflicts with regulatory approaches, you'll want to consider a closed source implementation of your own.
- If you just need to encrypt a local YAML configuration file, you can do this in a separate org.apache.shardingsphere.infra.url.ShardingSphereURLLoader implementation, such as MD5 salted with a private key. Refer to https://shardingsphere.apache.org/document/current/en/user-manual/shardingsphere-jdbc/yaml-config/jdbc-driver/known-implementation/ .
- IMHO, this topic has gone beyond the current issue description, and I fully recommend opening a new issue.
from shardingsphere.
I have checked shardingsphere 5.4.1, https://github.com/apache/shardingsphere/tree/5.4.1/infra/executor/src
There is no class org.apache.shardingsphere.infra.url.ShardingSphereURLLoader there.
org.apache.shardingsphere:shardingsphere-infra-url:5.4.2-SNAPSHOT
I just need to encrypt a local YAML configuration file.
from shardingsphere.
- @20001931 I remember another PMC member and I refactored the related SPI design to support potential file transformations at the 5.5.0 milestone, so you need to manually compile the master branch at this stage.
- As for when 5.5.0 will be released, this is not a question that can be discussed on github.com; you need to go to the shardingsphere mailing list to discuss it.
from shardingsphere.
I have another question about decrypting the DB password in shardingsphere 5.4.1.
As you know, I have encrypted the DB password in the classpath YAML.
But where can I intercept the code where ShardingSphere reads the classpath YAML?
url: jdbc:shardingsphere:classpath:sharding-dev.yaml?placeholder-type=system_props
password: $${fixture.config.driver.password::}
I know I can use URLArgumentLineRender to replace $${}, but where can I intercept the code where ShardingSphere actively reads the classpath YAML?
from shardingsphere.
- I'm not sure what you are talking about. A custom implementation of org.apache.shardingsphere.infra.url.ShardingSphereURLLoader can place the key of a certain private key inside. When such an implementation exists, you can directly reference the YAML file containing the encryption information. I assume that the string returned by your implementation of getType() is classpath-with-encrypt.
jdbc:shardingsphere:classpath-with-encrypt:config.yaml
org.apache.shardingsphere.infra.url.ShardingSphereURLLoader can also read JDBC URL parameters; it depends on whether you need to pass in the public key for verification.
- This is completely beyond what the issue describes. I don't think there's any way to handle a PR without opening a new issue.
from shardingsphere.
You did not get my point. I know how to use ShardingSphereURLLoader to read the YAML file, but I need to intercept the code jdbcRepositoryProps.getValue(JDBCRepositoryPropertyKey.PASSWORD)).
The password is the one I have encrypted in the YAML file.
I need to decrypt this password and return the ShardingSphere dataSource.
You cannot intercept the ShardingSphere dataSource if you just provide a custom implementation of ShardingSphereURLLoader.
May I know how to intercept props in JDBCRepositoryProperties jdbcRepositoryProps = new JDBCRepositoryProperties(props);
I need to change props before JDBCRepository init.
from shardingsphere.
- The easiest way to do this is to implement a custom Mode, which is a repeatable operation.
from shardingsphere.
Could you share more details? Where can I find a code template?
Do you mean using the SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository pointed at a custom implementation class?
from shardingsphere.
- The answer is yes. See https://shardingsphere.apache.org/document/current/en/dev-manual/mode/. I still don't think that encrypting entries within a YAML file requires a reimplementation of Mode, as you said earlier, only encrypting local files.
- It's hard to say what the reference template is, since under normal circumstances the JDBC implementations cover most scenarios. Just refer to the processing of normal unit tests.
from shardingsphere.
I got your point. You mean I need to change the SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository to a custom implementation class, for example JDBCRepositoryAli.class, so I will control dataSource init, is that right?
from shardingsphere.
I got your point. You mean I need to change the SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository to a custom implementation class, for example JDBCRepositoryAli.class, so I will control dataSource init, is that right?
- Yes.
from shardingsphere.
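The approach the thread settles on is a custom StandalonePersistRepository that controls the properties before JDBCRepository initializes. The class below is an added example written for this page, not code from the ShardingSphere project or from anyone in the thread. It wraps the stock JDBCRepository and decrypts the repository password with AES-256-GCM before delegating init(). Assumptions made here: the package, class and type name (JDBC_ENC), the ENC(base64) envelope, the SS_METADATA_KEK environment variable that carries the key, the JDBCRepositoryPropertyKey import location, and the delegated method set, which mirrors the 5.4.1 PersistRepository interface and must be adjusted if your version differs. A password has to be recoverable at startup, so an authenticated cipher is used rather than a hash.

```java
// Added example (not ShardingSphere project code). Decrypts the metadata repository
// password before the stock JDBCRepository sees it. Package, class and type names,
// the ENC(...) envelope and the SS_METADATA_KEK variable are assumptions made here.
package com.example.shardingsphere.mode;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository;
import org.apache.shardingsphere.mode.repository.standalone.jdbc.JDBCRepository;
import org.apache.shardingsphere.mode.repository.standalone.jdbc.props.JDBCRepositoryPropertyKey; // 5.4.1 location (assumption)

/**
 * Selected with mode.repository.type: JDBC_ENC and registered in
 * META-INF/services/org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository.
 * Everything except init() is delegated; the delegated method set mirrors the 5.4.1
 * PersistRepository interface and must be adjusted if your version differs.
 */
public final class EncryptedPasswordJDBCRepository implements StandalonePersistRepository {

    private static final String ENVELOPE_PREFIX = "ENC(";
    private static final String KEY_ENV = "SS_METADATA_KEK";   // base64 of a 32-byte AES key (assumption)
    private static final int NONCE_BYTES = 12;                 // 96-bit GCM nonce, prepended to the ciphertext
    private static final int TAG_BITS = 128;

    private final JDBCRepository delegate = new JDBCRepository();

    @Override
    public void init(final Properties props) {
        // Work on a copy so the caller's Properties (and anything that logs it) never holds the plaintext.
        Properties resolved = new Properties();
        resolved.putAll(props);
        String passwordKey = JDBCRepositoryPropertyKey.PASSWORD.getKey();
        String configured = props.getProperty(passwordKey);
        if (configured != null && configured.startsWith(ENVELOPE_PREFIX) && configured.endsWith(")")) {
            String body = configured.substring(ENVELOPE_PREFIX.length(), configured.length() - 1);
            resolved.setProperty(passwordKey, decrypt(body, loadKeyFromEnvironment()));
        }
        delegate.init(resolved);
    }

    /** AES-256-GCM. Input is base64(nonce || ciphertext || tag). Fails closed on a bad tag or wrong key. */
    static String decrypt(final String base64Envelope, final byte[] key) {
        byte[] blob = Base64.getDecoder().decode(base64Envelope);
        if (blob.length <= NONCE_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("ENC(...) payload is too short to contain a nonce and a tag");
        }
        byte[] nonce = Arrays.copyOfRange(blob, 0, NONCE_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, NONCE_BYTES, blob.length);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
            return new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
        } catch (final GeneralSecurityException ex) {
            // AEADBadTagException ends up here: wrong key or tampered YAML. Never fall back to the raw value.
            throw new IllegalStateException("metadata repository password could not be decrypted", ex);
        }
    }

    private static byte[] loadKeyFromEnvironment() {
        String encoded = System.getenv(KEY_ENV);
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException(KEY_ENV + " is not set; refusing to start with an ENC(...) password");
        }
        byte[] key = Base64.getDecoder().decode(encoded);
        if (key.length != 32) {
            throw new IllegalStateException(KEY_ENV + " must decode to 32 bytes for AES-256");
        }
        return key;
    }

    @Override public String getDirectly(final String key) { return delegate.getDirectly(key); }
    @Override public List<String> getChildrenKeys(final String key) { return delegate.getChildrenKeys(key); }
    @Override public boolean isExisted(final String key) { return delegate.isExisted(key); }
    @Override public void persist(final String key, final String value) { delegate.persist(key, value); }
    @Override public void update(final String key, final String value) { delegate.update(key, value); }
    @Override public void delete(final String key) { delegate.delete(key); }
    @Override public void close() { delegate.close(); }

    @Override public String getType() { return "JDBC_ENC"; }   // the value referenced by mode.repository.type
}
```

The encrypting side is the mirror image: generate a fresh 12-byte nonce per value, run AES/GCM/NoPadding in ENCRYPT_MODE with the same 32-byte key, base64-encode nonce followed by ciphertext and tag, and store it as ENC(...) under the repository's password property. The data-source passwords in the same YAML are a separate problem; this repository only ever sees the metadata-repository properties, which is why the thread distinguishes it from a ShardingSphereURLLoader that rewrites the whole file. Note also what the key in the environment buys you: the YAML can be committed and reviewed without the credential, and a stolen file is useless without SS_METADATA_KEK, but anyone who can read the process environment holds the key and therefore the password.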