Improve SSL support
Related issue: https://github.com/github/gh-ost/issues/521 - Add --ssl-cert and --ssl-key options to specify SSL public/private key files - Allow combining --ssl-allow-insecure with other --ssl* flags. `mysql.RegisterTLSConfig` allows combining the corresponding parameters in the `tls.Config` it receives, so gh-ost should allow this. I found being able to pass --ssl-allow-insecure along with --ssl-ca, --ssl-cert, and --ssl-key useful in testing. - Use the same TLS config everywhere. Since the CLI only supports a single set of --ssl* configuration parameters, this should be fine -- `mysql.RegisterTLSConfig` documentation indicates the TLS config given will not be modified, so it can safely be used in many goroutines provided we also do not modify it. The previous implementation did not work when the TLS config was duplicated, which happens when gh-ost walks up the replication chain trying to find the master. This is because, when the config is duplicated, we must call `RegisterTLSConfig` again with the new config. This config is exactly the same, so it's easiest to side-step the issue by registering the TLS config once and using it everywhere.
This commit is contained in:
parent
a8fae9818d
commit
b4da7cfbfb
@ -189,6 +189,14 @@ Allows `gh-ost` to connect to the MySQL servers using encrypted connections, but
|
|||||||
|
|
||||||
`--ssl-ca=/path/to/ca-cert.pem`: ca certificate file (in PEM format) to use for server certificate verification. If specified, the default system ca cert pool will not be used for verification, only the ca cert provided here. Requires `--ssl`.
|
`--ssl-ca=/path/to/ca-cert.pem`: ca certificate file (in PEM format) to use for server certificate verification. If specified, the default system ca cert pool will not be used for verification, only the ca cert provided here. Requires `--ssl`.
|
||||||
|
|
||||||
|
### ssl-cert
|
||||||
|
|
||||||
|
`--ssl-cert=/path/to/ssl-cert.crt`: SSL public key certificate file (in PEM format).
|
||||||
|
|
||||||
|
### ssl-key
|
||||||
|
|
||||||
|
`--ssl-key=/path/to/ssl-key.key`: SSL private key file (in PEM format).
|
||||||
|
|
||||||
### test-on-replica
|
### test-on-replica
|
||||||
|
|
||||||
Issue the migration on a replica; do not modify data on master. Useful for validating, testing and benchmarking. See [`testing-on-replica`](testing-on-replica.md)
|
Issue the migration on a replica; do not modify data on master. Useful for validating, testing and benchmarking. See [`testing-on-replica`](testing-on-replica.md)
|
||||||
|
@ -102,6 +102,8 @@ type MigrationContext struct {
|
|||||||
UseTLS bool
|
UseTLS bool
|
||||||
TLSAllowInsecure bool
|
TLSAllowInsecure bool
|
||||||
TLSCACertificate string
|
TLSCACertificate string
|
||||||
|
TLSCertificate string
|
||||||
|
TLSKey string
|
||||||
CliMasterUser string
|
CliMasterUser string
|
||||||
CliMasterPassword string
|
CliMasterPassword string
|
||||||
|
|
||||||
@ -702,7 +704,7 @@ func (this *MigrationContext) ApplyCredentials() {
|
|||||||
|
|
||||||
func (this *MigrationContext) SetupTLS() error {
|
func (this *MigrationContext) SetupTLS() error {
|
||||||
if this.UseTLS {
|
if this.UseTLS {
|
||||||
return this.InspectorConnectionConfig.UseTLS(this.TLSCACertificate, this.TLSAllowInsecure)
|
return this.InspectorConnectionConfig.UseTLS(this.TLSCACertificate, this.TLSCertificate, this.TLSKey, this.TLSAllowInsecure)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -57,6 +57,8 @@ func main() {
|
|||||||
|
|
||||||
flag.BoolVar(&migrationContext.UseTLS, "ssl", false, "Enable SSL encrypted connections to MySQL hosts")
|
flag.BoolVar(&migrationContext.UseTLS, "ssl", false, "Enable SSL encrypted connections to MySQL hosts")
|
||||||
flag.StringVar(&migrationContext.TLSCACertificate, "ssl-ca", "", "CA certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
|
flag.StringVar(&migrationContext.TLSCACertificate, "ssl-ca", "", "CA certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
|
||||||
|
flag.StringVar(&migrationContext.TLSCertificate, "ssl-cert", "", "Certificate in PEM format for TLS connections to MySQL hosts. Requires --ssl")
|
||||||
|
flag.StringVar(&migrationContext.TLSKey, "ssl-key", "", "Key in PEM format for TLS connections to MySQL hosts. Requires --ssl")
|
||||||
flag.BoolVar(&migrationContext.TLSAllowInsecure, "ssl-allow-insecure", false, "Skips verification of MySQL hosts' certificate chain and host name. Requires --ssl")
|
flag.BoolVar(&migrationContext.TLSAllowInsecure, "ssl-allow-insecure", false, "Skips verification of MySQL hosts' certificate chain and host name. Requires --ssl")
|
||||||
|
|
||||||
flag.StringVar(&migrationContext.DatabaseName, "database", "", "database name (mandatory)")
|
flag.StringVar(&migrationContext.DatabaseName, "database", "", "database name (mandatory)")
|
||||||
@ -204,6 +206,12 @@ func main() {
|
|||||||
if migrationContext.TLSCACertificate != "" && !migrationContext.UseTLS {
|
if migrationContext.TLSCACertificate != "" && !migrationContext.UseTLS {
|
||||||
log.Fatalf("--ssl-ca requires --ssl")
|
log.Fatalf("--ssl-ca requires --ssl")
|
||||||
}
|
}
|
||||||
|
if migrationContext.TLSCertificate != "" && !migrationContext.UseTLS {
|
||||||
|
log.Fatalf("--ssl-cert requires --ssl")
|
||||||
|
}
|
||||||
|
if migrationContext.TLSKey != "" && !migrationContext.UseTLS {
|
||||||
|
log.Fatalf("--ssl-key requires --ssl")
|
||||||
|
}
|
||||||
if migrationContext.TLSAllowInsecure && !migrationContext.UseTLS {
|
if migrationContext.TLSAllowInsecure && !migrationContext.UseTLS {
|
||||||
log.Fatalf("--ssl-allow-insecure requires --ssl")
|
log.Fatalf("--ssl-allow-insecure requires --ssl")
|
||||||
}
|
}
|
||||||
|
@ -16,6 +16,10 @@ import (
|
|||||||
"github.com/go-sql-driver/mysql"
|
"github.com/go-sql-driver/mysql"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
TLS_CONFIG_KEY = "ghost"
|
||||||
|
)
|
||||||
|
|
||||||
// ConnectionConfig is the minimal configuration required to connect to a MySQL server
|
// ConnectionConfig is the minimal configuration required to connect to a MySQL server
|
||||||
type ConnectionConfig struct {
|
type ConnectionConfig struct {
|
||||||
Key InstanceKey
|
Key InstanceKey
|
||||||
@ -57,34 +61,41 @@ func (this *ConnectionConfig) Equals(other *ConnectionConfig) bool {
|
|||||||
return this.Key.Equals(&other.Key) || this.ImpliedKey.Equals(other.ImpliedKey)
|
return this.Key.Equals(&other.Key) || this.ImpliedKey.Equals(other.ImpliedKey)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (this *ConnectionConfig) UseTLS(caCertificatePath string, allowInsecure bool) error {
|
func (this *ConnectionConfig) UseTLS(caCertificatePath, clientCertificate, clientKey string, allowInsecure bool) error {
|
||||||
var rootCertPool *x509.CertPool
|
var rootCertPool *x509.CertPool
|
||||||
|
var certs []tls.Certificate
|
||||||
var err error
|
var err error
|
||||||
|
|
||||||
if !allowInsecure {
|
if caCertificatePath == "" {
|
||||||
if caCertificatePath == "" {
|
rootCertPool, err = x509.SystemCertPool()
|
||||||
rootCertPool, err = x509.SystemCertPool()
|
if err != nil {
|
||||||
if err != nil {
|
return err
|
||||||
return err
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
rootCertPool = x509.NewCertPool()
|
|
||||||
pem, err := ioutil.ReadFile(caCertificatePath)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
|
|
||||||
return errors.New("could not add ca certificate to cert pool")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
rootCertPool = x509.NewCertPool()
|
||||||
|
pem, err := ioutil.ReadFile(caCertificatePath)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
|
||||||
|
return errors.New("could not add ca certificate to cert pool")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if clientCertificate != "" || clientKey != "" {
|
||||||
|
cert, err := tls.LoadX509KeyPair(clientCertificate, clientKey)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
certs = []tls.Certificate{cert}
|
||||||
}
|
}
|
||||||
|
|
||||||
this.tlsConfig = &tls.Config{
|
this.tlsConfig = &tls.Config{
|
||||||
|
Certificates: certs,
|
||||||
RootCAs: rootCertPool,
|
RootCAs: rootCertPool,
|
||||||
InsecureSkipVerify: allowInsecure,
|
InsecureSkipVerify: allowInsecure,
|
||||||
}
|
}
|
||||||
|
|
||||||
return mysql.RegisterTLSConfig(this.Key.StringCode(), this.tlsConfig)
|
return mysql.RegisterTLSConfig(TLS_CONFIG_KEY, this.tlsConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (this *ConnectionConfig) TLSConfig() *tls.Config {
|
func (this *ConnectionConfig) TLSConfig() *tls.Config {
|
||||||
@ -103,7 +114,7 @@ func (this *ConnectionConfig) GetDBUri(databaseName string) string {
|
|||||||
// simplify construction of the DSN below.
|
// simplify construction of the DSN below.
|
||||||
tlsOption := "false"
|
tlsOption := "false"
|
||||||
if this.tlsConfig != nil {
|
if this.tlsConfig != nil {
|
||||||
tlsOption = this.Key.StringCode()
|
tlsOption = TLS_CONFIG_KEY
|
||||||
}
|
}
|
||||||
return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?interpolateParams=%t&autocommit=true&charset=utf8mb4,utf8,latin1&tls=%s", this.User, this.Password, hostname, this.Key.Port, databaseName, interpolateParams, tlsOption)
|
return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?interpolateParams=%t&autocommit=true&charset=utf8mb4,utf8,latin1&tls=%s", this.User, this.Password, hostname, this.Key.Port, databaseName, interpolateParams, tlsOption)
|
||||||
}
|
}
|
||||||
|
@ -80,5 +80,5 @@ func TestGetDBUriWithTLSSetup(t *testing.T) {
|
|||||||
c.tlsConfig = &tls.Config{}
|
c.tlsConfig = &tls.Config{}
|
||||||
|
|
||||||
uri := c.GetDBUri("test")
|
uri := c.GetDBUri("test")
|
||||||
test.S(t).ExpectEquals(uri, "gromit:penguin@tcp(myhost:3306)/test?interpolateParams=true&autocommit=true&charset=utf8mb4,utf8,latin1&tls=myhost:3306")
|
test.S(t).ExpectEquals(uri, "gromit:penguin@tcp(myhost:3306)/test?interpolateParams=true&autocommit=true&charset=utf8mb4,utf8,latin1&tls=ghost")
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user