SQL审核工具Yearning搭建及使用
一、背景
实际的业务场景中,我们难免会直接对生产库的数据进行修改。很多朋友都是发sql给运维,然后运维执行。过程不可控,出错几率很大。
而且没有审核,不知道提交的具体是什么sql,极有可能是删库跑路的sql,哈哈哈。
那为了避免这种尴尬呢,就得有审核机制了。而就是不错的选择。
二、安装
官方安装文档
2.1 建立库
CREATE DATABASE Yearning DEFAULT CHARACTER SET utf8mb4;
2.2 下载解压
去这里下载最新版本
wget
[root@sg yearning]# wget https://github.com/cookieY/Yearning/releases/download/v3.0.0/Yearning-v3.0.0-linux-amd64.zip
--2022-06-16 09:45:11-- https://github.com/cookieY/Yearning/releases/download/v3.0.0/Yearning-v3.0.0-linux-amd64.zip
正在解析主机 github.com (github.com)... 20.205.243.166
正在连接 github.com (github.com)|20.205.243.166|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://objects.githubusercontent.com/github-production-release-asset-2e65be/107417113/f74f4655-ff07-42c7-90eb-68b4b73e29c4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220616%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220616T014512Z&X-Amz-Expires=300&X-Amz-Signature=2cbe1ead66ea15d220b2f17cb5a9d5bef1acc2efd2e5f2aed389925a98586cc7&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=107417113&response-content-disposition=attachment%3B%20filename%3DYearning-v3.0.0-linux-amd64.zip&response-content-type=application%2Foctet-stream [跟随至新的 URL]
--2022-06-16 09:45:12-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/107417113/f74f4655-ff07-42c7-90eb-68b4b73e29c4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220616%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220616T014512Z&X-Amz-Expires=300&X-Amz-Signature=2cbe1ead66ea15d220b2f17cb5a9d5bef1acc2efd2e5f2aed389925a98586cc7&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=107417113&response-content-disposition=attachment%3B%20filename%3DYearning-v3.0.0-linux-amd64.zip&response-content-type=application%2Foctet-stream
正在解析主机 objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
正在连接 objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:20513606 (20M) [application/octet-stream]
正在保存至: “Yearning-v3.0.0-linux-amd64.zip”100%[==========================================================================================================================================>] 20,513,606 29.5KB/s 用时 13m 47s2022-06-16 09:59:00 (24.2 KB/s) - 已保存 “Yearning-v3.0.0-linux-amd64.zip” [20513606/20513606])解压后:
2.3 填写配置文件
cat conf.toml
[Mysql]
Db = "Yearning"
Host = "127.0.0.1"
Port = "3306"
Password = "your password"
User = "root"[General]
#数据库加解密key,只可更改一次。自定义设置后,不要再次修改
SecretKey = "JYkyLDtmqNaXICoV"
2.4 初始化及安装./
[root@sg Yearning]# ./Yearning install
是否已将数据库字符集设置为UTF8/UTF8MB4? [yes|no]: yes(/Users/henryyee/Yearning-go/src/service/migrate.go:33)
[2022-06-16 10:33:00] [0.55ms] INSERT INTO `core_accounts` (`username`,`password`,`department`,`real_name`,`email`,`is_recorder`) VALUES ('admin','pbkdf2_sha256$120000$4ySnzFwzcCuS$I9XWyE0S/bG3KY93tN9fR3R94pvy6UA3psiGT4CAp7I=','DBA','超级管理员','',0)
[1 rows affected or returned ] (/Users/henryyee/Yearning-go/src/service/migrate.go:40)
[2022-06-16 10:33:00] [1.07ms] INSERT INTO `core_global_configurations` (`authorization`,`ldap`,`message`,`other`,`stmt`,`audit_role`,`board`) VALUES ('global','{"url":"","user":"","password":"","type":"(\u0026(objectClass=organizationalPerson)(sAMAccountName=%s))","sc":"","ldaps":false,"map":"","test_user":"","test_password":""}','{"web_hook":"","host":"","port":25,"user":"","password":"","to_user":"","mail":false,"ding":false,"ssl":false,"push_type":false,"key":""}','{"limit":1000,"idc":["Aliyun","AWS"],"query":false,"register":false,"export":false,"ex_query_time":60}',0,'{"DMLAllowLimitSTMT":false,"DMLInsertColumns":false,"DMLMaxInsertRows":10,"DMLWhere":false,"DMLOrder":false,"DMLSelect":false,"DMLInsertMustExplicitly":false,"DDLEnablePrimaryKey":false,"DDLCheckTableComment":false,"DDlCheckColumnComment":false,"DDLCheckColumnNullable":false,"DDLCheckColumnDefault":false,"DDLEnableAcrossDBRename":false,"DDLEnableAutoincrementInit":false,"DDLEnableAutoIncrement":false,"DDLEnableAutoincrementUnsigned":false,"DDLEnableDropTable":false,"DDLEnableDropDatabase":false,"DDLEnableNullIndexName":false,"DDLIndexNameSpec":false,"DDLMaxKeyParts":5,"DDLMaxKey":5,"DDLMaxCharLength":10,"MaxTableNameLen":10,"MaxAffectRows":1000,"MaxDDLAffectRows":0,"SupportCharset":"","SupportCollation":"","CheckIdentifier":false,"MustHaveColumns":"","DDLMultiToCommit":false,"DDLPrimaryKeyMust":false,"DDLAllowColumnType":false,"DDLImplicitTypeConversion":false,"DDLAllowPRINotInt":false,"DDLEnableForeignKey":false,"DDLTablePrefix":"","DDLColumnsMustHaveIndex":"","DDLAllowChangeColumnPosition":false,"DDLCheckFloatDouble":false,"IsOSC":false,"OSCExpr":"","OscSize":0,"AllowCreateView":false,"AllowCrateViewWithSelectStar":false,"AllowCreatePartition":false,"AllowSpecialType":false,"PRIRollBack":false}','')
[1 rows affected or returned ] (/Users/henryyee/Yearning-go/src/service/migrate.go:47)
[2022-06-16 10:33:00] [0.35ms] INSERT INTO `core_graineds` (`username`,`group`) VALUES ('admin','["admin"]')
[1 rows affected or returned ] 初始化后的数据库表如下:
2.5 启动
./Yearning run --push "172.12.1.7" --port "8000"
[root@sg Yearning]# ./Yearning run --push "172.12.1.7" --port "8000"
检查更新.......
数据已更新!__ __ _ \/ /_________ __ /_ _ \ _ \_ / / __/ __//_/ \___/\___/ yee v0.3.3
-----Easier and Faster-----
Creator: Henry Yee
2.5 访问
浏览器输入:你的IP:8000
默认账号/密码:admin/
登录后:
至此,下载安装配置完成。
三、配置使用 3.1 配置环境
点击“设置”可以自定义环境;也可以设置提醒邮件等。
3.2 配置数据源
配置数据源之前,得先配置流程
3.3 配置权限组
就是配置拥有DML、DDL、Query权限的数据库列表:以配置只读组为例:
3.4 新建用户并赋权限
下面是新建一个的用户,赋予只读组的权限(新建用户后,在右侧权限里设置即可)。
建一个写用户
四、测试 4.1 读用户测试
我们用登录后,发现可以查询的数据源有1个。
点击数据源可以查看对应数据库示例中的数据库:
双击数据库打开,可以看到表
右键表,可以查看表数据
也可以手动写sql查询:
执行操作会提示错误信息:
4.2 写用户测试
使用执行一条语句
首先,需要申请工单:
写完sql后,需要先右键-SQL检测一下,监测通过后,“提交” 按钮才是可点击的;
提交后,点击我的工单,查看刚提交的工单信息,发现是待审核状态;
用admin进行审核:
admin登录后,点击审核下的工单,可以查看已经提交的工单列表。
点击右侧的 “详情” 按钮:刚进来后,“同意” 按钮也是置灰的,需要先进行SQL检测 通过后,才可以点击同意。
点击同意后,发现已经转交给执行者admin了
此处说明下,上述我们设置的流程是:提交-审核-执行,故为3个阶段,只是目前审核和执行都是admin罢了。一般是提交人提交—> 专门的管理员(一般是技术组长、领导等)审核------> 数据库管理员/运维具体执行。
最后,我们执行下,然后查看下改后的状态:
同意执行后,工单变为已完成状态。
同意执行后,数据已修改:
END
