* Add mysql_server_pool_conn_read_buffers flag and thread through to listener and connection
Signed-off-by: Brian Ramos <brirams@users.noreply.github.com>
* review feedback: code style
Signed-off-by: Brian Ramos <brirams@users.noreply.github.com>
* fix endtoend test
Signed-off-by: Brian Ramos <brirams@users.noreply.github.com>
* run benchmarks with read buffer pooling, too
Signed-off-by: Brian Ramos <brirams@users.noreply.github.com>
* update flag name to match new conventions
Signed-off-by: Brian Ramos <brirams@users.noreply.github.com>
* update 15.0.0 summary with reference to new flag
Signed-off-by: Brian Ramos <brirams@users.noreply.github.com>
* an attempt at cleaning up branch for rebasing
Signed-off-by: Brian Ramos <brirams@users.noreply.github.com>
* [go/mysql] Move all authserver-related flags off of global flagset
Signed-off-by: Andrew Mason <andrew@planetscale.com>
* fix flag default value relied on by tests
Signed-off-by: Andrew Mason <andrew@planetscale.com>
* fix vtgate help test data
Signed-off-by: Andrew Mason <andrew@planetscale.com>
This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The
directory created by `t.TempDir` is automatically removed when the test
and all its subtests complete.
Prior to this commit, temporary directories created using `ioutil.TempDir`
needed to be removed manually by calling `os.RemoveAll`, which is omitted
in some tests. The error handling boilerplate, e.g.
```go
defer func() {
	if err := os.RemoveAll(dir); err != nil {
		t.Fatal(err)
	}
}()
```
is also tedious, but `t.TempDir` handles this for us nicely.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
This replaces the shelling out to OpenSSL with native Go crypto to
generate CAs, intermediates & leaf certificates.
There are some improvements over the original behavior for correctness and
performance reasons.
- First, this now uses ECDSA certificates, which are a lot faster, and
generating a private key for them is much faster as well.
- There were no real leaf certificates. Each certificate was also marked
as a CA which isn't correct usage of certificates. The changes here
ensure that a signed cert is now a proper leaf certificate. It also
adds an explicit separate method to generate an intermediate CA.
- Lifetime of the certificates generated is significantly reduced.
Before it was almost 10 years, now it is one day. These temporary test
certificates should not be used for anything long term, so a day is long
enough for testing and using them in CI setups.
- It was setting 127.0.0.1 as a DNS SAN which doesn't work. This now
adds 127.0.0.1 (and also ::1) as a proper IP SAN.
- The original OpenSSL certificates didn't set up bits like
x509.KeyUsageCRLSign even though basic usage was marked as critical.
This was technically in violation of the spec but a bunch of tools
accept it (although not Go's CRL generation logic).
The API otherwise is unchanged for the tlstest package so any users
shouldn't see any significant change, just a package that's a lot
faster.
Unscientific benchmark for the test runtime shows a huge improvement:
Before
```
go test ./go/vt/tlstest -count=1
ok vitess.io/vitess/go/vt/tlstest 8.024s
```
After
```
go test ./go/vt/tlstest -count=1
ok vitess.io/vitess/go/vt/tlstest 0.156s
```
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
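An added example, not the tlstest package's own code, of the certificate shape this commit describes: P-256 ECDSA keys, a CA with the CertSign and CRLSign usage bits, a non-CA leaf carrying 127.0.0.1 and ::1 as IP SANs, one-day lifetimes, and a chain check showing the leaf matches those addresses. Function names are mine, and subjects are omitted to keep the block short.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// sign makes a fresh P-256 ECDSA key and issues tmpl from parent; a nil parent self-signs.
func sign(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // root CA: the template signs itself with its own new key
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewCA builds a self-signed CA valid for one day with the CertSign|CRLSign usage bits set.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}
// NewLeaf issues a one-day non-CA server certificate from ca carrying 127.0.0.1 and ::1 as IP SANs.
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, // IsCA stays false: a real leaf
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	}, ca, caKey)
	return cert, err
}
// VerifyHost checks that leaf chains to root and is valid for host, a DNS name or IP literal.
func VerifyHost(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

VerifyHost("...", "127.0.0.1") succeeds only because the address is an IP SAN; the same value as a DNS SAN would fail hostname matching.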
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
In the case of, for example, vttablets connecting to an external MySQL,
the current TLS / SSL options don't provide the sometimes needed
flexibility.
The only way to provide any option(s) is through the `db_flags` and
setting that to the magic value of 2048 (the `CapabilityClientSSL` bit).
In this mode, it immediately moves to the strictest mode possible.
These changes make options available for Vitess users to more granularly
configure the SSL settings. It mimics the MySQL client with an SSL mode
flag that can be set to various values matching MySQL.
This flag replaces the magic constant for db_flags and allows more
fine-grained control.
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
This change implements a large refactor of the plugin authentication
mechanism. This refactor is needed for a number of reasons:
- The current AuthServer interface is not well designed. Many of the
AuthServer implementations implement at least one if not multiple
methods as a panic() as they are unused or they implement something
never really called (like the salt generation). This indicates that
the current interface doesn't abstract things well.
- Adding `caching_sha2_password` as a server side mechanism would make
this interface problem worse. It would add even more methods that
would have empty implementations / panic().
- It is impossible right now for a plugin to support multiple
authentication mechanisms. The caching_sha2_password plugin allows for
caching of passwords and could be used to improve, for example, the LDAP
plugin. But we can't then still keep the `mysql_clear_password` as a
fallback for such an improvement in the LDAP plugin.
Based on these issues, I'm proposing this refactor. It allows for a
number of things that also make auth server implementations easier.
- An auth server can implement multiple auth methods. This allows for
the above mentioned optimization for the LDAP plugin and many other
improvements. Note that these improvements are not implemented here, but
it opens up the opportunity.
- There are helpers for all the already supported authentication
mechanisms plus basic support for caching_sha2_password. The last only
supports TLS connections or Unix sockets right now, since the full
authentication protocol is much more complicated. The value of the latter
is also debatable in the context of Vitess. It depends on a TLS
certificate and private key also for the plain text full auth cycle
and in that case, TLS would already be available as well anyway. For
clients that want caching_sha2_password, switching those to enable TLS
seems like a much simpler solution.
- With the helpers, specific interfaces are provided that plugins can
implement. Those interfaces provide a simpler way than the complex
Negotiate from before which might need to read packets etc. For these
helpers, all reading / writing of the protocol is already dealt with and
not something auth server plugin writers need to be concerned with.
Given the above advantages, I think the current setup is a better
design and better fits what we'd want to use for authentication plugins.
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
TLS 1.0 & TLS 1.1 are deprecated and shouldn't be used anymore. There
are, however, many older MySQL versions out there where the latest 5.6,
5.7 or 8.0 patch release isn't used, which means they don't have a build
against OpenSSL with latest TLS support.
This means we can't easily change the minimum version to always be TLS
1.2, but the best possible option is to create a flag instead.
The changes here add support for that flag. The default still is TLS
1.2 as the minimum version, but people who run against an older MySQL
can use a new flag to override this and still allow TLS 1.0 or TLS 1.1
if desired.
Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
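An added example (not Vitess's code) that combines the two flags from the SSL mode commit and the minimum TLS version commit above: a MySQL-style mode string and a minimum version are mapped to a Go tls.Config, with REQUIRED shown as encrypt-only and VERIFY_CA done through a custom chain check because Go has no built-in "verify chain but not hostname" switch. The mode names are MySQL's; PREFERRED, which may fall back to plaintext, is left out; the function and parameter names are assumptions.

```go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// SSLConfig maps a MySQL-style ssl mode and minimum TLS version (0 = TLS 1.2) to a tls.Config; nil means plaintext.
func SSLConfig(mode string, minVersion uint16, caPool *x509.CertPool, host string) (*tls.Config, error) {
	if minVersion == 0 {
		minVersion = tls.VersionTLS12 // the default; pass TLS 1.0/1.1 only for servers that cannot do better
	}
	cfg := &tls.Config{MinVersion: minVersion}
	switch mode {
	case "", "DISABLED":
		return nil, nil
	case "REQUIRED":
		// Encrypts but trusts any server certificate: stops passive eavesdropping only.
		cfg.InsecureSkipVerify = true
	case "VERIFY_CA":
		// Go cannot skip just the hostname check, so verify the chain ourselves.
		cfg.InsecureSkipVerify = true
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			return verifyChain(raw, caPool)
		}
	case "VERIFY_IDENTITY":
		cfg.RootCAs, cfg.ServerName = caPool, host
	default:
		return nil, fmt.Errorf("unknown ssl mode %q", mode)
	}
	return cfg, nil
}
// verifyChain checks the presented chain against caPool without matching a hostname.
func verifyChain(raw [][]byte, caPool *x509.CertPool) error {
	if len(raw) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	leaf, err := x509.ParseCertificate(raw[0])
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	for _, der := range raw[1:] {
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: caPool, Intermediates: inter})
	return err
}
```

A nil caPool makes VERIFY_CA and VERIFY_IDENTITY fall back to the system roots, which is what Go's x509 does when Roots is unset.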