Database security management aims to protect the data in a database system against leakage, tampering and destruction. A database system stores many kinds of important and sensitive data, and because it is a multi-user system, granting each user only the appropriate permissions is critical.

This chapter introduces the basic security management techniques used in the database, including access control, user management, permission management, object permissions and the cloud audit service, each presented from three aspects: basic concepts, usage, and application scenarios.

5.1 Overview of Database Security Features

5.1.1 What Is Database Security Management

Database security management protects data from unauthorized access, prevents the leakage of important information, and avoids the loss of data through hardware or software errors. It covers, but is not limited to, network security, system security and data security.

5.1.2 Database Security Framework

In a broad sense, the database security framework can be divided into three levels, as shown in Fig. 5.1.

Fig. 5.1

Database security framework

See Sect. 2.1.4 of this book for a detailed description of the database security framework.

5.1.3 Database Security Features

GaussDB (for MySQL) provides the following three lines of defense against both intentional and unintentional compromise.

  1. (1)

    The first line of defense is formed by access control and SSL connections, which prevent client impersonation, information leakage and tampering with messages in transit.

  2. (2)

    The second line of defense is formed by user permission management, which hardens the database server itself and prevents risks such as unauthorized permission changes.

  3. (3)

    The third line of defense is formed by security audit management, so that every operation on the database can be traced.

GaussDB (for MySQL) also defends against denial-of-service (DoS) attacks that try to exhaust server-side session resources. If a connection has not completed authentication within the configured authentication timeout, the server forcibly closes it and releases the session resources it occupied, so that a flood of malicious TCP connections that never authenticate cannot exhaust the available connection slots.

This chapter introduces the main strategies of database security management from three aspects: access control, user permission management and the cloud audit service.

5.2 Access Control

5.2.1 What Is IAM

Identity and Access Management (IAM) is the basic access management service of Huawei Cloud; it helps users securely control access rights to Huawei Cloud services and resources.

IAM itself is free; users pay only for the resources in the account. When you register with Huawei Cloud, the system automatically creates an account, which is the subject to which resources belong and are billed. The account has full control over the resources it owns and can access all Huawei Cloud services. If an account has purchased several resources, such as Elastic Cloud Servers (ECS), Elastic Volume Service (EVS) disks or Bare Metal Servers (BMS), for a team or an application, its owner can use the user management function of IAM to create IAM users for employees or applications and grant each IAM user only the permissions its job requires. Newly created IAM users log in to Huawei Cloud with their own user names and passwords. IAM users avoid sharing the account password when several people collaborate on the same account. The use of IAM is shown in Fig. 5.2.

Fig. 5.2

Use of IAM

5.2.2 IAM Features

IAM provides fine-grained permission management, secure access, protection of sensitive operations, bulk management of user permissions through user groups, isolation of resources within a region, federated authentication, delegation of resource management to other accounts or cloud services, account security policies, and eventual consistency.

  1. (1)

    Fine-grained permission management.

    Using IAM, different resources within the account can be assigned to the IAM users on demand, which achieves fine-grained permission management, as shown in Fig. 5.3.

    For example, user Charlie is allowed to manage the VPCs in Project B, while the restricted user James may only view the VPC data in Project B.

  2. (2)

    Secure access.

    You can use IAM to generate identity credentials for users or applications without sharing the account password with other people, and the system will allow users to securely access the resources in the account through the permission information carried in the identity credentials.

  3. (3)

    Sensitive operations.

    IAM provides sensitive operation protections including login protection and operation protection. When logging in to the console or performing sensitive operations, the system will require a second authentication such as a verification code for email, cell phone or virtual MFA, so as to provide a higher level of security protection for the account and resources.

  4. (4)

    Bulk management of user permissions through user groups.

    Instead of authorizing each user individually, plan user groups, grant the corresponding permissions to each group, and add users to the groups; a user then inherits the permissions of its group. If a user's permissions change, simply remove the user from the group or add the user to another group, which makes authorization quick.

  5. (5)

    Isolation of resources within a region.

    Through creating sub-projects in the region, the resources between projects under the same region can be isolated from each other.

  6. (6)

    Federated authentication.

    Users who already have their own authentication system do not need to recreate users in Huawei Cloud; they can access Huawei Cloud directly through the identity provider function, achieving single sign-on.

  7. (7)

    Delegating resource management to other accounts or cloud services.

    Through the delegation (trust) function, users can delegate operation authority to other Huawei Cloud accounts or cloud services that are more specialized and efficient, and those accounts or services then carry out the daily work on the user's behalf within the delegated authority.

  8. (8)

    Setting account security policies.

    Improve the security of user information and system data by setting login authentication policies, password policies, and access control lists.

  9. (9)

    Eventual consistency.

    Eventual consistency means that operations performed in IAM, such as creating users and user groups or authorizing user groups, may take effect with a delay, because IAM replicates the data between servers in Huawei Cloud data centers and synchronizes it across regions. Confirm that a submitted policy change has taken effect before relying on it.

Fig. 5.3

Example of fine-grained permission management

5.2.3 IAM Authorization

IAM provides authentication and authorization functions for the other Huawei Cloud services. Users created in IAM can use those services according to their permissions once authorized. For services that do not support IAM authorization, an IAM user must log in with the account itself to use them. The terms used in IAM authorization are explained below.

  1. (1)

    Service: the cloud service that uses IAM authorization; clicking the service name displays the permissions it supports and the differences between them.

  2. (2)

    Region: the region selected for authorization of the cloud service when IAM authorization is used.

  3. (3)

    Global region: The service is deployed without specifying a physical region, i.e., a global-level service, where the service is authorized in a global project and can be accessed without switching regions.

  4. (4)

    Other regions: the service is deployed in a specific physical region, i.e., it is a project-level service. Authorization is performed in a region other than the global region and takes effect only in that region; to access the service you must switch to the corresponding region.

  5. (5)

    Console: Whether the cloud service supports permission management in the IAM console.

  6. (6)

    API: Whether the cloud service supports calling API for permission management.

  7. (7)

    Delegation: The user delegates operation permissions to the service, and allows the service to use other cloud services as itself, performing daily tasks on behalf of the user.

  8. (8)

    Policy: whether the cloud service supports permission management through policies. A policy is a JSON document describing a set of permissions; it precisely allows or denies the specified operations on the service's resource types.

5.2.4 Relationship Between IAM and GaussDB (for MySQL) usage

If fine-grained permission management is needed for the GaussDB (for MySQL) instances owned by an account, IAM can be used to achieve the following.

  1. (1)

    Enterprises create IAM users in Huawei cloud accounts for employees in different functions in the enterprise according to the business organization structure, so that employees have unique security credentials and can use GaussDB (for MySQL) resources.

  2. (2)

    Set different access rights according to each user's function, so that permissions are isolated between users.

  3. (3)

    Delegate GaussDB (for MySQL) resources to other Huawei cloud accounts or cloud services that are more professional and efficient, so that they can be operated and maintained on behalf of the users according to their permissions.

5.2.5 How to Use GaussDB (for MySQL) with IAM

The flow for using IAM with GaussDB (for MySQL) is shown in Fig. 5.4.

  1. (1)

    Create a user group and authorize it. Create a user group in IAM console and grant GaussDB (for MySQL) read-only access "GaussDB ReadOnlyAccess".

    Before authorizing a user group, it is necessary to know the GaussDB (for MySQL) permissions that the user group can get, and select the system permissions supported by the cloud database GaussDB (for MySQL) according to the actual needs.

  2. (2)

    Create users and join user groups. Create users in the IAM console and add them to the user group created in the previous step.

  3. (3)

    Users log in and verify permissions. Log in to the console as the newly created user, switch to the authorized region and verify the permissions: select GaussDB (for MySQL) in the "Service List" to open its main page, click the "Purchase a database instance" button in the upper right corner and try to buy an instance. If the purchase fails (assuming the user's only permission is GaussDB ReadOnlyAccess), "GaussDB ReadOnlyAccess" is in effect.

    Then select any service other than GaussDB (for MySQL) in the "Service List" (again assuming the policy contains only GaussDB ReadOnlyAccess); a message about insufficient permissions confirms that "GaussDB ReadOnlyAccess" is in effect and that the group has not been given permissions beyond it.

Fig. 5.4

Flow for using IAM with GaussDB (for MySQL)

5.2.6 Detailed Explanation of SSL

The Secure Sockets Layer (SSL) protocol is a security protocol that provides confidentiality and data integrity for network communications. (The SSL protocol versions themselves are obsolete; what is deployed today is its successor, Transport Layer Security (TLS), and "SSL" in product documentation, including this chapter, refers to TLS connections.) It is important for the following reasons.

  1. (1)

    Transmitting sensitive data (bank data, transaction information, passwords, etc.) in clear text over the network is very dangerous; the purpose of SSL is to provide communication confidentiality and data integrity.

  2. (2)

    In the seven-layer Open Systems Interconnection (OSI) model, SSL sits between the transport layer and the application layer and provides the secure channel. Many application-layer protocols have derived more secure variants by running over SSL, such as HTTPS.

  3. (3)

    Google, Facebook, Taobao and other current mainstream websites and applications all support SSL communication encryption.

  4. (4)

    GaussDB (for MySQL) supports SSL communication encryption between client and server to ensure the security and integrity of data transmission.

SSL uses both kinds of encryption. A symmetric algorithm uses the same key for encryption and decryption; the algorithm is public, and encryption and decryption are fast and efficient. An asymmetric algorithm uses a key pair, a public key and a private key, with different keys for encryption and decryption; it is computationally more complex and far slower than symmetric encryption, but it allows a secret to be agreed with a party that shares no key in advance. SSL therefore uses asymmetric cryptography during the handshake to authenticate the server through its certificate and to negotiate the session key, and once the channel is established it encrypts and decrypts the transmitted data with a symmetric algorithm. Note that encryption alone does not stop a man-in-the-middle: the client must also verify the server's certificate against a trusted CA, otherwise it may negotiate a perfectly encrypted session with an impostor.
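The checks below are an added example, not code from the book or from Huawei; they show how to confirm that the SSL channel described above is actually in use, assuming a MySQL 8.0-compatible server (on a managed instance, global variables such as require_secure_transport may only be changeable through the console parameter group rather than SET GLOBAL).

```sql
-- Added example (not from the book). Assumes MySQL 8.0-compatible syntax.

-- Server-wide: refuse every plaintext TCP connection, not only for accounts marked REQUIRE SSL.
SHOW VARIABLES LIKE 'require_secure_transport';
SET GLOBAL require_secure_transport = ON;

-- Protocol versions the server will accept (TLSv1 and TLSv1.1 were removed in MySQL 8.0.28;
-- anything below TLSv1.2 should not appear here).
SHOW VARIABLES LIKE 'tls_version';

-- From inside a session: what did the handshake actually negotiate?
-- An empty Ssl_cipher means the current session is in clear text.
SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher');

-- Which other sessions are connected in clear text right now?
-- (performance_schema must be enabled; foreground threads only.)
SELECT t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST
FROM performance_schema.threads AS t
JOIN performance_schema.status_by_thread AS s
  ON s.THREAD_ID = t.THREAD_ID
 AND s.VARIABLE_NAME = 'Ssl_cipher'
WHERE t.PROCESSLIST_ID IS NOT NULL
  AND s.VARIABLE_VALUE = '';
```

Two caveats when reading the results. A non-empty Ssl_cipher proves encryption, not authentication: the mysql command-line client with --ssl-mode=REQUIRED encrypts but does not check who it is talking to, while --ssl-mode=VERIFY_CA (with --ssl-ca pointing at the CA certificate downloaded from the console) or VERIFY_IDENTITY also validates the server certificate, which is what defeats a man-in-the-middle. And require_secure_transport applies to TCP/IP connections; local socket connections are treated as secure by definition.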

5.3 User Permission Control

5.3.1 Permission Concept

A permission is the ability to execute a particular SQL statement or to access or maintain a particular object. Managing a village of a few dozen households is easy; managing a city of several million people is much harder. Permission control over users is therefore especially important for database resource and security management.

GaussDB (for MySQL) supports the management of user permissions, which allows you to configure the user's operational access to database objects and the use of database functions.

The permissions granted to GaussDB (for MySQL) accounts determine the operations that the accounts can perform. The different permissions of GaussDB (for MySQL) differ in the contexts and operation levels to which they apply, as shown below.

  1. (1)

    Administrative permissions: allow users to manage the operation of the GaussDB (for MySQL) server; these permissions are global and not specific to any database.

  2. (2)

    Database permissions: apply to a database and all objects in it; they can be granted for a specific database or globally, depending on need.

  3. (3)

    Object permissions: can be granted on specific objects in a database, on all objects of a given type in a database (such as all tables in the database), or on all objects globally (tables, indexes, views and stored routines).

GaussDB (for MySQL) supports both static and dynamic permissions. Static permissions are built into the server; they can always be granted to user accounts and cannot be unregistered. Dynamic permissions are registered and deregistered at runtime, which affects their availability: a dynamic permission that has not been registered cannot be granted.

The GaussDB (for MySQL) server controls user access to the database through permission tables (the grant tables), which are stored in the mysql system database and populated when the database is initialized. An example of a permission table is shown in Table 5.1.

Table 5.1 An example of permission table
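As an added example (not from the book), the queries below read the grant tables directly to answer the questions an auditor asks first: who holds global administrative rights, which accounts can connect from anywhere, and what one account can actually do. They assume a MySQL 8.0-compatible server and an account that can SELECT from the mysql schema; on a managed instance some columns or tables may be hidden. The account name smith is the book's example.

```sql
-- Added example (not from the book). Assumes MySQL 8.0-compatible grant tables.

-- 1. Accounts holding privileges that amount to full control of the server.
SELECT User, Host, Super_priv, Grant_priv, Create_user_priv, File_priv, Process_priv
FROM mysql.user
WHERE Super_priv = 'Y' OR Grant_priv = 'Y' OR Create_user_priv = 'Y' OR File_priv = 'Y';

-- 2. Accounts reachable from any host (the Host part of the account name is a wildcard).
SELECT User, Host FROM mysql.user WHERE Host = '%';

-- 3. Accounts with no stored credential, or with no TLS requirement on the connection.
SELECT User, Host, plugin, ssl_type, account_locked, password_expired
FROM mysql.user
WHERE authentication_string = '' OR ssl_type = '';

-- 4. Database-level and table-level grants for one account, as the server stores them.
SELECT Db, User, Host, Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv
FROM mysql.db
WHERE User = 'smith';

SELECT Db, Table_name, Grantor, Table_priv
FROM mysql.tables_priv
WHERE User = 'smith';

-- 5. Dynamic privileges (MySQL 8.0) live in their own table, not in the *_priv columns above.
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION
FROM mysql.global_grants;

-- The same facts for one account, rendered as GRANT statements.
SHOW GRANTS FOR 'smith'@'%';
```

The first three queries are the ones worth scheduling: a row appearing in query 1 or 2 that was not there last week is a change in the security posture that should be explained by a ticket. Query 5 matters because a reviewer who only inspects mysql.user will miss dynamic privileges such as BACKUP_ADMIN or SYSTEM_VARIABLES_ADMIN.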

5.3.2 Users

As a database administrator, you should create a database user for each person who needs to connect to the database. A database user connects with a user name and password; once connected, it can manipulate database objects and access data according to its permissions, for example creating tables, querying tables and executing SQL statements.

By default, users of GaussDB (for MySQL) database can be divided into 3 categories.

System administrator: has the highest database permissions (e.g. the SYS and SYSDBA users).

Security administrator: has the CREATE USER permission.

Ordinary user: by default holds the PUBLIC object permissions and permissions only on the objects it created; any other permission must be granted by the system administrator through the GRANT statement.

SYSDBA is a user that can log in to the database without a password, by connecting with "zsql / AS SYSDBA".

Two points should be noted here. First, when connecting, a database user must name a database that already exists; it cannot connect to a database that does not exist. Second, a user can establish multiple connections to the database, that is, multiple sessions, and operate in each of them.

Users can be created by the CREATE USER statement. When using this statement, the following three points should be noted.

  1. (1)

    The user executing this statement needs the CREATE USER system permission; otherwise no new user can be created.

  2. (2)

    When creating a user, you specify the user name and password; these are the credentials the user later presents when connecting to the database.

  3. (3)

    The root user cannot be created, because it is a system-preset user.

The common syntax format for creating users is as follows.

CREATE USER user_name IDENTIFIED BY password;

user_name is the user name; password is the user password, which must be enclosed in single quotes. After the user is created, you can connect to the database with that user name and password. In MySQL-compatible syntax an account is identified by user name and host ('user'@'host'); when the host part is omitted, as above, it defaults to '%', meaning the account may connect from any host, so where possible write the account as 'user_name'@'address-range' to limit where it can be used from.

The following special characters are not allowed in the user name.

Semicolon (;), vertical bar (|), backquote (`), dollar sign ($), ampersand (&), greater-than sign (>), less-than sign (<), double quote ("), single quote ('), exclamation mark (!), spaces, and the copyright symbol (©). If a user name contains any other special character, it must be enclosed in double quotation marks ("") or backquotes (``); the quoting characters are delimiters and are not part of the name.

When setting a password for a user name, the following requirements must be met.

  1. (1)

    The password must be at least eight characters long.

  2. (2)

    When creating a password, the password must be enclosed in single quotes.

Example: To create a user with the username "smith" and the password "database_123", you can execute the following statement.

CREATE USER smith IDENTIFIED BY 'database_123';

The user name consists of letters only, and the password is eight or more characters containing letters, a special symbol and digits, so both requirements are met and the user is created successfully.

5.3.3 Modifying a User

You can modify a user with ALTER USER, paying attention to the following.

  1. (1)

    The user executing this statement needs the ALTER USER system permission, similar to the CREATE USER permission.

  2. (2)

    If the specified user does not exist, an error is reported; only an existing user can be modified.

User modification is mainly applied to the following scenarios.

  1. (1)

    Modify the user password.

  2. (2)

    Manually lock or unlock the user. For example, a user that has been locked out after a certain number of failed login attempts needs to be unlocked.

The syntax format for changing the user password is as follows.

ALTER USER user_name IDENTIFIED BY new_password;

user_name is the user to change and new_password is the new password, enclosed in single quotes.

Example: to change user smith's password to "database_456", the administrator can run the following statement.

ALTER USER smith IDENTIFIED BY 'database_456';

5.3.4 Deleting a User

When a user is no longer needed, delete it with the DROP USER statement. The user executing the statement needs the DROP USER system permission, similar to the CREATE USER permission. Two points matter in practice on a MySQL-compatible server: DROP USER removes the account and all of its privilege grants, but it does not drop the databases or objects the account created (they remain and must be reassigned or dropped separately), and it does not close the account's currently open sessions, which keep their permissions until they end.

The syntax format for deleting a user is as follows.

DROP USER [ IF EXISTS ] user_name;

user_name is the user to delete. IF EXISTS controls what happens when that user does not exist: without it an error is reported; with it the statement returns success, and the user is deleted if it does exist.

Example: To delete user smith, you can use the following statement.

DROP USER IF EXISTS smith;
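The statements below are an added example, not the book's or Huawei's code; they walk one account through the lifecycle described in Sects. 5.3.2 to 5.3.4 with the hardening a practitioner would add (host restriction, TLS requirement, expiry, automatic lockout after failed logins, and session cleanup before deletion). They assume MySQL 8.0-compatible syntax; the FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME clauses require MySQL 8.0.19 or later upstream, and the host pattern 10.0.% is a placeholder for the application subnet.

```sql
-- Added example (not from the book). Assumes MySQL 8.0.19+ compatible syntax; '10.0.%' is a placeholder subnet.

-- Create: pin the account to a host range, require TLS, rotate every 90 days,
-- and lock the account for 1 day after 5 consecutive failed logins.
CREATE USER 'smith'@'10.0.%' IDENTIFIED BY 'database_123'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- Modify: change the password and forbid reuse of the last five passwords.
ALTER USER 'smith'@'10.0.%' IDENTIFIED BY 'database_456' PASSWORD HISTORY 5;

-- Manual lock and unlock; ACCOUNT UNLOCK also resets the failed-login counter.
ALTER USER 'smith'@'10.0.%' ACCOUNT LOCK;
ALTER USER 'smith'@'10.0.%' ACCOUNT UNLOCK;

-- Check the stored state of the account.
SELECT User, Host, account_locked, password_expired, ssl_type
FROM mysql.user
WHERE User = 'smith';

-- Before deletion: DROP USER does not terminate open sessions, so find and end them first.
SELECT id, user, host, db, command, time
FROM information_schema.processlist
WHERE user = 'smith';
-- KILL <id>;   -- one per row returned above; the ids are runtime values

-- Delete: the account and its grants go; objects smith created stay and need a new owner or a DROP.
DROP USER IF EXISTS 'smith'@'10.0.%';
```

The ordering is deliberate: the lockout and TLS clauses go into CREATE USER rather than being added later, so there is no window in which the account exists without them.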

5.3.5 Roles

A role is a set of permissions, by which the database can divide permissions at the organizational level. Roles were not introduced into MySQL until MySQL 8.0. A database may be accessed by many users, so for ease of management you can first group permissions and assign each group to a role. Users at different permission levels are then granted different roles, which is equivalent to granting the permissions they need in bulk instead of one by one.

For example, a company may have several finance roles with permissions such as paying wages and allocating funds. A role does not belong to any user; it is not private to one user but can be held by many. Finance, for instance, is a role shared by several employees rather than private to one. (Compare this with an object: if the user smith creates the table staffs, then smith.staffs belongs to smith alone, and other users can access or operate on it only if they hold the appropriate permissions.)

Roles are created with the CREATE ROLE statement. The user executing the statement needs the CREATE ROLE system permission. A role belongs to no user, cannot log in to the database or execute SQL statements, and its name must be unique in the system.

GaussDB (for MySQL) contains the following four system-preconfigured roles by default.

  1. (1)

    Database administrator: has all system permissions and cannot be deleted.

  2. (2)

    RESOURCE, the role for creating basic objects: has permission to create stored procedures, functions, triggers, tables and sequences.

  3. (3)

    CONNECT, the role to connect: has the permission to connect to the database.

  4. (4)

    STATISTICE, statistical role.

The syntax format for creating a role is as follows.

CREATE ROLE role_name;

role_name indicates the name of the created role.

Example: To create the role teacher.

CREATE ROLE teacher;

A role is deleted with the DROP ROLE statement. The user executing it must hold the DROP ANY ROLE system permission, or be the creator of the role, or have been granted the role with the WITH GRANT OPTION attribute. If the role does not exist, an error is reported. When a role is deleted, the permissions it carried are withdrawn from every user and role to which it was granted, and those grantees lose the permissions contained in the role.

The syntax format for deleting a role is as follows.

DROP ROLE role_name;

role_name represents the role name.

Example: To delete the role teacher.

DROP ROLE teacher;

The relationship between user roles and permissions is as follows.

  1. (1)

    Users can define roles and grant them multiple permissions, and roles are a collection of multiple permissions.

  2. (2)

    When the role is granted to a user or another role, the granted object has all the permissions of the role.

  3. (3)

    The permissions of a role are inheritable.

GaussDB (for MySQL) supports role-based permission management. Users can define roles, and if a role is granted to a user, the user has all the permissions for that role. The financial role shown in Fig. 5.5 only has the rights to pay wages and allocate funds, while the director only has the rights to review the budget and view the income statements. After granting the financial role to the director, the director inherits the permissions of the financial role and gets the rights to audit the budget, view the income statements, and pay wages and allocate funds.

Fig. 5.5

User, role, and permission

5.3.6 Authorization

The previous sections all mention permissions, which must be granted. Authorization means granting permissions or roles to users or other roles so that they acquire the corresponding rights. For example, a newly created user has no permissions: it cannot perform any operation on the database and cannot even connect to it. Granting the user the CREATE SESSION (connect) permission gives it the right to connect; if it needs to create a table it must also hold the CREATE TABLE permission. A table created by the user is one of the user's own objects, and the user can insert, delete, update and query its data. Authorization is performed with the GRANT statement, which can grant one permission or several permissions to a user or role at once. You can grant Permission 1 to User 1, or grant Permissions 1, 2 and 3 to Role 1, grant Role 1 to Role 2, and finally grant Role 2 to a user, as shown in Fig. 5.6.

Fig. 5.6

Authorization

The common syntax format for permission granting is as follows.

GRANT privilege_name ON db/objects TO grantee [ WITH GRANT OPTION ];

privilege_name: the name of the permission.

db/objects: the scope of the grant, written as *.* (all databases, for global permissions), db_name.* (one database) or db_name.object_name (one object such as a table).

grantee: the user or role to be granted.

WITH GRANT OPTION: optional, means that the granted user or role can grant the granted permissions to other users or roles again.

Permissions and roles should be granted following the principle of least privilege.

To grant a permission, the user executing the GRANT statement must itself hold that permission with the WITH GRANT OPTION attribute.

Example: To grant the CREATE USER permission to the user smith, and allow smith to grant this permission to other users or roles.

GRANT CREATE USER ON *.* TO smith WITH GRANT OPTION;

The syntax format for granting roles is similar to the format for granting permissions, as follows.

GRANT role_name TO grantee [WITH GRANT OPTION];

role_name is the role name and grantee is the user or role to be granted. WITH GRANT OPTION is optional; if set, the grantee can grant the role on to other users or roles. (In upstream MySQL 8.0 the corresponding clause for roles is WITH ADMIN OPTION; in either dialect, giving a grantee the right to pass a role on should be the exception, since it lets that user widen access without the administrator's involvement.)

To grant the role, the user executing the granting role statement needs to meet one of the following conditions.

  1. (1)

    It has been granted the role and has the WITH GRANT OPTION attribute.

  2. (2)

    It is the creator of the role.

Example: To grant the role of teacher to smith and allow smith to grant this role to other users or roles.

GRANT teacher TO smith WITH GRANT OPTION;

Having the WITH GRANT OPTION attribute means that the authorized user can re-grant the acquired permission or role to other users or roles.

5.3.7 Permission Recovery

Permission recovery, i.e. revocation, takes a permission or role away from its holder; once revoked, the user or role no longer has it. For example, if a user should no longer create tables, revoke the CREATE TABLE system permission from it; if the user should no longer access the database at all, revoke its CREATE SESSION permission. System permissions, object permissions and roles can all be revoked with the REVOKE statement.

The common syntax format for permission recovery is as follows.

REVOKE privilege_name ON db/objects FROM revokee;

privilege_name is the name of the permission to revoke, db/objects is the scope it was granted on, and revokee is the user or role whose permission is withdrawn. Up to 63 users or roles can be listed at a time.

To revoke a permission, the user executing the REVOKE statement must itself hold that permission with the WITH GRANT OPTION attribute, the same condition as for granting it.

Example: to revoke the CREATE USER permission from the user smith.

REVOKE CREATE USER ON *.* FROM smith;

When a user who has been granted a role no longer needs the permissions in it, the role should be revoked from the user. For example, if employee A holds the finance role that allows viewing the company's funds, the finance role must be revoked when he or she leaves. The system administrator (the SYS user, or a user holding the database administrator role) has all system permissions, including GRANT ANY ROLE, so the system administrator can always execute the role revocation statement.

To revoke a role, the user performing the REVOKE operation needs to meet one of the following conditions.

  1. (1)

    It has been granted the role and has the WITH GRANT OPTION attribute.

  2. (2)

    It is the creator of the role being revoked.

The common syntax format for revoking a role is as follows.

REVOKE role_name FROM revokee;

role_name is the name of the role, and revokee is the user or role from which it is withdrawn. Up to 63 users or roles can be listed at a time. Note that the permissions of the database administrator role cannot be revoked: its initial permissions are fixed when the database is created, and you may later grant additional permissions to it but may not revoke any.

Permissions should follow the principle of least privilege, and to keep the database secure, permissions and roles that are no longer needed should be revoked promptly.

An example of the application of users, roles and permissions is as follows.

To create the user smith, with the password database_123.

CREATE USER smith IDENTIFIED BY 'database_123';

Create the role manager, which is implemented by the CREATE ROLE statement.

CREATE ROLE manager;

Grant the CREATE USER permission to the role manager.

GRANT CREATE USER ON *.* TO manager;

Grant object query and insertion permissions to manager.

GRANT SELECT, INSERT ON mysql.staffs TO manager;
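The statements below are an added example, not the book's or Huawei's code, that carries the user/role/permission scenario above through to verification and off-boarding, including the step the book's example omits: on a MySQL 8.0-compatible server a granted role is inactive until it is activated, so a user who has been granted manager can still be denied access to the table. They assume MySQL 8.0-compatible role syntax; the hr schema, the staffs table and the host pattern 10.0.% are placeholders.

```sql
-- Added example (not from the book). Assumes MySQL 8.0-compatible role syntax; hr.staffs and '10.0.%' are placeholders.

CREATE ROLE IF NOT EXISTS 'manager', 'auditor';

-- Privileges are granted to roles, never directly to people.
GRANT CREATE USER ON *.* TO 'manager';
GRANT SELECT, INSERT ON hr.staffs TO 'manager';
GRANT SELECT ON hr.* TO 'auditor';

-- Roles are granted to accounts. No WITH ADMIN OPTION here: smith should not be able to hand the role on.
CREATE USER IF NOT EXISTS 'smith'@'10.0.%' IDENTIFIED BY 'database_123';
GRANT 'manager' TO 'smith'@'10.0.%';

-- A granted role is inactive until activated. Without this line smith can log in
-- but SELECT on hr.staffs fails with "command denied".
SET DEFAULT ROLE 'manager' TO 'smith'@'10.0.%';

-- Verify the effective permissions, including those inherited through the role.
SHOW GRANTS FOR 'smith'@'10.0.%' USING 'manager';

-- From a session opened by smith, confirm the role is active:
-- SELECT CURRENT_ROLE();     -- expect `manager`@`%`

-- Off-boarding in the least-privilege order: take the role back first, then retire
-- roles nobody uses. DROP ROLE withdraws its privileges from every remaining grantee.
REVOKE 'manager' FROM 'smith'@'10.0.%';
DROP ROLE IF EXISTS 'auditor';
```

SET DEFAULT ROLE is per account; the alternative is the server variable activate_all_roles_on_login, which activates every granted role at login for everyone and therefore removes the ability to grant a role that is held but dormant. The SHOW GRANTS ... USING form is the check worth keeping in a runbook, because plain SHOW GRANTS lists only the direct grants and the role name, not what the role expands to.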

5.4 Cloud Audit Services

5.4.1 What Are Cloud Audit Services

The log audit module is the core component of an information security audit function and an important part of the risk control that enterprises and organizations apply to information system security. As information systems move to the cloud, security management organizations at all levels worldwide, including China's national standardization technical committees, have issued standards on this topic, such as ISO/IEC 27000, GB/T 20945-2013, COSO, COBIT, ITIL and the NIST SP 800 series.

Cloud Trace Service (CTS) is the log auditing service in Huawei's cloud security solution. It collects, stores and lets you query the operation records of the various cloud resources, supporting common scenarios such as security analysis, compliance audit, resource tracking and problem location, as shown in Fig. 5.7.

Fig. 5.7

Cloud audit service

The functions of cloud audit service mainly include the following.

Record audit logs: records operations initiated by users through the management console or the application programming interface (API), as well as operations triggered internally by each service.

Audit log query: the management console can query the operation records of the last seven days by event type, event source, resource type, filter type, operating user and event level.

Audit log dumping: audit logs can be dumped periodically to a bucket in the Object Storage Service (OBS); the logs are compressed into event files per service, which is also how records older than seven days are retained.

Event file encryption: event files can be encrypted during dumping with a key held in the Data Encryption Workshop (DEW).

5.4.2 Key Operations to Support Cloud Audit Services

With the cloud audit service, operation events on GaussDB (for MySQL) instances are recorded for later query, audit and traceback. The key operation events supported by the cloud audit service are listed in Table 5.2.

Table 5.2 Key operation events supported by the cloud audit service

Viewing trace events: once the cloud audit service is enabled, the system starts recording operations on cloud service resources, and the management console keeps the last seven days of records. Log in to the management console and select "Manage & Deploy > Cloud Audit Service" from "All Services" or the "Service List" to open the service page, then select "Event List" in the left navigation tree. The event list can be filtered to find specific operation events; four dimensions can be combined in a query, as described below.

  1. (1)

    Event source, resource type and filter type. Select the corresponding query conditions from the drop-down boxes.

    Generally, select "CloudTable" as the event source; select "All Resource Types" as the resource type, or specify a specific resource type; and select "All Filter Types" as the filter type, or select one of "By Event Name", "By Resource ID", "By Resource Name".

  2. (2)

    Operating user. Select a specific user from the drop-down box; this is an individual user, not the tenant as a whole.

  3. (3)

    Event Level. The options are "All Event Levels", "Normal", "Warning", "Incident". Only one of them can be selected.

  4. (4)

    Start time and end time. The operation events can be queried by selecting the time period.

5.5 Summary

This chapter first introduced access control in the cloud, including IAM and SSL connections; then the basic concepts, usage and application scenarios of users, roles and permissions and the relationship between the three; then authorization and permission revocation, including their syntax and the conditions the user performing them must satisfy; and finally the cloud audit service for tracing operations on GaussDB (for MySQL) instances.

5.6 Exercises

  1. 1.

    [True or False] SSL can prevent man-in-the-middle attacks and eavesdropping on the network. ( )

    1. A.

      True

    2. B.

      False

  2. 2.

    [True or False] SSL can be used only for databases. ( )

    1. A.

      True

    2. B.

      False

  3. 3.

    [Single Choice] Which of the following statements is used for authorization? ( )

    1. A.

      CREATE

    2. B.

      ALTER

    3. C.

      GRANT

    4. D.

      REVOKE

  4. 4.

    [True or False] The names of roles and users can be duplicated. ( )

    1. A.

      True

    2. B.

      False

  5. 5.

    [True or False] System permissions and object permissions should be revoked when they are no longer used. ( )

    1. A.

      True

    2. B.

      False

  6. 6.

    [Short Answer Question] Why does SSL make a connection secure?