You can configure IP address whitelists for Hologres in HoloWeb to perform access management. This ensures secure and stable operations in Hologres. This topic describes how to configure an IP address whitelist for Hologres.
Usage notes
When you configure an IP address whitelist in HoloWeb, take note of the following items:
Only Hologres V0.10.14 and later (except for V2.0.4 and V2.0.5) support the IP address whitelist feature. You can view the version of your Hologres instance on the instance details page in the Hologres console. You can also execute the select hg_version() statement to view the version of your Hologres instance. If the version of your Hologres instance is earlier than V0.10.14, join a DingTalk group to apply for an instance upgrade. For more information about how to join a DingTalk group, see Obtain online support for Hologres.
If you do not configure an IP address whitelist after you purchase a Hologres instance, all IP addresses can access databases in the Hologres instance. For more information about how to purchase an instance, see Purchase a Hologres instance.
Only superusers can configure IP address whitelists for instances.
A whitelist takes effect for connections that are created after the whitelist is configured. Connections that are created before the whitelist is configured are not automatically disconnected based on the whitelist configuration. For more information about how to release a connection, see Release a connection.
To configure an IP address whitelist for an instance in HoloWeb, you must set the Logon Method parameter to Password-free Logon when you establish a connection to the instance. For more information about how to establish a connection to a Hologres instance, see the Connect to a Hologres instance step in the Connect to HoloWeb topic.
After you configure an IP address whitelist for an instance, DataStudio cannot be accessed. You must add the resource group of DataStudio to the IP address whitelist by following the instructions in Create an IP address whitelist in this topic.
If your Hologres instance is connected to Realtime Compute for Apache Flink but cannot be accessed from Realtime Compute for Apache Flink, query the IP address and CIDR block of Realtime Compute for Apache Flink and add them to the whitelist of the databases. For more information about how to obtain the IP address and CIDR block of Realtime Compute for Apache Flink, see the "How do I configure a whitelist?" section in Reference.
You cannot configure an IP address whitelist for a read-only secondary instance. You can configure an IP address whitelist only for a primary instance. The read-only secondary instances of the primary instance use the same whitelist configuration as the primary instance.
Create an IP address whitelist
Log on to the Hologres console. In the top navigation bar, select a region.
In the left-side navigation pane, click Go to HoloWeb to go to the HoloWeb page.
In the top navigation bar of the HoloWeb console, click Security Center. In the left-side navigation pane of the Security Center tab, click IP Address Whitelist.
In the upper-right corner, click Add IP Address to Whitelist. In the dialog box that appears, configure the parameters. The following table describes the parameters.
Parameter: Description
Group: The group name for the IP address whitelist. If the Logon Method parameter is set to Password-free Logon for the connection that you create, the resource group of DataWorks Data Integration must be added to the IP address whitelist. Otherwise, the features of DataWorks Data Integration are unavailable. Select a group from the Group drop-down list.
Accessible Databases: The databases that can be accessed from the specified IP addresses. Select databases from the Accessible Databases drop-down list. To allow access to all self-managed databases, excluding system databases, in the current Hologres instance, select ALL.
Users Allowed: The users who can access the specified databases from the specified IP addresses. Select users from the Users Allowed drop-down list. To allow access from all users of the current Hologres instance, select ALL.
IP Address: The IP addresses from which the specified users can access the specified databases. Take note of the following items:
To specify all IP addresses, enter ALL.
You can specify an IP address. For example, you can enter 192.168.0.1 to allow the specified users to access the specified databases from 192.168.0.1.
You can specify a CIDR block. For example, you can enter 192.168.0.0/24 to allow the specified users to access the specified databases from IP addresses within the range of 192.168.0.1 to 192.168.0.255.
To specify multiple IP addresses, specify each IP address in a new line.
Click OK. After you create an IP address whitelist, the specified users are allowed to perform operations on the specified databases from the specified IP addresses.
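The following added example (not part of the Hologres documentation or tooling) reviews the text intended for the IP Address field before it is saved: it parses the ALL, single-IP, and CIDR forms described above, reports malformed or overly broad entries, and checks that clients that must keep access, such as a DataStudio resource group, are covered. The sample entries, client names and addresses, and the 256-address threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of what might be pasted into the IP Address field (one entry per line).
SAMPLE_FIELD = """192.168.0.1
192.168.0.0/24
10.0.0.0/8
192.168.1.300
"""
# Hypothetical clients that must keep access (names and addresses are made up).
REQUIRED_CLIENTS = {"etl-host": "192.168.0.77", "datastudio-rg": "172.16.5.10"}

def parse_whitelist(text):
    """Return (networks, allow_all, errors) for ALL / single IP / CIDR entries."""
    networks, allow_all, errors = [], False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        if entry == "ALL":
            allow_all = True
            continue
        try:
            # A bare IP becomes a /32 (or /128) network; strict=False normalises
            # an entry such as 192.168.0.5/24 to its containing block.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return networks, allow_all, errors

def review(text, required_clients, max_addresses=256):
    """List problems: bad entries, ALL, blocks wider than max_addresses, uncovered clients."""
    networks, allow_all, errors = parse_whitelist(text)
    findings = list(errors)
    if allow_all:
        findings.append("ALL present: every source IP is allowed")
    findings += [f"{net}: broad range ({net.num_addresses} addresses)"
                 for net in networks if net.num_addresses > max_addresses]
    for name, addr in required_clients.items():
        ip = ipaddress.ip_address(addr)
        if not allow_all and not any(ip in net for net in networks):
            findings.append(f"{name} ({addr}) is not covered")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_FIELD, REQUIRED_CLIENTS):
        print(finding)
```

An empty result from review() means every entry parsed, none exceeds the threshold, and each required client falls inside at least one entry.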
Edit an IP address whitelist
After an IP address whitelist is created, only the IP addresses in the whitelist can be modified. To modify the authorized users and databases, you must create another IP address whitelist.
Only superusers can edit IP address whitelists.
In the top navigation bar of the HoloWeb console, click Security Center. In the left-side navigation pane of the Security Center tab, click IP Address Whitelist.
On the IP Address Whitelist page, find the whitelist that you want to modify and click Edit.
In the Edit IP Address in Whitelist dialog box, change the IP addresses. For more information about how to specify IP addresses for a whitelist, see the Create an IP address whitelist section in this topic.
Click OK.
Delete an IP address whitelist
You can delete IP address whitelists that are no longer needed. After you delete all IP address whitelists for a connection, no whitelist is available for the relevant instance and databases.
Only superusers can delete IP address whitelists.
In the top navigation bar of the HoloWeb console, click Security Center. In the left-side navigation pane of the Security Center tab, click IP Address Whitelist.
On the IP Address Whitelist page, find the whitelist that you want to delete and click Delete.
In the message that appears, click OK.
FAQ
What do I do if an error is reported when I configure an IP address whitelist?
Problem description: When I configure an IP address whitelist for a Hologres instance, the following error message is reported:
ERROR: commit ddl phase1 failed: DDLWrite is not allowed on replica
Cause: You cannot configure an IP address whitelist for a read-only secondary instance.
Solution: Configure an IP address whitelist for the primary instance with which the read-only secondary instance is associated. The primary instance and read-only secondary instance share the IP address whitelist configuration.