MariaDB Server: MDEV-25471

Document SST Node authentication options

    Description

      1. Pass the joiner's authentication information to the donor together with its address
      in the State Transfer Request. This allows the joiner to authenticate the donor on
      connection. Previously the joiner would accept data from anywhere.

      2. Deprecate the custom SSL configuration variables tca, tcert and tkey in favor
      of the more familiar ssl-ca, ssl-cert and ssl-key. For backward compatibility
      tca, tcert and tkey are still supported.

      3. Allow falling back to the server-wide SSL configuration in [mysqld] if no SSL
      configuration is found in the [sst] section of the config file.

      4. Introduce an ssl-mode variable in the [sst] section that takes the standard values
      and has the following effects:

      • old-style SSL configuration present in [sst]: no effect
        otherwise:
      • ssl-mode=DISABLED or absent: retains the old, backward compatible behavior
        and ignores any other SSL configuration
      • ssl-mode=VERIFY*: verify the joiner's certificate and CN on the donor,
        verify the donor's secret on the joiner
        (passed to the donor via the State Transfer Request)
        BACKWARD INCOMPATIBLE BEHAVIOR
      • anything else enables the new SSL configuration conventions but does not
        require verification

      ssl-mode should be set to VERIFY only in a fully upgraded cluster.

      Examples:

      [mysqld]
      ssl-cert=/path/to/cert
      ssl-key=/path/to/key
      ssl-ca=/path/to/ca

      [sst]

      – server-wide SSL configuration is ignored, SST does not use SSL

      [mysqld]
      ssl-cert=/path/to/cert
      ssl-key=/path/to/key
      ssl-ca=/path/to/ca

      [sst]
      ssl-mode=REQUIRED

      – use server-wide SSL configuration for SST but don't attempt to
      verify the peer identity

      [sst]
      ssl-cert=/path/to/cert
      ssl-key=/path/to/key
      ssl-ca=/path/to/ca
      ssl-mode=VERIFY_CA

      – use SST-specific SSL configuration for SST and require verification
      on both sides
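      The precedence rules above (old-style keys win, ssl-mode absent/DISABLED disables SST SSL, [sst] keys fall back to [mysqld], VERIFY* requires peer verification) can be checked against a my.cnf snippet with the resolver below. This is an added illustration, not code from the MariaDB SST scripts; the SstSsl record and the mode names "legacy", "disabled", "encrypt" and "verify" are this example's own labels for the behaviours the description lists.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

LEGACY_KEYS = ("tca", "tcert", "tkey")        # old-style [sst] SSL settings
SSL_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")  # new-style settings, also valid in [mysqld]


@dataclass
class SstSsl:
    mode: str              # "legacy", "disabled", "encrypt" or "verify" (labels chosen here)
    source: Optional[str]  # section that supplies the certificates: "sst", "mysqld" or None
    ca: Optional[str] = None
    cert: Optional[str] = None
    key: Optional[str] = None


def resolve_sst_ssl(cnf_text: str) -> SstSsl:
    """Apply the MDEV-25471 precedence rules to a my.cnf snippet given as text."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    # MariaDB treats '-' and '_' in option names as equivalent, so normalise both forms
    cp.optionxform = lambda opt: opt.strip().lower().replace("_", "-")
    cp.read_string(cnf_text)
    sst = dict(cp["sst"]) if cp.has_section("sst") else {}
    mysqld = dict(cp["mysqld"]) if cp.has_section("mysqld") else {}

    # Rule 1: tca/tcert/tkey in [sst] keep the old behaviour; ssl-mode has no effect
    if any(k in sst for k in LEGACY_KEYS):
        return SstSsl("legacy", "sst", sst.get("tca"), sst.get("tcert"), sst.get("tkey"))

    # Rule 2: ssl-mode absent (or empty) or DISABLED: SST ignores every other SSL setting
    mode = (sst.get("ssl-mode") or "DISABLED").upper()
    if mode == "DISABLED":
        return SstSsl("disabled", None)

    # Rule 3: new-style keys from [sst]; otherwise fall back to the server-wide [mysqld] ones
    if any(k in sst for k in SSL_KEYS):
        source, certs = "sst", sst
    elif any(k in mysqld for k in SSL_KEYS):
        source, certs = "mysqld", mysqld
    else:
        source, certs = None, {}

    # Rule 4: VERIFY_CA / VERIFY_IDENTITY demand peer verification on both sides;
    # any other value (e.g. REQUIRED) encrypts the transfer without verifying the peer
    kind = "verify" if mode.startswith("VERIFY") else "encrypt"
    return SstSsl(kind, source, certs.get("ssl-ca"), certs.get("ssl-cert"), certs.get("ssl-key"))
```

      Feeding it the three configurations shown above yields "disabled", "encrypt" (certificates taken from [mysqld]) and "verify" (certificates taken from [sst]) respectively.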

              Assignee: Geoff Montee (GeoffMontee)
              Reporter: Jan Lindström (jplindst)