This document describes tenant security features such as MAR, auto failover, and data security encryption.
As a database records data in it, to switch between multiple databases, the data in them must be in sync. Therefore, data sync is the foundation of database high availability scheme.
Currently, the open-source MySQL database supports async and semi-sync data replication modes. However, in both modes, if a node failure occurs, the data may be lost, incorrect, or messy; plus, the replication is serial, which has a low performance.
In Tencent Cloud's proprietary parallel multi-thread asynchronous replication (MAR, aka strong sync) scheme based on the MySQL protocol, when a request is initiated at the application layer, only after a secondary node successfully returns a message can the primary node respond to the application layer with a request success, ensuring that the primary and the secondary nodes have completely the same data.
When you perform MAR, the primary database will be hanged if it is disconnected from the secondary database or the secondary database fails. In this case, if there is only one primary or secondary database, the high availability scheme will be unavailable, because if only one single server is used, part of data will be lost completely when a failure occurs, which does not meet the requirements for finance-level data security.
Therefore, based on MAR, TDSQL provides a downgradable strong sync scheme, which is similar to the semi-sync technology of Google but has a different implementation scheme.
In addition, TDSQL MAR parallelizes the serial sync threads and introduces the worker thread capabilities, which greatly improve the performance. In the same cross-AZ (IDC with a latency of around 10–20 ms) test, the technical performance of MAR is around 5 times that of semi-sync replication on MySQL 5.6 and 1.5 times that of MariaDB Galera Cluster. In OLTP RW (mix read/write in primary/secondary architecture), its performance is 1.2 times that of async replication on MySQL 5.7. The comparison of the specific performance tested by the Intel® technical team is as shown below:
In production systems, high availability schemes are often required to ensure uninterrupted system operations. As the core of system data storage and services, the availability requirement for the database is higher than that for computing service resources.
The high availability scheme of TDSQL works by allowing the collaboration of multiple database services. In this way, if a database fails, another server will immediately take over its tasks, so the service will not be interrupted or be interrupted only for a very short period of time. This scheme is also called primary/secondary high availability.
Based on the general primary/secondary high availability, TDSQL further supports the following advanced features:
All TDSQL shards support the MAR-based high availability scheme. If the primary database fails, the system will automatically select the optimal secondary database immediately to take over the tasks. The switch process is imperceptible to users, the access IP remains unchanged, and 24/7 continuous monitoring is provided for the databases and underlying physical devices.
If a failure occurs, the system will automatically restart the database and relevant processes. If a node crashes and cannot be recovered, it will be automatically rebuilt from its backup files as shown below:
TDSQL complies with applicable Chinese information security standards and has earned many Chinese and international certifications on behalf of TencentDB.
TDSQL supports tablespace encryption (transparent encryption) and connection encryption (SSL connection encryption). In scenarios where Tencent Cloud Key Management Service (KMS) is not utilized, TDSQL supports the keyring service, enabling internal server components and plugins to securely store sensitive data for subsequent retrieval. This service provides a set of APIs for the encryption feature to call KMS.
SQL firewall is a security feature that filters out unauthorized SQL statements by analyzing the syntax of SQL statements sent by users. It works with SQL Engine to check whether an SQL statement is on the predefined list of unauthorized SQL statements so as to filter out and block it accordingly, which effectively prevents SQL injection attacks.
SQL firewall can be used together with Tencent Cloud services such as Web Application Firewall (WAF). Taking into account the business conditions and SQL complexity, there are no preset rules in TDSQL SQL firewall currently.
Security audit is one of the most important tracing methods; therefore, China's Cybersecurity Classified Protection Certification (Level 3) stipulates that an information system should support auditing. TDSQL provides audit capabilities at the following three layers to deliver complete security protection:
- In public cloud, all security audit features are configured by default.
- In private cloud, system operation logging (Chitu system) is configured by default, while database SQL audit and server operation audit features are optional.
TDSQL provides various open-source security schemes at the database kernel level, some of which have earned the recognition of the community. The following are some kernel security measures:
alter table ... drop partitioncommand, the database will not delete the tablespace file immediately; instead, it will rename the file, gradually shrink it on the backend, and finally delete it. This feature can avoid system performance fluctuation caused by I/O load surges in the server's file system when a large tablespace file is deleted in one single request.
When you terminate your TDSQL instance, all data (including backup data) stored in it will be destroyed. Tencent Cloud will not retain the data or actively recover your instance.
When deploying 1-DC disaster recovery, you should prevent the following failures for your database cluster:
Therefore, we recommend you satisfy at least the following requirements for 1-DC disaster recovery deployment:
2-region-3-DC deployment is to add a disaster recovery center based on 1-region-2-DC deployment. The two disaster recovery instances are synced over a data communication network (DCN) to ensure data consistency.