summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulius Goryavsky <julius.goryavsky@mariadb.com>2021-03-09 13:40:06 +0100
committerJulius Goryavsky <julius.goryavsky@mariadb.com>2021-03-09 13:48:10 +0100
commit4544d8f65a12dc6fc5c8bca37a515f0553d825ba (patch)
tree356b2bd49928e76e148a4c210661387942228e21
parent4020e4aee0b3477f31d1fb0d797b84171b22d483 (diff)
parent2dce82f1c2e7d2566f19c5e28290bdaabbd5f9bf (diff)
downloadmariadb-git-bb-10.2-ssl.tar.gz
Merge branch 'sst-ssl-fixes-10.2' of https://github.com/codership/mariadb-server into bb-10.2-sslbb-10.2-ssl
-rw-r--r--mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result1
-rw-r--r--mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result4
-rw-r--r--mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test14
-rw-r--r--mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf13
-rw-r--r--mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test25
-rw-r--r--scripts/wsrep_sst_common.sh44
-rw-r--r--scripts/wsrep_sst_mariabackup.sh138
-rw-r--r--sql/wsrep_sst.cc95
8 files changed, 259 insertions, 75 deletions
diff --git a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result
index 990e0a29506..8048cafecd8 100644
--- a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result
+++ b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result
@@ -1,3 +1,4 @@
SELECT 1;
1
1
+include/assert_grep.inc [Using openssl based encryption with socat]
diff --git a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result
new file mode 100644
index 00000000000..8048cafecd8
--- /dev/null
+++ b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result
@@ -0,0 +1,4 @@
+SELECT 1;
+1
+1
+include/assert_grep.inc [Using openssl based encryption with socat]
diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test
index 4449ea43c43..523d44102dd 100644
--- a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test
+++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test
@@ -1,6 +1,8 @@
#
-# This test checks that key and cert encryption options can be passed to mariabackup via the my.cnf file
-# Initial SST happens via mariabackup, so there is not much to do in the body of the test
+# This test checks that key and cert encryption options can be passed to
+# mariabackup via the my.cnf file
+# Initial SST happens via mariabackup, so there is not much to do in the body
+# of the test
#
--source include/big_test.inc
@@ -12,3 +14,11 @@ SELECT 1;
--let $wait_condition = SELECT VARIABLE_VALUE = 2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_cluster_size';
--source include/wait_condition.inc
+
+# Confirm that transfer was SSL-encrypted
+--let $assert_text = Using openssl based encryption with socat
+--let $assert_select = Using openssl based encryption with socat: with key and crt
+--let $assert_count = 1
+--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.1.err
+--let $assert_only_after = CURRENT_TEST
+--source include/assert_grep.inc
diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf
new file mode 100644
index 00000000000..12fca48e065
--- /dev/null
+++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf
@@ -0,0 +1,13 @@
+!include ../galera_2nodes.cnf
+
+[mysqld]
+wsrep_sst_method=mariabackup
+wsrep_sst_auth="root:"
+wsrep_debug=ON
+
+ssl-cert=@ENV.MYSQL_TEST_DIR/std_data/client-cert.pem
+ssl-key=@ENV.MYSQL_TEST_DIR/std_data/client-key.pem
+ssl-ca=@ENV.MYSQL_TEST_DIR/std_data/cacert.pem
+
+[sst]
+ssl-mode=VERIFY_CA \ No newline at end of file
diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test
new file mode 100644
index 00000000000..19ebd0cf51e
--- /dev/null
+++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test
@@ -0,0 +1,25 @@
+#
+# This test checks that if SST SSL is not explicitly donfigured mariabackup SST
+# uses server SSL configuration if present.
+# Initial SST happens via mariabackup, so there is not much to do in the body
+# of the test
+#
+
+--source include/big_test.inc
+--source include/galera_cluster.inc
+--source include/have_innodb.inc
+--source include/have_mariabackup.inc
+--source include/have_ssl_communication.inc
+
+SELECT 1;
+
+--let $wait_condition = SELECT VARIABLE_VALUE = 2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_cluster_size';
+--source include/wait_condition.inc
+
+# Confirm that transfer was SSL-encrypted
+--let $assert_text = Using openssl based encryption with socat
+--let $assert_select = Using openssl based encryption with socat: with key and c
+--let $assert_count = 1
+--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.1.err
+--let $assert_only_after = CURRENT_TEST
+--source include/assert_grep.inc
diff --git a/scripts/wsrep_sst_common.sh b/scripts/wsrep_sst_common.sh
index f5adf0b0fd8..a6f439b5348 100644
--- a/scripts/wsrep_sst_common.sh
+++ b/scripts/wsrep_sst_common.sh
@@ -25,6 +25,7 @@ WSREP_SST_OPT_DATA=""
WSREP_SST_OPT_AUTH=${WSREP_SST_OPT_AUTH:-}
WSREP_SST_OPT_USER=${WSREP_SST_OPT_USER:-}
WSREP_SST_OPT_PSWD=${WSREP_SST_OPT_PSWD:-}
+WSREP_SST_OPT_REMOTE_AUTH=${WSREP_SST_OPT_REMOTE_AUTH:-}
WSREP_SST_OPT_DEFAULT=""
WSREP_SST_OPT_EXTRA_DEFAULT=""
WSREP_SST_OPT_SUFFIX_DEFAULT=""
@@ -34,6 +35,7 @@ INNODB_DATA_HOME_DIR_ARG=""
INNODB_LOG_GROUP_HOME_ARG=""
INNODB_UNDO_DIR_ARG=""
LOG_BIN_ARG=""
+readonly WSREP_SST_OPT_REMOTE_AUTH
while [ $# -gt 0 ]; do
case "$1" in
@@ -121,7 +123,8 @@ case "$1" in
WSREP_SST_OPT_BYPASS=1
;;
'--datadir')
- readonly WSREP_SST_OPT_DATA="$2"
+ # strip trailing '/'
+ readonly WSREP_SST_OPT_DATA="${2%/}"
shift
;;
'--innodb-data-home-dir')
@@ -320,12 +323,22 @@ readonly WSREP_SST_OPT_AUTH
# Splitting AUTH into potential user:password pair
if ! wsrep_auth_not_set
then
- WSREP_SST_OPT_USER="${WSREP_SST_OPT_AUTH%%:*}"
+ WSREP_SST_OPT_USER="${WSREP_SST_OPT_AUTH%:*}"
WSREP_SST_OPT_PSWD="${WSREP_SST_OPT_AUTH##*:}"
fi
readonly WSREP_SST_OPT_USER
readonly WSREP_SST_OPT_PSWD
+if [ -n "$WSREP_SST_OPT_REMOTE_AUTH" ]
+then
+ # Split auth string at the last ':'
+ readonly WSREP_SST_OPT_REMOTE_USER="${WSREP_SST_OPT_REMOTE_AUTH%:*}"
+ readonly WSREP_SST_OPT_REMOTE_PSWD="${WSREP_SST_OPT_REMOTE_AUTH##*:}"
+else
+ readonly WSREP_SST_OPT_REMOTE_USER=
+ readonly WSREP_SST_OPT_REMOTE_PSWD=
+fi
+
if [ -n "${WSREP_SST_OPT_DATA:-}" ]
then
SST_PROGRESS_FILE="$WSREP_SST_OPT_DATA/sst_in_progress"
@@ -385,6 +398,19 @@ wsrep_check_programs()
return $ret
}
+# Generate a string equivalent to 16 random bytes
+wsrep_gen_secret()
+{
+ if [ -x /usr/bin/openssl ]
+ then
+ echo `/usr/bin/openssl rand -hex 16`
+ else
+ printf "%04x%04x%04x%04x%04x%04x%04x%04x" \
+ $RANDOM $RANDOM $RANDOM $RANDOM \
+ $RANDOM $RANDOM $RANDOM $RANDOM
+ fi
+}
+
#
# user can specify mariabackup specific settings that will be used during sst
# process like encryption, etc.....
@@ -396,14 +422,22 @@ wsrep_check_programs()
parse_cnf()
{
local group=$1
- local var=$2
+ local var=${2//_/-} # normalize variable name by replacing all '_' with '-'
local reval=""
- # normalize the variable names specified in cnf file (user can use _ or - for example log-bin or log_bin)
+ # first normalize output variable names specified in cnf file:
+ # user can use _ or - (for example log-bin or log_bin) and/or prefix
+ # variable with --loose-
# then search for needed variable
# finally get the variable value (if variables has been specified multiple time use the last value only)
- reval=$($MY_PRINT_DEFAULTS "${group}" | awk -v var="${var}" 'BEGIN { OFS=FS="=" } { gsub(/_/,"-",$1); if ( $1=="--"var) lastval=substr($0,length($1)+2) } END { print lastval}')
+ reval=$($MY_PRINT_DEFAULTS "${group}" | \
+ awk -v var="${var}" 'BEGIN { OFS=FS="=" } \
+ { sub(/^--loose/,"-",$0); \
+ gsub(/_/,"-",$1); \
+ if ( $1=="--"var) \
+ lastval=substr($0,length($1)+2) } \
+ END { print lastval}')
# use default if we haven't found a value
if [ -z "$reval" ]; then
diff --git a/scripts/wsrep_sst_mariabackup.sh b/scripts/wsrep_sst_mariabackup.sh
index 231cf6e3702..c8c26e7bbd4 100644
--- a/scripts/wsrep_sst_mariabackup.sh
+++ b/scripts/wsrep_sst_mariabackup.sh
@@ -37,6 +37,7 @@ REMOTEIP=""
tcert=""
tpem=""
tkey=""
+tmode="DISABLED"
sockopt=""
progress=""
ttime=0
@@ -72,6 +73,8 @@ xtmpdir=""
scomp=""
sdecomp=""
+readonly SECRET_TAG="secret"
+
# Required for backup locks
# For backup locks it is 1 sent by joiner
# 5.6.21 PXC and later can't donate to an older joiner
@@ -264,24 +267,30 @@ get_transfer()
exit 22
fi
stagemsg+="-OpenSSL-Encrypted-3"
- if [[ "$WSREP_SST_OPT_ROLE" == "joiner" ]];then
- if [[ -z $tcert ]];then
+ if [[ -z $tcert ]];then
+ # no verification
+ if [[ "$WSREP_SST_OPT_ROLE" == "joiner" ]];then
wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, verify=0"
tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},key=${tkey},verify=0${sockopt} stdio"
else
- wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
- tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},key=${tkey},cafile=${tcert}${sockopt} stdio"
- fi
- else
- if [[ -z $tcert ]];then
wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, verify=0"
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},verify=0${sockopt}"
+ fi
+ else
+ # CA verification
+ if [[ "$WSREP_SST_OPT_ROLE" == "joiner" ]];then
+ wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
+ tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},key=${tkey},cafile=${tcert}${sockopt} stdio"
else
+ if [ -n "$WSREP_SST_OPT_REMOTE_USER" ]; then
+ CN_option=",commonname=$WSREP_SST_OPT_REMOTE_USER"
+ else
+ CN_option=""
+ fi
wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
- tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},cafile=${tcert}${sockopt}"
+ tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},cafile=${tcert}${CN_option}${sockopt}"
fi
fi
-
else
if [[ "$WSREP_SST_OPT_ROLE" == "joiner" ]];then
tcmd="socat -u TCP-LISTEN:${TSST_PORT},reuseaddr${sockopt} stdio"
@@ -290,7 +299,6 @@ get_transfer()
fi
fi
fi
-
}
parse_cnf()
@@ -298,10 +306,17 @@ parse_cnf()
local group=$1
local var=$2
# print the default settings for given group using my_print_default.
+ # remove possible 'loose' variable name prefix
# normalize the variable names specified in cnf file (user can use _ or - for example log-bin or log_bin)
# then grep for needed variable
# finally get the variable value (if variables has been specified multiple time use the last value only)
- reval=$($MY_PRINT_DEFAULTS $group | awk -F= '{if ($1 ~ /_/) { gsub(/_/,"-",$1); print $1"="$2 } else { print $0 }}' | grep -- "--$var=" | cut -d= -f2- | tail -1)
+ reval=$($MY_PRINT_DEFAULTS $group | \
+ awk -F= '{ sub(/^--loose/,"-",$0); \
+ if ($1 ~ /_/) \
+ { gsub(/_/,"-",$1); print $1"="$2 } \
+ else \
+ { print $0 }}' | \
+ grep -- "--$var=" | cut -d= -f2- | tail -1)
if [[ -z $reval ]];then
[[ -n $3 ]] && reval=$3
fi
@@ -351,6 +366,24 @@ adjust_progress()
fi
}
+check_server_ssl_config()
+{
+ local section=$1
+ tcert=$(parse_cnf $section ssl-ca "")
+ tpem=$(parse_cnf $section ssl-cert "")
+ tkey=$(parse_cnf $section ssl-key "")
+ if [ 0 -eq $encrypt -a -n "$tpem" -a -n "$tkey" ]
+ then
+ encrypt=3 # enable cert/key SSL encyption
+
+ # avoid CA verification if not set explicitly:
+ # nodes may happen to have different CA if self-generated
+ # zeroing up tcert does the trick
+ local mode=$(parse_cnf SST ssl-mode "")
+ [[ ${tmode} = *VERIFY* ]] || tcert=""
+ fi
+}
+
read_cnf()
{
sfmt=$(parse_cnf sst streamfmt "xbstream")
@@ -359,6 +392,26 @@ read_cnf()
tpem=$(parse_cnf sst tcert "")
tkey=$(parse_cnf sst tkey "")
encrypt=$(parse_cnf sst encrypt 0)
+ tmode=$(parse_cnf sst ssl-mode "DISABLED" | tr [:lower:] [:upper:])
+
+ if [ -z "$tpem" -a -z "$tkey" -a -z "$tcert" ]
+ then # no old-style SSL config in [sst]
+ if [ "$tmode" != "DISABLED" ]
+ then # backward-incompatible behavior
+ check_server_ssl_config "sst"
+ if [ -z "$tpem" -a -z "$tkey" -a -z "$tcert" ]
+ then # no new-stype SSL config in [sst], try server-wide SSL config
+ check_server_ssl_config "mysqld.$WSREP_SST_OPT_SUFFIX_VALUE"
+ if [ -z "$tpem" -a -z "$tkey" -a -z "$tcert" ]
+ then
+ check_server_ssl_config "mysqld"
+ fi
+ fi
+ fi
+ fi
+ wsrep_log_info "SSL configuration: CA='"$tcert"', CERT='"$tpem"'," \
+ "KEY='"$tkey"', MODE='"$tmode"', encrypt="$encrypt
+
sockopt=$(parse_cnf sst sockopt "")
progress=$(parse_cnf sst progress "")
rebuild=$(parse_cnf sst rebuild 0)
@@ -404,7 +457,7 @@ read_cnf()
if [[ $encrypt -eq 1 ]]; then
wsrep_log_error "Xtrabackup-based encryption is currently not" \
- "supported with MariaBackup"
+ "supported with MariaBackup"
exit 2
fi
}
@@ -631,8 +684,8 @@ recv_joiner()
popd 1>/dev/null
if [[ ${RC[0]} -eq 124 ]];then
- wsrep_log_error "Possible timeout in receiving first data from "
- "donor in gtid stage: exit codes: ${RC[@]}"
+ wsrep_log_error "Possible timeout in receiving first data from " \
+ "donor in gtid stage: exit codes: ${RC[@]}"
exit 32
fi
@@ -644,12 +697,27 @@ recv_joiner()
fi
done
- if [[ $checkf -eq 1 && ! -r "${MAGIC_FILE}" ]];then
- # this message should cause joiner to abort
- wsrep_log_error "xtrabackup process ended without creating '${MAGIC_FILE}'"
- wsrep_log_info "Contents of datadir"
- wsrep_log_info "$(ls -l ${dir}/*)"
- exit 32
+ if [[ $checkf -eq 1 ]]; then
+ if [[ ! -r "${MAGIC_FILE}" ]];then
+ # this message should cause joiner to abort
+ wsrep_log_error "receiving process ended without creating " \
+ "'${MAGIC_FILE}'"
+ wsrep_log_info "Contents of datadir"
+ wsrep_log_info "$(ls -l ${dir}/*)"
+ exit 32
+ fi
+
+ # check donor supplied secret
+ SECRET=$(grep "$SECRET_TAG " ${MAGIC_FILE} 2>/dev/null | cut -d ' ' -f 2)
+ if [[ $SECRET != $MY_SECRET ]]; then
+ wsrep_log_error "Donor does not know my secret!"
+ wsrep_log_info "Donor:'$SECRET', my:'$MY_SECRET'"
+ exit 32
+ fi
+
+ # remove secret from magic file
+ grep -v "$SECRET_TAG " ${MAGIC_FILE} > ${MAGIC_FILE}.new
+ mv ${MAGIC_FILE}.new ${MAGIC_FILE}
fi
}
@@ -665,10 +733,9 @@ send_donor()
set -e
popd 1>/dev/null
-
for ecode in "${RC[@]}";do
if [[ $ecode -ne 0 ]];then
- wsrep_log_error "Error while getting data from donor node: " \
+ wsrep_log_error "Error while sending data to joiner node: " \
"exit codes: ${RC[@]}"
exit 32
fi
@@ -891,6 +958,11 @@ then
# (separated by a space).
echo "${WSREP_SST_OPT_GTID} ${WSREP_SST_OPT_GTID_DOMAIN_ID}" > "${MAGIC_FILE}"
+ if [[ -n ${WSREP_SST_OPT_REMOTE_PSWD} ]]; then
+ # Let joiner know that we know its secret
+ echo "$SECRET_TAG ${WSREP_SST_OPT_REMOTE_PSWD}" >> ${MAGIC_FILE}
+ fi
+
ttcmd="$tcmd"
if [[ $encrypt -eq 1 ]];then
@@ -1003,7 +1075,6 @@ then
stagemsg="Joiner-Recv"
-
sencrypted=1
nthreads=1
@@ -1025,7 +1096,26 @@ then
fi
fi
- wait_for_listen ${SST_PORT} ${ADDR} ${MODULE} &
+ if [[ "$tmode" = *"VERIFY"* ]]
+ then # backward-incompatible behavior
+ if [ -n "$tpem" ]
+ then
+ # find out my Common Name
+ wsrep_check_programs openssl
+ CN=$(openssl x509 -noout -subject -in $tpem | \
+ tr "," "\n" | grep "CN =" | cut -d= -f2 | sed s/^\ // | \
+ sed s/\ %//)
+ else
+ CN=""
+ fi
+ MY_SECRET=$(wsrep_gen_secret)
+ # Add authentication data to address
+ ADDR="$CN:$MY_SECRET@$ADDR"
+ else
+ MY_SECRET="" # for check down in recv_joiner()
+ fi # tmode == *VERIFY*
+
+ wait_for_listen ${SST_PORT} "${ADDR}" ${MODULE} &
trap sig_joiner_cleanup HUP PIPE INT TERM
trap cleanup_joiner EXIT
diff --git a/sql/wsrep_sst.cc b/sql/wsrep_sst.cc
index f4092b9b8a7..38560c7c663 100644
--- a/sql/wsrep_sst.cc
+++ b/sql/wsrep_sst.cc
@@ -637,49 +637,30 @@ err:
return NULL;
}
-#define WSREP_SST_AUTH_ENV "WSREP_SST_OPT_AUTH"
+#define WSREP_SST_AUTH_ENV "WSREP_SST_OPT_AUTH"
+#define WSREP_SST_REMOTE_AUTH_ENV "WSREP_SST_OPT_REMOTE_AUTH"
+#define DATA_HOME_DIR_ENV "INNODB_DATA_HOME_DIR"
-static int sst_append_auth_env(wsp::env& env, const char* sst_auth)
+static int sst_append_env_var(wsp::env& env,
+ const char* const var,
+ const char* const val)
{
- int const sst_auth_size= strlen(WSREP_SST_AUTH_ENV) + 1 /* = */
- + (sst_auth ? strlen(sst_auth) : 0) + 1 /* \0 */;
+ int const env_str_size= strlen(var) + 1 /* = */
+ + (val ? strlen(val) : 0) + 1 /* \0 */;
- wsp::string sst_auth_str(sst_auth_size); // for automatic cleanup on return
- if (!sst_auth_str()) return -ENOMEM;
+ wsp::string env_str(env_str_size); // for automatic cleanup on return
+ if (!env_str()) return -ENOMEM;
- int ret= snprintf(sst_auth_str(), sst_auth_size, "%s=%s",
- WSREP_SST_AUTH_ENV, sst_auth ? sst_auth : "");
+ int ret= snprintf(env_str(), env_str_size, "%s=%s", var, val ? val : "");
- if (ret < 0 || ret >= sst_auth_size)
+ if (ret < 0 || ret >= env_str_size)
{
- WSREP_ERROR("sst_append_auth_env(): snprintf() failed: %d", ret);
+ WSREP_ERROR("sst_append_env_var(): snprintf(%s=%s) failed: %d",
+ var, val, ret);
return (ret < 0 ? ret : -EMSGSIZE);
}
- env.append(sst_auth_str());
- return -env.error();
-}
-
-#define DATA_HOME_DIR_ENV "INNODB_DATA_HOME_DIR"
-
-static int sst_append_data_dir(wsp::env& env, const char* data_dir)
-{
- int const data_dir_size= strlen(DATA_HOME_DIR_ENV) + 1 /* = */
- + (data_dir ? strlen(data_dir) : 0) + 1 /* \0 */;
-
- wsp::string data_dir_str(data_dir_size); // for automatic cleanup on return
- if (!data_dir_str()) return -ENOMEM;
-
- int ret= snprintf(data_dir_str(), data_dir_size, "%s=%s",
- DATA_HOME_DIR_ENV, data_dir ? data_dir : "");
-
- if (ret < 0 || ret >= data_dir_size)
- {
- WSREP_ERROR("sst_append_data_dir(): snprintf() failed: %d", ret);
- return (ret < 0 ? ret : -EMSGSIZE);
- }
-
- env.append(data_dir_str());
+ env.append(env_str());
return -env.error();
}
@@ -1090,7 +1071,7 @@ static ssize_t sst_prepare_other (const char* method,
return -env.error();
}
- if ((ret= sst_append_auth_env(env, sst_auth)))
+ if ((ret= sst_append_env_var(env, WSREP_SST_AUTH_ENV, sst_auth)))
{
WSREP_ERROR("sst_prepare_other(): appending auth failed: %d", ret);
return ret;
@@ -1098,7 +1079,7 @@ static ssize_t sst_prepare_other (const char* method,
if (data_home_dir)
{
- if ((ret= sst_append_data_dir(env, data_home_dir)))
+ if ((ret= sst_append_env_var(env, DATA_HOME_DIR_ENV, data_home_dir)))
{
WSREP_ERROR("sst_prepare_other(): appending data "
"directory failed: %d", ret);
@@ -1275,12 +1256,12 @@ ssize_t wsrep_sst_prepare (void** msg)
*msg = malloc (msg_len);
if (NULL != *msg) {
- char* const method_ptr(reinterpret_cast<char*>(*msg));
+ char* const method_ptr(static_cast<char*>(*msg));
strcpy (method_ptr, wsrep_sst_method);
char* const addr_ptr(method_ptr + method_len + 1);
strcpy (addr_ptr, addr_out);
- WSREP_INFO ("Prepared SST request: %s|%s", method_ptr, addr_ptr);
+ WSREP_DEBUG("Prepared SST request: %s|%s", method_ptr, addr_ptr);
}
else {
WSREP_ERROR("Failed to allocate SST request of size %zu. Can't continue.",
@@ -1733,6 +1714,7 @@ static int sst_donate_other (const char* method,
"wsrep_sst_%s "
WSREP_SST_OPT_ROLE " 'donor' "
WSREP_SST_OPT_ADDR " '%s' "
+ WSREP_SST_OPT_LPORT " '%u' "
WSREP_SST_OPT_SOCKET " '%s' "
WSREP_SST_OPT_DATA " '%s' "
"%s"
@@ -1740,7 +1722,8 @@ static int sst_donate_other (const char* method,
WSREP_SST_OPT_GTID_DOMAIN_ID " '%d'"
"%s"
"%s",
- method, addr, mysqld_unix_port, mysql_real_data_home,
+ method, addr, mysqld_port, mysqld_unix_port,
+ mysql_real_data_home,
wsrep_defaults_file,
uuid, (long long) seqno, wsrep_gtid_domain_id,
binlog_opt_val,
@@ -1820,7 +1803,21 @@ wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx,
const char* data = method + method_len + 1;
- if (check_request_str(data, address_char))
+ /* check for auth@addr separator */
+ const char* addr= strrchr(data, '@');
+ wsp::string remote_auth;
+ if (addr)
+ {
+ remote_auth.set(strndup(data, addr - data));
+ addr++;
+ }
+ else
+ {
+ // no auth part
+ addr= data;
+ }
+
+ if (check_request_str(addr, address_char))
{
WSREP_ERROR("Bad SST address string. SST canceled.");
return WSREP_CB_FAILURE;
@@ -1841,15 +1838,25 @@ wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx,
}
int ret;
- if ((ret= sst_append_auth_env(env, sst_auth_real)))
+ if ((ret= sst_append_env_var(env, WSREP_SST_AUTH_ENV, sst_auth_real)))
{
WSREP_ERROR("wsrep_sst_donate_cb(): appending auth env failed: %d", ret);
return WSREP_CB_FAILURE;
}
+ if (remote_auth())
+ {
+ if ((ret= sst_append_env_var(env, WSREP_SST_REMOTE_AUTH_ENV,remote_auth())))
+ {
+ WSREP_ERROR("wsrep_sst_donate_cb(): appending remote auth env failed: "
+ "%d", ret);
+ return WSREP_CB_FAILURE;
+ }
+ }
+
if (data_home_dir)
{
- if ((ret= sst_append_data_dir(env, data_home_dir)))
+ if ((ret= sst_append_env_var(env, DATA_HOME_DIR_ENV, data_home_dir)))
{
WSREP_ERROR("wsrep_sst_donate_cb(): appending data "
"directory failed: %d", ret);
@@ -1859,12 +1866,12 @@ wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx,
if (!strcmp (WSREP_SST_MYSQLDUMP, method))
{
- ret = sst_donate_mysqldump(data, &current_gtid->uuid, uuid_str,
+ ret = sst_donate_mysqldump(addr, &current_gtid->uuid, uuid_str,
current_gtid->seqno, bypass, env());
}
else
{
- ret = sst_donate_other(method, data, uuid_str,
+ ret = sst_donate_other(method, addr, uuid_str,
current_gtid->seqno, bypass, env());
}