  1. MariaDB Server
  2. MDEV-25359

Improve mariabackup SST script compliance with native MariaDB SSL practices

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.2, 10.3, 10.4, 10.5
    • Fix Version/s: 10.6.0
    • Component/s: Galera
    • Labels:
      None

      Description

      • Pass joiner's authentication information to donor together with address in State Transfer Request. This allows joiner to authenticate donor on connection. Previously joiner would accept data from anywhere.
      • Deprecate custom SSL configuration variables tca, tcert and tkey in favor of more familiar ssl-ca, ssl-cert and ssl-key. For backward compatibility tca, tcert and tkey are still supported.
      • Allow falling back to server-wide SSL configuration in [mysqld] if no SSL configuration is found in [sst] section of the config file.
      • Introduce ssl-mode variable in [sst] section that takes standard values and has the following effects:
        • old-style SSL configuration present in [sst]: no effect
        • otherwise:
          • ssl-mode=DISABLED or absent: retains old, backward compatible behavior and ignores any other SSL configuration
          • ssl-mode=VERIFY*: verify joiner's certificate and CN on donor, verify donor's secret on joiner (passed to donor via State Transfer Request). BACKWARD INCOMPATIBLE BEHAVIOR
          • anything else enables new SSL configuration conventions but does not require verification
      • ssl-mode should be set to VERIFY only in a fully upgraded cluster.
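The ssl-mode rules above can be turned into a configuration check. The following is an added example, not the SST script's own code: it models the rules exactly as listed in this description, and the function name, result fields, sample paths, and the equal treatment of '_' and '-' in option names are assumptions.

```python
import configparser

OLD_KEYS = ("tca", "tcert", "tkey")            # deprecated [sst] names
NEW_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")   # preferred names

def _section(cp, name):
    return dict(cp[name]) if cp.has_section(name) else {}

def sst_tls_posture(cnf_text):
    """Classify a my.cnf by the ssl-mode rules listed in this issue."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    # Assumption: '_' and '-' in option names are treated as equivalent.
    cp.optionxform = lambda key: key.lower().replace("_", "-")
    cp.read_string(cnf_text)
    sst, mysqld = _section(cp, "sst"), _section(cp, "mysqld")
    mode = (sst.get("ssl-mode") or "DISABLED").strip("'\" ").upper()

    def result(rule, verify, keys_from, note=""):
        return {"rule": rule, "verify": verify, "keys_from": keys_from, "note": note}

    if any(k in sst for k in OLD_KEYS):
        # Old-style keys in [sst]: ssl-mode has no effect.
        return result("old-style", False, "sst",
                      "ssl-mode is ignored" if "ssl-mode" in sst else "")
    if mode == "DISABLED":
        # Absent or DISABLED: old behaviour, other SSL settings are ignored.
        present = any(k in sst or k in mysqld for k in NEW_KEYS)
        return result("disabled", False, None,
                      "SSL settings present but ignored" if present else "")
    # New conventions: [sst] first, then fall back to [mysqld].
    if any(k in sst for k in NEW_KEYS):
        keys_from = "sst"
    elif any(k in mysqld for k in NEW_KEYS):
        keys_from = "mysqld"
    else:
        keys_from = None
    if mode.startswith("VERIFY"):
        return result("verify", True, keys_from)
    return result("new-no-verify", False, keys_from, "no verification required")

# Constructed sample configurations (paths are placeholders).
SERVER_TLS = "[mysqld]\nssl-ca=/etc/my/ca.pem\nssl-cert=/etc/my/cert.pem\nssl-key=/etc/my/key.pem\n"
SAMPLES = {
    "verify-fallback": SERVER_TLS + "[sst]\nssl-mode=VERIFY_CA\n",
    "old-keys-win": "[sst]\ntca=/etc/my/ca.pem\nssl-mode=VERIFY_CA\n",
    "silently-off": SERVER_TLS + "[sst]\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, sst_tls_posture(text))
```

The two cases worth auditing for are "old-keys-win" and "silently-off": in both, a node carries TLS settings that look protective while the verification described in this issue is not in effect.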

            People

            Assignee:
            jplindst Jan Lindström
            Reporter:
            jplindst Jan Lindström