diff options
6 files changed, 106 insertions, 46 deletions
diff --git a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result index 990e0a29506..8048cafecd8 100644 --- a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result +++ b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key.result @@ -1,3 +1,4 @@ SELECT 1; 1 1 +include/assert_grep.inc [Using openssl based encryption with socat] diff --git a/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result new file mode 100644 index 00000000000..8048cafecd8 --- /dev/null +++ b/mysql-test/suite/galera/r/galera_sst_mariabackup_encrypt_with_key_server.result @@ -0,0 +1,4 @@ +SELECT 1; +1 +1 +include/assert_grep.inc [Using openssl based encryption with socat] diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test index 4449ea43c43..523d44102dd 100644 --- a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test +++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key.test @@ -1,6 +1,8 @@ # -# This test checks that key and cert encryption options can be passed to mariabackup via the my.cnf file -# Initial SST happens via mariabackup, so there is not much to do in the body of the test +# This test checks that key and cert encryption options can be passed to +# mariabackup via the my.cnf file +# Initial SST happens via mariabackup, so there is not much to do in the body +# of the test # --source include/big_test.inc @@ -12,3 +14,11 @@ SELECT 1; --let $wait_condition = SELECT VARIABLE_VALUE = 2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_cluster_size'; --source include/wait_condition.inc + +# Confirm that transfer was SSL-encrypted +--let $assert_text = Using openssl based encryption with socat +--let $assert_select = Using openssl based encryption with socat: with key and crt +--let $assert_count = 1 +--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.1.err +--let $assert_only_after = CURRENT_TEST +--source include/assert_grep.inc diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf new file mode 100644 index 00000000000..12fca48e065 --- /dev/null +++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.cnf @@ -0,0 +1,13 @@ +!include ../galera_2nodes.cnf + +[mysqld] +wsrep_sst_method=mariabackup +wsrep_sst_auth="root:" +wsrep_debug=ON + +ssl-cert=@ENV.MYSQL_TEST_DIR/std_data/client-cert.pem +ssl-key=@ENV.MYSQL_TEST_DIR/std_data/client-key.pem +ssl-ca=@ENV.MYSQL_TEST_DIR/std_data/cacert.pem + +[sst] +ssl-mode=VERIFY_CA
\ No newline at end of file diff --git a/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test new file mode 100644 index 00000000000..19ebd0cf51e --- /dev/null +++ b/mysql-test/suite/galera/t/galera_sst_mariabackup_encrypt_with_key_server.test @@ -0,0 +1,25 @@ +# +# This test checks that if SST SSL is not explicitly donfigured mariabackup SST +# uses server SSL configuration if present. +# Initial SST happens via mariabackup, so there is not much to do in the body +# of the test +# + +--source include/big_test.inc +--source include/galera_cluster.inc +--source include/have_innodb.inc +--source include/have_mariabackup.inc +--source include/have_ssl_communication.inc + +SELECT 1; + +--let $wait_condition = SELECT VARIABLE_VALUE = 2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_cluster_size'; +--source include/wait_condition.inc + +# Confirm that transfer was SSL-encrypted +--let $assert_text = Using openssl based encryption with socat +--let $assert_select = Using openssl based encryption with socat: with key and c +--let $assert_count = 1 +--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.1.err +--let $assert_only_after = CURRENT_TEST +--source include/assert_grep.inc diff --git a/sql/wsrep_sst.cc b/sql/wsrep_sst.cc index f4092b9b8a7..38560c7c663 100644 --- a/sql/wsrep_sst.cc +++ b/sql/wsrep_sst.cc @@ -637,49 +637,30 @@ err: return NULL; } -#define WSREP_SST_AUTH_ENV "WSREP_SST_OPT_AUTH" +#define WSREP_SST_AUTH_ENV "WSREP_SST_OPT_AUTH" +#define WSREP_SST_REMOTE_AUTH_ENV "WSREP_SST_OPT_REMOTE_AUTH" +#define DATA_HOME_DIR_ENV "INNODB_DATA_HOME_DIR" -static int sst_append_auth_env(wsp::env& env, const char* sst_auth) +static int sst_append_env_var(wsp::env& env, + const char* const var, + const char* const val) { - int const sst_auth_size= strlen(WSREP_SST_AUTH_ENV) + 1 /* = */ - + (sst_auth ? strlen(sst_auth) : 0) + 1 /* \0 */; + int const env_str_size= strlen(var) + 1 /* = */ + + (val ? strlen(val) : 0) + 1 /* \0 */; - wsp::string sst_auth_str(sst_auth_size); // for automatic cleanup on return - if (!sst_auth_str()) return -ENOMEM; + wsp::string env_str(env_str_size); // for automatic cleanup on return + if (!env_str()) return -ENOMEM; - int ret= snprintf(sst_auth_str(), sst_auth_size, "%s=%s", - WSREP_SST_AUTH_ENV, sst_auth ? sst_auth : ""); + int ret= snprintf(env_str(), env_str_size, "%s=%s", var, val ? val : ""); - if (ret < 0 || ret >= sst_auth_size) + if (ret < 0 || ret >= env_str_size) { - WSREP_ERROR("sst_append_auth_env(): snprintf() failed: %d", ret); + WSREP_ERROR("sst_append_env_var(): snprintf(%s=%s) failed: %d", + var, val, ret); return (ret < 0 ? ret : -EMSGSIZE); } - env.append(sst_auth_str()); - return -env.error(); -} - -#define DATA_HOME_DIR_ENV "INNODB_DATA_HOME_DIR" - -static int sst_append_data_dir(wsp::env& env, const char* data_dir) -{ - int const data_dir_size= strlen(DATA_HOME_DIR_ENV) + 1 /* = */ - + (data_dir ? strlen(data_dir) : 0) + 1 /* \0 */; - - wsp::string data_dir_str(data_dir_size); // for automatic cleanup on return - if (!data_dir_str()) return -ENOMEM; - - int ret= snprintf(data_dir_str(), data_dir_size, "%s=%s", - DATA_HOME_DIR_ENV, data_dir ? data_dir : ""); - - if (ret < 0 || ret >= data_dir_size) - { - WSREP_ERROR("sst_append_data_dir(): snprintf() failed: %d", ret); - return (ret < 0 ? ret : -EMSGSIZE); - } - - env.append(data_dir_str()); + env.append(env_str()); return -env.error(); } @@ -1090,7 +1071,7 @@ static ssize_t sst_prepare_other (const char* method, return -env.error(); } - if ((ret= sst_append_auth_env(env, sst_auth))) + if ((ret= sst_append_env_var(env, WSREP_SST_AUTH_ENV, sst_auth))) { WSREP_ERROR("sst_prepare_other(): appending auth failed: %d", ret); return ret; @@ -1098,7 +1079,7 @@ static ssize_t sst_prepare_other (const char* method, if (data_home_dir) { - if ((ret= sst_append_data_dir(env, data_home_dir))) + if ((ret= sst_append_env_var(env, DATA_HOME_DIR_ENV, data_home_dir))) { WSREP_ERROR("sst_prepare_other(): appending data " "directory failed: %d", ret); @@ -1275,12 +1256,12 @@ ssize_t wsrep_sst_prepare (void** msg) *msg = malloc (msg_len); if (NULL != *msg) { - char* const method_ptr(reinterpret_cast<char*>(*msg)); + char* const method_ptr(static_cast<char*>(*msg)); strcpy (method_ptr, wsrep_sst_method); char* const addr_ptr(method_ptr + method_len + 1); strcpy (addr_ptr, addr_out); - WSREP_INFO ("Prepared SST request: %s|%s", method_ptr, addr_ptr); + WSREP_DEBUG("Prepared SST request: %s|%s", method_ptr, addr_ptr); } else { WSREP_ERROR("Failed to allocate SST request of size %zu. Can't continue.", @@ -1733,6 +1714,7 @@ static int sst_donate_other (const char* method, "wsrep_sst_%s " WSREP_SST_OPT_ROLE " 'donor' " WSREP_SST_OPT_ADDR " '%s' " + WSREP_SST_OPT_LPORT " '%u' " WSREP_SST_OPT_SOCKET " '%s' " WSREP_SST_OPT_DATA " '%s' " "%s" @@ -1740,7 +1722,8 @@ static int sst_donate_other (const char* method, WSREP_SST_OPT_GTID_DOMAIN_ID " '%d'" "%s" "%s", - method, addr, mysqld_unix_port, mysql_real_data_home, + method, addr, mysqld_port, mysqld_unix_port, + mysql_real_data_home, wsrep_defaults_file, uuid, (long long) seqno, wsrep_gtid_domain_id, binlog_opt_val, @@ -1820,7 +1803,21 @@ wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx, const char* data = method + method_len + 1; - if (check_request_str(data, address_char)) + /* check for auth@addr separator */ + const char* addr= strrchr(data, '@'); + wsp::string remote_auth; + if (addr) + { + remote_auth.set(strndup(data, addr - data)); + addr++; + } + else + { + // no auth part + addr= data; + } + + if (check_request_str(addr, address_char)) { WSREP_ERROR("Bad SST address string. SST canceled."); return WSREP_CB_FAILURE; @@ -1841,15 +1838,25 @@ wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx, } int ret; - if ((ret= sst_append_auth_env(env, sst_auth_real))) + if ((ret= sst_append_env_var(env, WSREP_SST_AUTH_ENV, sst_auth_real))) { WSREP_ERROR("wsrep_sst_donate_cb(): appending auth env failed: %d", ret); return WSREP_CB_FAILURE; } + if (remote_auth()) + { + if ((ret= sst_append_env_var(env, WSREP_SST_REMOTE_AUTH_ENV,remote_auth()))) + { + WSREP_ERROR("wsrep_sst_donate_cb(): appending remote auth env failed: " + "%d", ret); + return WSREP_CB_FAILURE; + } + } + if (data_home_dir) { - if ((ret= sst_append_data_dir(env, data_home_dir))) + if ((ret= sst_append_env_var(env, DATA_HOME_DIR_ENV, data_home_dir))) { WSREP_ERROR("wsrep_sst_donate_cb(): appending data " "directory failed: %d", ret); @@ -1859,12 +1866,12 @@ wsrep_cb_status_t wsrep_sst_donate_cb (void* app_ctx, void* recv_ctx, if (!strcmp (WSREP_SST_MYSQLDUMP, method)) { - ret = sst_donate_mysqldump(data, ¤t_gtid->uuid, uuid_str, + ret = sst_donate_mysqldump(addr, ¤t_gtid->uuid, uuid_str, current_gtid->seqno, bypass, env()); } else { - ret = sst_donate_other(method, data, uuid_str, + ret = sst_donate_other(method, addr, uuid_str, current_gtid->seqno, bypass, env()); } |