From 35d4be14d2a86a4f6e9d2f86673f2c781ac08499 Mon Sep 17 00:00:00 2001 From: Markus Makela Date: Tue, 13 Sep 2016 21:22:36 +0300 Subject: [PATCH] Make service and monitor permissions checks optional MaxScale shouldn't require the service and monitor user checks. It makes sense to disable the checks to speed up the startup process when the user knows that the permissions are OK. --- .../Getting-Started/Configuration-Guide.md | 38 +++++++++++++++++++ server/core/config.c | 5 +++ server/core/dbusers.c | 3 +- server/core/monitor.c | 5 +++ server/include/maxconfig.h | 1 + 5 files changed, 51 insertions(+), 1 deletion(-) diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md index 33ea2ab46..cd8b50456 100644 --- a/Documentation/Getting-Started/Configuration-Guide.md +++ b/Documentation/Getting-Started/Configuration-Guide.md 
@@ -95,14 +95,26 @@ It should be noted that additional threads will be created to execute other inte The connection timeout in seconds for the MySQL connections to the backend server when user authentication data is fetched. Increasing the value of this parameter will cause MariaDB MaxScale to wait longer for a response from the backend server before aborting the authentication process. The default is 3 seconds. +``` +auth_connect_timeout=10 +``` + #### `auth_read_timeout` The read timeout in seconds for the MySQL connection to the backend database when user authentication data is fetched. Increasing the value of this parameter will cause MariaDB MaxScale to wait longer for a response from the backend server when user data is being actively fetched. If the authentication is failing and you either have a large number of database users and grants or the connection to the backend servers is slow, it is a good idea to increase this value. The default is 1 second. +``` +auth_read_timeout=10 +``` + #### `auth_write_timeout` The write timeout in seconds for the MySQL connection to the backend database when user authentication data is fetched. Currently MariaDB MaxScale does not write or modify the data in the backend server. The default is 2 seconds. +``` +auth_write_timeout=10 +``` + #### `ms_timestamp` Enable or disable the high precision timestamps in logfiles. Enabling this adds millisecond precision to all logfile timestamps. 
@@ -113,10 +125,28 @@ Enable or disable the high precision timestamps in logfiles. Enabling this adds ms_timestamp=1 ``` +#### `skip_permission_checks` + +Skip service and monitor user permission checks. This is useful when you know +the permissions are OK and you want to speed up the startup process. This +parameter takes a boolean value and is disabled by default. + +It is recommended to not disable the permission checks so that any missing +privileges are detected when maxscale is starting up. If you are experiencing a +slow startup of MaxScale due to large amounts of connection timeouts when +permissions are checked, disabling the permission checks could speed up the +startup process. + +``` +skip_permission_checks=true +``` + #### `syslog` + Enable or disable the logging of messages to *syslog*. By default logging to *syslog* is enabled. + ``` # Valid options are: # syslog=<0|1> @@ -127,9 +157,11 @@ To enable logging to syslog use the value 1 and to disable use the value 0. #### `maxlog` + Enable to disable to logging of messages to MariaDB MaxScale's log file. By default logging to *maxlog* is enabled. + ``` # Valid options are: # syslog=<0|1> @@ -140,6 +172,7 @@ To enable logging to the MariaDB MaxScale log file use the value 1 and to disable use the value 0. #### `log_to_shm` + Enable or disable the writing of the *maxscale.log* file to shared memory. If enabled, then the actual log file will be created under `/dev/shm` and a symbolic link to that file will be created in the *MaxScale* log directory. @@ -169,6 +202,7 @@ To enable logging to shared memory use the value 1 and to disable use the value 0. #### `log_warning` + Enable or disable the logging of messages whose syslog priority is *warning*. Messages of this priority are enabled by default. 
@@ -181,6 +215,7 @@ log_warning=0 To disable these messages use the value 0 and to enable them use the value 1. #### `log_notice` + Enable or disable the logging of messages whose syslog priority is *notice*. Messages of this priority provide information about the functioning of MariaDB MaxScale and are enabled by default. @@ -267,10 +302,12 @@ times in one second, the logging of that error is suppressed for the following 10 seconds. To disable log throttling, add an entry with an empty value + ``` log_throttling= ``` or one where any of the integers is 0. + ``` log_throttling=0, 0, 0 ``` @@ -358,6 +395,7 @@ An integer argument taking the following values: query_classifier=qc_sqlite query_classifier_args=log_unrecognized_statements=1 ``` + This will log all statements that cannot be parsed completely. This may be useful if you suspect that MariaDB MaxScale routes statements to the wrong server (e.g. to a slave instead of to a master). diff --git a/server/core/config.c b/server/core/config.c index b1cbb41e8..baaec3596 100644 --- a/server/core/config.c +++ b/server/core/config.c @@ -957,6 +957,10 @@ handle_global_item(const char *name, const char *value) { mxs_log_set_highprecision_enabled(config_truth_value((char*)value)); } + else if (strcmp(name, "skip_permission_checks") == 0) + { + gateway.skip_permission_checks = config_truth_value((char*)value); + } else if (strcmp(name, "auth_connect_timeout") == 0) { char* endptr; @@ -1301,6 +1305,7 @@ global_defaults() gateway.auth_conn_timeout = DEFAULT_AUTH_CONNECT_TIMEOUT; gateway.auth_read_timeout = DEFAULT_AUTH_READ_TIMEOUT; gateway.auth_write_timeout = DEFAULT_AUTH_WRITE_TIMEOUT; + gateway.skip_permission_checks = false; if (version_string != NULL) { gateway.version_string = MXS_STRDUP_A(version_string); diff --git a/server/core/dbusers.c b/server/core/dbusers.c index d49a9698e..7927e1a90 100644 --- a/server/core/dbusers.c +++ b/server/core/dbusers.c 
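Review bot: In the `skip_permission_checks` branch of handle_global_item, the result of `config_truth_value()` is stored straight into a `bool`, so any non-zero return becomes true. If that helper signals an unrecognised value with a negative return (its definition is not part of this diff, so confirm), a misspelled `false` would turn the permission checks off instead of leaving them on. A setting that disables a safety check should fail closed: `int rv = config_truth_value((char*)value);` followed by `gateway.skip_permission_checks = (rv == 1);`, ideally with an error logged when `rv` is neither 0 nor 1. handle_global_item starts and ends outside the hunk.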
@@ -2689,7 +2689,8 @@ static bool check_server_permissions(SERVICE *service, SERVER* server, */ bool check_service_permissions(SERVICE* service) { - if (is_internal_service(service->routerModule)) + if (is_internal_service(service->routerModule) || + config_get_global_options()->skip_permission_checks) { return true; } diff --git a/server/core/monitor.c b/server/core/monitor.c index 3741c3071..e2143b319 100644 --- a/server/core/monitor.c +++ b/server/core/monitor.c @@ -543,6 +543,11 @@ bool check_monitor_permissions(MONITOR* monitor, const char* query) return false; } + if (config_get_global_options()->skip_permission_checks) + { + return true; + } + char *user = monitor->user; char *dpasswd = decryptPassword(monitor->password); GATEWAY_CONF* cnf = config_get_global_options(); diff --git a/server/include/maxconfig.h b/server/include/maxconfig.h index 2e7970657..684af2376 100644 --- a/server/include/maxconfig.h +++ b/server/include/maxconfig.h @@ -121,6 +121,7 @@ typedef struct unsigned int auth_conn_timeout; /**< Connection timeout for the user authentication */ unsigned int auth_read_timeout; /**< Read timeout for the user authentication */ unsigned int auth_write_timeout; /**< Write timeout for the user authentication */ + bool skip_permission_checks; /**< Skip service and monitor permission checks */ char qc_name[PATH_MAX]; /**< The name of the query classifier to load */ char* qc_args; /**< Arguments for the query classifier */ } GATEWAY_CONF;
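Review bot: check_service_permissions now returns true without logging anything when `skip_permission_checks` is set, and the same holds for the new early return in check_monitor_permissions in server/core/monitor.c. The start-up log then looks the same whether the grants were verified or never examined, which makes a later authentication failure harder to trace back to this setting. Give the skip its own branch rather than OR-ing it with the internal-service test, and add a line such as `MXS_NOTICE("skip_permission_checks is enabled, service user permissions were not verified.");` before returning. The skip is also the first test in the function, whereas monitor.c places it after an existing `return false;`; the rest of check_service_permissions is outside the hunk, so check whether any purely local validation that follows should still run.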
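Review bot: The new guard in check_monitor_permissions calls `config_get_global_options()`, and three lines later the existing code calls it again to initialise `cnf`. Moving `GATEWAY_CONF* cnf = config_get_global_options();` above the guard and testing `cnf->skip_permission_checks` leaves one lookup and one name for the global configuration in the function. The function body begins and ends outside the hunk.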