QStudio
Query kdb+ Servers and Chart Results.
Out of the box kdb provides severely limited authentication and access controls. It is up to the user to modify the default setup to satisfy these requirements when needed. We will consider typical security requirements and how we can implement them.
Kdb provides a number of command line options for restricting access. These include:
Option | Description |
---|---|
-U | Specify a username / password file that contains the list of permitted users and their passwords. |
-u | Same as -U, but with the further restriction that the q process cannot access files above its current directory. |
-b | Connected clients cannot write to the database; for them it is read only. |
-T | Enforce a timeout in seconds on all client queries. |
Here we demonstrate protecting a kdb server using an md5 encrypted password file. Notice the client process cannot open a connection without specifying the correct username and password as set in our file.
Running with -u also restricts which files can be accessed and which system commands can be run. However, as demonstrated in the video, a malicious user can work around these restrictions, for example by overriding the timer function .z.ts so that the commands run as if from the console.
Server started with "q -u ../userpass.txt -p 5000". Then from client call:
The second feature kdb exposes for handling security is event handlers. You can override special functions to handle authentication and client calls. These allow denying users access on an extremely customizable level. Important event handlers include:
Handler | Description |
---|---|
.z.pw | PassWord authentication. First arg is username symbol, second is password string. |
.z.pg | Synchronous or Get call handler, x argument is the incoming message. |
.z.ps | Asynchronous or Set call handler, x argument is the incoming message. |
.z.po | Port Open, called when a new connection is made. |
.z.pc | Port Close, called when an existing connection is closed. |
Complete details on kdb event handlers and a video guide to using them are available on the IPC tutorial.
As you can see, kdb provides extremely powerful hooks for implementing security, but it is very much up to you to write that code.
Try running user-table.q as the server script to see an example of using a user table to control access with .z.pw.
Our example file restricted-querys.q allows running a server that restricts users to only running selected functions.
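One way to combine a user table checked in .z.pw with a per-role function whitelist enforced in .z.pg and .z.ps. This is an added example, not the contents of user-table.q or restricted-querys.q; the users, passwords, roles, trades table and function names are all constructed for illustration.

```q
/ Added example, not the original tutorial's code. All names and values are constructed.
/ Load as the server script, e.g. q secure.q -p 5000 (secure.q is a hypothetical file name).

/ Sample data and the functions we are willing to expose.
trades:([] sym:`AAPL`MSFT`AAPL; price:101.5 42.1 102.0)
getTrades:{[s] select from trades where sym=s}
addTrade:{[s;p] `trades insert (s;p); count trades}

/ User table keyed by username. Passwords are kept as md5 digests, not clear text.
users:([user:`alice`bob] pw:(md5 "alicepw";md5 "bobpw"); role:`admin`reader)

/ Function names each role may call.
allowed:`admin`reader!(`getTrades`addTrade; enlist `getTrades)

/ .z.pw runs on every connection attempt: u is the username symbol, p the password string.
/ Return 1b to accept the connection, 0b to refuse it.
.z.pw:{[u;p] $[u in exec user from users; users[u;`pw]~md5 p; 0b]}

/ A message is acceptable only if it is a list whose first item is a symbol atom
/ naming a function permitted for the calling user's role (.z.u is the caller).
/ String messages fail the type test, so clients cannot send arbitrary q text,
/ which also stops them redefining handlers such as .z.ts.
check:{[x]
  $[not type[x] in 0 11h; 0b;
    -11h<>type first x; 0b;
    first[x] in allowed users[.z.u;`role]]}

/ Run an acceptable message, otherwise signal an error back to the client.
run:{[x] $[check x; value x; '"access denied"]}

/ Apply the same gate to synchronous and asynchronous messages.
.z.pg:run
.z.ps:run
```

With this loaded, a client calls functions by sending a list such as (`getTrades;`AAPL) rather than a string of q code. Only the two IPC message handlers from the table above are gated here; any other entry point the process exposes needs its own handler.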
AAA is a common acronym in computer security that refers to:
In this tutorial we covered
The latest versions of kdb include new functionality useful for security: