Merge branch 'master' into named-panic

This commit is contained in:
Shlomi Noach 2019-03-06 12:47:06 +02:00 committed by GitHub
commit 766040d83f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 49 additions and 20 deletions

View File

@ -197,6 +197,14 @@ Allows `gh-ost` to connect to the MySQL servers using encrypted connections, but
`--ssl-ca=/path/to/ca-cert.pem`: ca certificate file (in PEM format) to use for server certificate verification. If specified, the default system ca cert pool will not be used for verification, only the ca cert provided here. Requires `--ssl`. `--ssl-ca=/path/to/ca-cert.pem`: ca certificate file (in PEM format) to use for server certificate verification. If specified, the default system ca cert pool will not be used for verification, only the ca cert provided here. Requires `--ssl`.
### ssl-cert
`--ssl-cert=/path/to/ssl-cert.crt`: SSL public key certificate file (in PEM format).
### ssl-key
`--ssl-key=/path/to/ssl-key.key`: SSL private key file (in PEM format).
### test-on-replica ### test-on-replica
Issue the migration on a replica; do not modify data on master. Useful for validating, testing and benchmarking. See [`testing-on-replica`](testing-on-replica.md) Issue the migration on a replica; do not modify data on master. Useful for validating, testing and benchmarking. See [`testing-on-replica`](testing-on-replica.md)

View File

@ -102,6 +102,8 @@ type MigrationContext struct {
UseTLS bool UseTLS bool
TLSAllowInsecure bool TLSAllowInsecure bool
TLSCACertificate string TLSCACertificate string
TLSCertificate string
TLSKey string
CliMasterUser string CliMasterUser string
CliMasterPassword string CliMasterPassword string
@ -703,7 +705,7 @@ func (this *MigrationContext) ApplyCredentials() {
func (this *MigrationContext) SetupTLS() error { func (this *MigrationContext) SetupTLS() error {
if this.UseTLS { if this.UseTLS {
return this.InspectorConnectionConfig.UseTLS(this.TLSCACertificate, this.TLSAllowInsecure) return this.InspectorConnectionConfig.UseTLS(this.TLSCACertificate, this.TLSCertificate, this.TLSKey, this.TLSAllowInsecure)
} }
return nil return nil
} }

View File

@ -57,6 +57,8 @@ func main() {
flag.BoolVar(&migrationContext.UseTLS, "ssl", false, "Enable SSL encrypted connections to MySQL hosts") flag.BoolVar(&migrationContext.UseTLS, "ssl", false, "Enable SSL encrypted connections to MySQL hosts")
flag.StringVar(&migrationContext.TLSCACertificate, "ssl-ca", "", "CA certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl") flag.StringVar(&migrationContext.TLSCACertificate, "ssl-ca", "", "CA certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
flag.StringVar(&migrationContext.TLSCertificate, "ssl-cert", "", "Certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
flag.StringVar(&migrationContext.TLSKey, "ssl-key", "", "Key in PEM format for TLS connections to MySQL hosts. Requires --ssl")
flag.BoolVar(&migrationContext.TLSAllowInsecure, "ssl-allow-insecure", false, "Skips verification of MySQL hosts' certificate chain and host name. Requires --ssl") flag.BoolVar(&migrationContext.TLSAllowInsecure, "ssl-allow-insecure", false, "Skips verification of MySQL hosts' certificate chain and host name. Requires --ssl")
flag.StringVar(&migrationContext.DatabaseName, "database", "", "database name (mandatory)") flag.StringVar(&migrationContext.DatabaseName, "database", "", "database name (mandatory)")
@ -205,6 +207,12 @@ func main() {
if migrationContext.TLSCACertificate != "" && !migrationContext.UseTLS { if migrationContext.TLSCACertificate != "" && !migrationContext.UseTLS {
log.Fatalf("--ssl-ca requires --ssl") log.Fatalf("--ssl-ca requires --ssl")
} }
if migrationContext.TLSCertificate != "" && !migrationContext.UseTLS {
log.Fatalf("--ssl-cert requires --ssl")
}
if migrationContext.TLSKey != "" && !migrationContext.UseTLS {
log.Fatalf("--ssl-key requires --ssl")
}
if migrationContext.TLSAllowInsecure && !migrationContext.UseTLS { if migrationContext.TLSAllowInsecure && !migrationContext.UseTLS {
log.Fatalf("--ssl-allow-insecure requires --ssl") log.Fatalf("--ssl-allow-insecure requires --ssl")
} }

View File

@ -16,6 +16,10 @@ import (
"github.com/go-sql-driver/mysql" "github.com/go-sql-driver/mysql"
) )
const (
TLS_CONFIG_KEY = "ghost"
)
// ConnectionConfig is the minimal configuration required to connect to a MySQL server // ConnectionConfig is the minimal configuration required to connect to a MySQL server
type ConnectionConfig struct { type ConnectionConfig struct {
Key InstanceKey Key InstanceKey
@ -57,34 +61,41 @@ func (this *ConnectionConfig) Equals(other *ConnectionConfig) bool {
return this.Key.Equals(&other.Key) || this.ImpliedKey.Equals(other.ImpliedKey) return this.Key.Equals(&other.Key) || this.ImpliedKey.Equals(other.ImpliedKey)
} }
func (this *ConnectionConfig) UseTLS(caCertificatePath string, allowInsecure bool) error { func (this *ConnectionConfig) UseTLS(caCertificatePath, clientCertificate, clientKey string, allowInsecure bool) error {
var rootCertPool *x509.CertPool var rootCertPool *x509.CertPool
var certs []tls.Certificate
var err error var err error
if !allowInsecure { if caCertificatePath == "" {
if caCertificatePath == "" { rootCertPool, err = x509.SystemCertPool()
rootCertPool, err = x509.SystemCertPool() if err != nil {
if err != nil { return err
return err
}
} else {
rootCertPool = x509.NewCertPool()
pem, err := ioutil.ReadFile(caCertificatePath)
if err != nil {
return err
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return errors.New("could not add ca certificate to cert pool")
}
} }
} else {
rootCertPool = x509.NewCertPool()
pem, err := ioutil.ReadFile(caCertificatePath)
if err != nil {
return err
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return errors.New("could not add ca certificate to cert pool")
}
}
if clientCertificate != "" || clientKey != "" {
cert, err := tls.LoadX509KeyPair(clientCertificate, clientKey)
if err != nil {
return err
}
certs = []tls.Certificate{cert}
} }
this.tlsConfig = &tls.Config{ this.tlsConfig = &tls.Config{
Certificates: certs,
RootCAs: rootCertPool, RootCAs: rootCertPool,
InsecureSkipVerify: allowInsecure, InsecureSkipVerify: allowInsecure,
} }
return mysql.RegisterTLSConfig(this.Key.StringCode(), this.tlsConfig) return mysql.RegisterTLSConfig(TLS_CONFIG_KEY, this.tlsConfig)
} }
func (this *ConnectionConfig) TLSConfig() *tls.Config { func (this *ConnectionConfig) TLSConfig() *tls.Config {
@ -103,7 +114,7 @@ func (this *ConnectionConfig) GetDBUri(databaseName string) string {
// simplify construction of the DSN below. // simplify construction of the DSN below.
tlsOption := "false" tlsOption := "false"
if this.tlsConfig != nil { if this.tlsConfig != nil {
tlsOption = this.Key.StringCode() tlsOption = TLS_CONFIG_KEY
} }
return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?interpolateParams=%t&autocommit=true&charset=utf8mb4,utf8,latin1&tls=%s", this.User, this.Password, hostname, this.Key.Port, databaseName, interpolateParams, tlsOption) return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?interpolateParams=%t&autocommit=true&charset=utf8mb4,utf8,latin1&tls=%s", this.User, this.Password, hostname, this.Key.Port, databaseName, interpolateParams, tlsOption)
} }

View File

@ -80,5 +80,5 @@ func TestGetDBUriWithTLSSetup(t *testing.T) {
c.tlsConfig = &tls.Config{} c.tlsConfig = &tls.Config{}
uri := c.GetDBUri("test") uri := c.GetDBUri("test")
test.S(t).ExpectEquals(uri, "gromit:penguin@tcp(myhost:3306)/test?interpolateParams=true&autocommit=true&charset=utf8mb4,utf8,latin1&tls=myhost:3306") test.S(t).ExpectEquals(uri, "gromit:penguin@tcp(myhost:3306)/test?interpolateParams=true&autocommit=true&charset=utf8mb4,utf8,latin1&tls=ghost")
} }