  1. MariaDB Server
  2. MDEV-25471

Document SST Node authentication options

Details

    Description

      1. Pass joiner's authentication information to donor together with address
      in State Transfer Request. This allows joiner to authenticate donor on
      connection. Previously joiner would accept data from anywhere.

      2. Deprecate custom SSL configuration variables tca, tcert and tkey in favor
      of more familiar ssl-ca, ssl-cert and ssl-key. For backward compatibility
      tca, tcert and tkey are still supported.

      3. Allow falling back to server-wide SSL configuration in [mysqld] if no SSL
      configuration is found in [sst] section of the config file.

      4. Introduce ssl-mode variable in [sst] section that takes standard values
      and has the following effects:

      • old-style SSL configuration present in [sst]: no effect
        otherwise:
      • ssl-mode=DISABLED or absent: retains old, backward compatible behavior
        and ignores any other SSL configuration
      • ssl-mode=VERIFY*: verify joiner's certificate and CN on donor,
        verify donor's secret on joiner
        (passed to donor via State Transfer Request)
        BACKWARD INCOMPATIBLE BEHAVIOR
      • anything else enables new SSL configuration conventions but does not
        require verification

      ssl-mode should be set to VERIFY only in a fully upgraded cluster.

      Examples:

      [mysqld]
      ssl-cert=/path/to/cert
      ssl-key=/path/to/key
      ssl-ca=/path/to/ca

      [sst]

      – server-wide SSL configuration is ignored, SST does not use SSL

      [mysqld]
      ssl-cert=/path/to/cert
      ssl-key=/path/to/key
      ssl-ca=/path/to/ca

      [sst]
      ssl-mode=REQUIRED

      – use server-wide SSL configuration for SST but don't attempt to
      verify the peer identity

      [sst]
      ssl-cert=/path/to/cert
      ssl-key=/path/to/key
      ssl-ca=/path/to/ca
      ssl-mode=VERIFY_CA

      – use SST-specific SSL configuration for SST and require verification
      on both sides
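
The resolution rules in items 2 to 4, applied to one node's option file so that nodes whose SST runs without peer verification can be listed. This is an added example, not code from MariaDB or Galera. The function names, the result tuple and the sample node names are assumptions made for illustration, and it reads a single file without following include directives.

```python
import configparser

LEGACY_KEYS = ("tca", "tcert", "tkey")        # deprecated [sst] names listed in item 2
SSL_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")  # preferred names, valid in [sst] or [mysqld]

def _section(cp, name):
    # Assumption: '_' and '-' are treated as interchangeable in option names.
    if not cp.has_section(name):
        return {}
    return {k.replace("_", "-"): v for k, v in cp[name].items()}

def resolve_sst_ssl(cnf_text):
    """Return (style, cert_source, verify_enforced) for one node's option file."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(cnf_text)
    sst, mysqld = _section(cp, "sst"), _section(cp, "mysqld")
    if any(k in sst for k in LEGACY_KEYS):
        # Old-style configuration in [sst]: ssl-mode has no effect.
        return ("old-style", "sst", False)
    mode = (sst.get("ssl-mode") or "DISABLED").upper()
    if mode == "DISABLED":
        # Backward-compatible behaviour: every other SSL setting is ignored.
        return ("disabled", None, False)
    if any(k in sst for k in SSL_KEYS):
        source = "sst"
    elif any(k in mysqld for k in SSL_KEYS):
        source = "mysqld"  # item 3: fall back to the server-wide configuration
    else:
        source = None
    return ("new-style", source, mode.startswith("VERIFY"))

def unverified_nodes(configs):
    """Names of nodes where the ssl-mode=VERIFY* checks are not in effect."""
    return sorted(n for n, text in configs.items() if not resolve_sst_ssl(text)[2])

# Constructed sample option files; node1 to node3 mirror the three examples above.
SERVER_SSL = "[mysqld]\nssl-cert=/path/to/cert\nssl-key=/path/to/key\nssl-ca=/path/to/ca\n"
SAMPLES = {
    "node1": SERVER_SSL + "[sst]\n",
    "node2": SERVER_SSL + "[sst]\nssl-mode=REQUIRED\n",
    "node3": "[sst]\nssl-cert=/path/to/cert\nssl-key=/path/to/key\n"
             "ssl-ca=/path/to/ca\nssl-mode=VERIFY_CA\n",
    "node4": "[sst]\ntca=/path/to/ca\nssl-mode=VERIFY_CA\n",  # old-style key present
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, resolve_sst_ssl(text))
    print("verification not enforced:", unverified_nodes(SAMPLES))
```

Running it over every node's file before switching to VERIFY shows which nodes still carry old-style keys or no ssl-mode at all.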

            People

              GeoffMontee Geoff Montee (Inactive)
              jplindst Jan Lindström (Inactive)