Introduction

This follows my research direction, which is meeting zero-trust requirements in a database. The core of a zero-trust mechanism is essentially an access control mechanism: during Authentication (verifying who someone is) you gather all relevant context, including risk signals, and only after weighing it do you perform Authorization (granting access). Since our goal is to meet zero-trust requirements in a database…

We need to find where authentication and authorization can take place on the way into the database. That leads inevitably to the Connection.
But what are the ways to intervene in the Connection?

  1. Intervening in Connection Pool via a Third Party

    • When we talk about authentication and authorization, the first thing that comes to mind is supplying a driver, username, password and URL to establish a connection. The term that comes up most often when establishing a connection is the Connection Pool. In simple terms, it is an intermediate layer between the application and the data source. This layer can perform many tasks, such as pooling connections, read/write splitting, caching query results, and more. We want to perform authentication and authorization in this intermediate layer.
    • A simple way to intervene in the Connection Pool is to extend the third-party classes an application already uses, such as the HikariDataSource that Spring Boot uses by default.
  2. Using Database Proxy

    • I first encountered this term when looking at the source code of Hikari and found proxy connection settings. Later, I searched online, and AWS RDS Proxy immediately stood out. AWS RDS Proxy stands for Relational Database Service Proxy.
    • Database Proxy can also perform authentication and authorization. In essence, it acts as an intermediate layer between multiple applications and the database.
    • Like a Connection Pool, it is an intermediate layer, but its scope is broader: instead of belonging to a single application, it is the entry point for every application's database connections.

Using Database Proxy

AWS RDS Proxy

AWS RDS Proxy is an intermediate-layer service that makes connections between applications and databases more stable. It also provides features such as connection pooling, read/write separation, caching query results, and more. AWS has many compute services, such as AWS Lambda, Fargate, Amazon ECS and EKS, that open and close connections to the database server frequently and in large numbers. That churn can easily exhaust the database's memory and computational resources.

Connection Pooling: Reduces the impact on database memory and computational resources when establishing new connections.

This is where RDS Proxy comes into play. An Amazon RDS Proxy instance maintains a pool of connections established to the RDS database instances, reducing the impact on database memory and computational resources each time a new application connection arrives. It lets applications share these connections, improving the efficiency of the database and the scalability of the applications.

```java
package com.test.dao;

import com.zaxxer.hikari.HikariDataSource;

import java.sql.Connection;
import java.sql.SQLException;

public class MyHikariDataSource extends HikariDataSource {
    @Override
    public Connection getConnection() throws SQLException {
        // You can do some settings here, before the pooled connection is handed out
        return super.getConnection();
    }
}
```

Point Spring Boot at your own class in the config file:

```properties
# point to your own class
# (keep comments on their own line: in a .properties file a trailing "# ..." becomes part of the value)
spring.datasource.type=com.test.dao.MyHikariDataSource
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/db
spring.datasource.username=USERNAME
spring.datasource.password=PASSWORD
```
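To show what "do some settings here" can look like in practice, here is an added example (not code from the original post or from HikariCP) that fills the hook with a default-deny authorization check: the web layer publishes the authenticated caller and a risk score into a per-thread context, and the data source consults a policy before handing out a pooled connection, denying it, granting it read-only, or granting it in full. The class name ZeroTrustHikariDataSource and the types AccessContext, AccessPolicy and Decision are hypothetical; only HikariDataSource and the JDBC types are real.

```java
package com.test.dao;

import com.zaxxer.hikari.HikariDataSource;

import java.sql.Connection;
import java.sql.SQLException;
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical subclass: authenticate and authorize at the pool boundary (added example).
public class ZeroTrustHikariDataSource extends HikariDataSource {

    private static final Logger LOG = Logger.getLogger(ZeroTrustHikariDataSource.class.getName());

    /** Who is asking, with which roles, and how risky the request looks (hypothetical shape). */
    public record AccessContext(String principal, Set<String> roles, int riskScore) {}

    public enum Decision { ALLOW, READ_ONLY, DENY }

    /** Policy hook; a real deployment would call a policy engine instead of a lambda. */
    public interface AccessPolicy {
        Decision evaluate(AccessContext ctx);
    }

    /** Constructed sample policy: high risk is denied, analysts get read-only, admins get full access. */
    public static final AccessPolicy SAMPLE_POLICY = ctx -> {
        if (ctx.riskScore() >= 80) return Decision.DENY;
        if (ctx.roles().contains("admin")) return Decision.ALLOW;
        if (ctx.roles().contains("analyst")) return Decision.READ_ONLY;
        return Decision.DENY;
    };

    /** Per-thread context, set by the web layer after it has authenticated the caller. */
    private static final ThreadLocal<AccessContext> CONTEXT = new ThreadLocal<>();

    public static void setContext(AccessContext ctx) { CONTEXT.set(ctx); }

    public static void clearContext() { CONTEXT.remove(); }

    private final AccessPolicy policy;

    /** No-arg constructor so Spring Boot can instantiate it from spring.datasource.type. */
    public ZeroTrustHikariDataSource() { this(SAMPLE_POLICY); }

    public ZeroTrustHikariDataSource(AccessPolicy policy) { this.policy = policy; }

    @Override
    public Connection getConnection() throws SQLException {
        AccessContext ctx = CONTEXT.get();
        // Default deny: a thread with no authenticated context gets no connection at all.
        if (ctx == null) {
            LOG.warning("db connection denied: no authenticated context on thread "
                    + Thread.currentThread().getName());
            throw new SQLException("connection denied: no authenticated context");
        }
        Decision decision = policy.evaluate(ctx);
        // Every decision is logged, which gives the SOC an audit trail of who touched the database.
        LOG.info("db access decision for " + ctx.principal()
                + " risk=" + ctx.riskScore() + ": " + decision);
        switch (decision) {
            case DENY:
                throw new SQLException("connection denied for principal " + ctx.principal());
            case READ_ONLY: {
                Connection c = super.getConnection();
                // HikariCP restores the read-only flag when the connection returns to the pool,
                // so the restriction does not leak to the next borrower.
                c.setReadOnly(true);
                return c;
            }
            default:
                return super.getConnection();
        }
    }
}
```

To wire it in, set spring.datasource.type=com.test.dao.ZeroTrustHikariDataSource in the properties shown above, call setContext(...) from a servlet filter once the request has been authenticated, and call clearContext() in the filter's finally block so a pooled worker thread never carries a stale identity into the next request.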