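Use case
DataX jobs are configured in JSON, and the database connection passwords in those files are stored in plaintext. Strictly speaking, this carries a risk of leaking account credentials, so this article explains how to encrypt the password.
DataX's built-in support
DataX itself actually supports encrypting the value of a given key in the JSON, but there is no detailed official documentation; after all, it is open source and free to use, which is already generous. Persistence pays off: by reading the relevant source code I worked out how to use the encryption, and this article walks through it step by step.
Detailed steps
1. Download the source code and locate the initKey() function in com.alibaba.datax.core.util.SecretUtil, which is used to obtain the public and private keys
Find this function yourself, call it yourself, and save the public and private keys it returns.
2. Configure the public and private keys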
vim $DATAX_HOME/conf/.secret.properties
```properties
#ds basicAuth config
auth.user=
auth.pass=
current.keyVersion=v1
# Public key
current.publicKey=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAdNyOSpqao0mRQFGsB2qYBq08ctgOHQE4KkTyVBQpjrfdn4aV6/oTvy6s7SONaRPhtjDaNPdUv4idPnyHD5lN0pbYR1z429TnUkdXiyYYG3LzLR6qaVT2+Dty8MVdMzhfNadDh9jayntJq84tOCFw9wh6chF7k7cYWssxuF+bmwIDAQAB
# Private key
current.privateKey=<Base64 private key returned by initKey()>
current.service.username=
current.service.password=
```
3. Using the public key, run the code below to encrypt the password
```python
# Requires the pycryptodome package, which provides the Crypto module
import base64

from Crypto.Cipher import PKCS1_v1_5
from Crypto.PublicKey import RSA

ENCODING = 'utf-8'
KEY_ALGORITHM_RSA = 'RSA'


def encrypt_rsa(data: str, public_key_str: str) -> str:
    """
    Encrypt data with an RSA public key.

    :param data: the string to encrypt
    :param public_key_str: Base64-encoded public key string
    :return: Base64-encoded ciphertext
    """
    try:
        # Decode the Base64 public key
        key_bytes = base64.b64decode(public_key_str)
        # Load the public key
        public_key = RSA.import_key(key_bytes)
        # Create the cipher
        cipher = PKCS1_v1_5.new(public_key)
        # Encrypt the data
        encrypted_data = cipher.encrypt(data.encode(ENCODING))
        # Return the Base64-encoded ciphertext
        return base64.b64encode(encrypted_data).decode(ENCODING)
    except Exception as e:
        raise Exception("RSA加密出错") from e


# Usage example
if __name__ == "__main__":
    # Sample public key (replace it with your own in real use)
    public_key = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAdNyOSpqao0mRQFGsB2qYBq08ctgOHQE4KkTyVBQpjrfdn4aV6/oTvy6s7SONaRPhtjDaNPdUv4idPnyHD5lN0pbYR1z429TnUkdXiyYYG3LzLR6qaVT2+Dty8MVdMzhfNadDh9jayntJq84tOCFw9wh6chF7k7cYWssxuF+bmwIDAQAB"
    data_to_encrypt = "mysqlgame123"
    try:
        encrypted = encrypt_rsa(data_to_encrypt, public_key)
        print(f"加密结果: {encrypted}")
    except Exception as e:
        print(f"加密失败: {str(e)}")
```
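4. Configure the JSON job file according to the requirements
- Requirement 1: the key whose value is encrypted must start with *
- Requirement 2: put the password encrypted in step 3 into the *password field below
- Requirement 3: keyVersion in setting must match current.keyVersion in .secret.properties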
```json
{
  "job": {
    "setting": {
      "speed": {
        "channel": 2
      },
      "errorLimit": {
        "record": 0,
        "percentage": 0
      },
      "keyVersion": "v1"
    },
    "content": [
      {
        "reader": {
          "name": "mysqlreader",
          "parameter": {
            "username": "数据库用户名",
            "*password": "此处就是第三步中对明文密码进行加密后的密文密码",
            "column": ["列1", "列2"],
            "splitPk": "",
            "where": "",
            "connection": [
              {
                "table": ["表名"],
                "jdbcUrl": ["jdbc:mysql://ip:3306/库名?serverTimezone=Asia/Shanghai"]
              }
            ]
          }
        },
        "writer": {
          "name": "streamwriter",
          "parameter": {
            "print": true,
            "encoding": "UTF-8"
          }
        }
      }
    ]
  }
}
```
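A check for the three requirements in step 4 that can run before a job file is committed or deployed. It is an added example, not DataX code or the author's. The names `parse_properties`, `audit_job`, `secret_words` and `modulus_bytes` are hypothetical, and the 128-byte ciphertext length assumes a 1024-bit RSA key like the public key shown in step 2.

```python
import base64

def parse_properties(text):
    """Read key=value lines from .secret.properties, skipping comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def audit_job(job, props, secret_words=("password",), modulus_bytes=128):
    """Return findings for a DataX job dict; an empty list means it passed."""
    findings = []
    version = job.get("job", {}).get("setting", {}).get("keyVersion")
    if version != props.get("current.keyVersion"):
        findings.append(f"keyVersion {version!r} != current.keyVersion")

    def walk(node, path):
        if isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}"
                if key.startswith("*"):
                    try:  # an encrypted value must be Base64 of one RSA block
                        raw = base64.b64decode(value, validate=True)
                    except (ValueError, TypeError):
                        raw = b""
                    if len(raw) != modulus_bytes:
                        findings.append(f"{here}: not an RSA ciphertext")
                elif isinstance(value, str) and value and any(
                        w in key.lower() for w in secret_words):
                    findings.append(f"{here}: plaintext secret")
                else:
                    walk(value, here)
    walk(job, "$")
    return findings

# Constructed sample input: 128 zero bytes stand in for a real ciphertext.
SAMPLE_PROPS = parse_properties("# demo\ncurrent.keyVersion=v1\n")
FAKE_CIPHERTEXT = base64.b64encode(bytes(128)).decode()
SAMPLE_JOB = {"job": {"setting": {"keyVersion": "v2"}, "content": [
    {"reader": {"parameter": {"username": "u", "password": "secret"}},
     "writer": {"parameter": {"*password": FAKE_CIPHERTEXT}}}]}}

if __name__ == "__main__":
    for finding in audit_job(SAMPLE_JOB, SAMPLE_PROPS):
        print(finding)
```

The check only confirms that a `*`-prefixed value has the shape of a ciphertext; it does not decrypt it, so it needs no access to the private key.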