
Bug Report: --db_ssl_mode=preferred wrongly ignored on replication settings when unix domain sockets are used #17216

Open
arthurschreiber opened this issue Nov 12, 2024 · 1 comment

arthurschreiber (Contributor) commented Nov 12, 2024

Overview of the Issue

  • Our replication user connections on MySQL require SSL.
  • Other user accounts do not use / require SSL (this includes things like vt_app), because they are connecting via unix domain sockets and those are deemed "secure" even without TLS/SSL encryption.

We provide MySQL configuration to vttablet via CLI arguments like this:

    --db_socket "/var/run/mysqld/mysqld.sock" \
    --db_ssl_mode preferred \
    --db_allprivs_user "${VTTABLET_ALLPRIVS_USER}" \
    --db_allprivs_use_ssl=false \
    --db_app_user "${VTTABLET_APP_USER}" \
    --db_app_use_ssl=false \
    --db_appdebug_user "${VTTABLET_APPDEBUG_USER}" \
    --db_appdebug_use_ssl=false \
    --db_dba_user "${VTTABLET_DBA_USER}" \
    --db_dba_use_ssl=false \
    --db_filtered_user "${VTTABLET_FILTERED_USER}" \
    --db_filtered_use_ssl=false \
    --db_repl_user "${MYSQL_REPL_USER}" \
    --db_repl_use_ssl=true

When vttablet sets up replication configuration via mysqlFlavor.setReplicationSourceCommand, it calls out to *ConnParams.SslEnabled() to check whether TLS should be enabled in the replication configuration.

*ConnParams.SslEnabled() returns false if a unix domain socket is configured via --db_socket and --db_ssl_mode is set to preferred to simulate what MySQL is doing when connecting to a unix domain socket.

This behaviour is correct when connections actually end up going over a domain socket. MySQL replica connections never go over the domain socket, they always use the hostname and port of the primary, so checking *ConnParams.SslEnabled() (which uses the global connection settings and sees that a socket is configured) is wrong in the context of the MySQL replication configuration.

Workaround

We're currently setting --db_ssl_mode=required to work around this.

Suggested Fix

Don't call SslEnabled in mysqlFlavor.setReplicationSourceCommand, instead call *ConnParams.EffectiveSslMode and enable SSL/TLS unless it's disabled.

Reproduction Steps

n/a

Binary Version

v18 and later

Operating System and Environment details

n/a

Log Fragments

n/a
arthurschreiber added the labels Type: Bug and Component: VTTablet, and removed Needs Triage (This issue needs to be correctly labelled and triaged), on Nov 12, 2024
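To make the mismatch described in this issue concrete, here is an added, self-contained Go example (not Vitess's own code; the `ConnParams` struct, the `SslMode` constants and the helper names are assumptions made for the illustration). `SslEnabled` reproduces the local-connection rule the issue describes (a unix socket with `preferred` means no TLS), `ReplicationSslEnabled` implements the suggested fix (TLS on unless the effective mode is `disabled`), and `replicationSourceCommand` renders a reduced `CHANGE REPLICATION SOURCE TO` statement so the difference shows up in the `SOURCE_SSL` clause that actually reaches the replica. The constant names beyond `disabled`/`preferred`/`required` are included only to show that the replication rule treats every non-disabled mode alike.

```go
package main

import "fmt"

// SslMode mirrors the values accepted by --db_ssl_mode (names assumed for this example).
type SslMode string

const (
	Disabled       SslMode = "disabled"
	Preferred      SslMode = "preferred"
	Required       SslMode = "required"
	VerifyCA       SslMode = "verify_ca"
	VerifyIdentity SslMode = "verify_identity"
)

// ConnParams is a hypothetical, trimmed-down stand-in for the vttablet
// connection parameters; only the two fields relevant to the issue are modelled.
type ConnParams struct {
	UnixSocket string  // --db_socket
	SslMode    SslMode // --db_ssl_mode ("" means not set)
}

// EffectiveSslMode treats an unset mode as "preferred".
func (cp *ConnParams) EffectiveSslMode() SslMode {
	if cp.SslMode == "" {
		return Preferred
	}
	return cp.SslMode
}

// SslEnabled reproduces the rule the issue describes for the *local* connection:
// a unix domain socket combined with "preferred" is treated as no TLS, because
// the socket never leaves the host. Any other non-disabled mode enables TLS.
func (cp *ConnParams) SslEnabled() bool {
	if cp.UnixSocket != "" && cp.EffectiveSslMode() == Preferred {
		return false
	}
	return cp.EffectiveSslMode() != Disabled
}

// ReplicationSslEnabled is the decision the issue proposes for the replication
// channel: the replica always dials the primary over host:port, so the configured
// socket is irrelevant and TLS stays on unless the mode is explicitly "disabled".
func (cp *ConnParams) ReplicationSslEnabled() bool {
	return cp.EffectiveSslMode() != Disabled
}

// replicationSourceCommand renders a reduced replication-source statement (MySQL 8
// syntax, without user/password/GTID options) from a pre-computed TLS decision,
// so the effect of using the wrong rule is visible in the SOURCE_SSL clause.
func replicationSourceCommand(host string, port int, useSSL bool) string {
	ssl := 0
	if useSSL {
		ssl = 1
	}
	return fmt.Sprintf("CHANGE REPLICATION SOURCE TO SOURCE_HOST='%s', SOURCE_PORT=%d, SOURCE_SSL=%d",
		host, port, ssl)
}

func main() {
	// Constructed configuration matching the flags quoted in the issue.
	cp := &ConnParams{UnixSocket: "/var/run/mysqld/mysqld.sock", SslMode: Preferred}
	fmt.Println("current rule  :", replicationSourceCommand("primary.example", 3306, cp.SslEnabled()))
	fmt.Println("suggested rule:", replicationSourceCommand("primary.example", 3306, cp.ReplicationSslEnabled()))
}
```

With `--db_socket` set and `--db_ssl_mode preferred`, the current rule yields `SOURCE_SSL=0` for the replication channel even though that channel goes over TCP, which is exactly why the reporter has to fall back to `required`; the suggested rule yields `SOURCE_SSL=1` while still honouring an explicit `disabled`.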
arthurschreiber (Contributor, Author) commented:

I also noticed that mysqlFlavor.catchupToGTIDCommands follows another slightly different set of rules to configure SSL / TLS connections. I think that probably should be fixed to simply call to mysqlFlavor.setReplicationSourceCommand to follow the same rules.
