[MXS-929] Dynamic Configuration of Firewall
Created: 2016-10-18  Updated: 2016-11-29  Resolved: 2016-11-29

Status: Closed
Project: MariaDB MaxScale
Component/s: dbfwfilter
Affects Version/s: None
Fix Version/s: 2.1.0

Type: New Feature
Priority: Major
Reporter: Johan Wikman
Assignee: markus makela
Resolution: Fixed
Votes: 0
Labels: 2.1-Requirement

Sprint: 2016-22

 Description   

Dynamic configuration of the firewall filter

The user should be able to modify the rules of the dbfwfilter. This is a likely scenario as security is not a static concept.

Example use case

The developer changes the name of a temporary table column and this is blocked by the firewall filter. The DBA then modifies the rules file and reloads it. MaxScale then uses the new rule file to block queries that do not match the temporary table column.

Required code changes

Each module needs to expose either an update or an extension entry point. Exposing an update entry point would allow for a more structured way of updating modules. Exposing a custom command entry point would allow modules to implement only the operations that they can and should do.

One option is to expose both an update and a custom command (an extension entry point in some sense) in the API.

It is also possible that custom commands could be implemented as callbacks that are registered to the core by the modules. These callbacks could then be called via some common gateway. It would allow the modules to expose new commands and the diagnostic interface would be defined by the modules that are in use.

Benefits of custom module commands

An entry point in the API would allow modules to implement actions which aren't in the module API. For example, the qlafilter could rotate log files with a rotate logs entry point, the cache filter could drop caches and the schemarouter could reload all database maps.

Benefits of an update command

Being able to call a standard entry point would make it easier to implement runtime changes to modules. It would also guide the developer of a module to expect changes to the system. New modules could be designed with a more defined update policy which would make for a more dynamic user experience.

Benefits of custom callback registration

Registering a callback keeps the API definition small and compact. This lowers the threshold of developing new modules and makes the API easier to understand.

Implementation

The chosen design was the custom callback registration as it allows the greatest amount of flexibility. Modules can register different sorts of functions without breaking the module API.



 Comments   
Comment by markus makela [ 2016-11-29 ]

MaxScale 2.1 implements an interface that allows modules to register custom commands. This module command system makes it easier for module developers to add new functionality to modules without modifying the module APIs.

The dbfwfilter implements two module commands: rules and rules/reload.

The first one prints the current list of rules to a DCB and the second one reloads and optionally changes the rule file. The reloading of the rules is done immediately for all sessions.
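
The callback registration design chosen in the description, with the two dbfwfilter command names from the comment above, sketched as an added C example that is not MaxScale's own code. The names cmd_register, cmd_call and the fw_* callbacks are hypothetical, and the one-line "rule file" and the validate-before-swap behaviour of the reload are assumptions of the sketch.

```c
/* Added sketch: every identifier is hypothetical, none is MaxScale's API. */
#include <stdio.h>
#include <string.h>
#define MAX_CMDS 16
typedef int (*cmd_fn)(const char *arg, char *out, size_t n);
struct cmd { const char *domain, *name; cmd_fn fn; };
static struct cmd registry[MAX_CMDS];
static int ncmds;
static struct cmd *cmd_find(const char *domain, const char *name) {
    for (int i = 0; i < ncmds; i++)
        if (!strcmp(registry[i].domain, domain) && !strcmp(registry[i].name, name))
            return &registry[i];
    return NULL;
}

/* Core: modules register callbacks at load time; duplicates are refused. */
int cmd_register(const char *domain, const char *name, cmd_fn fn) {
    if (!fn || ncmds == MAX_CMDS || cmd_find(domain, name)) return -1;
    registry[ncmds++] = (struct cmd){ domain, name, fn };
    return 0;
}
/* Common gateway: dispatch by (module, command); unknown commands return -2. */
int cmd_call(const char *domain, const char *name, const char *arg, char *out, size_t n) {
    struct cmd *c = cmd_find(domain, name);
    return c ? c->fn(arg, out, n) : -2;
}

/* Module: stand-in firewall filter; its "rule file" is one constructed string. */
static char active_rules[64] = "deny column tmp_a";
static int fw_rules(const char *arg, char *out, size_t n) {
    (void)arg;
    return snprintf(out, n, "%s", active_rules) < 0 ? -1 : 0;
}
/* Assumption: validate before swapping, so a bad file leaves the old rules active. */
static int fw_reload(const char *arg, char *out, size_t n) {
    int ok = arg && !strncmp(arg, "deny ", 5) && strlen(arg) < sizeof active_rules;
    if (ok) strcpy(active_rules, arg);
    snprintf(out, n, "%s", ok ? "reloaded" : "rejected, old rules kept");
    return ok ? 0 : -1;
}
int fw_module_init(void) {
    return cmd_register("dbfwfilter", "rules", fw_rules)
         | cmd_register("dbfwfilter", "rules/reload", fw_reload);
}

int main(void) {
    char out[64];
    if (fw_module_init() || cmd_call("dbfwfilter", "rules", NULL, out, sizeof out)) return 1;
    return puts(out) < 0;
}
```

The module API itself never changes here: adding a command is one more cmd_register call, and a rejected reload leaves the filter enforcing the rules it already had.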
