add ssl

docs-2.0/7.data-security/4.ssl.md

@@ -0,0 +1,64 @@
+# SSL encryption
+
+Nebula Graph supports data transmission with SSL encryption between clients, the Graph service, the Meta service, and the Storage service. This topic describes how to enable SSL encryption.
+
+## Precaution
+
+Enabling SSL encryption will slightly affect the performance, such as causing operation latency.
+
+## Parameters
+
+| Parameter | Default value | Description |
+| ------------------ | ------- | ------------------------------|
+| `cert_path`        | -       | The path to the PEM certification. |
+| `key_path`         | -       | The path to the key certification. |
+| `password_path`    | -       | The path to the password file certification. |
+| `ca_path`          | -       | The path to the trusted CA file. |
+| `enable_ssl`       | `false`   | Whether to enable SSL encryption. |
+| `enable_graph_ssl` | `false`   | Whether to enable SSL encryption in the Graph service only. |
+| `enable_meta_ssl`  | `false`   | Whether to enable SSL encryption in the Meta service only. |
+
+## Certificate modes
+
+To use SSL encryption, SSL certificates are required. Nebula Graph supports two certificate modes.
+
+- Self-signed certificate mode
+
+  In this mode, users need to make the signed certificate by themselves and set `cert_path`, `key_path`, and `password_path` in the corresponding file according to encryption policies.
+
+- CA-signed certificate mode
+
+  In this mode, users need to apply for the signed certificate from a certificate authority and set `cert_path`, `key_path`, and `password_path` in the corresponding file according to encryption policies.
+
+## Encryption policies
+
+Nebula Graph supports three encryption policies. For details, see [Usage explanation](https://github.com/vesoft-inc/nebula/blob/a67d166b284cae1b534bf8d19c936ee38bf12e29/docs/rfcs/0001-ssl-transportation.md#usage-explanation).
+
+- Encrypt the data transmission between clients, the Graph service, the Meta service, and the Storage service.
+
+  Add `enable_ssl = true` to the configuration files of `nebula-graphd.conf`, `nebula-metad.conf`, and `nebula-storaged.conf`.
+
+- Encrypt the data transmission between clients and the Graph service.
+
+  This policy applies to the case that the clusters are set in the same server room. Only the port of the Graph service is open to the outside because other services can communicate over the internal network without encryption. Add `enable_graph_ssl = true` to the configuration file of `nebula-graphd.conf`.
+
+- Encrypt the data transmission related to the Meta service in the cluster.
+
+  This policy applies to transporting classified information to the Meta service. Add `enable_meta_ssl = true` to the configuration files of `nebula-graphd.conf`, `nebula-metad.conf`, and `nebula-storaged.conf`.
+
+## Steps
+
+1. Ensure the certificate mode and the encryption policy.
+
+2. Add the certificate configuration and the policy configuration in corresponding files.
+
+  For example, the three configuration files need to be set as follows when using a self-signed certificate and encrypt data transmission between clients, the Graph service, the Meta service, and the Storage service.
+
+  ```bash
+  --cert_path=xxxxxx
+  --key_path=xxxxx
+  --password_path=xxxxxx
+  --enable_ssl=true
+  ```
+
+3. Set the SSL and the trusted CA in clients. For code examples, see [nebula-test-run.py](https://github.com/vesoft-inc/nebula/blob/{{nebula.branch}}/tests/nebula-test-run.py).

mkdocs.yml

@@ -48,6 +48,7 @@ extra:
     master: master
     base20: 2.0
     base200: 2.0.0
+    branch: master
   version:
     method: mike
   social:
@@ -320,6 +321,7 @@ nav:
 #          - Use BR to back up data: 7.data-security/2.backup-restore/3.br-backup-data.md
 #          - Use BR to restore data: 7.data-security/2.backup-restore/4.br-restore-data.md
       - Manage snapshots: 7.data-security/3.manage-snapshot.md
+      - SSL: 7.data-security/4.ssl.md
 
   - Service Tuning:
     - Compaction: 8.service-tuning/compaction.md