Exclusive interview on open source projects | ZTDBP - an open source project born from an operation and maintenance accident

In recent years, the power of open source software has become increasingly prominent, and the rapid development of open source software and open source projects cannot be separated from the support of open source foundations. From financial support and legal assistance to operational governance and community culture, the open source foundation plays an increasingly important role. More and more excellent open source projects have begun to donate to open source foundations, and a foundation can quickly promote the healthy and mature development of an open source project.

At the 2023 Open Atom Global Open Source Summit, successfully held in June this year, the Open Atom Open Source Foundation signed a donation agreement with ZTDBP. In this article, we focus on the ZTDBP project, gain an in-depth understanding of its functions, application scenarios and development direction after the donation, and explore the impact of the open source foundation on open source projects and the impact of open source projects on the community and industry.

Originated from operation and maintenance accidents

Protecting data security is an important issue

Q

Please briefly introduce the ZTDBP project, including its background, functions and application scenarios.

ZTDBP is an open source project dedicated to providing database communication authentication and protection capabilities in a cloud native environment. The project aims to enhance the communication security capabilities of the database through the following aspects: private agent authorization verification, MTLS communication identity verification, custom SQL interception, access control, and database access behavior recording.


In the ZTDBP project, private agent authorization verification is a very important security measure. Through this measure, the project can avoid the risk of database exposure to the public network, thereby protecting data security. The project also uses MTLS two-way identity verification and custom SQL interception to perform identity filtering, username and password information protection and access control based on the principle of least privilege on the data to further ensure data security.

In addition, the ZTDBP project also provides the function of recording database access behaviors. By recording database access behaviors and providing risk warnings, it helps enterprises discover and eliminate security risks in a timely manner and protect the integrity and availability of data. The recorded access behaviors can also be used for subsequent data analysis to improve the company's data security awareness and protection capabilities.

In short, the ZTDBP project is an efficient, safe, and reliable database protection infrastructure in a cloud-native environment. It aims to provide enterprises with comprehensive data security protection and ensure the security of their business and data.

Q

What was the original intention of the ZTDBP project? Please briefly describe the origin and development process of the project?

The ZTDBP project originated from an operation and maintenance accident. Because the operation and maintenance personnel did not follow internal procedures, they mistakenly cleared the service database of an internal test environment, which affected the testing of several projects. Although the data was subsequently recovered, it triggered the thinking that data security cannot rely entirely on people, processes and systems. Moreover, because database access information is stored in environment variables, it is relatively difficult to obtain. For online environments, verification is based only on network location, which is consistent with the test environment except that it is more difficult to enter the intranet.

So how to protect data security more effectively has become an important issue that must be solved.

So we began to design and incubate this project: storing the database information of the service through confidential storage components such as vault; decoupling the control logic and permission control from the actual data protection logic by separating the control plane and the data plane; and performing more fine-grained network isolation and stronger security verification through a private agent.

First, it was used and its functions were iterated internally. After the basic functions stabilized, I came into contact with the Open Atom Open Source Foundation when I started to consider open sourcing it. While building the basic open source project, I also donated the project to the Open Atom Open Source Foundation.

Non-invasive is a big hit

Adhere to zero trust technology thinking

Q

What are the main features and key functions of ZTDBP? Which of these features are developers’ favorite?

The main functional features of ZTDBP are:

• Protect sensitive information such as MySQL passwords: It allows the terminal service to successfully complete access to the database without touching the real database access address and password.

• Provide trusted access to data based on zero trust: prohibit unauthorized access through middleware, reducing security attacks reaching the database.

• Provide flexible authentication and authorization strategies: Grant permissions to different services/accounts based on the principle of least privilege, and facilitate dynamic control through the control plane.

• It is non-intrusive: no changes are made to the business service code, which connects to the database in the normal way. However, the username and password are fake identifiers; the data plane checks them and obtains the real connection information from the confidential storage.

Judging from the experience of internal promotion and use in projects, the non-intrusive method is the most popular because it does not bring additional workload to the business team, thus greatly reducing the resistance to promotion and use.
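The mechanism in the feature list above (placeholder credentials swapped for the real ones held in confidential storage, SQL interception against a least-privilege policy, and access recording) as an added illustration in Go. This is a simplified model written for this article, not ZTDBP's own code; the in-memory secret store, the service name `svc-report`, the address and the SQL verb policy are constructed sample values.

```go
package main

import (
	"errors"
	"strings"
)

// Creds are the placeholder username/password a service presents; Target is the
// real connection information in confidential storage; Record is one audit entry.
type Creds struct{ User, Password string }
type Target struct{ Addr, User, Password string }
type Record struct{ Service, Verb string; Allowed bool }

// DataPlane models the credential swap, SQL interception and access recording
// described in the interview (a simplified stand-in, not ZTDBP code).
type DataPlane struct {
	secrets map[Creds]Target    // constructed stand-in for a vault-backed store
	policy  map[string][]string // allowed SQL verbs per service (least privilege)
	Records []Record
}

// NewDataPlane seeds the stand-in secret store and policy with sample values.
func NewDataPlane() *DataPlane {
	return &DataPlane{
		secrets: map[Creds]Target{{"svc-report", "placeholder-1"}: {"10.0.0.5:3306", "report_ro", "s3cr3t"}},
		policy:  map[string][]string{"svc-report": {"SELECT"}},
	}
}

// Resolve swaps placeholder credentials for the real target; unknown placeholders
// are rejected, so the real address and password never reach the service.
func (d *DataPlane) Resolve(c Creds) (Target, error) {
	if t, ok := d.secrets[c]; ok {
		return t, nil
	}
	return Target{}, errors.New("unknown placeholder credentials")
}

// Intercept checks the leading SQL verb against the service's allow-list and
// records the decision before the statement could reach the database.
func (d *DataPlane) Intercept(service, sql string) bool {
	verb, allowed := "", false
	if f := strings.Fields(sql); len(f) > 0 {
		verb = strings.ToUpper(f[0])
	}
	for _, v := range d.policy[service] {
		allowed = allowed || v == verb
	}
	d.Records = append(d.Records, Record{service, verb, allowed})
	return allowed
}
```

A real data plane would speak the database wire protocol and fetch the Target from a secret store such as vault; the shape of the checks (reject unknown placeholders, decide before forwarding, always record) is the point here.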

Q

What are the technical architecture and technology stacks used by ZTDBP? What were the reasons for choosing these technology stacks?

The back-end and middleware of the ZTDBP project use the Go language, and the front-end is developed using Vue; the overall technical architecture adopts the idea of zero trust, that is, never trust, always verify; the data plane and the control plane are separated to decouple different functions.

There are two main reasons why ZTDBP adopts these technology stacks. First, the developers are already proficient in using them. Second, many cloud native projects are developed using the Go language and there is a relatively large number of libraries, so there is no need to reinvent the wheel; we can develop on the shoulders of those who came before us.

Q

What application scenarios is ZTDBP mainly used for? In which industries or fields is it currently widely used? Comparing similar projects in the industry, what are the main advantages, what are the shortcomings, and how will you continue to work on projects in the future?

ZTDBP is mainly used in the following two scenarios:

• Database access information protection scenario: Avoid exposure of database connection information through data plane security protection.

• Network isolation scenarios for resources using private proxies: avoid database direct exposure to the external network or increase network isolation on the internal network to enhance security.

ZTDBP is mainly used for database security protection. The project is used in the company's test and production environments to increase security protection. Current data security protection is mainly based on network location verification and focuses on network isolation protection, making it difficult to enter the intranet.

The advantage of ZTDBP is that it adopts the zero-trust concept to enable ubiquitous encryption and verification by default, enhances the security of data transmission and data access, enhances the storage security of database connection information, and provides flexible access policy control through the control plane. There are two main shortcomings of the project. On the one hand, ZTDBP has limited support for database types, which is also one of the main construction contents at present; on the other hand, deploying additional components adds complexity, which is unavoidable. The measures ZTDBP takes are to enhance observability, make it easier to deploy and maintain, and reduce the mental burden on users.

Donate to the Open Atom Open Source Foundation

Seek better development

Q

Why did you decide to donate ZTDBP to the Open Atom Open Source Foundation? What is it about the foundation that attracts project parties?

On the one hand, we hope to promote the continued development of the project with a neutral identity; on the other hand, we hope to increase the influence of the project through the foundation. The Open Atom Open Source Foundation represents a spirit of social responsibility and knowledge sharing, which will further increase the social image of the project, thereby attracting more users and participants and enhancing the sustainability of the project. At the same time, we also hope to obtain more guidance on project incubation and development through the foundation.

Q

What significant progress has been made since the project was donated to the Open Atom Open Source Foundation?

We believe that there are several important developments as follows. First, with the help of the foundation, ZTDBP passed the compliance inspection, standardized the project's own open source license, checked the licenses of referenced libraries, and eliminated the risk of potential license conflicts. Secondly, the community code contribution process is also more standardized. In addition, ZTDBP actively promotes the project by participating in foundation exhibitions and other activities, thus gaining many potential users and developers who are interested in the project.

Q

Among the projects that are also donated to the Open Atom Open Source Foundation, which related open source projects or organizations do you hope to establish partnerships with, and why? Which projects do you think have developed better, and what can we learn from them?

We are more interested in the Pika project. ZTDBP is supporting the Redis database, and Pika is a "large-capacity Redis-like storage", so there is potential for combined use and technical exchange. In addition, we believe that OpenHarmony and openEuler have developed relatively well, their communities are very active, and they are worth learning from in terms of community operations.

Q

How does ZTDBP ensure its activity in the open source community, and how does it give back to the open source community?

Our plan is to first complete the usage and contribution documentation, which can lower the threshold for use and contribution and then attract more users and developers, thereby collecting more feedback and community contributions and promoting the activity and development of the open source community.

There are many ways to give back to the open source community, not just contributing code, but also submitting bug reports and suggestions, participating in problem discussions, writing documentation tutorials, promoting and sharing projects and open source content, and more.

Future outlook

Q

What are the future goals of ZTDBP? What is the roadmap for project releases? What are the key functions that need to be implemented?

The goal of the ZTDBP project is to become a mature database protection solution that provides key infrastructure components in a cloud-native environment. Currently, the product has been put into use internally. It is hoped that it can be polished and improved through the community in the future, and built more universally to provide better flexibility. The goal of this year's project is to release version 1.0 that is stable and can be used for enterprise production.

Key functions currently planned include:

• Add support for more types of databases including Redis;

• Increase the flexibility of Wasm authorization plug-in submission;

• Existing function enhancements include authorization granularity, indicator observation, privatized agent networking, etc.


Q

Is there anything you would like to share with users and developers who are interested in using and already contributing to the project?

The functional features of the ZTDBP project are non-intrusive and do not require any changes to the business code. The data plane uses a mechanism similar to a Sidecar for data protection. The trial cost is relatively low and the resistance to promotion is relatively low. Everyone is welcome to learn about and use ZTDBP.

Database communication authentication and protection are areas of great concern in today's cloud native architecture and big data applications. As a database communication protection project, ZTDBP demonstrates the power of open source software and the collaborative spirit of the open source community by joining the Open Atom Open Source Foundation and cooperating with other open source projects. At the same time, the foundation also provides a broader platform and resources for the healthy development of open source projects, and promotes the vigorous development of the open source community.

In the future, the foundation will continue to optimize the service system, promote the development of open source projects, cultivate open source talents, promote the prosperity of the open source ecosystem, and provide a comprehensive innovative development ecosystem for open source projects such as ZTDBP.


Origin blog.csdn.net/OpenAtomFund/article/details/132736865