[CONJ-518] Support AWS RDS IAM Authentication with long living connection failover Created: 2017-08-29 Updated: 2019-08-30 Resolved: 2019-08-30 |
|
| Status: | Closed |
| Project: | MariaDB Connector/J |
| Component/s: | aurora, Failover |
| Affects Version/s: | 1.5.8 |
| Fix Version/s: | N/A |
| Type: | Task | Priority: | Minor |
| Reporter: | Jon Steinich | Assignee: | Diego Dupin |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None | ||
| Issue Links: |
|
| Description |
|
AWS added support for using IAM to authenticate to RDS a few months ago (RDS IAM Auth). This can work for the initial connection, but effectively, the password changes every 15 minutes. AbstractConnectProtocol stores a password at connection creation time. This means that if the connection has been alive longer than 15 minutes and a failover occurs, then the reconnection attempt will fail as the stored password is no longer valid. When using a connection pool this can be worked around by setting the max lifespan to 15 minutes, but we have code with long-running, manually managed connections. I could also apply lifespan logic, but it would be preferable for the driver to handle that. The problem really extends to the UrlParser, which also stores a password. Having some sort of user-extensible password provider would likely be enough. |
| Comments |
| Comment by Andrew Lundgren [ 2018-01-03 ] |
|
Unless I am mistaken, active connections don't have to re-validate their passwords. Long-running connections should not have issues after 15 minutes, but new connections created after 15 minutes fail because they no longer have a valid password. We worked around the cached password by scheduling a call to update the password on the Datasource every 10 minutes. Not ideal, but it works. |
| Comment by Diego Dupin [ 2019-08-30 ] |
|
closing since |
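
The password provider suggested in the description, combined with the 10-minute refresh interval from the workaround comment, as an added example (not Connector/J code and not code from this thread). `RefreshingPasswordProvider`, its token source and the clock parameter are hypothetical names; the token source stands in for whatever call issues the IAM auth token.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

/** Hypothetical provider: returns a cached token and renews it before the 15-minute expiry. */
public class RefreshingPasswordProvider implements Supplier<String> {
    private final Supplier<String> tokenSource; // assumption: wraps the real IAM token call
    private final Duration refreshAfter;        // must be shorter than the token validity
    private final Supplier<Instant> clock;      // injectable so expiry can be exercised offline
    private String token;
    private Instant issuedAt;

    public RefreshingPasswordProvider(Supplier<String> tokenSource, Duration refreshAfter,
                                      Supplier<Instant> clock) {
        this.tokenSource = tokenSource;
        this.refreshAfter = refreshAfter;
        this.clock = clock;
    }

    /** Call on every connect or failover reconnect instead of reading a stored password. */
    @Override
    public synchronized String get() {
        Instant now = clock.get();
        if (token == null || !now.isBefore(issuedAt.plus(refreshAfter))) {
            token = tokenSource.get(); // token is missing or past the refresh age: fetch a new one
            issuedAt = now;
        }
        return token;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the token service: every call yields a distinct value.
        AtomicInteger calls = new AtomicInteger();
        Supplier<String> fakeSource = () -> "constructed-token-" + calls.incrementAndGet();
        Instant[] now = { Instant.parse("2018-01-03T00:00:00Z") }; // constructed start time

        RefreshingPasswordProvider provider =
                new RefreshingPasswordProvider(fakeSource, Duration.ofMinutes(10), () -> now[0]);

        System.out.println(provider.get());          // initial connection
        now[0] = now[0].plus(Duration.ofMinutes(9));
        System.out.println(provider.get());          // 9 minutes in: cached token reused
        now[0] = now[0].plus(Duration.ofMinutes(7));
        System.out.println(provider.get());          // 16 minutes in: renewed for the reconnect
    }
}
```

Because the token is requested at reconnect time, a failover after 15 minutes never presents the password captured when the connection was first created.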