This is an automated email from the ASF dual-hosted git repository.
gavinchou pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris-website.git
The following commit(s) were added to refs/heads/master by this push:
new 414f1e83da5 Add MySQL TLS doc (#2617)
414f1e83da5 is described below
commit 414f1e83da5eae3e5f8cff5da926d368293900d3
Author: abmdocrt <[email protected]>
AuthorDate: Mon Aug 11 11:49:23 2025 +0800
Add MySQL TLS doc (#2617)
## Versions
- [x] dev
- [x] 3.0
- [x] 2.1
- [x] 2.0
## Languages
- [x] Chinese
- [x] English
## Docs Checklist
- [ ] Checked by AI
- [ ] Test Cases Built
---
docs/admin-manual/auth/certificate.md | 30 ++++++++++++++++
.../current/admin-manual/auth/certificate.md | 30 ++++++++++++++++
.../admin-manual/privilege-ldap/certificate.md | 42 ++++++++++++++++++----
.../version-2.1/admin-manual/auth/certificate.md | 30 ++++++++++++++++
.../version-3.0/admin-manual/auth/certificate.md | 30 ++++++++++++++++
.../admin-manual/privilege-ldap/certificate.md | 30 ++++++++++++++++
.../version-2.1/admin-manual/auth/certificate.md | 30 ++++++++++++++++
.../version-3.0/admin-manual/auth/certificate.md | 30 ++++++++++++++++
8 files changed, 246 insertions(+), 6 deletions(-)
diff --git a/docs/admin-manual/auth/certificate.md
b/docs/admin-manual/auth/certificate.md
index b4bd0d0e941..3378162f821 100644
--- a/docs/admin-manual/auth/certificate.md
+++ b/docs/admin-manual/auth/certificate.md
@@ -5,6 +5,36 @@
}
---
+## Communicate with the server over an encrypted connection
+
+Doris supports SSL-based encrypted connections. It currently supports TLS1.2
and TLS1.3 protocols. Doris' SSL mode can be enabled through the following
configuration:
+Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
+
+Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+
+1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql
--ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL
encrypted connection at the beginning, if it fails , a normal connection is
attempted.
+
+2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL
encrypted connection, use normal connection directly.
+
+3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL
encrypted connections.
+
+>Note:
+>`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to
[here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)
for mysql client version lower than this version。
+Doris needs a key certificate file to verify the SSL encrypted connection. The
default key certificate file is located at
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default
password is `doris`. You can modify the FE configuration file `conf/fe. conf`,
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the
key certificate file, and you can also add the password corresponding to your
custom key book file through `mysql_ssl_default_certificate_p [...]
+
+Doris also supports mTLS:
+Modify the FE configuration file `conf/fe.conf` and add
`ssl_force_client_auth=true`.
+
+Then you can connect to Doris via the `mysql` client:
+
+`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert
--ssl-key=/path/to/your/key`
+
+The default ca, cert, and key files are located in
`Doris/conf/mysql_ssl_default_certificate/client_certificate/`, named `ca.pem`,
`client-cert.pem`, and `client-key.pem` respectively.
+
+You can also generate your own certificate files using openssl or keytool.
+
+## Key Certificate Configuration
+
Enabling SSL functionality in Doris requires configuring both a CA key
certificate and a server-side key certificate. To enable mutual authentication,
a client-side key certificate must also be generated:
* The default CA key certificate file is located at
`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to
add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change
the CA key certificate file. You can also add
`mysql_ssl_default_ca_certificate_password = your_password` to specify the
password for your custom key certificate file.
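Review bot: the mTLS example `mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 ...` uses a single dash where every other example in this hunk writes `--ssl-mode=`; it should read `mysql --ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2 ...`. Two related points for the same paragraph: `VERIFY_CA` only checks that the server certificate chains to the file given by `--ssl-ca`, not that the certificate was issued for the host being connected to, so a client that wants to authenticate the FE should use `--ssl-mode=VERIFY_IDENTITY` with a server certificate whose name matches the FE host; and the text above says mysql supports "three SSL modes" but then uses a fourth (`VERIFY_CA`), so the list should either be introduced as the three most common values or also cover `VERIFY_CA` and `VERIFY_IDENTITY`.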
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/certificate.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/certificate.md
index ecaa4a712c8..1a9a166cb8f 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/certificate.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/certificate.md
@@ -5,6 +5,36 @@
}
---
+## 加密连接 FE
+
+Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式:
+修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。
+
+接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式:
+
+1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030
-h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。
+
+2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`,不使用SSL加密连接,直接使用普通连接。
+
+3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。
+
+>注意:
+>`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
+Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
=
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
= your_password`添加对应您自定义密钥书文件的密码。
+
+Doris还支持mTLS:
+修改FE配置文件`conf/fe.conf`,添加`ssl_force_client_auth=true`即可。
+
+接下来可以通过`mysql`客户端连接Doris:
+
+`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert
--ssl-key=/path/to/your/key`
+
+默认的ca,cert,key文件位于`Doris/conf/mysql_ssl_default_certificate/client_certificate/`,分别叫做`ca.pem`,`client-cert.pem`,`client-key.pem`。
+
+你也可以通过openssl或者keytool生成自己的证书文件。
+
+## SSL密钥证书配置
+
Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书,如需开启双向认证,还需生成 Client 端密钥证书:
* 默认的 CA
密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改
FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate =
/path/to/your/certificate`修改 CA
密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password =
your_password`添加对应您自定义密钥证书文件的密码。
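Review bot: item 2 uses `--ssl-mode=DISABLE`, but the value documented by the MySQL client is `DISABLED`; the example should be corrected (the English copy of this section has the same spelling). Two formatting issues in the same hunk: the `>注意:` quote ending at the mysql5.7.11 line is immediately followed by the `Doris开启SSL加密连接需要密钥证书文件验证...` paragraph with no blank line in between, so Markdown renders that whole paragraph as a continuation of the quote; insert a blank line after the note. And "自定义密钥书文件" should be "自定义密钥证书文件" (custom key certificate file), matching the wording used later in the same section.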
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.0/admin-manual/privilege-ldap/certificate.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.0/admin-manual/privilege-ldap/certificate.md
index 79c6cce5fc8..1a9a166cb8f 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.0/admin-manual/privilege-ldap/certificate.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.0/admin-manual/privilege-ldap/certificate.md
@@ -5,6 +5,36 @@
}
---
+## 加密连接 FE
+
+Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式:
+修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。
+
+接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式:
+
+1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030
-h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。
+
+2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`,不使用SSL加密连接,直接使用普通连接。
+
+3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。
+
+>注意:
+>`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
+Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
=
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
= your_password`添加对应您自定义密钥书文件的密码。
+
+Doris还支持mTLS:
+修改FE配置文件`conf/fe.conf`,添加`ssl_force_client_auth=true`即可。
+
+接下来可以通过`mysql`客户端连接Doris:
+
+`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert
--ssl-key=/path/to/your/key`
+
+默认的ca,cert,key文件位于`Doris/conf/mysql_ssl_default_certificate/client_certificate/`,分别叫做`ca.pem`,`client-cert.pem`,`client-key.pem`。
+
+你也可以通过openssl或者keytool生成自己的证书文件。
+
+## SSL密钥证书配置
+
Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书,如需开启双向认证,还需生成 Client 端密钥证书:
* 默认的 CA
密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改
FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate =
/path/to/your/certificate`修改 CA
密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password =
your_password`添加对应您自定义密钥证书文件的密码。
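Review bot: item 1 states that the default connection (and `--ssl-mode=PREFERRED`) falls back to a plain connection when the TLS attempt fails, but the section never warns that this makes the encryption opportunistic: an on-path attacker who breaks the handshake gets a plaintext session, and with `enable_ssl = true` alone the FE still accepts the `DISABLE` mode connections shown in item 2. Add a sentence recommending `--ssl-mode=REQUIRED` (or `VERIFY_CA` / `VERIFY_IDENTITY`) for any client that must have encryption, and state whether an FE-side setting exists to refuse non-TLS MySQL connections; if none does, say so explicitly so operators know the guarantee is enforced on the client side only.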
@@ -21,12 +51,12 @@ Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书,
1. 生成 CA、Server 端和 Client 端的密钥和证书
```shell
-# 生成CA certificate
+# 生成 CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
-key ca-key.pem -out ca.pem
-# 生成server certificate, 并用上述CA签名
+# 生成 server certificate, 并用上述 CA 签名
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
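Review bot: the context line `openssl genrsa 2048 > ca-key.pem` writes the CA private key unencrypted to disk and nothing in this step says to protect it; either generate it with a passphrase (`openssl genrsa -aes256 2048 > ca-key.pem`) or add a sentence that `ca-key.pem` is the signing root for every server and client certificate and must be kept off the FE hosts. Minor: the comment `# server-cert.pem = public key, server-key.pem = private key` is inaccurate, `server-cert.pem` is the CA-signed certificate (public key plus identity and signature), not a bare public key; since this hunk only adjusts spacing in the Chinese comments, it is a good moment to fix the English one as well.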
@@ -34,7 +64,7 @@ openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
-# 生成client certificate, 并用上述CA签名
+# 生成 client certificate, 并用上述 CA 签名
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem
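Review bot: the server certificate in this step is signed with `-set_serial 01` (context line `-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem`), and the client certificate signing that follows is done by the same CA; RFC 5280 requires serial numbers to be unique per issuer, so the client signing step must use a different value (for example `-set_serial 02`) and the doc should say so, otherwise verifiers that index certificates by issuer and serial can treat the two as the same certificate. The comment `# client-cert.pem = public key, client-key.pem = private key` is also imprecise: `client-cert.pem` is the CA-signed certificate, not the bare public key.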
@@ -49,13 +79,13 @@ openssl x509 -req -in client-req.pem -days 3600 \
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
```
-3. 将您的 CA 密钥和证书和 Sever 端密钥和证书分别合并到 PKCS#12 (P12) 包中。您也可以指定某个证书格式,默认
PKCS12,可以通过修改 conf/fe.conf 配置文件,添加参数 ssl_trust_store_type 指定证书格式
+3. 将您的 CA 密钥和证书和 Server 端密钥和证书分别合并到 PKCS#12 (P12) 包中。您也可以指定某个证书格式,默认
PKCS12,可以通过修改 conf/fe.conf 配置文件,添加参数 ssl_trust_store_type 指定证书格式
```shell
-# 打包CA密钥和证书
+# 打包 CA 密钥和证书
openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12
-# 打包Server端密钥和证书
+# 打包 Server 端密钥和证书
openssl pkcs12 -inkey server-key.pem -in server-cert.pem -export -out
server_certificate.p12
```
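Review bot: step 3 packs the CA private key into the file the FE loads (`openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12`), but to verify client certificates the FE only needs the CA certificate; deploying `ca-key.pem` to every FE means a compromised FE can mint arbitrary client certificates. If the trust store accepts a certificate-only bundle, document `openssl pkcs12 -export -nokeys -in ca.pem -out ca_certificate.p12` instead and keep the CA key offline. The step should also state that the export password typed at the `-export` prompt must match `mysql_ssl_default_ca_certificate_password` and `mysql_ssl_default_certificate_password` in `conf/fe.conf`, which is otherwise left for the reader to discover.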
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/admin-manual/auth/certificate.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/admin-manual/auth/certificate.md
index ecaa4a712c8..1a9a166cb8f 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/admin-manual/auth/certificate.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-2.1/admin-manual/auth/certificate.md
@@ -5,6 +5,36 @@
}
---
+## 加密连接 FE
+
+Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式:
+修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。
+
+接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式:
+
+1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030
-h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。
+
+2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`,不使用SSL加密连接,直接使用普通连接。
+
+3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。
+
+>注意:
+>`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
+Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
=
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
= your_password`添加对应您自定义密钥书文件的密码。
+
+Doris还支持mTLS:
+修改FE配置文件`conf/fe.conf`,添加`ssl_force_client_auth=true`即可。
+
+接下来可以通过`mysql`客户端连接Doris:
+
+`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert
--ssl-key=/path/to/your/key`
+
+默认的ca,cert,key文件位于`Doris/conf/mysql_ssl_default_certificate/client_certificate/`,分别叫做`ca.pem`,`client-cert.pem`,`client-key.pem`。
+
+你也可以通过openssl或者keytool生成自己的证书文件。
+
+## SSL密钥证书配置
+
Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书,如需开启双向认证,还需生成 Client 端密钥证书:
* 默认的 CA
密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改
FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate =
/path/to/your/certificate`修改 CA
密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password =
your_password`添加对应您自定义密钥证书文件的密码。
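Review bot: the paths in this section disagree: the server PKCS#12 is given as `Doris/fe/mysql_ssl_default_certificate/certificate.p12`, while the client files are under `Doris/conf/mysql_ssl_default_certificate/client_certificate/` (`ca.pem`, `client-cert.pem`, `client-key.pem`); one of the two prefixes (`fe/` vs `conf/`) is presumably wrong and should be checked against the shipped layout. More important for the mTLS paragraph: `ca.pem`, `client-cert.pem` and `client-key.pem` are shipped with the distribution, so enabling `ssl_force_client_auth=true` with the default CA authenticates nothing, because anyone with a Doris download holds a valid client key. The text should say that production deployments must generate their own CA (the procedure in the following section) and replace both the default server and the default client materials.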
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/admin-manual/auth/certificate.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/admin-manual/auth/certificate.md
index ecaa4a712c8..1a9a166cb8f 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/admin-manual/auth/certificate.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.0/admin-manual/auth/certificate.md
@@ -5,6 +5,36 @@
}
---
+## 加密连接 FE
+
+Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式:
+修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。
+
+接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式:
+
+1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030
-h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。
+
+2.`mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`,不使用SSL加密连接,直接使用普通连接。
+
+3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。
+
+>注意:
+>`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。
+Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate
=
/path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password
= your_password`添加对应您自定义密钥书文件的密码。
+
+Doris还支持mTLS:
+修改FE配置文件`conf/fe.conf`,添加`ssl_force_client_auth=true`即可。
+
+接下来可以通过`mysql`客户端连接Doris:
+
+`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert
--ssl-key=/path/to/your/key`
+
+默认的ca,cert,key文件位于`Doris/conf/mysql_ssl_default_certificate/client_certificate/`,分别叫做`ca.pem`,`client-cert.pem`,`client-key.pem`。
+
+你也可以通过openssl或者keytool生成自己的证书文件。
+
+## SSL密钥证书配置
+
Doris 开启 SSL 功能需要配置 CA 密钥证书和 Server 端密钥证书,如需开启双向认证,还需生成 Client 端密钥证书:
* 默认的 CA
密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改
FE 配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate =
/path/to/your/certificate`修改 CA
密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password =
your_password`添加对应您自定义密钥证书文件的密码。
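Review bot: the mTLS command pins `--tls-version=TLSv1.2` while the opening sentence says Doris supports TLS 1.2 and TLS 1.3; unless the pin is needed for a documented reason, drop it (client and FE will negotiate 1.3) or change the example to `--tls-version=TLSv1.3`, otherwise readers copy a protocol downgrade into their scripts. The paragraph also says only to add `ssl_force_client_auth=true` without saying which trust anchor the FE uses to validate the client certificate; add a sentence that it is the CA configured by `mysql_ssl_default_ca_certificate`, which this hunk introduces under the `## SSL密钥证书配置` heading right after, and that the certificate passed via `--ssl-cert` must be issued by that CA.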
diff --git
a/versioned_docs/version-2.0/admin-manual/privilege-ldap/certificate.md
b/versioned_docs/version-2.0/admin-manual/privilege-ldap/certificate.md
index b4bd0d0e941..3378162f821 100644
--- a/versioned_docs/version-2.0/admin-manual/privilege-ldap/certificate.md
+++ b/versioned_docs/version-2.0/admin-manual/privilege-ldap/certificate.md
@@ -5,6 +5,36 @@
}
---
+## Communicate with the server over an encrypted connection
+
+Doris supports SSL-based encrypted connections. It currently supports TLS1.2
and TLS1.3 protocols. Doris' SSL mode can be enabled through the following
configuration:
+Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
+
+Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+
+1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql
--ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL
encrypted connection at the beginning, if it fails , a normal connection is
attempted.
+
+2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL
encrypted connection, use normal connection directly.
+
+3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL
encrypted connections.
+
+>Note:
+>`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to
[here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)
for mysql client version lower than this version。
+Doris needs a key certificate file to verify the SSL encrypted connection. The
default key certificate file is located at
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default
password is `doris`. You can modify the FE configuration file `conf/fe. conf`,
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the
key certificate file, and you can also add the password corresponding to your
custom key book file through `mysql_ssl_default_certificate_p [...]
+
+Doris also supports mTLS:
+Modify the FE configuration file `conf/fe.conf` and add
`ssl_force_client_auth=true`.
+
+Then you can connect to Doris via the `mysql` client:
+
+`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert
--ssl-key=/path/to/your/key`
+
+The default ca, cert, and key files are located in
`Doris/conf/mysql_ssl_default_certificate/client_certificate/`, named `ca.pem`,
`client-cert.pem`, and `client-key.pem` respectively.
+
+You can also generate your own certificate files using openssl or keytool.
+
+## Key Certificate Configuration
+
Enabling SSL functionality in Doris requires configuring both a CA key
certificate and a server-side key certificate. To enable mutual authentication,
a client-side key certificate must also be generated:
* The default CA key certificate file is located at
`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to
add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change
the CA key certificate file. You can also add
`mysql_ssl_default_ca_certificate_password = your_password` to specify the
password for your custom key certificate file.
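Review bot: the `>Note:` block ends at "lower than this version。" and the next line `Doris needs a key certificate file to verify the SSL encrypted connection.` follows with no blank line, so Markdown renders the whole certificate paragraph inside the quote; add a blank line after the note. In the same paragraph, `conf/fe. conf` has a stray space and should be `conf/fe.conf`, "custom key book file" should be "custom key certificate file", and the full-width `。` closing the note should be an ASCII period in the English text.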
diff --git a/versioned_docs/version-2.1/admin-manual/auth/certificate.md
b/versioned_docs/version-2.1/admin-manual/auth/certificate.md
index b4bd0d0e941..3378162f821 100644
--- a/versioned_docs/version-2.1/admin-manual/auth/certificate.md
+++ b/versioned_docs/version-2.1/admin-manual/auth/certificate.md
@@ -5,6 +5,36 @@
}
---
+## Communicate with the server over an encrypted connection
+
+Doris supports SSL-based encrypted connections. It currently supports TLS1.2
and TLS1.3 protocols. Doris' SSL mode can be enabled through the following
configuration:
+Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
+
+Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+
+1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql
--ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL
encrypted connection at the beginning, if it fails , a normal connection is
attempted.
+
+2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL
encrypted connection, use normal connection directly.
+
+3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL
encrypted connections.
+
+>Note:
+>`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to
[here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)
for mysql client version lower than this version。
+Doris needs a key certificate file to verify the SSL encrypted connection. The
default key certificate file is located at
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default
password is `doris`. You can modify the FE configuration file `conf/fe. conf`,
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the
key certificate file, and you can also add the password corresponding to your
custom key book file through `mysql_ssl_default_certificate_p [...]
+
+Doris also supports mTLS:
+Modify the FE configuration file `conf/fe.conf` and add
`ssl_force_client_auth=true`.
+
+Then you can connect to Doris via the `mysql` client:
+
+`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert
--ssl-key=/path/to/your/key`
+
+The default ca, cert, and key files are located in
`Doris/conf/mysql_ssl_default_certificate/client_certificate/`, named `ca.pem`,
`client-cert.pem`, and `client-key.pem` respectively.
+
+You can also generate your own certificate files using openssl or keytool.
+
+## Key Certificate Configuration
+
Enabling SSL functionality in Doris requires configuring both a CA key
certificate and a server-side key certificate. To enable mutual authentication,
a client-side key certificate must also be generated:
* The default CA key certificate file is located at
`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to
add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change
the CA key certificate file. You can also add
`mysql_ssl_default_ca_certificate_password = your_password` to specify the
password for your custom key certificate file.
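Review bot: the paragraph on the default key certificate documents that every installation ships `Doris/fe/mysql_ssl_default_certificate/certificate.p12` protected by the password `doris`, but does not say that this private key is therefore public and that anyone can present a certificate identical to the FE's; add an explicit instruction that the default certificate is for testing only and must be replaced before port 9030 is reachable from a network. Relatedly, `mysql_ssl_default_certificate_password = your_password` stores the PKCS#12 password in cleartext in `conf/fe.conf`; the doc should recommend restricting that file's permissions to the FE service user.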
diff --git a/versioned_docs/version-3.0/admin-manual/auth/certificate.md
b/versioned_docs/version-3.0/admin-manual/auth/certificate.md
index b4bd0d0e941..3378162f821 100644
--- a/versioned_docs/version-3.0/admin-manual/auth/certificate.md
+++ b/versioned_docs/version-3.0/admin-manual/auth/certificate.md
@@ -5,6 +5,36 @@
}
---
+## Communicate with the server over an encrypted connection
+
+Doris supports SSL-based encrypted connections. It currently supports TLS1.2
and TLS1.3 protocols. Doris' SSL mode can be enabled through the following
configuration:
+Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`.
+
+Next, connect to Doris through `mysql` client, mysql supports three SSL modes:
+
+1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql
--ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL
encrypted connection at the beginning, if it fails , a normal connection is
attempted.
+
+2. `mysql --ssl-mode=DISABLE -uroot -P9030 -h127.0.0.1`, do not use SSL
encrypted connection, use normal connection directly.
+
+3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL
encrypted connections.
+
+>Note:
+>`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to
[here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)
for mysql client version lower than this version。
+Doris needs a key certificate file to verify the SSL encrypted connection. The
default key certificate file is located at
`Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default
password is `doris`. You can modify the FE configuration file `conf/fe. conf`,
add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the
key certificate file, and you can also add the password corresponding to your
custom key book file through `mysql_ssl_default_certificate_p [...]
+
+Doris also supports mTLS:
+Modify the FE configuration file `conf/fe.conf` and add
`ssl_force_client_auth=true`.
+
+Then you can connect to Doris via the `mysql` client:
+
+`mysql -ssl-mode=VERIFY_CA -uroot -P9030 -h127.0.0.1 --tls-version=TLSv1.2
--ssl-ca=/path/to/your/ca --ssl-cert=/path/to/your/cert
--ssl-key=/path/to/your/key`
+
+The default ca, cert, and key files are located in
`Doris/conf/mysql_ssl_default_certificate/client_certificate/`, named `ca.pem`,
`client-cert.pem`, and `client-key.pem` respectively.
+
+You can also generate your own certificate files using openssl or keytool.
+
+## Key Certificate Configuration
+
Enabling SSL functionality in Doris requires configuring both a CA key
certificate and a server-side key certificate. To enable mutual authentication,
a client-side key certificate must also be generated:
* The default CA key certificate file is located at
`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default
password of `doris`. You can modify the FE configuration file `conf/fe.conf` to
add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change
the CA key certificate file. You can also add
`mysql_ssl_default_ca_certificate_password = your_password` to specify the
password for your custom key certificate file.
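Review bot: the `>Note:` says `--ssl-mode` was introduced in mysql 5.7.11 and sends users of older clients to `https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html`, which is the Connector/J (JDBC driver) property reference, not documentation for the `mysql` command-line client; older CLI clients use the `--ssl` and `--ssl-verify-server-cert` options and should be pointed at the MySQL Server reference for those, or the note should say it applies to JDBC and name the corresponding connection property (`sslMode`). Leaving the link as is sends CLI users to a page that contains none of the options used in the examples above.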
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]