使用 psycopg2 毗连高斯数据库报错 failed: none of the server‘s SASL au
[*]使用 下令安装 安装 psycopg2
pip3 install psycopg2
[*]编写python文件 test2.py,毗连数据库。
import psycopg2
#创建毗连对象
conn=psycopg2.connect(dbname="db_tpcc",user="tpcc_user",password="password",host="10.201.65.207",port=30100)
cur=conn.cursor() #创建指针对象
#创建毗连对象(SSl毗连)
#conn = psycopg2.connect(dbname="db_tpcc", user="tpcc_user", password="password", host="10.201.65.207", port=30100,sslmode="verify-ca", sslcert="client.crt",sslkey="client.key.unsecure",sslrootcert="ca.pem")
cur=conn.cursor() #创建指针对象
# 创建表
cur.execute("CREATE TABLE student(id integer,name varchar,sex varchar);")
#插入数据
cur.execute("INSERT INTO student(id,name,sex) VALUES(%s,%s,%s)",(1,'Aspirin','M'))
cur.execute("INSERT INTO student(id,name,sex) VALUES(%s,%s,%s)",(2,'Taxol','F'))
cur.execute("INSERT INTO student(id,name,sex) VALUES(%s,%s,%s)",(3,'Dixheral','M'))
# 获取结果
cur.execute('SELECT * FROM student')
results=cur.fetchall()
print (results)
# 关闭毗连
conn.commit()
cur.close()
conn.close()
[*]运行test2.py 报错
conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
psycopg2.OperationalError: connection to server at "10.201.65.207", port 30100 failed: none of the server's SASL authentication mechanisms are supported
[*]大部分步伐猿采用如下方法办理
A.实行下令修改加密参数 gs_guc reload -N all -I all -c "password_encryption_type=1";
B.修改数据库每台机器的pg_hba.conf文件
切换到你们那边的gaussdb用户,在所有DN节点都要修改如下内容
cd /data/cluster/data/dn/dn_6001(目次改成你那边的)
vi pg_hba.conf ,将下图标注的sha256改为md5
https://i-blog.csdnimg.cn/blog_migrate/11c0ba9e6622ad650087381d75ef9936.png C.改完重启数据库
制止:gs_om -t stop
启动:gs_om -t start
D.修改了加密方式,以前创建的用户都不能登录,使用超级用户RsAdmin免密登录,使用下面的下令修改用户密码
实行 alter user test_user3 identified by 'password'
MD5这种加密方式,是不安全的加密方式,华为官方也不推荐.我们下面讨论,不修改高斯数据库加密方式的条件下处理题目
[*]华为官网https://opengauss.org/zh/download/下载对应版本的Python-psycopg2_3.1.1,现在只支持LINUX系统,还不支持WINDOWS
https://i-blog.csdnimg.cn/blog_migrate/2547b2bb37b2621102dc68025e87fec6.png 下载后文件名如下openGauss-3.1.1-openEuler-aarch64-Python.tar.gz
[*]将包上传到 LINUX 的任意目次下,这里为 /setup/openGauss,并解压
tar -zxvf openGauss-3.1.1-openEuler-aarch64-Python.tar.gz
解压后目次布局如下
https://i-blog.csdnimg.cn/blog_migrate/719404dc9b44a81aa0d472803fd159dd.png
[*]将依赖的lib 文件复制到/usr/lib64
cp lib/* /usr/lib64
这里提示是否覆盖,全部选否
[*]将psycopg2文件夹 copy 到 /usr/lib/python3.7/site-packages 并授权
假如不知道 site-packages的路径,使用下面的下令查找
find /usr -name *site-p*
https://i-blog.csdnimg.cn/blog_migrate/7fbdbcf90f963915ae697d35cc984795.png cp -r /setup/openGauss/psycopg2 /usr/lib/python3.7/site-packages/
chmod -R 755 /usr/lib/python3.7/site-packages/psycopg2
[*]拿step2编写的test2文件运行,运行成功
python3 test2.py
https://i-blog.csdnimg.cn/blog_migrate/fef1633db3b241f8f8836c708f9ace29.png https://i-blog.csdnimg.cn/blog_migrate/a53d93d4869e9a0a54ce0035c0faa077.png 这里我们的毗连方式使用的是明文方式,绕过了 pip install psycopg2 的MD5 加密方式
conn=psycopg2.connect(dbname="db_tpcc",user="tpcc_user",password="password",host="10.201.65.207",port=30100)
[*]为了更安全的网络毗连,我们应该使用证书的链接方式
注释掉明文链接,使用下面的毗连方式
conn = psycopg.connect(dbname="db_tpcc", user="tpcc_user", password="password", host="10.201.65.207", port=30100,sslmode="verify-ca", sslcert="client.crt",sslkey="client.key",sslrootcert="ca.pem")
[*]登录高斯数据库服务器端,并编写 client 端生成脚本genCertificate_client.sh
vim /setup/genCertificate_client.sh
脚本内容如下:
curDir=/setup
logFile=genCertificate.log
user_pwd=password #这里配置为客户端运行python步伐的用户密码
function genCertificate()
{
echo "Start to genCertificate" >> ${logFile}
openssl=$(openssl version)
ca_dir=$(awk '/Where everything is kept/{print $3}' /etc/pki/tls/openssl.cnf)
if [ -z "${openssl}" -o -z "${ca_dir}" ]; then
echo "genCertificate failed: openssl is not installed" >> ${logFile}
exit 1
fi
mkdir -p ${curDir}/certificate
cd ${curDir}/certificate
if [ "${string:0:1}" == "." ]; then
ca_dir=${curDir}/certificate/${ca_dir}
fi
mkdir -p ${ca_dir}/newcerts
touch ${ca_dir}/index.txt
sed -i "s/^unique_subject =.*/unique_subject = no/" ${ca_dir}/index.txt.attr
echo '01' >> ${ca_dir}/serial
# openssl genrsa -out ca.key 2048
# expect <<-EOF
# spawn openssl req -new -key ca.key -out ca.csr
# expect "Country Name" {send "CN\r"}
# expect "State or Province Name" {send "GD\r"}
# expect "Locality Name" {send "SZ\r"}
# expect "Organization Name" {send "HW\r"}
# expect "Organizational Unit Name" {send "OM\r"}
# expect "Common Name" {send "GAUSS\r"}
# expect "Email Address" {send "\r"}
# expect "A challenge password" {send "\r"}
# expect "An optional company name" {send "\r"}
# expect "]#" {send "\r"}
#EOF
# openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
expect <<-EOF
spawn clear
spawn openssl genrsa -des3 -out client.key 2048
expect "Enter pass phrase for client.key:"
send "${user_pwd}\r"
expect "Verifying - Enter pass phrase for client.key:"
send "${user_pwd}\r"
send "\r"
expect "]#" {send "\r"}
EOF
expect <<-EOF
spawn openssl req -new -key client.key -out client.csr
expect "Enter pass phrase for client.key" {send "${user_pwd}\r"}
expect "Country Name" {send "CN\r"}
expect "State or Province Name" {send "GD\r"}
expect "Locality Name" {send "SZ\r"}
expect "Organization Name" {send "HW\r"}
expect "Organizational Unit Name" {send "OM\r"}
expect "Common Name" {send "GAUSS\r"}
expect "Email Address" {send "\r"}
expect "A challenge password" {send "\r"}
expect "An optional company name" {send "\r"}
expect "]#" {send "\r"}
EOF
expect <<-EOF
spawn openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
expect "Sign the certificate" {send "y\r"}
expect "certificate requests certified" {send "y\r"}
expect "]#" {send "\r"}
EOF
openssl x509 -in ca.crt -out ca.pem
if [ ! -s ${curDir}/certificate/ca.pem -o ! -s ${curDir}/certificate/client.crt -o ! -s ${curDir}/certificate/client.key ]; then
echo "genCertificate failed, please execute \"sh ${curDir}/install_cluster.sh genCertificate\" cmd for details" >> ${logFile}
exit 1
fi
echo "genCertificate finished, begin to deliver it to all nodes" >> ${logFile}
cat client.crt > client.pem
shift
while [ $# != 0 ]; do
echo "Start to deliver cert to $1" >> ${logFile}
scpCmd="scp -q ${curDir}/certificate/ca.pem ${curDir}/certificate/client.key ${curDir}/certificate/client.pem root@$1:/home/${user}/sslcrt"
executeRemoteCmd "${scpCmd}" ${root_pwd}
sshCmd="ssh -t root@$1 \"chown -R ${user}:${user_group} /home/${user}/sslcrt\""
executeRemoteCmd "${sshCmd}" ${root_pwd}
shift
done
echo "End to genCertificate" >> ${logFile}
}
genCertificate
[*]赋予脚本实行权限,并copy 高斯安装目次下的certificate目次到setup目次下
chmod +x /setup/genCertificate_client.sh
cp -r /data/GaussDBInstaller/certificate /setup/
[*]运行脚本genCertificate_client.sh
./genCertificate_client.sh
[*]从python步伐的客户端运行 scp 下令,copy 文件到 test2.py的目次下
scp 10.201.65.207:/setup/certificate/ca.pem /setup/
scp 10.201.65.207:/setup/certificate/client.key /setup/
scp 10.201.65.207:/setup/certificate/client.crt /setup/
[*]运行 test2.py
提示输入Enter PEM pass phrase,这里为我们 step11 中配置的客户端用户密码 。
输入密码后 test2.py运行成功
https://i-blog.csdnimg.cn/blog_migrate/66fadbdfdd16526ce02d3c3205b9f3d0.png
[*] 在真实应用中我们不可能每次输入密码,修改 client key 为不需要每次输入密码
openssl rsa -in client.key -out client.key.unsecure
[*]修改步伐毗连,并运行test2.py,不需要输入密码,python步伐运行成功
修改毗连为
conn = psycopg2.connect(dbname="db_tpcc", user="tpcc_user", password="password", host="10.201.65.207", port=30100,sslmode="verify-ca", sslcert="client.crt",sslkey="client.key.unsecure",sslrootcert="ca.pem")
python3 test2.py
https://i-blog.csdnimg.cn/blog_migrate/3e83851c700eacffffab2ce990ce6b7e.png
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]