*: move config file option require_secure_transport to sysvar#34261
*: move config file option require_secure_transport to sysvar#34261ti-chi-bot merged 11 commits intopingcap:masterfrom
Conversation
|
[REVIEW NOTIFICATION] This pull request has been approved by:
To complete the pull request process, please ask the reviewers in the list to review by filling The full list of commands accepted by this bot can be found here. DetailsReviewer can indicate their review by submitting an approval review. |
|
Please review @morgo |
| ts.runTestLoadDataForListColumnPartition2(t) | ||
| } | ||
|
|
||
| func TestInvalidTLS(t *testing.T) { |
There was a problem hiding this comment.
to check for the invalid server credential
|
Code Coverage Details: https://codecov.io/github/pingcap/tidb/commit/a3a9ae711009a69c4fc553fcbddfc7faa912f29d |
| ) | ||
|
|
||
| // RequireSecureTransport Process global variables | ||
| var RequireSecureTransport = atomic.NewBool(false) |
There was a problem hiding this comment.
added util/tls package to remove the import dependency to add the atomic value.
There was a problem hiding this comment.
So the -require-secure-transport flag gets removed as well? I think that's good. However this doesn't seem to be noted in the release notes line of the description of this PR.
Looks like we need to be more careful when switching this on on a running server as it seems to allow one to set global require_secure_transport=on when TLS is not enabled. This leaves UNIX sockets as the remaining option. But we probably don't check if we actually listen on a UNIX socket. This would lock us out of the server completely.
Also this seems not to work as intended with UNIX sockets:
[dvaneeden@dve-carbon ~]$ mysql -u root -S /tmp/tidb-4000.sock
ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.
A possible fix would be to only allow one to set this variable from a secure (TLS or socket) connection.
I'm not sure I understand this point. The release note is: (Replaced does imply removal).
OK that's a bug we'll need to fix. I think we can do it in this PR.
Agree |
Without this PR the require secure transport feature can be enabled by:
With this PR the only option is:
I think the changelog entry correctly states that the configuration file option gets replaced by the global variable. However it doesn't say anything about the replacement/removal of the flag for the |
OK! I understand now. I've changed the release note message to:
|
|
@Alkaagr81 please fix conflicts. Thx! |
dveeden
left a comment
There was a problem hiding this comment.
Somehow it looks like it is not considering a socket connection as secure when setting the variable.
mysql> \s
--------------
mysql Ver 8.0.29 for Linux on x86_64 (MySQL Community Server - GPL)
Connection id: 407
Current database:
Current user: root@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.25-TiDB-v6.1.0-alpha-439-g0db763f3a TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
UNIX socket: /tmp/tidb.sock
Binary data as: Hexadecimal
Uptime: 44 sec
Threads: 0 Questions: 0 Slow queries: 0 Opens: 0 Flush tables: 0 Open tables: 0 Queries per second avg: 0.000
--------------
mysql> set global require_secure_transport=1;
ERROR 1105 (HY000): require_secure_transport can only be set to ON if the connection issuing the change is secure
I actually thought that was a good behavior, since it requires you to prove connection security is configured correctly. This helps reduce misconfiguration/lockouts. We can revisit in future if required. |
|
/merge |
|
This pull request has been accepted and is ready to merge. DetailsCommit hash: 0db763f |
I see your point, and this would indeed ensure TLS is working before we enable Happy to see this merged, this is very useful. |
| "alter-primary-key": {}, // use NONCLUSTERED keyword instead | ||
| "enable-streaming": {}, | ||
| "performance.mem-profile-interval": {}, | ||
| "require-secure-transport": {}, |
There was a problem hiding this comment.
It should be 'security.require-secure-transport', see #34771
What problem does this PR solve?
Issue Number: ref #33769
Fixes #26065
Problem Summary:
The option
require-secure-transporthas historically been a config option. But based on requirements from cloud & PM it should instead be a sysvar.What is changed and how it works?
Remove them from the config list and add them to global sysvars.
Check List
Tests
Side effects
Previously, if TLS certificates were provided by in configuration they were not validated unless
require-secure-transportwas set. They are now always validated, and the tidb-server will refuse to start if they are invalid. This helps prevent a misconfiguration where TLS downgrades could occur, and duplicates Fail server startup when opening TLS context fails #26065 (it does not affect users who specify no TLS certs).This might be a bit confusing during upgrade for users who have previously set
require-secure-transport(most users haven't). It needs to be documented in the release notes that it has been replaced with the system variablerequire_secure_transport.Documentation
Release note
Please refer to Release Notes Language Style Guide to write a quality release note.