diff options
author | Alexey Yurchenko <alexey.yurchenko@galeracluster.com> | 2021-05-06 04:03:07 +0200 |
---|---|---|
committer | Julius Goryavsky <julius.goryavsky@mariadb.com> | 2021-05-06 04:03:07 +0200 |
commit | 54d7ba96093475240c666d2964384d358d9f9b54 (patch) | |
tree | 8ff058e637e4fba60fd29d078fec8dc543233c45 /mysql-test | |
parent | cf67ca48d6731ba43dcde385991ae1efaff40675 (diff) | |
download | mariadb-git-54d7ba96093475240c666d2964384d358d9f9b54.tar.gz |
MDEV-25418: Improve mariabackup SST script compliance with native MariaDB SSL practices
and configuration.
1. Pass joiner's authentication information to donor together with address
in State Transfer Request. This allows joiner to authenticate donor on
connection. Previously joiner would accept data from anywhere.
2. Deprecate custom SSL configuration variables tca, tcert and tkey in favor
of more familiar ssl-ca, ssl-cert and ssl-key. For backward compatibility
tca, tcert and tkey are still supported.
3. Allow falling back to server-wide SSL configuration in [mysqld] if no SSL
configuration is found in [sst] section of the config file.
4. Introduce ssl-mode variable in [sst] section that takes standard values
and has following effects:
- old-style SSL configuration present in [sst]: no effect
otherwise:
- ssl-mode=DISABLED or absent: retains old, backward compatible behavior
and ignores any other SSL configuration
- ssl-mode=VERIFY*: verify joiner's certificate and CN on donor,
verify donor's secret on joiner
(passed to donor via State Transfer Request)
BACKWARD INCOMPATIBLE BEHAVIOR
- anything else enables new SSL configuration convetions but does not
require verification
ssl-mode should be set to VERIFY only in a fully upgraded cluster.
Examples:
[mysqld]
ssl-cert=/path/to/cert
ssl-key=/path/to/key
ssl-ca=/path/to/ca
[sst]
-- server-wide SSL configuration is ignored, SST does not use SSL
[mysqld]
ssl-cert=/path/to/cert
ssl-key=/path/to/key
ssl-ca=/path/to/ca
[sst]
ssl-mode=REQUIRED
-- use server-wide SSL configuration for SST but don't attempt to
verify the peer identity
[sst]
ssl-cert=/path/to/cert
ssl-key=/path/to/key
ssl-ca=/path/to/ca
ssl-mode=VERIFY_CA
-- use SST-specific SSL configuration for SST and require verification
on both sides
Signed-off-by: Julius Goryavsky <julius.goryavsky@mariadb.com>
Diffstat (limited to 'mysql-test')
5 files changed, 55 insertions, 2 deletions
diff --git a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result index 990e0a29506..8048cafecd8 100644 --- a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result +++ b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result @@ -1,3 +1,4 @@ SELECT 1; 1 1 +include/assert_grep.inc [Using openssl based encryption with socat] diff --git a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result new file mode 100644 index 00000000000..8048cafecd8 --- /dev/null +++ b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result @@ -0,0 +1,4 @@ +SELECT 1; +1 +1 +include/assert_grep.inc [Using openssl based encryption with socat] diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test index 4449ea43c43..523d44102dd 100644 --- a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test +++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test @@ -1,6 +1,8 @@ # -# This test checks that key and cert encryption options can be passed to mariabackup via the my.cnf file -# Initial SST happens via mariabackup, so there is not much to do in the body of the test +# This test checks that key and cert encryption options can be passed to +# mariabackup via the my.cnf file +# Initial SST happens via mariabackup, so there is not much to do in the body +# of the test # --source include/big_test.inc @@ -12,3 +14,11 @@ SELECT 1; --let $wait_condition = SELECT VARIABLE_VALUE = 2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_cluster_size'; --source include/wait_condition.inc + +# Confirm that transfer was SSL-encrypted +--let $assert_text = Using openssl based encryption with socat +--let $assert_select = Using openssl based encryption with socat: with key and crt +--let $assert_count = 1 +--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.1.err +--let $assert_only_after = CURRENT_TEST +--source include/assert_grep.inc diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf new file mode 100644 index 00000000000..12fca48e065 --- /dev/null +++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf @@ -0,0 +1,13 @@ +!include ../galera_2nodes.cnf + +[mysqld] +wsrep_sst_method=mariabackup +wsrep_sst_auth="root:" +wsrep_debug=ON + +ssl-cert=@ENV.MYSQL_TEST_DIR/std_data/client-cert.pem +ssl-key=@ENV.MYSQL_TEST_DIR/std_data/client-key.pem +ssl-ca=@ENV.MYSQL_TEST_DIR/std_data/cacert.pem + +[sst] +ssl-mode=VERIFY_CA
\ No newline at end of file diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test new file mode 100644 index 00000000000..19ebd0cf51e --- /dev/null +++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test @@ -0,0 +1,25 @@ +# +# This test checks that if SST SSL is not explicitly donfigured mariabackup SST +# uses server SSL configuration if present. +# Initial SST happens via mariabackup, so there is not much to do in the body +# of the test +# + +--source include/big_test.inc +--source include/galera_cluster.inc +--source include/have_innodb.inc +--source include/have_mariabackup.inc +--source include/have_ssl_communication.inc + +SELECT 1; + +--let $wait_condition = SELECT VARIABLE_VALUE = 2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_cluster_size'; +--source include/wait_condition.inc + +# Confirm that transfer was SSL-encrypted +--let $assert_text = Using openssl based encryption with socat +--let $assert_select = Using openssl based encryption with socat: with key and c +--let $assert_count = 1 +--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.1.err +--let $assert_only_after = CURRENT_TEST +--source include/assert_grep.inc |