Use SSL
CelerData clusters support secure connections encrypted by SSL. Unlike traditional cleartext connections to a DBMS, SSL connections provide endpoint verification and data encryption to ensure that the data transmitted between clients and CelerData clusters cannot be read by unauthorized users.
CelerData clusters use SSL certificates provided by the Certificate Authority Let's Encrypt, and support authentication of up to the VERIFY_IDENTITY level.
Connections to CelerData clusters via API are encrypted by HTTPS, which secures the data loaded via Stream Load and exported using Spark connector and Flink connector. In addition, loading data via HTTPS encrypts the communication to both frontend and compute nodes.
Connect with the MySQL client
The MySQL client uses SSL by default when connecting to a CelerData cluster. The connection can be configured to any of these levels:
| Level | MySQL client option |
|---|---|
| SSL required (the default) | --ssl-mode=REQUIRED |
| SSL with CA verification | --ssl-mode=VERIFY_CA |
| SSL with CA and host name verification | --ssl-mode=VERIFY_IDENTITY |
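```bash
# No space between -p and the password; with a space, the mysql client
# treats the next argument as a database name. Use a bare -p to be prompted.
mysql -h <cluster_endpoint> -P9030 --ssl-mode=<ssl_mode> \
  [--ssl-ca=<ca_certificate_file>] \
  -u <cluster_username> -p<cluster_password>
```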
| Parameter | Description |
|---|---|
| cluster_endpoint | The endpoint of the CelerData cluster you want to connect to. You can view the endpoint of the cluster at the Connection properties section on the Overview tab of the cluster details page. See View CelerData clusters for more information. |
| ssl_mode | The SSL mode with which you want to connect to the CelerData cluster. CelerData clusters support the following SSL modes: REQUIRED (the default), VERIFY_CA, and VERIFY_IDENTITY. |
| ca_certificate_file | The private CA certificate file that you want to use for verification. You need to specify the CA certificate file if you have specified the ssl_mode parameter as VERIFY_CA or VERIFY_IDENTITY and want to use a private CA certificate. You do not need to specify this item if you want to use a public trusted CA service and have specified the system root CA certificate. The default locations for CA certificates on common operating systems are listed below. |
| cluster_username | The username used to connect to the cluster. |
| cluster_password | The password used to connect to the cluster. |
Default CA certificate location
If you want to connect to your CelerData cluster using a CA certificate for verification, you can either use public trusted CA services such as Google Trust Services, or prepare your own CA certificate.
If you want to use a public trusted CA service, you only need to specify the system root CA certificate:
- For Debian and Ubuntu: /etc/ssl/certs/ca-certificates.crt
- For Red Hat, CentOS, and Fedora: /etc/pki/tls/certs/ca-bundle.crt
- For macOS: /opt/homebrew/etc/openssl@3/cert.pem
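What each of the three SSL modes actually verifies, expressed as Python `ssl` contexts, together with a lookup over the default CA bundle locations listed above. This is an added example, not CelerData's or the MySQL client's code; the function names are hypothetical.

```python
import os
import ssl

# Default system CA bundle locations listed on this page.
SYSTEM_CA_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",    # Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",      # Red Hat, CentOS, Fedora
    "/opt/homebrew/etc/openssl@3/cert.pem",  # macOS
]

def find_system_ca_bundle(candidates=SYSTEM_CA_BUNDLES):
    """Return the first CA bundle that exists on this host, or None."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None

def context_for_ssl_mode(ssl_mode, ca_file=None):
    """Build an SSLContext that performs the checks of the given SSL mode."""
    mode = ssl_mode.upper()
    if mode not in ("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"):
        raise ValueError(f"unsupported SSL mode: {ssl_mode}")
    if mode == "REQUIRED":
        # Traffic is encrypted, but the server certificate is not validated,
        # so the client cannot tell the cluster from an impostor.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # VERIFY_CA and VERIFY_IDENTITY: the chain must lead to a trusted CA.
    # ca_file=None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=ca_file)
    # Only VERIFY_IDENTITY also matches the certificate to the endpoint name.
    ctx.check_hostname = (mode == "VERIFY_IDENTITY")
    return ctx

def describe(ctx):
    """Summarise which server checks a context enforces."""
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_verified": ctx.check_hostname,
    }

if __name__ == "__main__":
    print("system CA bundle:", find_system_ca_bundle())
    for mode in ("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"):
        print(mode, describe(context_for_ssl_mode(mode)))
```

Only VERIFY_IDENTITY checks both the certificate chain and the endpoint name, which is the highest level the page says CelerData clusters support.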
Load data into an SSL-enabled cluster using Stream Load
You can load data into an SSL-enabled cluster using Stream Load with the API encrypted by HTTPS.
```bash
curl -i -H "label:<label_name>" -H "column_separator:<column_separator>" \
  -u <cluster_username>:<cluster_password> -T <data_file_name> \
  -X PUT https://<cluster_endpoint>/api/<db_name>/<table_name>/_stream_load
```
| Parameter | Description |
|---|---|
| label_name | The label of the load job. This parameter is optional. The CelerData cluster automatically generates a label for the load job if you do not specify it. The cluster does not allow you to use one label to load a data batch multiple times. As such, the cluster prevents the same data from being repeatedly loaded. By default, the cluster retains the labels of load jobs that were successfully completed over the most recent three days. |
| column_separator | The characters that are used in the data file to separate fields. If you do not specify this parameter, it defaults to \t, which indicates tab. Make sure that the column separator you specify by using this parameter is the same as the column separator used in the data file. NOTE: For CSV data, you can use a UTF-8 string, such as a comma (,), tab, or pipe (\|), whose length does not exceed 50 bytes as a text delimiter. |
| cluster_username | The username used to connect to the cluster. |
| cluster_password | The password used to connect to the cluster. |
| data_file_name | The name of the data file. You can optionally include the extension of the filename. |
| cluster_endpoint | The endpoint of the cluster. |
| db_name | The name of the destination database. |
| table_name | The name of the destination table. |