• Alexey Yurchenko's avatar
    MDEV-25359 : Improve mariabackup SST script compliance with native MariaDB SSL... · fd9ca569
    Alexey Yurchenko authored
    MDEV-25359 : Improve mariabackup SST script compliance with native MariaDB SSL practices and configuration.
    
    1. Pass joiner's authentication information to donor together with address
       in State Transfer Request. This allows joiner to authenticate donor on
       connection. Previously joiner would accept data from anywhere.
    
    2. Deprecate custom SSL configuration variables tca, tcert and tkey in favor
       of more familiar ssl-ca, ssl-cert and ssl-key. For backward compatibility
       tca, tcert and tkey are still supported.
    
    3. Allow falling back to server-wide SSL configuration in [mysqld] if no SSL
       configuration is found in [sst] section of the config file.
    
    4. Introduce ssl-mode variable in [sst] section that takes standard values
       and has following effects:
        - old-style SSL configuration present in [sst]: no effect
          otherwise:
        - ssl-mode=DISABLED or absent: retains old, backward compatible behavior
          and ignores any other SSL configuration
        - ssl-mode=VERIFY*: verify joiner's certificate and CN on donor,
                            verify donor's secret on joiner
                            (passed to donor via State Transfer Request)
                            BACKWARD INCOMPATIBLE BEHAVIOR
        - anything else enables new SSL configuration convetions but does not
          require verification
    
        ssl-mode should be set to VERIFY only in a fully upgraded cluster.
    
        Examples:
    
        [mysqld]
        ssl-cert=/path/to/cert
        ssl-key=/path/to/key
        ssl-ca=/path/to/ca
    
        [sst]
    
         -- server-wide SSL configuration is ignored, SST does not use SSL
    
        [mysqld]
        ssl-cert=/path/to/cert
        ssl-key=/path/to/key
        ssl-ca=/path/to/ca
    
        [sst]
        ssl-mode=REQUIRED
    
         -- use server-wide SSL configuration for SST but don't attempt to
            verify the peer identity
    
        [sst]
        ssl-cert=/path/to/cert
        ssl-key=/path/to/key
        ssl-ca=/path/to/ca
        ssl-mode=VERIFY_CA
    
         -- use SST-specific SSL configuration for SST and require verification
            on both sides
    Reviewed-by: default avatarJan Lindström <jan.lindstrom@mariadb.com>
    fd9ca569
wsrep_sst.cc 54.4 KB