dc7f7b6fb4
973b983 Merge branch 'release-2.0.0' into develop 255dd23 Make spinlock functions take const argument 6e23bab Fix bitmask reallocation 338c189 Rename and clean up slavelag filter 3ea8f28 Fix possible NULL pointer dereference bfe6738 MXS-830: Add module information to logged messages 1fad962 Fix strncat usage d38997a Adjust log throttling policy 0be4e4b Add hashtable_item_strcasecmp 726100e Take hashtable convenience functions into use 5e7744a Fix typo in maxadmin.md c5778c8 Merge branch 'release-2.0.0' into develop b5762af Move from tmpnam to mkstemp d6f2c71 Add convenience functions to hashtable 359058a MXS-825: Add support for --execdir 636347c Enable runtime reconfiguration of log throttling ef9fba9 Improve log throttling documentation aef917a Implement log throttling e3a5349 Remove shardrouter.c 8051e80 Remove custom qc_sqlite allocation functions fd34d60 Initial implementation of the learning firewall a8752a8 Removed "filestem option" from example 1ef2519 Removed "filestem option" from example 0815cc8 Cleanup spinlock.h ab4dc99 Clean up hashtable.h ef2c078 Add prototypes for hashtable copy and free functions fb5cfaf Add 'log_throttling' configuration entry 300d823 Add proper prototypes for hashtable hash and cmp functions 1c649aa qc_mysqlembedded: Include skygw_...h without path. d276160 Add missing RPM scripts e70e644 Fix HTTPAuth installation 1b2b389 Combine utils into the server directory 3ff9913 Add missing utils headers to devel package 407efb2 Fix minor packaging problems 99aa6ad Split MaxScale into core, experimental and devel packages 1290386 Merge branch 'develop' of ssh://github.com/mariadb-corporation/maxscale-new into develop e59f148 Make scripts POSIX sh compatible 7319266 Fixed SHOW SLAVE STATUS in bonlog router f8d760a Update Binlogrouter.md 0a904ed Update Replication-Proxy-Binlog-Router-Tutorial.md 75d4202 Update Replication-Proxy-Binlog-Router-Tutorial.md b8651fc Add missing newline in listmanager.h c7ad047 Add note about user data caches to release notes 70ccc2b Merge branch 'release-2.0.0' into develop 575d1b6 Mistake - dummy session needs list markers set. 8364508 Merge branch 'develop' into binlog_server_semisync 868b902 Update MaxScale limitations 2c8b327 Store listener caches in separate directories 6e183ec Create unique user data caches for each listeners f643685 Don't free orphaned tee filter sessions 4179afa Allow binlogrouter to be used without a listener 7ad79af Add function for freeing a listener 677a0a2 Move authentication data from services to listeners 4f12af7 Merge remote-tracking branch 'origin/MXS-677' into develop 1419b81 Semi-Sync support to binlog server: code review updtate 0ea0f01 Semi-Sync support to binlog server: added missing routine 4aad909 Semi-Sync support to binlog server b824e1e Add authenticator support to httpd.c 705a688 Change tabs to spaces d0c419e Change method of adding list fields to e.g. DCB 25504fc Document the changed routing priority of hints 41666d1 Remove use_ssl_if_enabled global option a3584e9 Make routing hints have highest priority 34a1d24 Updated document with new binlog router option 01eedc5 Updated documentation with SSL usage 8a4c0f6 Update Replication-Proxy-Binlog-Router-Tutorial.md 4e374aa Update Replication-Proxy-Binlog-Router-Tutorial.md f3f3c57 Update Replication-Proxy-Binlog-Router-Tutorial.md 617b79f Binlog Server: error messages typo fix fa8dfae Binlog Server: error messages review 1b8819c Fix freeing of schemarouter session memory 07f49e1 MXS-788: new code review fix 1fd3b09 MXS-788: show services now displays SSL info 6ca2584 MXS-788 code review fix ae6a7d0 MXS-788 code review 43d3474 Master server SSL connection 90b2377 Use correct variable in listmanager pre-allocation 9a5b238 Fix listmanager pre-allocation 9c78625 Fix a memory leak when backend authentication fails e59a966 Fix hang in list_find_free ff30223 Fix freeing of shared data in schemarouter fc8f9d3 Add missing include in luafilter ecf7f53 Add missing NULL value to filter parameter array 636d849 Update memory allocation approach f0d1d38 Add new allocation functions 97d00a0 Fix writing of uninitialized data to logs e72c9b2 Merge branch 'release-2.0.0' into develop cf2b712 Merge branch 'release-2.0.0' into develop 8917c5c Change the logic behind valid list entry checks c10deff Improve documentation about version_string f59f1f7 Merge branch 'develop' of ssh://github.com/mariadb-corporation/maxscale-new into develop c88edb3 Backend authentication failure improvement abd5bee Revert "Backend authentication failure improvement" 5bb3107 Backend authentication failure improvement b7f434a Add new allocation functions 3f022fa Fix stupid mistake 99c4317 Merge remote-tracking branch 'origin/MXS-677' into develop 3c1ded6 Added connection/authentication failure error reporting in SHOW SLAVE STATUS 0a60f7b Tidy up and deal with review points. ba103ff blr_slave.c: Update strncpy usage 467331e blr_master.c: Strncpy usage updates d2b7c0c Merge remote-tracking branch 'origin/develop-nullauth-merge' into develop 5a8c1d0 qc: Measure execution time at the right place. bccdb93 Merge branch 'NullAuthDeny' into develop 2e6511c Add 5.5.5 prefix to all version strings that lack it 314655a Improve DCB and session initialization and list handling e1c43f0 MXS-655: Make MaxScale logging logrotate(8) compatible ce36afd MXS-626: Don't log a header unless maxlog enabled dcd47a7 blr_file.c: Replace uses of strncpy 6b8f576 bls_slave.c: Replace strncpy with memcpy 68a0039 Add list preallocation, tidy up, simplify init. cb37d1b Fix copyright etc headers. 11a400d Tidy; comment; fix bad copies and mistakes. 7e36ec4 Add list manager files. c4794e3 Initial code for list manager. 1b42e25 Merge remote-tracking branch 'origin/MXS-765' into develop d50f617 Fix problems, extend tests, respond to review. dcb4a91 Filter test folder removed 0b60dbe Add a couple of comments. 83cdba0 Fix overwriting problem. ba5d353 Fix overwriting problem. 53671cb Small fixes in response to review. 173d049 blr.c: Review strncpy usage 4ff6ef2 binlog_common.c: Replace strncpy with memcpy f238e03 maxbinlogcheck.s: Replace strncpy 9807f8d harness: Replace unnecessary use of strncpy 8c7fe6a avro: Modify strncpy usage 9b8008e Small improvements. b7f784f Fix mistakes in testqueuemanager.c cc26962 Restore missing poll.c code; add testqueuemanager.c. 2e91806 Format the filter harness 22059e6 Initial implementation connection queueing. c604dc2 readwritesplit.c: Improve COM_INIT_DB handling 454d920 schemarouter.c: Replace strncpy with strcpy 8e85d66 sharding_common.c: Too long a database name handled explicitly 77f4446 Astyle schemarouter 491f7c2 maxinfo.c: Replace strncpy with memcpy 6b98105 maxinfo: Reformat with astyle c1dbf08 Handle oversize user and database names 5fa4a0f Merge branch 'develop' of ssh://github.com/mariadb-corporation/maxscale-new into develop 706963b BLR_DBUSERS_TAIL new var in blr.h d75b9af Tweak comments, remove trailing blanks. ab2400a Optimise statistics gathering by inline & simpler fns. fb59ddc Remove unnecessary strncpy/strncat usage in Binlog Server bdcd551 resultset.c: Change strncpy to memcpy c6b1c5e Reject rather than cut too long a path 6d8f112 Remove unnecessary strncpy/strncat usage 18bf5ed Remove unnecessary strncpy usage dc0e2db Make maxpasswd more userfriendly c9c8695 Fix calculation of padded_len in encryptPassword 2cfd2c6 dbusers.c: Check strncpy usage 7ab9342 Make more thorough checks in secrets_readKeys be7d593 Format cli.c debugcli.c testroute.c webserver.c 1ee5efb config.c: Check usage of strncpy 3043b12 gq_utils.c: Unnecessary use of strncpy removed 77874ac Add help to maxkeys 38392a3 Update secrets_writeKeys documentation 2d1325c Make SSL optional in MaxScale's own communication bda00da Fix avro build failures b2cb31a Add more OOM macros 41ccf17 Fix strdup usage a48f732 Fix realloc calls 20771f6 Add forgotten extern "C" block 8faf35a Add maxscale allocation functions bb47890 Add macros for OOM logging afea388 Fix silly mistakes. 6dafd22 Make deny default for null auth; move code from common to auth.
666 lines
18 KiB
C
666 lines
18 KiB
C
/*
|
|
* Copyright (c) 2016 MariaDB Corporation Ab
|
|
*
|
|
* Use of this software is governed by the Business Source License included
|
|
* in the LICENSE.TXT file and at www.mariadb.com/bsl.
|
|
*
|
|
* Change Date: 2019-07-01
|
|
*
|
|
* On the date above, in accordance with the Business Source License, use
|
|
* of this software will be governed by version 2 or later of the General
|
|
* Public License.
|
|
*/
|
|
|
|
/**
|
|
* @file cdc_auth.c
|
|
*
|
|
* CDC Authentication module for handling the checking of clients credentials
|
|
* in the CDC protocol.
|
|
*
|
|
* @verbatim
|
|
* Revision History
|
|
* Date Who Description
|
|
* 11/03/2016 Massimiliano Pinto Initial version
|
|
*
|
|
* @endverbatim
|
|
*/
|
|
|
|
#include <gw_authenticator.h>
|
|
#include <cdc.h>
|
|
#include <modutil.h>
|
|
#include <users.h>
|
|
#include <sys/stat.h>
|
|
#include <maxscale/alloc.h>
|
|
|
|
/* Allowed time interval (in seconds) after last update*/
|
|
#define CDC_USERS_REFRESH_TIME 30
|
|
/* Max number of load calls within the time interval */
|
|
#define CDC_USERS_REFRESH_MAX_PER_TIME 4
|
|
|
|
|
|
MODULE_INFO info =
|
|
{
|
|
MODULE_API_AUTHENTICATOR,
|
|
MODULE_GA,
|
|
GWAUTHENTICATOR_VERSION,
|
|
"The CDC client to MaxScale authenticator implementation"
|
|
};
|
|
|
|
static char *version_str = "V1.0.0";
|
|
static int cdc_load_users_init = 0;
|
|
|
|
static int cdc_auth_set_protocol_data(DCB *dcb, GWBUF *buf);
|
|
static bool cdc_auth_is_client_ssl_capable(DCB *dcb);
|
|
static int cdc_auth_authenticate(DCB *dcb);
|
|
static void cdc_auth_free_client_data(DCB *dcb);
|
|
|
|
static int cdc_set_service_user(SERV_LISTENER *listener);
|
|
static int cdc_read_users(USERS *users, char *usersfile);
|
|
static int cdc_load_users(SERV_LISTENER *listener);
|
|
static int cdc_refresh_users(SERV_LISTENER *listener);
|
|
static int cdc_replace_users(SERV_LISTENER *listener);
|
|
|
|
extern char *gw_bin2hex(char *out, const uint8_t *in, unsigned int len);
|
|
extern void gw_sha1_str(const uint8_t *in, int in_len, uint8_t *out);
|
|
extern char *create_hex_sha1_sha1_passwd(char *passwd);
|
|
extern char *decryptPassword(char *crypt);
|
|
|
|
|
|
/*
|
|
* The "module object" for mysql client authenticator module.
|
|
*/
|
|
static GWAUTHENTICATOR MyObject =
|
|
{
|
|
cdc_auth_set_protocol_data, /* Extract data into structure */
|
|
cdc_auth_is_client_ssl_capable, /* Check if client supports SSL */
|
|
cdc_auth_authenticate, /* Authenticate user credentials */
|
|
cdc_auth_free_client_data, /* Free the client data held in DCB */
|
|
};
|
|
|
|
static int cdc_auth_check(
|
|
DCB *dcb,
|
|
CDC_protocol *protocol,
|
|
char *username,
|
|
uint8_t *auth_data,
|
|
unsigned int *flags
|
|
);
|
|
|
|
static int cdc_auth_set_client_data(
|
|
CDC_session *client_data,
|
|
CDC_protocol *protocol,
|
|
uint8_t *client_auth_packet,
|
|
int client_auth_packet_size
|
|
);
|
|
|
|
/**
|
|
* Implementation of the mandatory version entry point
|
|
*
|
|
* @return version string of the module
|
|
*/
|
|
char* version()
|
|
{
|
|
return version_str;
|
|
}
|
|
|
|
/**
|
|
* The module initialisation routine, called when the module
|
|
* is first loaded.
|
|
*/
|
|
void ModuleInit()
|
|
{
|
|
}
|
|
|
|
/**
|
|
* The module entry point routine. It is this routine that
|
|
* must populate the structure that is referred to as the
|
|
* "module object", this is a structure with the set of
|
|
* external entry points for this module.
|
|
*
|
|
* @return The module object
|
|
*/
|
|
GWAUTHENTICATOR* GetModuleObject()
|
|
{
|
|
return &MyObject;
|
|
}
|
|
|
|
/**
|
|
* @brief Function to easily call authentication check.
|
|
*
|
|
* @param dcb Request handler DCB connected to the client
|
|
* @param protocol The protocol structure for the connection
|
|
* @param username String containing username
|
|
* @param auth_data The encrypted password for authentication
|
|
* @return Authentication status
|
|
* @note Authentication status codes are defined in cdc.h
|
|
*/
|
|
static int cdc_auth_check(DCB *dcb, CDC_protocol *protocol, char *username, uint8_t *auth_data,
|
|
unsigned int *flags)
|
|
{
|
|
char *user_password;
|
|
|
|
if (!cdc_load_users_init)
|
|
{
|
|
/* Load db users or set service user */
|
|
if (cdc_load_users(dcb->listener) < 1)
|
|
{
|
|
cdc_set_service_user(dcb->listener);
|
|
}
|
|
|
|
cdc_load_users_init = 1;
|
|
}
|
|
|
|
user_password = users_fetch(dcb->listener->users, username);
|
|
|
|
if (!user_password)
|
|
{
|
|
return CDC_STATE_AUTH_FAILED;
|
|
}
|
|
else
|
|
{
|
|
/* compute SHA1 of auth_data */
|
|
uint8_t sha1_step1[SHA_DIGEST_LENGTH] = "";
|
|
char hex_step1[2 * SHA_DIGEST_LENGTH + 1] = "";
|
|
|
|
gw_sha1_str(auth_data, SHA_DIGEST_LENGTH, sha1_step1);
|
|
gw_bin2hex(hex_step1, sha1_step1, SHA_DIGEST_LENGTH);
|
|
|
|
if (memcmp(user_password, hex_step1, SHA_DIGEST_LENGTH) == 0)
|
|
{
|
|
return CDC_STATE_AUTH_OK;
|
|
}
|
|
else
|
|
{
|
|
return CDC_STATE_AUTH_FAILED;
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @brief Authenticates a CDC user who is a client to MaxScale.
|
|
*
|
|
* @param dcb Request handler DCB connected to the client
|
|
* @return Authentication status
|
|
* @note Authentication status codes are defined in cdc.h
|
|
*/
|
|
static int
|
|
cdc_auth_authenticate(DCB *dcb)
|
|
{
|
|
CDC_protocol *protocol = DCB_PROTOCOL(dcb, CDC_protocol);
|
|
CDC_session *client_data = (CDC_session *)dcb->data;
|
|
int auth_ret;
|
|
|
|
if (0 == strlen(client_data->user))
|
|
{
|
|
auth_ret = CDC_STATE_AUTH_ERR;
|
|
}
|
|
else
|
|
{
|
|
MXS_DEBUG("Receiving connection from '%s'",
|
|
client_data->user);
|
|
|
|
auth_ret = cdc_auth_check(dcb, protocol, client_data->user, client_data->auth_data, client_data->flags);
|
|
|
|
/* On failed authentication try to reload user table */
|
|
if (CDC_STATE_AUTH_OK != auth_ret && 0 == cdc_refresh_users(dcb->listener))
|
|
{
|
|
/* Call protocol authentication */
|
|
auth_ret = cdc_auth_check(dcb, protocol, client_data->user, client_data->auth_data, client_data->flags);
|
|
}
|
|
|
|
/* on successful authentication, set user into dcb field */
|
|
if (CDC_STATE_AUTH_OK == auth_ret)
|
|
{
|
|
dcb->user = MXS_STRDUP_A(client_data->user);
|
|
}
|
|
else if (dcb->service->log_auth_warnings)
|
|
{
|
|
MXS_NOTICE("%s: login attempt for user '%s', authentication failed.",
|
|
dcb->service->name, client_data->user);
|
|
}
|
|
}
|
|
|
|
return auth_ret;
|
|
}
|
|
|
|
/**
|
|
* @brief Transfer data from the authentication request to the DCB.
|
|
*
|
|
* The request handler DCB has a field called data that contains protocol
|
|
* specific information. This function examines a buffer containing CDC
|
|
* authentication data and puts it into a structure that is referred to
|
|
* by the DCB. If the information in the buffer is invalid, then a failure
|
|
* code is returned. A call to cdc_auth_set_client_data does the
|
|
* detailed work.
|
|
*
|
|
* @param dcb Request handler DCB connected to the client
|
|
* @param buffer Pointer to pointer to buffer containing data from client
|
|
* @return Authentication status
|
|
* @note Authentication status codes are defined in cdc.h
|
|
*/
|
|
static int
|
|
cdc_auth_set_protocol_data(DCB *dcb, GWBUF *buf)
|
|
{
|
|
uint8_t *client_auth_packet = GWBUF_DATA(buf);
|
|
CDC_protocol *protocol = NULL;
|
|
CDC_session *client_data = NULL;
|
|
int client_auth_packet_size = 0;
|
|
|
|
protocol = DCB_PROTOCOL(dcb, CDC_protocol);
|
|
CHK_PROTOCOL(protocol);
|
|
if (dcb->data == NULL)
|
|
{
|
|
if (NULL == (client_data = (CDC_session *)MXS_CALLOC(1, sizeof(CDC_session))))
|
|
{
|
|
return CDC_STATE_AUTH_ERR;
|
|
}
|
|
dcb->data = client_data;
|
|
}
|
|
else
|
|
{
|
|
client_data = (CDC_session *)dcb->data;
|
|
}
|
|
|
|
client_auth_packet_size = gwbuf_length(buf);
|
|
|
|
return cdc_auth_set_client_data(client_data, protocol, client_auth_packet,
|
|
client_auth_packet_size);
|
|
}
|
|
|
|
/**
|
|
* @brief Transfer detailed data from the authentication request to the DCB.
|
|
*
|
|
* The caller has created the data structure pointed to by the DCB, and this
|
|
* function fills in the details. If problems are found with the data, the
|
|
* return code indicates failure.
|
|
*
|
|
* @param client_data The data structure for the DCB
|
|
* @param protocol The protocol structure for this connection
|
|
* @param client_auth_packet The data from the buffer received from client
|
|
* @param client_auth_packet size An integer giving the size of the data
|
|
* @return Authentication status
|
|
* @note Authentication status codes are defined in cdc.h
|
|
*/
|
|
static int
|
|
cdc_auth_set_client_data(CDC_session *client_data,
|
|
CDC_protocol *protocol,
|
|
uint8_t *client_auth_packet,
|
|
int client_auth_packet_size)
|
|
{
|
|
int rval = CDC_STATE_AUTH_ERR;
|
|
int decoded_size = client_auth_packet_size / 2;
|
|
char decoded_buffer[decoded_size + 1]; // Extra for terminating null
|
|
|
|
/* decode input data */
|
|
if (client_auth_packet_size <= CDC_USER_MAXLEN)
|
|
{
|
|
gw_hex2bin((uint8_t*)decoded_buffer, (const char *)client_auth_packet,
|
|
client_auth_packet_size);
|
|
decoded_buffer[decoded_size] = '\0';
|
|
char *tmp_ptr = strchr(decoded_buffer, ':');
|
|
|
|
if (tmp_ptr)
|
|
{
|
|
size_t user_len = tmp_ptr - decoded_buffer;
|
|
*tmp_ptr++ = '\0';
|
|
size_t auth_len = decoded_size - (tmp_ptr - decoded_buffer);
|
|
|
|
if (user_len <= CDC_USER_MAXLEN && auth_len == SHA_DIGEST_LENGTH)
|
|
{
|
|
strcpy(client_data->user, decoded_buffer);
|
|
memcpy(client_data->auth_data, tmp_ptr, auth_len);
|
|
rval = CDC_STATE_AUTH_OK;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
MXS_ERROR("Authentication failed, the decoded client authentication "
|
|
"packet is malformed. Expected <username>:SHA1(<password>)");
|
|
}
|
|
}
|
|
else
|
|
{
|
|
MXS_ERROR("Authentication failed, client authentication packet length "
|
|
"exceeds the maximum allowed length of %d bytes.", CDC_USER_MAXLEN);
|
|
}
|
|
|
|
return rval;
|
|
}
|
|
|
|
/**
|
|
* @brief Determine whether the client is SSL capable
|
|
*
|
|
* The authentication request from the client will indicate whether the client
|
|
* is expecting to make an SSL connection. The information has been extracted
|
|
* in the previous functions.
|
|
*
|
|
* @param dcb Request handler DCB connected to the client
|
|
* @return Boolean indicating whether client is SSL capable
|
|
*/
|
|
static bool
|
|
cdc_auth_is_client_ssl_capable(DCB *dcb)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* @brief Free the client data pointed to by the passed DCB.
|
|
*
|
|
* Currently all that is required is to free the storage pointed to by
|
|
* dcb->data. But this is intended to be implemented as part of the
|
|
* authentication API at which time this code will be moved into the
|
|
* CDC authenticator. If the data structure were to become more complex
|
|
* the mechanism would still work and be the responsibility of the authenticator.
|
|
* The DCB should not know authenticator implementation details.
|
|
*
|
|
* @param dcb Request handler DCB connected to the client
|
|
*/
|
|
static void
|
|
cdc_auth_free_client_data(DCB *dcb)
|
|
{
|
|
MXS_FREE(dcb->data);
|
|
}
|
|
|
|
/*
|
|
* Add the service user to CDC dbusers (service->users)
|
|
* via cdc_users_alloc
|
|
*
|
|
* @param service The current service
|
|
* @return 0 on success, 1 on failure
|
|
*/
|
|
static int
|
|
cdc_set_service_user(SERV_LISTENER *listener)
|
|
{
|
|
SERVICE *service = listener->service;
|
|
char *dpwd = NULL;
|
|
char *newpasswd = NULL;
|
|
char *service_user = NULL;
|
|
char *service_passwd = NULL;
|
|
|
|
if (serviceGetUser(service, &service_user, &service_passwd) == 0)
|
|
{
|
|
MXS_ERROR("failed to get service user details for service %s",
|
|
service->name);
|
|
|
|
return 1;
|
|
}
|
|
|
|
dpwd = decryptPassword(service->credentials.authdata);
|
|
|
|
if (!dpwd)
|
|
{
|
|
MXS_ERROR("decrypt password failed for service user %s, service %s",
|
|
service_user,
|
|
service->name);
|
|
|
|
return 1;
|
|
}
|
|
|
|
newpasswd = create_hex_sha1_sha1_passwd(dpwd);
|
|
|
|
if (!newpasswd)
|
|
{
|
|
MXS_ERROR("create hex_sha1_sha1_password failed for service user %s",
|
|
service_user);
|
|
|
|
MXS_FREE(dpwd);
|
|
return 1;
|
|
}
|
|
|
|
/* add service user */
|
|
(void)users_add(listener->users, service->credentials.name, newpasswd);
|
|
|
|
MXS_FREE(newpasswd);
|
|
MXS_FREE(dpwd);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Load AVRO users into (service->users)
|
|
*
|
|
* @param service The current service
|
|
* @return -1 on failure, 0 for no users found, > 0 for found users
|
|
*/
|
|
static int
|
|
cdc_load_users(SERV_LISTENER *listener)
|
|
{
|
|
SERVICE *service = listener->service;
|
|
int loaded = -1;
|
|
char path[PATH_MAX + 1] = "";
|
|
|
|
/* File path for router cached authentication data */
|
|
snprintf(path, PATH_MAX, "%s/%s/cdcusers", get_datadir(), service->name);
|
|
|
|
/* Allocate users table */
|
|
if (listener->users == NULL)
|
|
{
|
|
listener->users = users_alloc();
|
|
}
|
|
|
|
/* Try loading authentication data from file cache */
|
|
loaded = cdc_read_users(listener->users, path);
|
|
|
|
if (loaded == -1)
|
|
{
|
|
MXS_ERROR("Service %s, Unable to read AVRO users information from %s."
|
|
" No AVRO user added to service users table. Service user is still allowed to connect.",
|
|
service->name,
|
|
path);
|
|
}
|
|
|
|
/* At service start last update is set to CDC_USERS_REFRESH_TIME seconds
|
|
* earlier. This way MaxScale could try reloading users just after startup.
|
|
*/
|
|
service->rate_limit.last = time(NULL) - CDC_USERS_REFRESH_TIME;
|
|
service->rate_limit.nloads = 1;
|
|
|
|
return loaded;
|
|
}
|
|
|
|
/**
|
|
* Load the AVRO users
|
|
*
|
|
* @param service Current service
|
|
* @param usersfile File with users
|
|
* @return -1 on error or users loaded (including 0)
|
|
*/
|
|
|
|
static int
|
|
cdc_read_users(USERS *users, char *usersfile)
|
|
{
|
|
FILE *fp;
|
|
int loaded = 0;
|
|
char *avro_user;
|
|
char *user_passwd;
|
|
/* user maxlen ':' password hash '\n' '\0' */
|
|
char read_buffer[CDC_USER_MAXLEN + 1 + SHA_DIGEST_LENGTH + 1 + 1];
|
|
char *all_users_data = NULL;
|
|
struct stat statb;
|
|
int fd;
|
|
int filelen = 0;
|
|
unsigned char hash[SHA_DIGEST_LENGTH] = "";
|
|
|
|
int max_line_size = sizeof(read_buffer) - 1;
|
|
|
|
if ((fp = fopen(usersfile, "r")) == NULL)
|
|
{
|
|
return -1;
|
|
}
|
|
|
|
fd = fileno(fp);
|
|
|
|
if (fstat(fd, &statb) == 0)
|
|
{
|
|
filelen = statb.st_size;
|
|
}
|
|
|
|
if ((all_users_data = MXS_MALLOC(filelen + 1)) == NULL)
|
|
{
|
|
return -1;
|
|
}
|
|
|
|
*all_users_data = '\0';
|
|
|
|
while (!feof(fp))
|
|
{
|
|
if (fgets(read_buffer, max_line_size, fp) != NULL)
|
|
{
|
|
char *tmp_ptr = read_buffer;
|
|
/* append data for hash */
|
|
strcat(all_users_data, read_buffer);
|
|
|
|
if ((tmp_ptr = strchr(read_buffer, ':')) != NULL)
|
|
{
|
|
*tmp_ptr++ = '\0';
|
|
avro_user = read_buffer;
|
|
user_passwd = tmp_ptr;
|
|
if ((tmp_ptr = strchr(user_passwd, '\n')) != NULL)
|
|
{
|
|
*tmp_ptr = '\0';
|
|
}
|
|
|
|
/* add user */
|
|
users_add(users, avro_user, user_passwd);
|
|
|
|
loaded++;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* compute SHA1 digest for users' data */
|
|
SHA1((const unsigned char *) all_users_data, strlen(all_users_data), hash);
|
|
|
|
memcpy(users->cksum, hash, SHA_DIGEST_LENGTH);
|
|
|
|
MXS_FREE(all_users_data);
|
|
|
|
fclose(fp);
|
|
|
|
return loaded;
|
|
}
|
|
|
|
|
|
/**
|
|
* * Refresh the database users for the service
|
|
* * This function replaces the MySQL users used by the service with the latest
|
|
* * version found on the backend servers. There is a limit on how often the users
|
|
* * can be reloaded and if this limit is exceeded, the reload will fail.
|
|
* * @param service Service to reload
|
|
* * @return 0 on success and 1 on error
|
|
* */
|
|
static int
|
|
cdc_refresh_users(SERV_LISTENER *listener)
|
|
{
|
|
int ret = 1;
|
|
SERVICE *service = listener->service;
|
|
|
|
/* check for another running getUsers request */
|
|
if (!spinlock_acquire_nowait(&service->users_table_spin))
|
|
{
|
|
MXS_DEBUG("%s: [service_refresh_users] failed to get get lock for "
|
|
"loading new users' table: another thread is loading users",
|
|
service->name);
|
|
|
|
return 1;
|
|
}
|
|
|
|
/* check if refresh rate limit has exceeded */
|
|
if ((time(NULL) < (service->rate_limit.last + CDC_USERS_REFRESH_TIME)) ||
|
|
(service->rate_limit.nloads > CDC_USERS_REFRESH_MAX_PER_TIME))
|
|
{
|
|
spinlock_release(&service->users_table_spin);
|
|
MXS_ERROR("%s: Refresh rate limit exceeded for load of users' table.",
|
|
service->name);
|
|
|
|
return 1;
|
|
}
|
|
|
|
service->rate_limit.nloads++;
|
|
|
|
/* update time and counter */
|
|
if (service->rate_limit.nloads > CDC_USERS_REFRESH_MAX_PER_TIME)
|
|
{
|
|
service->rate_limit.nloads = 1;
|
|
service->rate_limit.last = time(NULL);
|
|
}
|
|
|
|
ret = cdc_replace_users(listener);
|
|
|
|
/* remove lock */
|
|
spinlock_release(&service->users_table_spin);
|
|
|
|
if (ret >= 0)
|
|
{
|
|
return 0;
|
|
}
|
|
else
|
|
{
|
|
return 1;
|
|
}
|
|
}
|
|
|
|
/* Replace the user/passwd in the servicei users tbale from a db file.
|
|
* The replacement is succesful only if the users' table checksums differ
|
|
*
|
|
* @param service The current service
|
|
* @return -1 on any error or the number of users inserted (0 means no users at all)
|
|
* */
|
|
static int
|
|
cdc_replace_users(SERV_LISTENER *listener)
|
|
{
|
|
SERVICE *service = listener->service;
|
|
int i;
|
|
USERS *newusers, *oldusers;
|
|
char path[PATH_MAX + 1] = "";
|
|
|
|
/* File path for router cached authentication data */
|
|
snprintf(path, PATH_MAX, "%s/%s/cdcusers", get_datadir(), service->name);
|
|
|
|
if ((newusers = users_alloc()) == NULL)
|
|
{
|
|
return -1;
|
|
}
|
|
|
|
|
|
/* load users */
|
|
i = cdc_read_users(newusers, path);
|
|
|
|
if (i <= 0)
|
|
{
|
|
users_free(newusers);
|
|
return i;
|
|
}
|
|
|
|
spinlock_acquire(&listener->lock);
|
|
oldusers = listener->users;
|
|
|
|
/* digest compare */
|
|
if (oldusers != NULL && memcmp(oldusers->cksum, newusers->cksum,
|
|
SHA_DIGEST_LENGTH) == 0)
|
|
{
|
|
/* same data, nothing to do */
|
|
MXS_DEBUG("%lu [cdc_replace_users] users' tables not switched, checksum is the same",
|
|
pthread_self());
|
|
|
|
/* free the new table */
|
|
users_free(newusers);
|
|
i = 0;
|
|
}
|
|
else
|
|
{
|
|
/* replace the service with effective new data */
|
|
MXS_DEBUG("%lu [cdc_replace_users] users' tables replaced, checksum differs",
|
|
pthread_self());
|
|
listener->users = newusers;
|
|
}
|
|
|
|
spinlock_release(&listener->lock);
|
|
|
|
if (i && oldusers)
|
|
{
|
|
/* free the old table */
|
|
users_free(oldusers);
|
|
}
|
|
return i;
|
|
}
|