Add support for SSL #521
Comments
|
We have been looking into this as well. One option Percona mentioned to me was to define the SSL options in the my.cnf and set the user you use to require SSL. I haven't had a chance to test this yet but it has been on my radar. You may also need to setup the existing replication user the same way. For what it's worth, I've also been thinking about this in the context of orchestrator (failing over replication using SSL when that happens) |
That won't work for gh-ost as it doesn't use the standard mysql client to connect |
|
Ah that makes sense. That might only work for orchestrator issuing |
|
Well, |
|
Any update on this request @shlomi-noach? If no one has started on this, is there perhaps a sample PR from orchestrator that you could link here that we might use to add SSL support in? Thanks! |
|
@wesleyk I have no immediate plan to work on this. Relevant |
|
Sounds good, thanks for the PRs! |
|
We experienced a recent need for SSL support while using the gh-ost tool on AWS RDS instances. I've submitted #705 as an initial pass of what I think is the minimum support we need for our use case. While it doesn't cover every ssl setting that users might want to select, it can provide at least a starting point to adding in some level of SSL/TLS support into gh-ost. |
|
@shlomi-noach I am also interested in SSL support. I tried @brandonbodnar-wk's patch last week, and had to make some further changes to get SSL to work in my use case. The specific issue I have found is it does not seem like SSL options passed to the CLI are properly used in all places we connect to MySQL; this was causing errors while gh-ost was trying to walk from the replica up to the master: Full disclosure, I edited the output above to remove actual hostnames and replace them with host1 and host2. Error is coming from attempting to use a TLS config called "host1" when |
|
Interesting @RafeKettler. I'll admit, I have not tested the patch for ssl support on mysql setups other than with AWS RDS, which I know acts differently than other setups in gh-ost. |
Related issue: github#521 - Add --ssl-cert and --ssl-key options to specify SSL public/private key files - Allow combining --ssl-allow-insecure with other --ssl* flags. `mysql.RegisterTLSConfig` allows combining the corresponding parameters in the `tls.Config` it receives, so gh-ost should allow this. I found being able to pass --ssl-allow-insecure along with --ssl-ca, --ssl-cert, and --ssl-key useful in testing. - Use the same TLS config everywhere. Since the CLI only supports a single set of --ssl* configuration parameters, this should be fine -- `mysql.RegisterTLSConfig` documentation indicates the TLS config given will not be modified, so it can safely be used in many goroutines provided we also do not modify it. The previous implementation did not work when the TLS config was duplicated, which happens when gh-ost walks up the replication chain trying to find the master. This is because, when the config is duplicated, we must call `RegisterTLSConfig` again with the new config. This config is exactly the same, so it's easiest to side-step the issue by registering the TLS config once and using it everywhere.
Related issue: github#521 - Add --ssl-cert and --ssl-key options to specify SSL public/private key files - Allow combining --ssl-allow-insecure with other --ssl* flags. `mysql.RegisterTLSConfig` allows combining the corresponding parameters in the `tls.Config` it receives, so gh-ost should allow this. I found being able to pass --ssl-allow-insecure along with --ssl-ca, --ssl-cert, and --ssl-key useful in testing. - Use the same TLS config everywhere. Since the CLI only supports a single set of --ssl* configuration parameters, this should be fine -- `mysql.RegisterTLSConfig` documentation indicates the TLS config given will not be modified, so it can safely be used in many goroutines provided we also do not modify it. The previous implementation did not work when the TLS config was duplicated, which happens when gh-ost walks up the replication chain trying to find the master. This is because, when the config is duplicated, we must call `RegisterTLSConfig` again with the new config. This config is exactly the same, so it's easiest to side-step the issue by registering the TLS config once and using it everywhere.
Related issue: github#521 - Add --ssl-cert and --ssl-key options to specify SSL public/private key files - Allow combining --ssl-allow-insecure with other --ssl* flags. `mysql.RegisterTLSConfig` allows combining the corresponding parameters in the `tls.Config` it receives, so gh-ost should allow this. I found being able to pass --ssl-allow-insecure along with --ssl-ca, --ssl-cert, and --ssl-key useful in testing. - Use the same TLS config everywhere. Since the CLI only supports a single set of --ssl* configuration parameters, this should be fine -- `mysql.RegisterTLSConfig` documentation indicates the TLS config given will not be modified, so it can safely be used in many goroutines provided we also do not modify it. The previous implementation did not work when the TLS config was duplicated, which happens when gh-ost walks up the replication chain trying to find the master. This is because, when the config is duplicated, we must call `RegisterTLSConfig` again with the new config. This config is exactly the same, so it's easiest to side-step the issue by registering the TLS config once and using it everywhere.
|
I opened PR #716 to address the issues I mentioned. @shlomi-noach mind taking a look when you get a chance? @brandonbodnar-wk would also love your feedback, especially on whether this breaks your usage of gh-ost on RDS :) |
I came across some use cases where strict compliance rules enforce that all connections to the db's need to use SSL. It would be nice if gh-ost supported that option.
It looks like go-mysql-driver already has support (go-sql-driver/mysql#89)
Also for reference: https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
The text was updated successfully, but these errors were encountered: