diff --git a/src/.vuepress/sidebar/V2.0.x/en-Table.ts b/src/.vuepress/sidebar/V2.0.x/en-Table.ts
index a7a75a2c4..3cd9b729e 100644
--- a/src/.vuepress/sidebar/V2.0.x/en-Table.ts
+++ b/src/.vuepress/sidebar/V2.0.x/en-Table.ts
@@ -108,7 +108,7 @@ export const enSidebar = {
 { text: 'Data Sync', link: 'Data-Sync_apache' },
 { text: 'UDF', link: 'User-defined-function' },
 {
- text: 'Security Permissions',
+ text: 'Security Management',
 collapsible: true,
 children: [
 { text: 'Authority Management', link: 'Authority-Management_apache' },
diff --git a/src/.vuepress/sidebar/V2.0.x/en-Tree.ts b/src/.vuepress/sidebar/V2.0.x/en-Tree.ts
index 93bde9537..cd18177ad 100644
--- a/src/.vuepress/sidebar/V2.0.x/en-Tree.ts
+++ b/src/.vuepress/sidebar/V2.0.x/en-Tree.ts
@@ -127,7 +127,7 @@ export const enSidebar = {
 },
 { text: 'UDF', link: 'User-defined-function_apache' },
 {
- text: 'Security Permissions',
+ text: 'Security Management',
 collapsible: true,
 children: [{ text: 'Permission Management', link: 'Authority-Management_apache' }],
 },
diff --git a/src/.vuepress/sidebar/V2.0.x/zh-Table.ts b/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
index 6d555172e..6b35195b9 100644
--- a/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
+++ b/src/.vuepress/sidebar/V2.0.x/zh-Table.ts
@@ -108,7 +108,7 @@ export const zhSidebar = {
 { text: '数据同步', link: 'Data-Sync_apache' },
 { text: 'UDF', link: 'User-defined-function' },
 {
- text: '安全权限',
+ text: '安全管理',
 collapsible: true,
 children: [{ text: '权限管理', link: 'Authority-Management_apache' }],
 },
diff --git a/src/.vuepress/sidebar/V2.0.x/zh-Tree.ts b/src/.vuepress/sidebar/V2.0.x/zh-Tree.ts
index 499781c1e..cd66f816e 100644
--- a/src/.vuepress/sidebar/V2.0.x/zh-Tree.ts
+++ b/src/.vuepress/sidebar/V2.0.x/zh-Tree.ts
@@ -118,7 +118,7 @@ export const zhSidebar = {
 },
 { text: 'UDF', link: 'User-defined-function_apache' },
 {
- text: '安全权限',
+ text: '安全管理',
 collapsible: true,
 children: [{ text: '权限管理', link: 'Authority-Management_apache' }],
 },
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts b/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
index d651f24d8..58b7ccd82 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/en-Table.ts
@@ -125,10 +125,11 @@ export const enSidebar = {
 { text: 'Data Sync', link: 'Data-Sync_timecho' },
 { text: 'UDF', link: 'User-defined-function' },
 {
- text: 'Security Permissions',
+ text: 'Security Management',
 collapsible: true,
 children: [
 { text: 'Authority Management', link: 'Authority-Management_timecho' },
+ { text: 'Black White List', link: 'Black-White-List_timecho' },
 ],
 },
 { text: 'Tiered Storage', link: 'Tiered-Storage_timecho' },
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/en-Tree.ts b/src/.vuepress/sidebar_timecho/V2.0.x/en-Tree.ts
index 438a6ac4c..46f077ac3 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/en-Tree.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/en-Tree.ts
@@ -147,11 +147,11 @@ export const enSidebar = {
 { text: 'UDF', link: 'User-defined-function_timecho' },
 { text: 'View', link: 'IoTDB-View_timecho' },
 {
- text: 'Security Permissions',
+ text: 'Security Management',
 collapsible: true,
 children: [
 { text: 'Permission Management', link: 'Authority-Management_timecho' },
- { text: 'White List', link: 'White-List_timecho' },
+ { text: 'Black White List', link: 'Black-White-List_timecho' },
 { text: 'Security Audit', link: 'Audit-Log_timecho' },
 ],
 },
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
index 58806cccd..8471a9467 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Table.ts
@@ -116,9 +116,12 @@ export const zhSidebar = {
 { text: '数据同步', link: 'Data-Sync_timecho' },
 { text: 'UDF', link: 'User-defined-function' },
 {
- text: '安全权限',
+ text: '安全管理',
 collapsible: true,
- children: [{ text: '权限管理', link: 'Authority-Management_timecho' }],
+ children: [
+ { text: '权限管理', link: 'Authority-Management_timecho' },
+ { text: '黑白名单', link: 'Black-White-List_timecho' },
+ ],
 },
 { text: '多级存储', link: 'Tiered-Storage_timecho' },
 { text: '树转表视图', link: 'Tree-to-Table' },
diff --git a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Tree.ts b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Tree.ts
index 7251ea165..778c57839 100644
--- a/src/.vuepress/sidebar_timecho/V2.0.x/zh-Tree.ts
+++ b/src/.vuepress/sidebar_timecho/V2.0.x/zh-Tree.ts
@@ -129,11 +129,11 @@ export const zhSidebar = {
 { text: 'UDF', link: 'User-defined-function_timecho' },
 { text: '视图', link: 'IoTDB-View_timecho' },
 {
- text: '安全权限',
+ text: '安全管理',
 collapsible: true,
 children: [
 { text: '权限管理', link: 'Authority-Management_timecho' },
- { text: '白名单', link: 'White-List_timecho' },
+ { text: '黑白名单', link: 'Black-White-List_timecho' },
 { text: '安全审计', link: 'Audit-Log_timecho' },
 ],
 },
diff --git a/src/UserGuide/Master/Table/User-Manual/Black-White-List_timecho.md b/src/UserGuide/Master/Table/User-Manual/Black-White-List_timecho.md
new file mode 100644
index 000000000..dceab5681
--- /dev/null
+++ b/src/UserGuide/Master/Table/User-Manual/Black-White-List_timecho.md
@@ -0,0 +1,78 @@
+
+
+# Black White List
+
+## 1. Introduction
+
+IoTDB is a time-series database designed for IoT scenarios, supporting efficient data storage, query, and analysis. With the widespread application of IoT technology, data security and access control have become critical. In open environments, ensuring secure data access for legitimate users presents a key challenge. The whitelist mechanism allows only trusted IPs or users to connect, reducing the attack surface at the source. The blacklist function can block malicious IPs in real time in edge-cloud collaborative scenarios, preventing unauthorized access, SQL injection, brute‑force attacks, DDoS, and other threats, thereby providing continuous and stable security for data transmission.
+
+> Note: This feature is available starting from version 2.0.6.
+
+## 2. Whitelist
+
+### 2.1 Function Description
+
+By enabling the whitelist function and configuring the whitelist, client addresses allowed to connect to IoTDB are specified. Only clients within the whitelist can access IoTDB, achieving security control.
+
+### 2.2 Configuration Parameters
+
+Administrators can enable/disable the whitelist function and add, modify, or delete whitelist IPs/IP segments in the following two ways:
+
+* Edit the configuration file `iotdb‑system.properties`.
+* Use the `set configuration` statement.
+ * Table model reference: [set configuration](../SQL-Manual/SQL-Maintenance-Statements.md#_2-2-update-configuration-items)
+
+Related parameters are as follows:
+
+| Name | Description | Default Value | Effective Mode | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------------- | ------------------------------------------------------------------- |
+| `enable_white_list` | Whether to enable the whitelist function. true: enable; false: disable. The value is case‑insensitive. 
| false | Hot reload | `set enable_white_list = 'true'` |
+| `white_ip_list` | Add, modify, or delete whitelist IPs/IP segments. Supports exact match and the \* wildcard. Multiple IPs are separated by commas. | empty | Hot reload | `set white_ip_list='192.168.1.200,192.168.1.201,192.168.1.*'` |
+
+## 3. Blacklist
+
+### 3.1 Function Description
+
+By enabling the blacklist function and configuring the blacklist, certain specific IP addresses are prevented from accessing the database, guarding against unauthorized access, SQL injection, brute‑force attacks, DDoS attacks, and other security threats, thereby ensuring the security and stability of data transmission.
+
+### 3.2 Configuration Parameters
+
+Administrators can enable/disable the blacklist function and add, modify, or delete blacklist IPs/IP segments in the following two ways:
+
+* Edit the configuration file `iotdb‑system.properties`.
+* Use the `set configuration`statement.
+ * Table model reference:[set configuration](../SQL-Manual/SQL-Maintenance-Statements.md#_2-2-update-configuration-items)
+
+Related parameters are as follows:
+
+| Name | Description | Default Value | Effective Mode | Example |
+|---------------------| ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------------- | ------------------------------------------------------------------- |
+| `enable_black_list` | Whether to enable the blacklist function. true: enable; false: disable. The value is case‑insensitive. | false | Hot reload | `set enable_black_list = 'true'` |
+| `black_ip_list` | Add, modify, or delete blacklist IPs/IP segments. Supports exact match and the \* wildcard. Multiple IPs are separated by commas. | empty | Hot reload | `set black_ip_list='192.168.1.200,192.168.1.201,192.168.1.*'` |
+
+## 4. Notes
+
+1. After the whitelist is enabled, if the list is empty, all connections are denied. 
If the local IP is not included, local login is denied.
+2. When the same IP appears in both the whitelist and blacklist, the blacklist takes precedence.
+3. The system validates the IP format. Invalid entries will cause an error when the user connects and be skipped, without affecting the loading of other valid IPs.
+4. Duplicate IPs in the configuration are supported; they are automatically deduplicated in memory without notification. For manual deduplication, edit the configuration accordingly.
+5. Blacklist/whitelist rules only apply to new connections. Existing connections before enabling the function are not affected; they will be intercepted only upon subsequent reconnection.
diff --git a/src/UserGuide/Master/Tree/QuickStart/QuickStart_timecho.md b/src/UserGuide/Master/Tree/QuickStart/QuickStart_timecho.md
index 4b86833e5..ab5818efe 100644
--- a/src/UserGuide/Master/Tree/QuickStart/QuickStart_timecho.md
+++ b/src/UserGuide/Master/Tree/QuickStart/QuickStart_timecho.md
@@ -70,7 +70,7 @@ This guide will assist you in quickly installing and deploying IoTDB. You can qu
 - Stream Framework: [Stream Framework](../User-Manual/Streaming_timecho.md)
- - Security Management: [Security Management](../User-Manual/White-List_timecho.md)
+ - Security Management: [Security Management](../User-Manual/Black-White-List_timecho.md)
 - Database Administration: [Database Administration](../User-Manual/Authority-Management_timecho.md)
diff --git a/src/UserGuide/Master/Tree/User-Manual/Black-White-List_timecho.md b/src/UserGuide/Master/Tree/User-Manual/Black-White-List_timecho.md
new file mode 100644
index 000000000..2692edd4a
--- /dev/null
+++ b/src/UserGuide/Master/Tree/User-Manual/Black-White-List_timecho.md
@@ -0,0 +1,78 @@
+
+
+# Black White List
+
+## 1. Introduction
+
+IoTDB is a time-series database designed for IoT scenarios, supporting efficient data storage, query, and analysis. With the widespread application of IoT technology, data security and access control have become critical. In open environments, ensuring secure data access for legitimate users presents a key challenge. The whitelist mechanism allows only trusted IPs or users to connect, reducing the attack surface at the source. The blacklist function can block malicious IPs in real time in edge-cloud collaborative scenarios, preventing unauthorized access, SQL injection, brute‑force attacks, DDoS, and other threats, thereby providing continuous and stable security for data transmission.
+
+> Note: This feature is available starting from version 2.0.6.
+
+## 2. Whitelist
+
+### 2.1 Function Description
+
+By enabling the whitelist function and configuring the whitelist, client addresses allowed to connect to IoTDB are specified. Only clients within the whitelist can access IoTDB, achieving security control.
+
+### 2.2 Configuration Parameters
+
+Administrators can enable/disable the whitelist function and add, modify, or delete whitelist IPs/IP segments in the following two ways:
+
+* Edit the configuration file `iotdb‑system.properties`.
+* Use the `set configuration` statement.
+ * Tree model reference: [set configuration](../Reference/Modify-Config-Manual.md)
+
+Related parameters are as follows:
+
+| Name | Description | Default Value | Effective Mode | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------------- | ------------------------------------------------------------------- |
+| `enable_white_list` | Whether to enable the whitelist function. true: enable; false: disable. The value is case‑insensitive. 
| false | Hot reload | `set enable_white_list = 'true'` |
+| `white_ip_list` | Add, modify, or delete whitelist IPs/IP segments. Supports exact match and the \* wildcard. Multiple IPs are separated by commas. | empty | Hot reload | `set white_ip_list='192.168.1.200,192.168.1.201,192.168.1.*'` |
+
+## 3. Blacklist
+
+### 3.1 Function Description
+
+By enabling the blacklist function and configuring the blacklist, certain specific IP addresses are prevented from accessing the database, guarding against unauthorized access, SQL injection, brute‑force attacks, DDoS attacks, and other security threats, thereby ensuring the security and stability of data transmission.
+
+### 3.2 Configuration Parameters
+
+Administrators can enable/disable the blacklist function and add, modify, or delete blacklist IPs/IP segments in the following two ways:
+
+* Edit the configuration file `iotdb‑system.properties`.
+* Use the `set configuration`statement.
+ * Tree model reference:[set configuration](../Reference/Modify-Config-Manual.md)
+
+Related parameters are as follows:
+
+| Name | Description | Default Value | Effective Mode | Example |
+|---------------------| ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------------- | ------------------------------------------------------------------- |
+| `enable_black_list` | Whether to enable the blacklist function. true: enable; false: disable. The value is case‑insensitive. | false | Hot reload | `set enable_black_list = 'true'` |
+| `black_ip_list` | Add, modify, or delete blacklist IPs/IP segments. Supports exact match and the \* wildcard. Multiple IPs are separated by commas. | empty | Hot reload | `set black_ip_list='192.168.1.200,192.168.1.201,192.168.1.*'` |
+
+## 4. Notes
+
+1. After the whitelist is enabled, if the list is empty, all connections are denied. If the local IP is not included, local login is denied.
+2. 
When the same IP appears in both the whitelist and blacklist, the blacklist takes precedence.
+3. The system validates the IP format. Invalid entries will cause an error when the user connects and be skipped, without affecting the loading of other valid IPs.
+4. Duplicate IPs in the configuration are supported; they are automatically deduplicated in memory without notification. For manual deduplication, edit the configuration accordingly.
+5. Blacklist/whitelist rules only apply to new connections. Existing connections before enabling the function are not affected; they will be intercepted only upon subsequent reconnection.
diff --git a/src/UserGuide/Master/Tree/User-Manual/White-List_timecho.md b/src/UserGuide/Master/Tree/User-Manual/White-List_timecho.md
deleted file mode 100644
index ae49c1648..000000000
--- a/src/UserGuide/Master/Tree/User-Manual/White-List_timecho.md
+++ /dev/null
@@ -1,70 +0,0 @@
-
-
-# White List
-
-## 1. **Function Description**
-
-Allow which client addresses can connect to IoTDB
-
-## 2. **Configuration File**
-
-conf/iotdb-system.properties
-
-conf/white.list
-
-## 3. **Configuration Item**
-
-iotdb-system.properties:
-
-Decide whether to enable white list
-
-```YAML
-
-# Whether to enable white list
-enable_white_list=true
-```
-
-white.list:
-
-Decide which IP addresses can connect to IoTDB
-
-```YAML
-# Support for annotation
-# Supports precise matching, one IP per line
-10.2.3.4
-
-# Support for * wildcards, one ip per line
-10.*.1.3
-10.100.0.*
-```
-
-## 4. **Note**
-
-1. If the white list itself is cancelled via the session client, the current connection is not immediately disconnected. It is rejected the next time the connection is created.
-2. If white.list is modified directly, it takes effect within one minute. If modified via the session client, it takes effect immediately, updating the values in memory and the white.list disk file.
-3. Enable the whitelist function, there is no white.list file, start the DB service successfully, however, all connections are rejected.
-4. while DB service is running, the white.list file is deleted, and all connections are denied after up to one minute.
-5. whether to enable the configuration of the white list function, can be hot loaded.
-6. Use the Java native interface to modify the whitelist, must be the root user to modify, reject non-root user to modify; modify the content must be legal, otherwise it will throw a StatementExecutionException.
-
-![](/img/%E7%99%BD%E5%90%8D%E5%8D%95.png)
-
diff --git a/src/UserGuide/latest-Table/User-Manual/Black-White-List_timecho.md b/src/UserGuide/latest-Table/User-Manual/Black-White-List_timecho.md
new file mode 100644
index 000000000..dceab5681
--- /dev/null
+++ b/src/UserGuide/latest-Table/User-Manual/Black-White-List_timecho.md
@@ -0,0 +1,78 @@
+
+
+# Black White List
+
+## 1. Introduction
+
+IoTDB is a time-series database designed for IoT scenarios, supporting efficient data storage, query, and analysis. With the widespread application of IoT technology, data security and access control have become critical. In open environments, ensuring secure data access for legitimate users presents a key challenge. The whitelist mechanism allows only trusted IPs or users to connect, reducing the attack surface at the source. The blacklist function can block malicious IPs in real time in edge-cloud collaborative scenarios, preventing unauthorized access, SQL injection, brute‑force attacks, DDoS, and other threats, thereby providing continuous and stable security for data transmission.
+
+> Note: This feature is available starting from version 2.0.6.
+
+## 2. Whitelist
+
+### 2.1 Function Description
+
+By enabling the whitelist function and configuring the whitelist, client addresses allowed to connect to IoTDB are specified. Only clients within the whitelist can access IoTDB, achieving security control.
+
+### 2.2 Configuration Parameters
+
+Administrators can enable/disable the whitelist function and add, modify, or delete whitelist IPs/IP segments in the following two ways:
+
+* Edit the configuration file `iotdb‑system.properties`.
+* Use the `set configuration` statement.
+ * Table model reference: [set configuration](../SQL-Manual/SQL-Maintenance-Statements.md#_2-2-update-configuration-items)
+
+Related parameters are as follows:
+
+| Name | Description | Default Value | Effective Mode | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------------- | ------------------------------------------------------------------- |
+| `enable_white_list` | Whether to enable the whitelist function. true: enable; false: disable. The value is case‑insensitive. 
| false | Hot reload | `set enable_white_list = 'true'` |
+| `white_ip_list` | Add, modify, or delete whitelist IPs/IP segments. Supports exact match and the \* wildcard. Multiple IPs are separated by commas. | empty | Hot reload | `set white_ip_list='192.168.1.200,192.168.1.201,192.168.1.*'` |
+
+## 3. Blacklist
+
+### 3.1 Function Description
+
+By enabling the blacklist function and configuring the blacklist, certain specific IP addresses are prevented from accessing the database, guarding against unauthorized access, SQL injection, brute‑force attacks, DDoS attacks, and other security threats, thereby ensuring the security and stability of data transmission.
+
+### 3.2 Configuration Parameters
+
+Administrators can enable/disable the blacklist function and add, modify, or delete blacklist IPs/IP segments in the following two ways:
+
+* Edit the configuration file `iotdb‑system.properties`.
+* Use the `set configuration`statement.
+ * Table model reference:[set configuration](../SQL-Manual/SQL-Maintenance-Statements.md#_2-2-update-configuration-items)
+
+Related parameters are as follows:
+
+| Name | Description | Default Value | Effective Mode | Example |
+|---------------------| ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------------- | ------------------------------------------------------------------- |
+| `enable_black_list` | Whether to enable the blacklist function. true: enable; false: disable. The value is case‑insensitive. | false | Hot reload | `set enable_black_list = 'true'` |
+| `black_ip_list` | Add, modify, or delete blacklist IPs/IP segments. Supports exact match and the \* wildcard. Multiple IPs are separated by commas. | empty | Hot reload | `set black_ip_list='192.168.1.200,192.168.1.201,192.168.1.*'` |
+
+## 4. Notes
+
+1. After the whitelist is enabled, if the list is empty, all connections are denied. 
If the local IP is not included, local login is denied.
+2. When the same IP appears in both the whitelist and blacklist, the blacklist takes precedence.
+3. The system validates the IP format. Invalid entries will cause an error when the user connects and be skipped, without affecting the loading of other valid IPs.
+4. Duplicate IPs in the configuration are supported; they are automatically deduplicated in memory without notification. For manual deduplication, edit the configuration accordingly.
+5. Blacklist/whitelist rules only apply to new connections. Existing connections before enabling the function are not affected; they will be intercepted only upon subsequent reconnection.
diff --git a/src/UserGuide/latest/QuickStart/QuickStart_timecho.md b/src/UserGuide/latest/QuickStart/QuickStart_timecho.md
index 4b86833e5..ab5818efe 100644
--- a/src/UserGuide/latest/QuickStart/QuickStart_timecho.md
+++ b/src/UserGuide/latest/QuickStart/QuickStart_timecho.md
@@ -70,7 +70,7 @@ This guide will assist you in quickly installing and deploying IoTDB. You can qu
 - Stream Framework: [Stream Framework](../User-Manual/Streaming_timecho.md)
- - Security Management: [Security Management](../User-Manual/White-List_timecho.md)
+ - Security Management: [Security Management](../User-Manual/Black-White-List_timecho.md)
 - Database Administration: [Database Administration](../User-Manual/Authority-Management_timecho.md)
diff --git a/src/UserGuide/latest/User-Manual/Black-White-List_timecho.md b/src/UserGuide/latest/User-Manual/Black-White-List_timecho.md
new file mode 100644
index 000000000..2692edd4a
--- /dev/null
+++ b/src/UserGuide/latest/User-Manual/Black-White-List_timecho.md
@@ -0,0 +1,78 @@
+
+
+# Black White List
+
+## 1. Introduction
+
+IoTDB is a time-series database designed for IoT scenarios, supporting efficient data storage, query, and analysis. With the widespread application of IoT technology, data security and access control have become critical. In open environments, ensuring secure data access for legitimate users presents a key challenge. The whitelist mechanism allows only trusted IPs or users to connect, reducing the attack surface at the source. The blacklist function can block malicious IPs in real time in edge-cloud collaborative scenarios, preventing unauthorized access, SQL injection, brute‑force attacks, DDoS, and other threats, thereby providing continuous and stable security for data transmission.
+
+> Note: This feature is available starting from version 2.0.6.
+
+## 2. Whitelist
+
+### 2.1 Function Description
+
+By enabling the whitelist function and configuring the whitelist, client addresses allowed to connect to IoTDB are specified. Only clients within the whitelist can access IoTDB, achieving security control.
+
+### 2.2 Configuration Parameters
+
+Administrators can enable/disable the whitelist function and add, modify, or delete whitelist IPs/IP segments in the following two ways:
+
+* Edit the configuration file `iotdb‑system.properties`.
+* Use the `set configuration` statement.
+ * Tree model reference: [set configuration](../Reference/Modify-Config-Manual.md)
+
+Related parameters are as follows:
+
+| Name | Description | Default Value | Effective Mode | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------------- | ------------------------------------------------------------------- |
+| `enable_white_list` | Whether to enable the whitelist function. true: enable; false: disable. The value is case‑insensitive. 
| false | Hot reload | `set enable_white_list = 'true'` |
+| `white_ip_list` | Add, modify, or delete whitelist IPs/IP segments. Supports exact match and the \* wildcard. Multiple IPs are separated by commas. | empty | Hot reload | `set white_ip_list='192.168.1.200,192.168.1.201,192.168.1.*'` |
+
+## 3. Blacklist
+
+### 3.1 Function Description
+
+By enabling the blacklist function and configuring the blacklist, certain specific IP addresses are prevented from accessing the database, guarding against unauthorized access, SQL injection, brute‑force attacks, DDoS attacks, and other security threats, thereby ensuring the security and stability of data transmission.
+
+### 3.2 Configuration Parameters
+
+Administrators can enable/disable the blacklist function and add, modify, or delete blacklist IPs/IP segments in the following two ways:
+
+* Edit the configuration file `iotdb‑system.properties`.
+* Use the `set configuration`statement.
+ * Tree model reference:[set configuration](../Reference/Modify-Config-Manual.md)
+
+Related parameters are as follows:
+
+| Name | Description | Default Value | Effective Mode | Example |
+|---------------------| ----------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------------- | ------------------------------------------------------------------- |
+| `enable_black_list` | Whether to enable the blacklist function. true: enable; false: disable. The value is case‑insensitive. | false | Hot reload | `set enable_black_list = 'true'` |
+| `black_ip_list` | Add, modify, or delete blacklist IPs/IP segments. Supports exact match and the \* wildcard. Multiple IPs are separated by commas. | empty | Hot reload | `set black_ip_list='192.168.1.200,192.168.1.201,192.168.1.*'` |
+
+## 4. Notes
+
+1. After the whitelist is enabled, if the list is empty, all connections are denied. If the local IP is not included, local login is denied.
+2. 
When the same IP appears in both the whitelist and blacklist, the blacklist takes precedence.
+3. The system validates the IP format. Invalid entries will cause an error when the user connects and be skipped, without affecting the loading of other valid IPs.
+4. Duplicate IPs in the configuration are supported; they are automatically deduplicated in memory without notification. For manual deduplication, edit the configuration accordingly.
+5. Blacklist/whitelist rules only apply to new connections. Existing connections before enabling the function are not affected; they will be intercepted only upon subsequent reconnection.
diff --git a/src/UserGuide/latest/User-Manual/White-List_timecho.md b/src/UserGuide/latest/User-Manual/White-List_timecho.md
deleted file mode 100644
index ae49c1648..000000000
--- a/src/UserGuide/latest/User-Manual/White-List_timecho.md
+++ /dev/null
@@ -1,70 +0,0 @@
-
-
-# White List
-
-## 1. **Function Description**
-
-Allow which client addresses can connect to IoTDB
-
-## 2. **Configuration File**
-
-conf/iotdb-system.properties
-
-conf/white.list
-
-## 3. **Configuration Item**
-
-iotdb-system.properties:
-
-Decide whether to enable white list
-
-```YAML
-
-# Whether to enable white list
-enable_white_list=true
-```
-
-white.list:
-
-Decide which IP addresses can connect to IoTDB
-
-```YAML
-# Support for annotation
-# Supports precise matching, one IP per line
-10.2.3.4
-
-# Support for * wildcards, one ip per line
-10.*.1.3
-10.100.0.*
-```
-
-## 4. **Note**
-
-1. If the white list itself is cancelled via the session client, the current connection is not immediately disconnected. It is rejected the next time the connection is created.
-2. If white.list is modified directly, it takes effect within one minute. If modified via the session client, it takes effect immediately, updating the values in memory and the white.list disk file.
-3. Enable the whitelist function, there is no white.list file, start the DB service successfully, however, all connections are rejected.
-4. while DB service is running, the white.list file is deleted, and all connections are denied after up to one minute.
-5. whether to enable the configuration of the white list function, can be hot loaded.
-6. Use the Java native interface to modify the whitelist, must be the root user to modify, reject non-root user to modify; modify the content must be legal, otherwise it will throw a StatementExecutionException.
-
-![](/img/%E7%99%BD%E5%90%8D%E5%8D%95.png)
-
diff --git a/src/zh/UserGuide/Master/Table/User-Manual/Black-White-List_timecho.md b/src/zh/UserGuide/Master/Table/User-Manual/Black-White-List_timecho.md
new file mode 100644
index 000000000..740828f99
--- /dev/null
+++ b/src/zh/UserGuide/Master/Table/User-Manual/Black-White-List_timecho.md
@@ -0,0 +1,78 @@
+
+
+# 黑白名单
+
+## 1. 引言
+
+IoTDB 是一款针对物联网场景设计的时间序列数据库,支持高效的数据存储、查询和分析。随着物联网技术的广泛应用,数据安全性和访问控制变得至关重要。在开放环境中,如何保证合法用户对数据的安全访问成为了一项关键挑战。白名单机制仅允许可信 IP 或用户接入,从源头缩小攻击面;黑名单功能则能在边缘与云端协同场景下实时拦截恶意 IP,阻断非法访问、SQL 注入、暴力破解及 DDoS 等威胁,为数据传输提供持续、稳定的安全保障。
+
+> 注意:该功能从 V2.0.6 版本开始提供。
+
+## 2. 白名单
+
+### 2.1 功能描述
+
+通过开启白名单功能、配置白名单列表,指定允许连接 IoTDB 的客户端地址,来限制仅在白名单范围内的客户端才能够访问 IoTDB,从而实现安全控制。
+
+### 2.2 配置参数
+
+管理员可以通过以下两种方式来启用/禁用白名单功能以及添加、修改、删除白名单ip/ip段。
+
+* 编辑配置文件 `iotdb-system.properties`进行维护
+* 通过 set configuration 语句进行维护
+ * 表模型请参考:[set configuration](../SQL-Manual/SQL-Maintenance-Statements.md#_2-2-更新配置项)
+
+相关参数如下:
+
+| 名称 | 描述 | 默认值 | 生效方式 | 示例 |
+| ------------------------- | ----------------------------------------------------------------------------------- | -------- | ---------- | ------------------------------------------------------------------- |
+| `enable_white_list` | 是否启用白名单功能。true:启用;false:禁用。字段值不区分大小写。 | false | 热加载 | `set enable_white_list = 'true' ` |
+| `white_ip_list` | 添加、修改、删除白名单ip/ip段。支持精确匹配,支持\*通配符,多个ip之间以逗号分隔。 | 空 | 热加载 | `set white_ip_list='192.168.1.200,192.168.1.201,192.168.1.*`' |
+
+## 3. 黑名单
+
+### 3.1 功能描述
+
+通过开启黑名单功能、配置黑名单列表,阻止某些特定 IP 地址访问数据库,来防止非法访问、SQL注入、暴力破解、DDoS攻击等安全威胁,从而确保数据传输过程中的安全性和稳定性。
+
+### 3.2 配置参数
+
+管理员可以通过以下两种方式来启用/禁用黑名单功能以及添加、修改、删除黑名单 ip/ip 段。
+
+* 编辑配置文件 `iotdb-system.properties`进行维护
+* 通过 set configuration 语句进行维护
+ * 表模型请参考:[set configuration](../SQL-Manual/SQL-Maintenance-Statements.md#_2-2-更新配置项)
+
+相关参数如下:
+
+| 名称 | 描述 | 默认值 | 生效方式 | 示例 |
+| ------------------------- | ----------------------------------------------------------------------------------- | -------- | ---------- | ------------------------------------------------------------------- |
+| `enable_black_list` | 是否启用黑名单功能。true:启用;false:禁用。字段值不区分大小写。 | false | 热加载 | `set enable_black_list = 'true' ` |
+| `black_ip_list` | 添加、修改、删除黑名单ip/ip段。支持精确匹配,支持\*通配符,多个ip之间以逗号分隔。 | 空 | 热加载 | `set black_ip_list='192.168.1.200,192.168.1.201,192.168.1.*`' |
+
+## 4. 
注意事项
+
+1. 开启白名单后,若列表为空将拒绝所有连接,若未包含本机 IP 则拒绝本机登录。
+2. 当同一 IP 同时存在于黑白名单时,黑名单优先级更高。
+3. 系统会校验 IP 格式,无效条目将在用户连接时报错并被跳过,不影响其他有效IP的加载。
+4. 配置支持重复IP,内存中会自动去重且无提示。如需去重请手动修改。
+5. 黑/白名单规则仅对新连接生效,功能开启前的现有连接不受影响,其后续重连才会被拦截。
diff --git a/src/zh/UserGuide/Master/Tree/QuickStart/QuickStart_timecho.md b/src/zh/UserGuide/Master/Tree/QuickStart/QuickStart_timecho.md
index 1d83e08ab..bbae53593 100644
--- a/src/zh/UserGuide/Master/Tree/QuickStart/QuickStart_timecho.md
+++ b/src/zh/UserGuide/Master/Tree/QuickStart/QuickStart_timecho.md
@@ -69,7 +69,7 @@
 - 流处理框架:[流处理框架](../User-Manual/Streaming_timecho.md)
- - 安全控制:[安全控制](../User-Manual/White-List_timecho.md)
+ - 安全控制:[安全控制](../User-Manual/Black-White-List_timecho.md)
 - 权限管理:[权限管理](../User-Manual/Authority-Management_timecho.md)
diff --git a/src/zh/UserGuide/Master/Tree/User-Manual/Black-White-List_timecho.md b/src/zh/UserGuide/Master/Tree/User-Manual/Black-White-List_timecho.md
new file mode 100644
index 000000000..66d99c273
--- /dev/null
+++ b/src/zh/UserGuide/Master/Tree/User-Manual/Black-White-List_timecho.md
@@ -0,0 +1,78 @@ + + +# 黑白名单 + +## 1. 引言 + +IoTDB 是一款针对物联网场景设计的时间序列数据库,支持高效的数据存储、查询和分析。随着物联网技术的广泛应用,数据安全性和访问控制变得至关重要。在开放环境中,如何保证合法用户对数据的安全访问成为了一项关键挑战。白名单机制仅允许可信 IP 或用户接入,从源头缩小攻击面;黑名单功能则能在边缘与云端协同场景下实时拦截恶意 IP,阻断非法访问、SQL 注入、暴力破解及 DDoS 等威胁,为数据传输提供持续、稳定的安全保障。 + +> 注意:该功能从 V2.0.6 版本开始提供。 + +## 2. 白名单 + +### 2.1 功能描述 + +通过开启白名单功能、配置白名单列表,指定允许连接 IoTDB 的客户端地址,来限制仅在白名单范围内的客户端才能够访问 IoTDB,从而实现安全控制。 + +### 2.2 配置参数 + +管理员可以通过以下两种方式来启用/禁用白名单功能以及添加、修改、删除白名单ip/ip段。 + +* 编辑配置文件 `iotdb-system.properties`进行维护 +* 通过 set configuration 语句进行维护 + * 树模型请参考:[set configuration](../Reference/Modify-Config-Manual.md) + +相关参数如下: + +| 名称 | 描述 | 默认值 | 生效方式 | 示例 | +| ------------------------- | ----------------------------------------------------------------------------------- | -------- | ---------- | ------------------------------------------------------------------- | +| `enable_white_list` | 是否启用白名单功能。true:启用;false:禁用。字段值不区分大小写。 | false | 热加载 | `set enable_white_list = 'true' ` | +| `white_ip_list` | 添加、修改、删除白名单ip/ip段。支持精确匹配,支持\*通配符,多个ip之间以逗号分隔。 | 空 | 热加载 | `set white_ip_list='192.168.1.200,192.168.1.201,192.168.1.*`' | + +## 3. 黑名单 + +### 3.1 功能描述 + +通过开启黑名单功能、配置黑名单列表,阻止某些特定 IP 地址访问数据库,来防止非法访问、SQL注入、暴力破解、DDoS攻击等安全威胁,从而确保数据传输过程中的安全性和稳定性。 + +### 3.2 配置参数 + +管理员可以通过以下两种方式来启用/禁用黑名单功能以及添加、修改、删除黑名单 ip/ip 段。 + +* 编辑配置文件 `iotdb-system.properties`进行维护 +* 通过 set configuration 语句进行维护 + * 树模型请参考:[set configuration](../Reference/Modify-Config-Manual.md) + +相关参数如下: + +| 名称 | 描述 | 默认值 | 生效方式 | 示例 | +| ------------------------- | ----------------------------------------------------------------------------------- | -------- | ---------- | ------------------------------------------------------------------- | +| `enable_black_list` | 是否启用黑名单功能。true:启用;false:禁用。字段值不区分大小写。 | false | 热加载 | `set enable_black_list = 'true' ` | +| `black_ip_list` | 添加、修改、删除黑名单ip/ip段。支持精确匹配,支持\*通配符,多个ip之间以逗号分隔。 | 空 | 热加载 | `set black_ip_list='192.168.1.200,192.168.1.201,192.168.1.*`' | + +## 4. 注意事项 + +1. 
开启白名单后,若列表为空将拒绝所有连接,若未包含本机 IP 则拒绝本机登录。 +2. 当同一 IP 同时存在于黑白名单时,黑名单优先级更高。 +3. 系统会校验 IP 格式,无效条目将在用户连接时报错并被跳过,不影响其他有效IP的加载。 +4. 配置支持重复IP,内存中会自动去重且无提示。如需去重请手动修改。 +5. 黑/白名单规则仅对新连接生效,功能开启前的现有连接不受影响,其后续重连才会被拦截。 diff --git a/src/zh/UserGuide/Master/Tree/User-Manual/White-List_timecho.md b/src/zh/UserGuide/Master/Tree/User-Manual/White-List_timecho.md deleted file mode 100644 index e5176f313..000000000 --- a/src/zh/UserGuide/Master/Tree/User-Manual/White-List_timecho.md +++ /dev/null @@ -1,70 +0,0 @@ - - - -# 白名单 - -## 1. 功能描述 - -允许哪些客户端地址能连接 IoTDB - -## 2. 配置文件 - -conf/iotdb-system.properties - -conf/white.list - -## 3. 配置项 - -iotdb-system.properties: - -决定是否开启白名单功能 - -```YAML -# 是否开启白名单功能 -enable_white_list=true -``` - -white.list: - -决定哪些IP地址能够连接IoTDB - -```YAML -# 支持注释 -# 支持精确匹配,每行一个ip -10.2.3.4 - -# 支持*通配符,每行一个ip -10.*.1.3 -10.100.0.* -``` - -**注意事项** - -1. 如果通过session客户端取消本身的白名单,当前连接并不会立即断开。在下次创建连接的时候拒绝。 -2. 如果直接修改white.list,一分钟内生效。如果通过session客户端修改,立即生效,更新内存中的值和white.list磁盘文件 -3. 开启白名单功能,没有white.list 文件,启动DB服务成功,但是,拒绝所有连接。 -4. DB服务运行中,删除 white.list 文件,至多一分钟后,拒绝所有连接。 -5. 是否开启白名单功能的配置,可以热加载。 -6. 使用Java 原生接口修改白名单,必须是root用户才能修改,拒绝非root用户修改;修改内容必须合法,否则会抛出StatementExecutionException异常。 - -![白名单](/img/%E7%99%BD%E5%90%8D%E5%8D%95.png) - diff --git a/src/zh/UserGuide/latest-Table/User-Manual/Black-White-List_timecho.md b/src/zh/UserGuide/latest-Table/User-Manual/Black-White-List_timecho.md new file mode 100644 index 000000000..740828f99 --- /dev/null +++ b/src/zh/UserGuide/latest-Table/User-Manual/Black-White-List_timecho.md 
@@ -0,0 +1,78 @@ + + +# 黑白名单 + +## 1. 引言 + +IoTDB 是一款针对物联网场景设计的时间序列数据库,支持高效的数据存储、查询和分析。随着物联网技术的广泛应用,数据安全性和访问控制变得至关重要。在开放环境中,如何保证合法用户对数据的安全访问成为了一项关键挑战。白名单机制仅允许可信 IP 或用户接入,从源头缩小攻击面;黑名单功能则能在边缘与云端协同场景下实时拦截恶意 IP,阻断非法访问、SQL 注入、暴力破解及 DDoS 等威胁,为数据传输提供持续、稳定的安全保障。 + +> 注意:该功能从 V2.0.6 版本开始提供。 + +## 2. 白名单 + +### 2.1 功能描述 + +通过开启白名单功能、配置白名单列表,指定允许连接 IoTDB 的客户端地址,来限制仅在白名单范围内的客户端才能够访问 IoTDB,从而实现安全控制。 + +### 2.2 配置参数 + +管理员可以通过以下两种方式来启用/禁用白名单功能以及添加、修改、删除白名单ip/ip段。 + +* 编辑配置文件 `iotdb-system.properties`进行维护 +* 通过 set configuration 语句进行维护 + * 表模型请参考:[set configuration](../SQL-Manual/SQL-Maintenance-Statements.md#_2-2-更新配置项) + +相关参数如下: + +| 名称 | 描述 | 默认值 | 生效方式 | 示例 | +| ------------------------- | ----------------------------------------------------------------------------------- | -------- | ---------- | ------------------------------------------------------------------- | +| `enable_white_list` | 是否启用白名单功能。true:启用;false:禁用。字段值不区分大小写。 | false | 热加载 | `set enable_white_list = 'true' ` | +| `white_ip_list` | 添加、修改、删除白名单ip/ip段。支持精确匹配,支持\*通配符,多个ip之间以逗号分隔。 | 空 | 热加载 | `set white_ip_list='192.168.1.200,192.168.1.201,192.168.1.*`' | + +## 3. 黑名单 + +### 3.1 功能描述 + +通过开启黑名单功能、配置黑名单列表,阻止某些特定 IP 地址访问数据库,来防止非法访问、SQL注入、暴力破解、DDoS攻击等安全威胁,从而确保数据传输过程中的安全性和稳定性。 + +### 3.2 配置参数 + +管理员可以通过以下两种方式来启用/禁用黑名单功能以及添加、修改、删除黑名单 ip/ip 段。 + +* 编辑配置文件 `iotdb-system.properties`进行维护 +* 通过 set configuration 语句进行维护 + * 表模型请参考:[set configuration](../SQL-Manual/SQL-Maintenance-Statements.md#_2-2-更新配置项) + +相关参数如下: + +| 名称 | 描述 | 默认值 | 生效方式 | 示例 | +| ------------------------- | ----------------------------------------------------------------------------------- | -------- | ---------- | ------------------------------------------------------------------- | +| `enable_black_list` | 是否启用黑名单功能。true:启用;false:禁用。字段值不区分大小写。 | false | 热加载 | `set enable_black_list = 'true' ` | +| `black_ip_list` | 添加、修改、删除黑名单ip/ip段。支持精确匹配,支持\*通配符,多个ip之间以逗号分隔。 | 空 | 热加载 | `set black_ip_list='192.168.1.200,192.168.1.201,192.168.1.*`' | + +## 4. 
注意事项 + +1. 开启白名单后,若列表为空将拒绝所有连接,若未包含本机 IP 则拒绝本机登录。 +2. 当同一 IP 同时存在于黑白名单时,黑名单优先级更高。 +3. 系统会校验 IP 格式,无效条目将在用户连接时报错并被跳过,不影响其他有效IP的加载。 +4. 配置支持重复IP,内存中会自动去重且无提示。如需去重请手动修改。 +5. 黑/白名单规则仅对新连接生效,功能开启前的现有连接不受影响,其后续重连才会被拦截。 diff --git a/src/zh/UserGuide/latest/QuickStart/QuickStart_timecho.md b/src/zh/UserGuide/latest/QuickStart/QuickStart_timecho.md index 1d83e08ab..bbae53593 100644 --- a/src/zh/UserGuide/latest/QuickStart/QuickStart_timecho.md +++ b/src/zh/UserGuide/latest/QuickStart/QuickStart_timecho.md @@ -69,7 +69,7 @@ - 流处理框架:[流处理框架](../User-Manual/Streaming_timecho.md) - - 安全控制:[安全控制](../User-Manual/White-List_timecho.md) + - 安全控制:[安全控制](../User-Manual/Black-White-List_timecho.md) - 权限管理:[权限管理](../User-Manual/Authority-Management_timecho.md) diff --git a/src/zh/UserGuide/latest/User-Manual/Black-White-List_timecho.md b/src/zh/UserGuide/latest/User-Manual/Black-White-List_timecho.md new file mode 100644 index 000000000..66d99c273 --- /dev/null +++ b/src/zh/UserGuide/latest/User-Manual/Black-White-List_timecho.md 
@@ -0,0 +1,78 @@ + + +# 黑白名单 + +## 1. 引言 + +IoTDB 是一款针对物联网场景设计的时间序列数据库,支持高效的数据存储、查询和分析。随着物联网技术的广泛应用,数据安全性和访问控制变得至关重要。在开放环境中,如何保证合法用户对数据的安全访问成为了一项关键挑战。白名单机制仅允许可信 IP 或用户接入,从源头缩小攻击面;黑名单功能则能在边缘与云端协同场景下实时拦截恶意 IP,阻断非法访问、SQL 注入、暴力破解及 DDoS 等威胁,为数据传输提供持续、稳定的安全保障。 + +> 注意:该功能从 V2.0.6 版本开始提供。 + +## 2. 白名单 + +### 2.1 功能描述 + +通过开启白名单功能、配置白名单列表,指定允许连接 IoTDB 的客户端地址,来限制仅在白名单范围内的客户端才能够访问 IoTDB,从而实现安全控制。 + +### 2.2 配置参数 + +管理员可以通过以下两种方式来启用/禁用白名单功能以及添加、修改、删除白名单ip/ip段。 + +* 编辑配置文件 `iotdb-system.properties`进行维护 +* 通过 set configuration 语句进行维护 + * 树模型请参考:[set configuration](../Reference/Modify-Config-Manual.md) + +相关参数如下: + +| 名称 | 描述 | 默认值 | 生效方式 | 示例 | +| ------------------------- | ----------------------------------------------------------------------------------- | -------- | ---------- | ------------------------------------------------------------------- | +| `enable_white_list` | 是否启用白名单功能。true:启用;false:禁用。字段值不区分大小写。 | false | 热加载 | `set enable_white_list = 'true' ` | +| `white_ip_list` | 添加、修改、删除白名单ip/ip段。支持精确匹配,支持\*通配符,多个ip之间以逗号分隔。 | 空 | 热加载 | `set white_ip_list='192.168.1.200,192.168.1.201,192.168.1.*`' | + +## 3. 黑名单 + +### 3.1 功能描述 + +通过开启黑名单功能、配置黑名单列表,阻止某些特定 IP 地址访问数据库,来防止非法访问、SQL注入、暴力破解、DDoS攻击等安全威胁,从而确保数据传输过程中的安全性和稳定性。 + +### 3.2 配置参数 + +管理员可以通过以下两种方式来启用/禁用黑名单功能以及添加、修改、删除黑名单 ip/ip 段。 + +* 编辑配置文件 `iotdb-system.properties`进行维护 +* 通过 set configuration 语句进行维护 + * 树模型请参考:[set configuration](../Reference/Modify-Config-Manual.md) + +相关参数如下: + +| 名称 | 描述 | 默认值 | 生效方式 | 示例 | +| ------------------------- | ----------------------------------------------------------------------------------- | -------- | ---------- | ------------------------------------------------------------------- | +| `enable_black_list` | 是否启用黑名单功能。true:启用;false:禁用。字段值不区分大小写。 | false | 热加载 | `set enable_black_list = 'true' ` | +| `black_ip_list` | 添加、修改、删除黑名单ip/ip段。支持精确匹配,支持\*通配符,多个ip之间以逗号分隔。 | 空 | 热加载 | `set black_ip_list='192.168.1.200,192.168.1.201,192.168.1.*`' | + +## 4. 注意事项 + +1. 
开启白名单后,若列表为空将拒绝所有连接,若未包含本机 IP 则拒绝本机登录。 +2. 当同一 IP 同时存在于黑白名单时,黑名单优先级更高。 +3. 系统会校验 IP 格式,无效条目将在用户连接时报错并被跳过,不影响其他有效IP的加载。 +4. 配置支持重复IP,内存中会自动去重且无提示。如需去重请手动修改。 +5. 黑/白名单规则仅对新连接生效,功能开启前的现有连接不受影响,其后续重连才会被拦截。 diff --git a/src/zh/UserGuide/latest/User-Manual/White-List_timecho.md b/src/zh/UserGuide/latest/User-Manual/White-List_timecho.md deleted file mode 100644 index e5176f313..000000000 --- a/src/zh/UserGuide/latest/User-Manual/White-List_timecho.md +++ /dev/null @@ -1,70 +0,0 @@ - - - -# 白名单 - -## 1. 功能描述 - -允许哪些客户端地址能连接 IoTDB - -## 2. 配置文件 - -conf/iotdb-system.properties - -conf/white.list - -## 3. 配置项 - -iotdb-system.properties: - -决定是否开启白名单功能 - -```YAML -# 是否开启白名单功能 -enable_white_list=true -``` - -white.list: - -决定哪些IP地址能够连接IoTDB - -```YAML -# 支持注释 -# 支持精确匹配,每行一个ip -10.2.3.4 - -# 支持*通配符,每行一个ip -10.*.1.3 -10.100.0.* -``` - -**注意事项** - -1. 如果通过session客户端取消本身的白名单,当前连接并不会立即断开。在下次创建连接的时候拒绝。 -2. 如果直接修改white.list,一分钟内生效。如果通过session客户端修改,立即生效,更新内存中的值和white.list磁盘文件 -3. 开启白名单功能,没有white.list 文件,启动DB服务成功,但是,拒绝所有连接。 -4. DB服务运行中,删除 white.list 文件,至多一分钟后,拒绝所有连接。 -5. 是否开启白名单功能的配置,可以热加载。 -6. 使用Java 原生接口修改白名单,必须是root用户才能修改,拒绝非root用户修改;修改内容必须合法,否则会抛出StatementExecutionException异常。 - -![白名单](/img/%E7%99%BD%E5%90%8D%E5%8D%95.png) -