Version: Latest-3.5

SSL Authentication

From v3.4.1 onwards, StarRocks supports secure connections encrypted by SSL. Unlike the traditional cleartext connections to DBMS, SSL connections provide endpoint verification and data encryption to ensure that the data transmitted between clients and StarRocks cannot be read by unauthorized users.

Enable SSL authentication

Configure FE nodes

To enable SSL authentication in StarRocks, configure the following parameters in the FE configuration file fe.conf:

ssl_keystore_location: Specifies the path to the keystore file that stores the SSL certificate and key.
ssl_keystore_password: The password for accessing the keystore file. StarRocks requires this password to read the keystore file.
ssl_key_password: The password for accessing the key. StarRocks requires this password to retrieve the key from the keystore.
ssl_force_secure_transport: Whether to force SSL authentication. Default value: FALSE. If this item is set to TRUE, the system will reject connections that are not encrypted with SSL.

Example:

ssl_keystore_location = // Path to the keystore file  
ssl_keystore_password = // Password for the keystore file  
ssl_key_password = // Password for accessing the key  

Generate SSL certificate

In a production environment, it is recommended to use certificates provided by certificate authorities.

In a development environment, you can generate a custom SSL certificate. Use the following command to generate an SSL certificate:

keytool -genkeypair -alias starrocks \
    -keypass <ssl_key_password> \
    -keyalg RSA -keysize 1024 -validity 365 \
    -keystore <ssl_keystore_location> \
    -storepass <ssl_keystore_password>

Parameters:

-keypass: The key password, corresponding to ssl_key_password in fe.conf.
-storepass: The keystore file password, corresponding to ssl_keystore_password in fe.conf.
-keystore: The storage path of the keystore file, corresponding to ssl_keystore_location in fe.conf.

Enable SSL on client

StarRocks is compatible with the MySQL protocol. For MySQL clients, SSL authentication is enabled by default.

For JDBC connections, add the following options:

useSSL=true
verifyServerCertificate=false

Disable SSL authentication

To disable SSL authentication, follow these steps:

MySQL client: Add the option --ssl-mode=DISABLED.
JDBC: Remove useSSL=true and verifyServerCertificate=false.

LDAP authentication

See Authentication methods for detailed instructions on enabling LDAP authentication.

For JDBC connections, since StarRocks supports SSL authentication, you do not need to customize AuthPlugin. You can use the built-in MysqlClearPasswordPlugin.

When using JDBC 5 with LDAP authentication, configure the following settings:

authenticationPlugins: com.mysql.jdbc.authentication.MysqlClearPasswordPlugin
defaultAuthenticationPlugin: com.mysql.jdbc.authentication.MysqlClearPasswordPlugin
disabledAuthenticationPlugins: com.mysql.jdbc.authentication.MysqlNativePasswordPlugin

When using JDBC 8 with LDAP authentication, configure the following settings:

authenticationPlugins: com.mysql.cj.protocol.a.authentication.MysqlClearPasswordPlugin
defaultAuthenticationPlugin: com.mysql.cj.protocol.a.authentication.MysqlClearPasswordPlugin
disabledAuthenticationPlugins: com.mysql.cj.protocol.a.authentication.MysqlNativePasswordPlugin

FAQ

Q1: When I connect to StarRocks using DBeaver, an error is returned "Unable to load authentication plugin 'mysql_native_password'".

A: You need to upgrade JDBC 5 to version 5.1.46 or later.

Enable SSL authentication​

Configure FE nodes​

Generate SSL certificate​

Enable SSL on client​

Disable SSL authentication​

LDAP authentication​

FAQ​

Q1: When I connect to StarRocks using DBeaver, an error is returned "Unable to load authentication plugin 'mysql_native_password'".​

What did you think of this doc?