The Distributed SQL Blog

Thoughts on distributed databases, open source, and cloud native

Announcing YugabyteDB 2.12: Seamless Security and Better Manageability

Last November, we announced the general availability of YugabyteDB 2.11, a major release that extended the PostgreSQL compatibility of the open source distributed SQL database. All of those features are now available in this stable release and ready for any production environment.

In addition to making these features GA, YugabyteDB 2.12 introduces several new capabilities and significant improvements towards seamless security and better manageability.

Seamless security

Building customer trust is a top priority at Yugabyte. To maintain customer confidence in our security posture and in the security features we provide, we work diligently to continuously improve security processes and controls, as well as provide our customers the right features to secure the data. In the new 2.12 release, we are delivering a set of key security benefits and features:

  • Manage YugabyteDB encryption keys with HashiCorp Vault for a centralized, cloud-agnostic key management service (KMS).
  • Deliver seamless Yugabyte Platform authentication via LDAP.
  • Simplify auditing with Imperva Cloud Data Protection integration.

Better manageability

Yugabyte Platform includes a powerful graphical user interface for managing fleets of database clusters deployed across zones, regions, and clouds from one place. YugabyteDB’s users rely on the Yugabyte Platform console to deliver YugabyteDB as a private DBaaS through streamlined operations and consolidated monitoring. In the 2.12 release, we are delivering key features to improve manageability:

  • Simplify xCluster Replication with new UI in Yugabyte Platform.
  • Utilize enhanced alerting to silence alerts during routine maintenance.

In the following sections, we go over the new YugabyteDB 2.12 capabilities in more detail.

Manage YugabyteDB encryption keys with HashiCorp Vault

Yugabyte and HashiCorp announced a technical partnership to offer a common blueprint for simplifying secrets management, safely automating dynamic secrets delivery, and controlling standardized workflows in multi-cloud environments adaptable to the needs of any enterprise.

Customers running Yugabyte Platform may also choose to “bring your own key” and enable database-level encryption for sensitive workloads. All databases and snapshot backups use strong volume (disk) encryption to protect data at rest.

Organizations need a consistent workflow for distributing cryptographic keys and managing their lifecycle across various KMS providers. The Vault integration provides one: organizations keep centralized control of their keys in Vault while still taking advantage of the cryptographic capabilities native to each KMS provider.

With our cloud-first and platform-agnostic approach, HashiCorp Vault and Yugabyte Platform make it easy to programmatically manage secrets across cloud providers and platforms.

Two types of encryption keys

There are two types of keys to encrypt data in YugabyteDB:

  • Universe key: Top-level symmetric key, common to the cluster, used to encrypt other keys (the data keys described below).
  • Data key: Symmetric key used to encrypt the data itself. One data key is generated per flushed file.

For each universe (or cluster), there is a top-level universe key that encrypts that universe's data keys; the data keys in turn encrypt the actual data. The user controls the universe keys, while data keys are internal to the database. Encryption at rest uses the universe key only to encrypt and decrypt the universe's data keys.

YugabyteDB 2.12 universe keys.

You can use Yugabyte Platform to create KMS configurations for generating the required universe keys for one or more YugabyteDB universes.

With the 2.12 release, encryption at rest in Yugabyte Platform supports the use of HashiCorp Vault as a KMS. The Yugabyte Platform documentation describes how to configure HashiCorp Vault as a KMS provider. In addition to token-based access for development and test environments, you can configure TLS-based or IAM-based access, which is required for production environments.

Yugabyte Platform authentication via LDAP

YugabyteDB already supports Lightweight Directory Access Protocol (LDAP) authentication in both the YSQL and YCQL APIs. With this release, Yugabyte Platform itself also supports authentication via LDAP.

A customer’s LDAP server, reached over TLS, manages user authentication and authorization for Yugabyte Platform universes; a single LDAP configuration applies to all database universes within Yugabyte Platform. The LDAP integration lets you authenticate against your LDAP server instead of having to create user accounts on Yugabyte Platform.

LDAP authentication is similar to direct password authentication, except that it uses the LDAP protocol to verify the password. This means that only users who already exist in the database and have the appropriate permissions can be authenticated via LDAP.

YugabyteDB 2.12 LDAP authentication.

Since Yugabyte Platform and the LDAP server are synchronized during login, Yugabyte Platform always uses up-to-date credential and role information: role and password changes take effect immediately, and users deleted in the LDAP server are removed as well. If so configured on the LDAP server, Yugabyte Platform can prevent users from changing their own password.

YugabyteDB + Imperva integration

YugabyteDB is also now natively integrated with Imperva’s Cloud Data Protection (CDP) and listed on their website. Imperva’s CDP is built for modern multi-cloud, DBaaS, and hybrid database environments. This data-centric security platform simplifies security and compliance for your data in any database, no matter where it is hosted. We are pleased to integrate YugabyteDB with both of these renowned organizations, HashiCorp and Imperva, and to continue bringing YugabyteDB to a wider audience.

In addition to the above security features, we are also delivering key features to improve the manageability of Yugabyte Platform.

Managing xCluster replication with Yugabyte Platform

In YugabyteDB 2.12, Yugabyte Platform allows users to set up xCluster replication between clusters in two data centers. These clusters are completely independent and can be scaled and managed without any dependency on each other.

Replicating your data across data centers provides several benefits:

  • Brings data closer to your users or application server to reduce latency and response time.
  • Provides your mission-critical applications with the tolerance to withstand datacenter or region outages.

Managing xCluster through Yugabyte Platform makes replication easy to set up, validates that the setup is correct, and monitors the replication once it is running.

Managing xCluster Replication in YugabyteDB 2.12

Yugabyte Platform allows you to use its UI or API to manage asynchronous replication between independent YugabyteDB clusters. You can deploy either unidirectional (master-follower) or bidirectional (multi-master) asynchronous replication between two data centers. In replication terms, universes fall into the following categories:

  • A source universe contains the original data that is subject to replication.
  • A target universe is the recipient of the replicated data. One source universe can replicate to one or more target universes.

For additional information on setting up asynchronous replication in Yugabyte Platform, please refer to the documentation.

Maintenance windows – silence alerts during routine maintenance

In our last stable release, we announced the alerts and notifications feature, which notifies you in real time about database alerts. Users can set alert policies based on their universe metrics; an alert policy notifies you when a performance metric rises above or falls below a threshold you set. Please refer to this blog post, where I walk through how this feature works.

Why do you need maintenance windows?

Your organization might have some planned or ad-hoc periods of time during which your system undergoes maintenance activities that can cause service disruption. During such periods, you don’t want to receive notifications that your services are down. Additionally, such periods shouldn’t be taken into account when monitoring the availability of your system. To avoid such situations, you can exclude these periods by defining maintenance windows.

In addition to maintenance window support, we also added support for PagerDuty and Webhooks as new notification channels.

With Yugabyte Platform monitoring and custom alerts, you can track dozens of key indicators and stay ahead of issues. You can also view historic data to establish operational baselines and support capacity planning, as well as monitor real-time performance for load spikes and inspect live and slow queries.

What’s coming: roadmap

At Yugabyte, we strive to be fully transparent with our customers and user community, and to that end we always share our product roadmap. Here are some notable features you can expect in upcoming releases:

Additionally, please note that the current roadmap is subject to change as we finalize our planning for the next releases.

Get started

Finally, we’re thrilled to be able to deliver these enterprise-grade features in the newest version of our flagship product – YugabyteDB 2.12. We invite you to learn more and try it out:

  • YugabyteDB 2.12 is available to download. You can install the release in just a few minutes.
  • Join us in Slack for interactions with the broader YugabyteDB community and real-time discussions with our engineering teams.
