Currently, CBH provides standard and professional editions. The standard edition provides the following asset specifications: 10, 20, 50, 100, 200, 500, 1,000, 5,000, and 10,000. The professional edition provides the following asset specifications: 10, 20, 50, 100, 200, 500, 1,000, 5,000, and 10,000.
For more details, see What Are the Editions of the CBH Service?
Differences in Specifications
CBH provides the following asset specifications: 50, 100, 200, 500, 1,000, 2,000, 5,000, and 10,000. For details about specifications, see Table 1.
| Asset Quantity | Max. Concurrent Connections | CPUs | Memory | System Disk | Data Disk |
|---|---|---|---|---|---|
| 50 | 50 | 4 vCPUs | 8 GB | 100 GB | 500 GB |
| 100 | 100 | 4 vCPUs | 8 GB | 100 GB | 1,000 GB |
| 200 | 200 | 4 vCPUs | 8 GB | 100 GB | 1,000 GB |
| 500 | 500 | 8 vCPUs | 16 GB | 100 GB | 2,000 GB |
| 1,000 | 1,000 | 8 vCPUs | 16 GB | 100 GB | 2,000 GB |
| 2,000 | 1,500 | 8 vCPUs | 16 GB | 100 GB | 2,000 GB |
| 5,000 | 2,000 | 16 vCPUs | 32 GB | 100 GB | 3,000 GB |
| 10,000 | 2,000 | 16 vCPUs | 32 GB | 100 GB | 4,000 GB |
The number of concurrent connections in Table 1 includes only connections established by O&M clients that use character-based protocols (such as SSH or MySQL clients). Connections established by O&M clients that use graphics-based protocols (such as the H5 web client and RDP client) are not included; the number of such connections supported is only one-third of this figure.
Function Details and Edition Differences
Both editions provide identity authentication, permission control, account management, and operation audit. In addition to those functions, the professional edition also provides automatic O&M and database O&M audit.
For details about functions supported by different editions, see Table 2.
| Function Module | Function | Description | Standard Edition | Professional Edition |
|---|---|---|---|---|
| Profile | Basic Info | You can view details about the current login user and change the name, phone number, email address, and password. | √ | √ |
| Profile | Mobile OTP | You can get guidance for binding a mobile phone token and generating a dynamic password. | √ | √ |
| Profile | SSH Pubkey | You can view information about all public keys, and add and manage SSH public keys. | √ | √ |
| Profile | My Permission | You can view the permissions the logged-in user has. | √ | √ |
| Profile | My Log | You can check logs of instance logins, operations, and resource logins by the logged-in user. | √ | √ |
| Basic system information | Dashboard | The dashboard displays the running status of the bastion host, including sessions, tickets, login status, operation status, host types, application types, and system status. | √ | √ |
| Basic system information | Download Center | You can download some remote login tools and local player tools. | √ | √ |
| Basic system information | Messages | After alarm rules are configured, an alarm is generated when an alarm rule is triggered. | √ | √ |
| Basic system information | System | This area displays system details, such as the system ID, credential, version in use, and release date. You can also update credentials and HA keys and obtain service codes in this module. | √ | √ |
| Authentication management | MFA | You can log in to the bastion host using an account (username and password), mobile phone token, SMS message, USB key, or OTP token. | √ | √ |
| Authentication management | Remote authentication | You can configure remote authentication so that CBH centrally manages all accounts. CBH also allows you to authenticate user identities through AD, RADIUS, LDAP, Azure AD, and SAML remote authentication. | √ | √ |
| System accounts | User management | You can create, import, export, and delete accounts, configure user groups, and manage account login restrictions. | √ | √ |
| System accounts | User group management | Users can be managed by group. You can assign permissions to all users in a group at a time. You can create, delete, and edit a user group. | √ | √ |
| System accounts | Role management | You can associate users with roles and assign operation and access permissions to the roles, including department administrators, policy administrators, audit administrators, and operation engineers. Only the admin account can add roles and modify the permissions of the roles. | √ | √ |
| System accounts | Resource account management | A resource account is used to log in to a resource managed by a bastion host instance. Multiple resource accounts can be created for a resource. The username and password of a resource account in CBH must be the same as those of the original account on the resource. Otherwise, logins to the resource may fail, and no operations can be performed on the resource through the bastion host. | √ | √ |
| System accounts | Resource account group management | You can manage resource accounts by group. You can authorize and verify resource accounts in batches by authorizing account groups. You can create, delete, and maintain account groups and manage account group information. | √ | √ |
| Resource | Host resource management | You can add host resources to a bastion host by creating, automatically discovering, importing, or cloning host resources. You can view details about all host resources and manage them centrally through the bastion host. | √ | √ |
| Resource | Application resource management | You can import and create application resources through an application server. Then, you can view details about all application resources and manage them centrally through the bastion host. Note that you need to create the application server first. | √ | √ |
| Resource | Cloud resource management | You can import and create container resources through a Kubernetes server. Then, you can view details about all container resources and manage them centrally through the bastion host. Note that you need to create the Kubernetes server first. | × | √ |
| Resource | Resource OS type management | You can add tags to OS types and then group and manage resources by those tags. With OS type tags, you can change server passwords, store password change parameters, and run password rules for resources of a certain OS type at the same time. | √ | √ |
| System policies | ACL rules | This type of rule controls who can access which resources. ACL rules are associated with users or user groups. An ACL rule can restrict file transfer, file management, and login time. ACL rules can also be associated with resource accounts. | √ | √ |
| System policies | Command rules | | √ | √ |
| System policies | Database control rules | | × | √ |
| System policies | Password rules | This type of rule is associated with resource accounts of hosts, so that a user can change the passwords of all resource accounts associated with a policy at the same time. | √ | √ |
| System policies | Account synchronization rules | This type of rule helps synchronize host resource account details. Synchronization rules are associated with resource accounts. You can execute a synchronization rule to synchronize the details of all resource accounts the rule is associated with at the same time. | × | √ |
| Resource operation | Host resource operation | You can log in to host resources through browsers and clients and perform operations such as operation session sharing, file transfer, file management, and preset commands. | √ | √ |
| Resource operation | Application resource operation | You can log in to application resources using a browser and perform operations such as operation session sharing, file transfer, and file management. | √ | √ |
| Resource operation | Cloud service resource operation | You can log in to container resources using a browser and perform operations, including operation session sharing. | × | √ |
| Resource operation | Operation script management | You can import and edit scripts to be executed on the bastion host to complete complex or repetitive tasks, improving efficiency. | × | √ |
| Resource operation | Fast operation | You can directly run preset commands and scripts and transfer files on the bastion host for quick resource operation. Logs of all operations are provided. | × | √ |
| Resource operation | Operation task management | You can customize manual or scheduled operation tasks for commands, scripts, and file transfer. All task operation logs are provided. | × | √ |
| System audit | Live session audit | All live sessions are recorded. You can view the resource, type, account, and source IP address of any session. | √ | √ |
| System audit | Historical session audit | All closed historical sessions are recorded. You can view the resource, type, account, and source IP address of any session. | √ | √ |
| System audit | System log audit | All logins to the bastion host and operations on it are recorded in detail. You can check who logged in from which IP address and at what time, and which specific functions and operations were performed after each login. | √ | √ |
| System audit | Operation report audit | The operation report collects statistics on operation time, number of resource accesses, session duration, access status of source IP addresses, session collaboration, two-person authorization, command interception, number of character commands, and number of transferred files, broken down by time, user, and resource. | √ | √ |
| System audit | System report audit | The system report collects statistics on system operation control, resource operation, source IP addresses, login mode, abnormal logins, sessions, and status. | √ | √ |
| Ticket | ACL tickets | If you do not have permission to access a resource, you can submit a ticket to request it. Such permissions include file transfer, file management, and keyboard audit. This type of permission is valid for a specific resource account within a fixed time range. | √ | √ |
| Ticket | Command control ticket management | If you do not have permission to run commands on a certain resource, you can submit a ticket to request permission for the resource. This type of permission is valid for a specific resource account within a fixed time range. | √ | √ |
| Ticket | Database ticket management | If you do not have permission to perform operations on a database resource, you can submit a ticket to request it. This type of permission is valid for a specific resource account within a fixed time range. | × | √ |
| Ticket | Ticket approval management | This page displays details about all tickets. You can view tickets on this page. | √ | √ |
| Ticket | Ticket configuration | You can configure the application scope, submission method, validity period, and approval process of tickets. | √ | √ |
| System configuration | Security | You can configure the maximum number of incorrect password attempts, zombie users, password change period, login timeout, certificate, proxy security layer, mobile phone token, USB key, verification, expiration notification, and session limits. | √ | √ |
| System configuration | Network | You can view the network interface list, DNS, and default gateway details of the bastion host, and configure static routes. | √ | √ |
| System configuration | HA | If the bastion host is deployed in primary/standby mode, you can enable or disable HA. | √ | √ |
| System configuration | Port | You can check the operation, web console, and SSH console ports in use. You can also change a port if needed, although this is not recommended. | √ | √ |
| System configuration | Outgoing | You can configure how alarms are sent. Currently, email, SMS, and LTS are supported. After the LTS agent is installed, LTS can send bastion host logs to the server. | √ | √ |
| System configuration | Alarm | You can configure the alarm mode and level for different message types, including login status, user operations, resource operation events, and operation activities. | √ | √ |
| System configuration | Theme | The default logo of the bastion host can be customized. | √ | √ |
| Bastion host system maintenance | Data storage maintenance | You can view the usage of the system and data disks, modify the web disk space, customize the log storage period, and delete logs automatically or manually. | √ | √ |
| Bastion host system maintenance | Log backup | You can back up logs to a local PC, OBS server, syslog server, or FTP/SFTP server. | √ | √ |
| Bastion host system maintenance | System maintenance | You can view the system status, configure the system address and time, back up and restore the system, view authorization information, and diagnose the network and system. | √ | √ |