author | Julius Goryavsky <julius.goryavsky@mariadb.com> | 2021-08-15 21:03:07 +0200 |
---|---|---|
committer | Julius Goryavsky <julius.goryavsky@mariadb.com> | 2021-08-15 21:03:07 +0200 |
commit | d1a948cfaaab67e699674af4c11efad3868a629d (patch) | |
tree | 5e112ff96cdd429c5d97b4ce3e0706ace666953f /scripts | |
parent | 3b29315fdeb496cc896bc5da0982a6ebbea91e23 (diff) | |
download | mariadb-git-d1a948cfaaab67e699674af4c11efad3868a629d.tar.gz |
MDEV-26211: Cluster joiner node is failed to start when using TLS
This commit adds support for reading new SSL configuration
options (ssl-ca, ssl-cert and ssl-key) if the [sst] section
with old options (tca, tcert and tkey) is missing in the config
file, even if the authentication mode is not specified via the ssl-mode
option. Before this change, new parameters were read only if the
ssl-mode option was present in the configuration file and it was
not equal to the 'DISABLED' value.
Also added diagnostics (information level) which warns the user
that due to the presence of the tca, tcert and/or tkey parameters
in the [sst] section, new SSL configuration options will be ignored
(if their values do not match the old ones).
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/wsrep_sst_mariabackup.sh | 48 | ||||
-rw-r--r-- | scripts/wsrep_sst_xtrabackup-v2.sh | 48 |
2 files changed, 66 insertions, 30 deletions
diff --git a/scripts/wsrep_sst_mariabackup.sh b/scripts/wsrep_sst_mariabackup.sh
index 46804c9dce4..562b9b929f2 100644
--- a/scripts/wsrep_sst_mariabackup.sh
+++ b/scripts/wsrep_sst_mariabackup.sh
@@ -166,7 +166,8 @@ get_keys()
 fi
 if [ -z "$ekey" -a ! -r "$ekeyfile" ]; then
- wsrep_log_error "FATAL: Either key or keyfile must be readable"
+ wsrep_log_error "FATAL: Either key must be specified " \
+ "or keyfile must be readable"
 exit 3
 fi
@@ -448,9 +449,30 @@ encgroups='--mysqld|sst|xtrabackup'
 check_server_ssl_config()
 {
- tcert=$(parse_cnf "$encgroups" 'ssl-ca')
- tpem=$(parse_cnf "$encgroups" 'ssl-cert')
- tkey=$(parse_cnf "$encgroups" 'ssl-key')
+ # backward-compatible behavior:
+ tcert=$(parse_cnf 'sst' 'tca')
+ tpem=$(parse_cnf 'sst' 'tcert')
+ tkey=$(parse_cnf 'sst' 'tkey')
+ # reading new ssl configuration options:
+ local tcert2=$(parse_cnf "$encgroups" 'ssl-ca')
+ local tpem2=$(parse_cnf "$encgroups" 'ssl-cert')
+ local tkey2=$(parse_cnf "$encgroups" 'ssl-key')
+ # if there are no old options, then we take new ones:
+ if [ -z "$tcert" -a -z "$tpem" -a -z "$tkey" ]; then
+ tcert="$tcert2"
+ tpem="$tpem2"
+ tkey="$tkey2"
+ # checking for presence of the new-style SSL configuration:
+ elif [ -n "$tcert2" -o -n "$tpem2" -o -n "$tkey2" ]; then
+ if [ "$tcert" != "$tcert2" -o \
+ "$tpem" != "$tpem2" -o \
+ "$tkey" != "$tkey2" ]
+ then
+ wsrep_log_info "new ssl configuration options (ssl-ca, ssl-cert " \
+ "and ssl-key) are ignored by SST due to presence " \
+ "of the tca, tcert and/or tkey in the [sst] section"
+ fi
+ fi
 }
 read_cnf()
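Review bot: The fallback in check_server_ssl_config is all-or-nothing: `if [ -z "$tcert" -a -z "$tpem" -a -z "$tkey" ]` adopts ssl-ca/ssl-cert/ssl-key only when every one of tca, tcert and tkey is empty, so an [sst] section that carries just `tca` leaves tpem and tkey empty even though ssl-cert/ssl-key are configured, and the `-n "$tpem" -a -n "$tkey"` condition that enables cert/key SSL in read_cnf will then never trigger. That downgrade is reported only through wsrep_log_info, and only in the elif branch when the values differ, which is easy to miss; a configuration that silently ends up with less transport protection than the operator wrote should be logged at warning level (this hunk shows only the wsrep_log_info and wsrep_log_error helpers, so use whichever warning-level logger the script has) and the message should name which of the three new options were dropped. Separately, `local tcert2=$(parse_cnf ...)` hides parse_cnf's exit status behind `local`; if parse_cnf can fail, split it into `local tcert2` and `tcert2=$(parse_cnf "$encgroups" 'ssl-ca')` so the status is not lost.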
@@ -463,18 +485,10 @@ read_cnf()
 if [ $encrypt -eq 0 -o $encrypt -ge 2 ]
 then
- if [ "$tmode" != 'DISABLED' -o $encrypt -ge 2 ]
- then
- tcert=$(parse_cnf 'sst' 'tca')
- tpem=$(parse_cnf 'sst' 'tcert')
- tkey=$(parse_cnf 'sst' 'tkey')
+ if [ "$tmode" != 'DISABLED' -o $encrypt -ge 2 ]; then
+ check_server_ssl_config
 fi
 if [ "$tmode" != 'DISABLED' ]; then
- # backward-incompatible behavior
- if [ -z "$tpem" -a -z "$tkey" -a -z "$tcert" ]; then
- # no old-style SSL config in [sst]
- check_server_ssl_config
- fi
 if [ 0 -eq $encrypt -a -n "$tpem" -a -n "$tkey" ]
 then
 encrypt=3 # enable cert/key SSL encyption
@@ -489,7 +503,11 @@ read_cnf()
 ealgo=$(parse_cnf "$encgroups" 'encrypt-algo')
 eformat=$(parse_cnf "$encgroups" 'encrypt-format' 'openssl')
 ekey=$(parse_cnf "$encgroups" 'encrypt-key')
- ekeyfile=$(parse_cnf "$encgroups" 'encrypt-key-file')
+ # The keyfile should be read only when the key
+ # is not specified or empty:
+ if [ -z "$ekey" ]; then
+ ekeyfile=$(parse_cnf "$encgroups" 'encrypt-key-file')
+ fi
 fi
 wsrep_log_info "SSL configuration: CA='$tcert', CERT='$tpem'," \
diff --git a/scripts/wsrep_sst_xtrabackup-v2.sh b/scripts/wsrep_sst_xtrabackup-v2.sh
index 9600848dc77..13a4a1d25c1 100644
--- a/scripts/wsrep_sst_xtrabackup-v2.sh
+++ b/scripts/wsrep_sst_xtrabackup-v2.sh
@@ -165,7 +165,8 @@ get_keys()
 fi
 if [ -z "$ekey" -a ! -r "$ekeyfile" ]; then
- wsrep_log_error "FATAL: Either key or keyfile must be readable"
+ wsrep_log_error "FATAL: Either key must be specified " \
+ "or keyfile must be readable"
 exit 3
 fi
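Review bot: In the `@@ -489,7 +503,11 @@` hunk, a configuration that sets both `encrypt-key` and `encrypt-key-file` now silently uses the inline key and never consults the file, with no diagnostic — the opposite of what this same commit does for the ssl-* options, where a conflict between two sources of the same setting is logged. When `ekey` is non-empty, `ekeyfile` is also left with whatever value it held before this point (its initialisation is outside the hunk), so the `[ -z "$ekey" -a ! -r "$ekeyfile" ]` test in get_keys is bypassed purely on `ekey` and a stale path could still be picked up by later code. I would read both, log the conflict and clear the unused one: `ekeyfile=$(parse_cnf "$encgroups" 'encrypt-key-file')` followed by `if [ -n "$ekey" -a -n "$ekeyfile" ]; then wsrep_log_info "encrypt-key-file is ignored because encrypt-key is set"; ekeyfile=""; fi`. An inline `encrypt-key` also means the key material sits in the config file and in this shell's variables, so the `wsrep_log_info "SSL configuration: ..."` line that continues past the hunk must not print `$ekey`. read_cnf begins and ends outside this hunk.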
@@ -450,9 +451,30 @@ encgroups='--mysqld|sst|xtrabackup'
 check_server_ssl_config()
 {
- tcert=$(parse_cnf "$encgroups" 'ssl-ca')
- tpem=$(parse_cnf "$encgroups" 'ssl-cert')
- tkey=$(parse_cnf "$encgroups" 'ssl-key')
+ # backward-compatible behavior:
+ tcert=$(parse_cnf 'sst' 'tca')
+ tpem=$(parse_cnf 'sst' 'tcert')
+ tkey=$(parse_cnf 'sst' 'tkey')
+ # reading new ssl configuration options:
+ local tcert2=$(parse_cnf "$encgroups" 'ssl-ca')
+ local tpem2=$(parse_cnf "$encgroups" 'ssl-cert')
+ local tkey2=$(parse_cnf "$encgroups" 'ssl-key')
+ # if there are no old options, then we take new ones:
+ if [ -z "$tcert" -a -z "$tpem" -a -z "$tkey" ]; then
+ tcert="$tcert2"
+ tpem="$tpem2"
+ tkey="$tkey2"
+ # checking for presence of the new-style SSL configuration:
+ elif [ -n "$tcert2" -o -n "$tpem2" -o -n "$tkey2" ]; then
+ if [ "$tcert" != "$tcert2" -o \
+ "$tpem" != "$tpem2" -o \
+ "$tkey" != "$tkey2" ]
+ then
+ wsrep_log_info "new ssl configuration options (ssl-ca, ssl-cert " \
+ "and ssl-key) are ignored by SST due to presence " \
+ "of the tca, tcert and/or tkey in the [sst] section"
+ fi
+ fi
 }
 read_cnf()
@@ -465,18 +487,10 @@ read_cnf()
 if [ $encrypt -eq 0 -o $encrypt -ge 2 ]
 then
- if [ "$tmode" != 'DISABLED' -o $encrypt -ge 2 ]
- then
- tcert=$(parse_cnf 'sst' 'tca')
- tpem=$(parse_cnf 'sst' 'tcert')
- tkey=$(parse_cnf 'sst' 'tkey')
+ if [ "$tmode" != 'DISABLED' -o $encrypt -ge 2 ]; then
+ check_server_ssl_config
 fi
 if [ "$tmode" != 'DISABLED' ]; then
- # backward-incompatible behavior
- if [ -z "$tpem" -a -z "$tkey" -a -z "$tcert" ]; then
- # no old-style SSL config in [sst]
- check_server_ssl_config
- fi
 if [ 0 -eq $encrypt -a -n "$tpem" -a -n "$tkey" ]
 then
 encrypt=3 # enable cert/key SSL encyption
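Review bot: The `encrypt=3` switch at the end of the read_cnf hunk now fires whenever check_server_ssl_config found an ssl-cert and ssl-key — which after this commit includes the server's own [mysqld] certificate and key — without any check that those files exist or are readable by the user running this SST script; the only readability test in this commit is the one get_keys performs for the encrypt key file. An unreadable or mistyped `ssl-key` path is therefore discovered only when the transport is started, far from the configuration that caused it. Assuming `$tpem` and `$tkey` are used as given (if the script resolves them relative to the data directory later, the check belongs there instead), I would guard before the assignment with `if [ ! -r "$tpem" -o ! -r "$tkey" ]; then wsrep_log_error "FATAL: SSL cert '$tpem' or key '$tkey' is not readable"; exit 3; fi`, using the same exit code get_keys uses. The enclosing read_cnf body starts and ends outside this hunk.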
@@ -491,7 +505,11 @@ read_cnf()
 ealgo=$(parse_cnf "$encgroups" 'encrypt-algo')
 eformat=$(parse_cnf "$encgroups" 'encrypt-format' 'xbcrypt')
 ekey=$(parse_cnf "$encgroups" 'encrypt-key')
- ekeyfile=$(parse_cnf "$encgroups" 'encrypt-key-file')
+ # The keyfile should be read only when the key
+ # is not specified or empty:
+ if [ -z "$ekey" ]; then
+ ekeyfile=$(parse_cnf "$encgroups" 'encrypt-key-file')
+ fi
 fi
 wsrep_log_info "SSL configuration: CA='$tcert', CERT='$tpem'," \ |
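Review bot: The new comment above `if [ -z "$ekey" ]` says when the file is read but not the precedence rule it creates, and unlike the ssl-* handling in this same commit nothing is logged when both `encrypt-key` and `encrypt-key-file` are configured; the same applies to the matching hunk in wsrep_sst_mariabackup.sh. I would at least make the precedence explicit so a later maintainer does not "fix" it the other way, replacing the two comment lines with `# encrypt-key takes precedence: encrypt-key-file is consulted only` / `# when no inline key is configured, and is left untouched otherwise.` Whether `ekeyfile` holds a meaningful value before this point is not visible here; if it does not, clearing it in an else branch keeps later `-r "$ekeyfile"` tests from touching a stale path. read_cnf continues outside the hunk.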