Adding --ssl-insecure flag

This commit is contained in:
Matt Belisle 2019-02-04 14:46:08 -06:00
parent 5319157789
commit 79df0d1c5d
3 changed files with 32 additions and 19 deletions


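--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -94,15 +94,16 @@ type MigrationContext struct {
 AliyunRDS bool
 GoogleCloudPlatform bool
 config ContextConfig
 configMutex *sync.Mutex
 ConfigFile string
 CliUser string
 CliPassword string
 UseTLS bool
+TLSInsecureSkipVerify bool
 TLSCACertificate string
 CliMasterUser string
 CliMasterPassword string
 HeartbeatIntervalMilliseconds int64
 defaultNumRetries int64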
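Review bot: The new TLSInsecureSkipVerify field has no comment, and since it is the value that is copied straight into tls.Config.InsecureSkipVerify in this commit's third file section, a reader of the struct should not have to trace that to understand its effect. I would put `// TLSInsecureSkipVerify disables verification of the MySQL server certificate; set by --ssl-insecure and only meaningful when UseTLS is set.` above the field, mirroring how the neighbouring UseTLS/TLSCACertificate pair is read by the connection code. The enclosing MigrationContext struct starts and ends outside the hunk.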


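--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -57,6 +57,7 @@ func main() {
 flag.BoolVar(&migrationContext.UseTLS, "ssl", false, "Enable SSL encrypted connections to MySQL hosts")
 flag.StringVar(&migrationContext.TLSCACertificate, "ssl-ca", "", "CA certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
+flag.StringVar(&migrationContext.TLSInsecureSkipVerify, "ssl-insecure", false, "Do not verify that the TLS connection is secure. Requires --ssl")
 flag.StringVar(&migrationContext.DatabaseName, "database", "", "database name (mandatory)")
 flag.StringVar(&migrationContext.OriginalTableName, "table", "", "table name (mandatory)")
@@ -201,6 +202,9 @@ func main() {
 if migrationContext.TLSCACertificate != "" && !migrationContext.UseTLS {
 log.Fatalf("--ssl-ca requires --ssl")
 }
+if migrationContext.TLSInsecureSkipVerify && !migrationContext.UseTLS {
+log.Fatalf("--ssl-insecure requires --ssl")
+}
 if *replicationLagQuery != "" {
 log.Warningf("--replication-lag-query is deprecated")
 }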
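Review bot: The added line in the first hunk, `flag.StringVar(&migrationContext.TLSInsecureSkipVerify, "ssl-insecure", false, ...)`, will not compile: TLSInsecureSkipVerify is declared as a bool in this commit's struct change and the default passed is `false`, while flag.StringVar takes a *string and a string default. It should be registered like the `--ssl` line two lines above it, `flag.BoolVar(&migrationContext.TLSInsecureSkipVerify, "ssl-insecure", false, "Skip verification of the MySQL server certificate (any certificate is accepted). Requires --ssl")`, where the reworded help text also tells the operator what they are giving up rather than the vaguer "Do not verify that the TLS connection is secure". The second hunk's `--ssl-insecure requires --ssl` guard is consistent with the existing `--ssl-ca` guard and looks right. main() starts and ends outside both hunks.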


@ -58,22 +58,30 @@ func (this *ConnectionConfig) Equals(other *ConnectionConfig) bool {
} }
func (this *ConnectionConfig) UseTLS(caCertificatePath string) error { func (this *ConnectionConfig) UseTLS(caCertificatePath string) error {
skipVerify := caCertificatePath == ""
var rootCertPool *x509.CertPool var rootCertPool *x509.CertPool
if !skipVerify { var err error
rootCertPool = x509.NewCertPool()
pem, err := ioutil.ReadFile(caCertificatePath) if !this.TLSInsecureSkipVerify {
if err != nil { if caCertificatePath == "" {
return err rootCertPool, err = x509.SystemCertPool()
} if err != nil {
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok { return err
return errors.New("could not add ca certificate to cert pool") }
} else {
rootCertPool = x509.NewCertPool()
pem, err := ioutil.ReadFile(caCertificatePath)
if err != nil {
return err
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return errors.New("could not add ca certificate to cert pool")
}
} }
} }
this.tlsConfig = &tls.Config{ this.tlsConfig = &tls.Config{
RootCAs: rootCertPool, RootCAs: rootCertPool,
InsecureSkipVerify: skipVerify, InsecureSkipVerify: this.TLSInsecureSkipVerify,
} }
return mysql.RegisterTLSConfig(this.Key.StringCode(), this.tlsConfig) return mysql.RegisterTLSConfig(this.Key.StringCode(), this.tlsConfig)