Mysql proxy filter

[rshriram]

This filter contains the logic to decode the mysql wire protocol and SQL queries (SQL99 only).
The code is based on our internal version at VMware. The SQL parser can be found at https://github.com/rshriram/sql-parser. Its a cleaned up version of Hyrise SQL parser. I am keeping the code as a separate library as importing the sources into envoy will cause a lot of changes to the code.

Signed-off-by: Giorgio Valentini gvalentini@vmware.com
Signed-off-by: Deepa Kalani dkalani@vmware.com
Signed-off-by: Shriram Rajagopalan shriramr@vmware.com
Signed-off-by: Venil Noronha veniln@vmware.com

[mattklein123]

@rshriram what's the high level plan here for this? Can you provide some context on what this will do before we start thinking about reviewing? Note also that we have the older MySQL HC PR from AirBnb which was never finished.

[rshriram]

@mattklein123 this filter by itself is useful for decoding the connection phase of the mysql wire protocol (https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_PROTOCOL.html#protocol_overview) . It will emit stats like the database accessed (not the tables), the user, active sessions, failed login sessions, etc. So, the current PR by itself carries a decent amount of utility.

In order to decode the SQL queries in the command phase (https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_command_phase.html), we need a full fledged SQL parser based on lex/yacc etc. The code we have internally doesn't use such a parser. It extracts only the pieces we want. Thats unlikely to be useful to the rest of the community.

The MySQL health check stuff can be written on top of this code. IIRC, the mysql health check stuff was doing some minimal protocol processing just enough to decode the simple mysql ping queries, while this provides a full fledged parser for the connection phase.

[rshriram]

ping.. any comments on this?

[dio]

Overall this is very interesting. As @mattklein123 comment, let's have this: #3502 to be built based on this?

Just curious, since it has WIP prefix, do you think you want to add more features in this PR?

[rshriram]

@dio that’s my plan. Once this is in, we can build #3502 on top of this.

I put it as wip thinking there will be major changes to the design. Will remove.

[dio]

@rshriram cool. Apart from what the clang_tidy has found and that "multiple definitions of ..." when linking MysqlTestUtils in coverage CI (I think either to split the interface and the impl in the different files or put the impl directly in *.h should fix that?), I think this PR is good (tried it manually and it works great).

[rshriram]

@mattklein123 / @lizan
the coverage is missing for getters and setters, or empty virtual functions. I have added more tests for the parts that matter (length encoded integer and the fallback to plain tcp proxy if there is a decoder error)

[rshriram]

/retest

[repokitteh-read-only]

🔨 rebuilding ci/circleci: coverage (failed build)

🐱

Caused by: a #4975 (comment) was created by @rshriram.

see: more, trace.

[dio]

Thanks! I'll defer to Lizan and Matt.

[lizan]

@rshriram re: empty virtual functions, are they supposed not to be called? If so add NOT_IMPLEMENTED_GCOVR_EXCL_LINE, if not some test should cover them.

[mattklein123]

Thanks, this is super cool. I skimmed the code and it seems fine to go in as an experimental filter.

Some doc requests, otherwise will defer to @lizan on any remaining code changes.

/wait

[mattklein123]

Can you add an experimental warning like we do for other new filters? Also, can you add a release note that introduces experimental MySQL support?

Optimally, can you also add a config snippet that shows how to setup the filter? That's typically done now for new filters and it makes it easier on new users.

It would also be super sweet if in a follow up you could add a docker compose example of getting all of this running so that people can use a sample app w/ mysql and actually see this all work.

[rshriram]

I took a look at other filters. There is no mention of experimental in their docs. The proto stuff however has experimental tag. is that what you meant?

[rshriram]

I added proto status experimental to the protos. And added config snippets along with some RBAC examples as well.

[rshriram]

@lizan / @mattklein123 I have added the docs with config samples, version history, and the experimental warning. The docker compose example would have to wait until we have access logging for MySQL.

[mattklein123]

LGTM with small version history at nit. Will defer to @lizan for final review and merge. Thank you for working on this! Super cool.

[mattklein123]

nit: alpha order and also I would call this "mysql:"

[doodlesbykumbi]

Hi @rshriram. Why does the buffer need draining here ?
I tried out the filter with SSL and it hangs after draining for both onData and onWrite.
Taking out this line altogether results in a build that works as intended.

[rshriram]

I was merely following the logic in mongo filter, that did the same.

void ProxyFilter::doDecode(Buffer::Instance& buffer) {
  if (!sniffing_ ||
      !runtime_.snapshot().featureEnabled(MongoRuntimeConfig::get().ProxyEnabled, 100)) {
    // Safety measure just to make sure that if we have a decoding error we keep going and lose
    // stats. This can be removed once we are more confident of this code.
    buffer.drain(buffer.length());
    return;
  }