
*: support reload tls used by mysql protocol in place (#14749) #15080

Merged (4 commits), Mar 5, 2020

Conversation

@sre-bot (Contributor) commented Mar 3, 2020

cherry-pick #14749 to release-3.0


What problem does this PR solve?

ref #14666

Preliminary support for reloading the TLS configuration used by the MySQL protocol.

This PR doesn't try to fully support MySQL's dynamic modification of the "ssl_ca/ssl_key/ssl_cert" values, but it can reload TLS using the old file paths specified by the old "ssl_ca/ssl_key/ssl_cert" values (so ssl_cert/ssl_ca/ssl_key stay read-only after this PR).

So the user can:

  1. start TiDB with ssl-ca, ssl-key and ssl-cert configured as in https://pingcap.com/docs/stable/reference/security/cert-based-authentication/#install-openssl
  2. replace the files specified by ssl-ca, ssl-key and ssl-cert with new ones
  3. use a super user (a new privilege is needed here, in a following PR) to execute alter instance reload tls

Then all new DB connections will use the new cert files; old connections keep working, just like MySQL does.

What is changed and how it works?

  • extract the common method LoadTLSCertificates
  • make server.tlsConfig atomically swappable
  • let alter instance reload tls do the reload

Check List

Tests

  • Unit test
  • Integration test

Code changes

  • impl change

Side effects

  • n/a

Related changes

  • 4.0 only

Release note

  • Support reloading the TLS configuration used by the MySQL protocol in place.

Signed-off-by: sre-bot <sre-bot@pingcap.com>
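The mechanism the description lists (a shared LoadTLSCertificates, a server.tlsConfig that can be swapped atomically, and a reload driven by alter instance reload tls) written out in Go as an added example. This is not TiDB's code: the function names, the Server type, the file layout and the self-signed test certificates are assumptions chosen to mirror the PR's wording. The example also covers the failure case a practitioner will want checked: a reload that cannot parse the replaced files leaves the previous configuration active instead of leaving the listener without a usable certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// LoadTLSCertificates stands in for the helper the PR extracts (assumed shape): build a
// *tls.Config from the ssl-cert/ssl-key/ssl-ca files, or fail with no side effects.
func LoadTLSCertificates(ca, key, cert string) (*tls.Config, error) {
	pair, err := tls.LoadX509KeyPair(cert, key)
	if err != nil {
		return nil, err
	}
	caPEM, err := os.ReadFile(ca)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ssl-ca contains no certificates")
	}
	// Client certificates, when presented, are verified against ssl-ca (cert-based auth).
	return &tls.Config{Certificates: []tls.Certificate{pair}, ClientCAs: pool,
		ClientAuth: tls.VerifyClientCertIfGiven, MinVersion: tls.VersionTLS12}, nil
}

// Server keeps the live *tls.Config in an atomic.Value so a reload swaps it without
// blocking the accept loop; the file paths stay fixed (read-only, as in the PR).
type Server struct {
	caPath, keyPath, certPath string
	tlsConfig                 atomic.Value // holds *tls.Config
}

// ReloadTLS re-reads the same paths and swaps the result in. If the new files are unusable
// the previous config stays active, so a bad reload cannot leave the listener without TLS.
func (s *Server) ReloadTLS() error {
	cfg, err := LoadTLSCertificates(s.caPath, s.keyPath, s.certPath)
	if err != nil {
		return err
	}
	s.tlsConfig.Store(cfg)
	return nil
}

// CurrentLeafCN is the CN of the certificate the next accepted connection would be offered;
// a tls.Conn that already completed its handshake keeps the config it was given, as in MySQL.
func (s *Server) CurrentLeafCN() string {
	cfg := s.tlsConfig.Load().(*tls.Config)
	leaf, err := x509.ParseCertificate(cfg.Certificates[0].Certificate[0])
	if err != nil {
		return ""
	}
	return leaf.Subject.CommonName
}

// writeSelfSigned writes a throwaway self-signed, CA-capable cert and key with the given
// CN to the given paths (constructed test material, not deployment certificates).
func writeSelfSigned(certPath, keyPath, cn string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a key GenerateKey just produced
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

// RunScenario walks the PR's procedure in dir: start on cert-v1, replace the files in place
// with cert-v2 and reload, then corrupt the key and reload again. It returns the CN offered
// after each step plus the error the corrupted reload produced.
func RunScenario(dir string) (before, after, afterBad string, badErr, err error) {
	certPath, keyPath := filepath.Join(dir, "server.crt"), filepath.Join(dir, "server.key")
	srv := &Server{caPath: certPath, keyPath: keyPath, certPath: certPath} // self-signed cert doubles as ssl-ca
	rotate := func(cn string) error { // drop new files on the fixed paths, then reload
		if err := writeSelfSigned(certPath, keyPath, cn); err != nil {
			return err
		}
		return srv.ReloadTLS()
	}
	if err = rotate("cert-v1"); err != nil { // initial load at startup
		return
	}
	before = srv.CurrentLeafCN()
	if err = rotate("cert-v2"); err != nil {
		return
	}
	after = srv.CurrentLeafCN()
	if err = os.WriteFile(keyPath, []byte("not a key"), 0o600); err != nil {
		return
	}
	badErr = srv.ReloadTLS() // must fail and leave cert-v2 active
	afterBad = srv.CurrentLeafCN()
	return
}

func main() {
	dir, err := os.MkdirTemp("", "tlsreload")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println(RunScenario(dir))
}
```

The atomic.Value is what makes the swap safe without a lock: the accept path loads the pointer once per new connection, so a handshake in progress never sees a half-updated config, and connections already established are untouched because Go's tls.Conn holds the config it was created with. Keeping the old config on a failed reload matches the operational expectation that a typo in the replaced files should produce an error for the operator, not a server that silently stops serving TLS.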
@sre-bot (Contributor, Author) commented Mar 3, 2020

/run-all-tests

@sre-bot added the labels component/server, security (Everything related with security), type/3.0 cherry-pick and type/enhancement (The issue or PR belongs to an enhancement.) on Mar 3, 2020
@lysu (Contributor) commented Mar 3, 2020

/run-all-tests

Review comment (Contributor) on these lines of the diff:

tlsConfig, err := util.LoadTLSCertificates(s.cfg.Security.SSLCA, s.cfg.Security.SSLKey, s.cfg.Security.SSLCert)
if err != nil {
	logutil.Logger(context.Background()).Error("secure connection cert/key/ca load fail", zap.Error(err))

Differs from master: it doesn't return the error, to stay compatible with old 3.0.

@lysu (Contributor) commented Mar 3, 2020

/run-all-tests

@lysu (Contributor) commented Mar 3, 2020

@jackysp @tiancaiamao the conflict has been resolved, and it stays compatible with old 3.0 (it keeps working if the TLS config is wrong). PTAL if free.

@jackysp (Member) left a comment

LGTM

@jackysp jackysp added the status/LGT1 Indicates that a PR has LGTM 1. label Mar 3, 2020
@tiancaiamao (Contributor) left a comment

LGTM

@tiancaiamao tiancaiamao added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Mar 4, 2020
@jackysp (Member) commented Mar 4, 2020

/merge

@ngaut ngaut added the status/can-merge Indicates a PR has been approved by a committer. label Mar 4, 2020
@sre-bot (Contributor, Author) commented Mar 4, 2020

Your auto merge job has been accepted, waiting for 15092

@sre-bot (Contributor, Author) commented Mar 4, 2020

/run-all-tests

@sre-bot (Contributor, Author) commented Mar 4, 2020

@sre-bot merge failed.

@imtbkcat left a comment

LGTM

@imtbkcat commented Mar 4, 2020

/merge

@sre-bot (Contributor, Author) commented Mar 4, 2020

Sorry @imtbkcat, you don't have permission to trigger auto merge event on this branch.

@lysu (Contributor) commented Mar 4, 2020

/merge

@sre-bot (Contributor, Author) commented Mar 4, 2020

Sorry @lysu, you don't have permission to trigger auto merge event on this branch.

@lysu lysu requested a review from jackysp March 5, 2020 13:25
@lysu (Contributor) commented Mar 5, 2020

/rebuild

@jackysp (Member) commented Mar 5, 2020

/merge

@sre-bot (Contributor, Author) commented Mar 5, 2020

/run-all-tests

@sre-bot sre-bot merged commit 819603f into pingcap:release-3.0 Mar 5, 2020
Labels: component/server; security (Everything related with security); status/can-merge (Indicates a PR has been approved by a committer.); status/LGT2 (Indicates that a PR has LGTM 2.); type/enhancement (The issue or PR belongs to an enhancement.)

6 participants