[FEAT MERGE] rpc authentication improvement

deps/oblib/src/lib/CMakeLists.txt

@@ -263,6 +263,7 @@ ob_set_subtarget(oblib_lib utility
   utility/ob_backtrace.cpp
   utility/ob_proto_trans_util.cpp
   utility/ob_unify_serialize.cpp
+  utility/ob_rpc_authentication_utility.cpp
 )
 
 ob_set_subtarget(oblib_lib ash

deps/oblib/src/lib/utility/ob_rpc_authentication_utility.cpp

@@ -0,0 +1,92 @@
+/**
+ * Copyright (c) 2021 OceanBase
+ * OceanBase CE is licensed under Mulan PubL v2.
+ * You can use this software according to the terms and conditions of the Mulan PubL v2.
+ * You may obtain a copy of Mulan PubL v2 at:
+ *          http://license.coscl.org.cn/MulanPubL-2.0
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PubL v2 for more details.
+ */
+#define USING_LOG_PREFIX LIB
+#include "rpc/obrpc/ob_rpc_packet.h"
+#include "lib/ob_errno.h"
+#include "lib/utility/ob_print_utils.h"
+
+using namespace oceanbase::obrpc;
+
+namespace oceanbase
+{
+namespace common
+{
+extern "C" {
+int ob_decode_pcode(const char *buf, const int64_t data_len, int64_t *pos, uint32_t *val)
+{
+  int ret = (NULL != buf  && NULL != pos && data_len - *pos  >= 4) ? OB_SUCCESS : OB_DESERIALIZE_ERROR;
+  if (OB_SUCC(ret)) {
+    *val = ((static_cast<uint32_t>(*(buf + (*pos)++))) & 0xff) << 24;
+    *val |= ((static_cast<uint32_t>(*(buf + (*pos)++))) & 0xff) << 16;
+    *val |= ((static_cast<uint32_t>(*(buf + (*pos)++))) & 0xff) << 8;
+    *val |= ((static_cast<uint32_t>(*(buf + (*pos)++))) & 0xff);
+  }
+  return ret;
+}
+
+int ob_is_bypass_pcode(uint32_t pcode)
+{
+  //table_api pcode directly bypass
+  int bret = 0;
+  if (pcode >= OB_TABLE_API_LOGIN &&  pcode <= OB_TABLE_API_MOVE) { //table_api
+    bret = 1;
+  }
+  #ifdef OB_BUILD_ARBITRATION
+    else if (OB_CREATE_ARB == pcode || OB_DELETE_ARB == pcode
+           || OB_LOG_FORCE_CLEAR_ARB_CLUSTER_INFO == pcode
+           || OB_ARB_CLUSTER_OP == pcode) { //arb
+    bret = 1;
+  }
+  #endif
+    else if (OB_SET_MEMBER_LIST == pcode || OB_ARB_GC_NOTIFY == pcode
+           || OB_SET_CONFIG == pcode) { //arb
+    bret = 1;
+  } else if (pcode >= OB_LOG_PUSH_REQ && pcode <= OB_LOG_BATCH_FETCH_RESP) { //arb
+    bret = 1;
+  } else if (OB_LOG_REQ_START_LSN_BY_TS == pcode || OB_LS_FETCH_LOG2 == pcode
+            ||OB_LS_FETCH_MISSING_LOG == pcode) { //libcdc or standby cluster
+    bret = 1;
+  }
+  return bret;
+}
+
+int ob_is_tableapi_pcode(uint32_t pcode)
+{
+  int bret = 0;
+  if (pcode >= OB_TABLE_API_LOGIN &&  pcode <= OB_TABLE_API_MOVE) { //table_api
+    bret = 1;
+  }
+  return bret;
+}
+
+int ob_judge_is_tableapi_pcode_from_raw_packet(const char *buf, ssize_t data_len)
+{
+  int bret = 0;
+  int ret = OB_SUCCESS;
+  if (NULL != buf) {
+    int demand_length = OB_NET_HEADER_LENGTH + 4;
+    if (data_len >= demand_length && 0 == memcmp(buf, ObRpcPacket::MAGIC_HEADER_FLAG,
+        sizeof(ObRpcPacket::MAGIC_HEADER_FLAG))) {
+      int64_t pos = 0;
+      uint32_t pcode = 0;
+      if (OB_SUCC(ob_decode_pcode(buf + OB_NET_HEADER_LENGTH, 4, &pos, &pcode))) {
+        if (ob_is_tableapi_pcode(pcode)) {
+          bret = 1;
+        }
+      }
+    }
+  }
+  return bret;
+}
+}
+}
+}

deps/oblib/src/lib/utility/utility.cpp

@@ -1903,6 +1903,52 @@ int64_t get_level3_cache_size()
   return l3_cache_size;
 }
 
+int extract_cert_expired_time(const char* cert, const int64_t cert_len, int64_t &expired_time)
+{
+  int ret = OB_SUCCESS;
+  STACK_OF(X509_INFO)  *chain = NULL;
+  BIO *cbio = NULL;
+  if (OB_ISNULL(cert)) {
+    ret = OB_INVALID_ARGUMENT;
+    LOG_WARN("public cert from kms is null!", K(ret));
+  } else if (OB_ISNULL(cbio = BIO_new_mem_buf((void*)cert, cert_len))) {
+    ret = OB_ALLOCATE_MEMORY_FAILED;
+    LOG_WARN("BIO_new_mem_buf failed", K(ret));
+  } else if (OB_ISNULL(chain = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL))) {
+    ret = OB_INVALID_ARGUMENT;
+    LOG_WARN("PEM_X509_INFO_read_bio failed", K(ret));
+  } else {
+    ASN1_TIME *notAfter = NULL;
+    X509_INFO *x509_info = NULL;
+    if (OB_ISNULL(x509_info = sk_X509_INFO_value(chain, 0))) {
+      ret = OB_INVALID_ARGUMENT;
+      LOG_WARN("get app cert failed!", K(ret));
+    } else if (OB_ISNULL((notAfter = X509_get_notAfter(x509_info->x509)))) {
+      ret = OB_INVALID_ARGUMENT;
+      LOG_WARN("X509_get_notAfter failed",K(ret));
+    } else {
+      struct tm tm1;
+      memset (&tm1, 0, sizeof (tm1));
+      tm1.tm_year = (notAfter->data[ 0] - '0') * 10 + (notAfter->data[ 1] - '0') + 100;
+      tm1.tm_mon  = (notAfter->data[ 2] - '0') * 10 + (notAfter->data[ 3] - '0') - 1;
+      tm1.tm_mday = (notAfter->data[ 4] - '0') * 10 + (notAfter->data[ 5] - '0');
+      tm1.tm_hour = (notAfter->data[ 6] - '0') * 10 + (notAfter->data[ 7] - '0');
+      tm1.tm_min  = (notAfter->data[ 8] - '0') * 10 + (notAfter->data[ 9] - '0');
+      tm1.tm_sec  = (notAfter->data[10] - '0') * 10 + (notAfter->data[11] - '0');
+      time_t expired_time_t = mktime(&tm1);
+      expired_time_t += (int)(mktime(localtime(&expired_time_t)) - mktime(gmtime(&expired_time_t)));
+      expired_time = expired_time_t * 1000000;
+    }
+  }
+  if (NULL != cbio) {
+    BIO_free(cbio);
+  }
+  if (NULL != chain) {
+    sk_X509_INFO_pop_free(chain, X509_INFO_free);
+  }
+  return ret;
+}
+
 
 } // end namespace common
 } // end namespace oceanbase

deps/oblib/src/lib/utility/utility.h

@@ -1310,6 +1310,8 @@ void call_dtor(T *&ptr)
 //      OB_IO_ERROR Error executing system call
 //      OB_SUCCESS successfully executed
 int is_dir_empty(const char *dirname, bool &is_empty);
+
+int extract_cert_expired_time(const char* cert, const int64_t cert_len, int64_t &expired_time);
 } // end namespace common
 } // end namespace oceanbase
 

deps/oblib/src/rpc/obrpc/ob_poc_rpc_server.cpp

@@ -22,7 +22,9 @@ extern "C" {
 };
 #include "rpc/obrpc/ob_rpc_endec.h"
 #define cfgi(k, v) atoi(getenv(k)?:v)
-
+extern "C" {
+int ussl_check_pcode_mismatch_connection(int fd, uint32_t pcode);
+};
 namespace oceanbase
 {
 namespace obrpc
@@ -57,59 +59,64 @@ int ObPocServerHandleContext::create(int64_t resp_id, const char* buf, int64_t s
   } else {
     ObCurTraceId::set(tmp_pkt.get_trace_id());
     obrpc::ObRpcPacketCode pcode = tmp_pkt.get_pcode();
-    auto &set = obrpc::ObRpcPacketSet::instance();
-    const char* pcode_label = set.label_of_idx(set.idx_of_pcode(pcode));
-    const int64_t pool_size = sizeof(ObPocServerHandleContext) + sizeof(ObRequest) + sizeof(ObRpcPacket) + alloc_payload_sz;
-    int64_t tenant_id = tmp_pkt.get_tenant_id();
-    if (OB_UNLIKELY(tmp_pkt.get_group_id() == OBCG_ELECTION)) {
-      tenant_id = OB_SERVER_TENANT_ID;
-    }
-    timeguard.click();
-    ObRpcMemPool* pool = ObRpcMemPool::create(tenant_id, pcode_label, pool_size);
-    void *temp = NULL;
-
-#ifdef ERRSIM
-    THIS_WORKER.set_module_type(tmp_pkt.get_module_type());
-#endif
-
-    if (OB_ISNULL(pool)) {
-      ret = common::OB_ALLOCATE_MEMORY_FAILED;
-      RPC_LOG(WARN, "create memory pool failed", K(tenant_id), K(pcode_label));
-    } else if (OB_ISNULL(temp = pool->alloc(sizeof(ObPocServerHandleContext) + sizeof(ObRequest)))){
-      ret = common::OB_ALLOCATE_MEMORY_FAILED;
-      RPC_LOG(WARN, "pool allocate memory failed", K(tenant_id), K(pcode_label));
+    if (OB_UNLIKELY(ussl_check_pcode_mismatch_connection(pn_get_fd(resp_id), pcode))) {
+      ret = OB_UNKNOWN_CONNECTION;
+      RPC_LOG(WARN, "rpc bypass connection received none bypass pcode", K(pcode), K(ret));
     } else {
-      int64_t resp_expired_abs_us = ObTimeUtility::current_time() + tmp_pkt.get_timeout();
-      ctx = new(temp)ObPocServerHandleContext(*pool, resp_id, resp_expired_abs_us);
-      ctx->set_peer_unsafe();
-      req = new(ctx + 1)ObRequest(ObRequest::OB_RPC, ObRequest::TRANSPORT_PROTO_POC);
+      auto &set = obrpc::ObRpcPacketSet::instance();
+      const char* pcode_label = set.label_of_idx(set.idx_of_pcode(pcode));
+      const int64_t pool_size = sizeof(ObPocServerHandleContext) + sizeof(ObRequest) + sizeof(ObRpcPacket) + alloc_payload_sz;
+      int64_t tenant_id = tmp_pkt.get_tenant_id();
+      if (OB_UNLIKELY(tmp_pkt.get_group_id() == OBCG_ELECTION)) {
+        tenant_id = OB_SERVER_TENANT_ID;
+      }
       timeguard.click();
-      ObRpcPacket* pkt = (ObRpcPacket*)pool->alloc(sizeof(ObRpcPacket) + alloc_payload_sz);
-      if (NULL == pkt) {
-        RPC_LOG(WARN, "pool allocate rpc packet memory failed", K(tenant_id), K(pcode_label));
-        ret = common::OB_ALLOCATE_MEMORY_FAILED;
-      } else {
-        MEMCPY(reinterpret_cast<void *>(pkt), reinterpret_cast<void *>(&tmp_pkt), sizeof(ObRpcPacket));
-        const char* packet_data = NULL;
-        if (alloc_payload_sz > 0) {
-          packet_data = reinterpret_cast<char *>(pkt + 1);
-          MEMCPY(const_cast<char*>(packet_data), tmp_pkt.get_cdata(), tmp_pkt.get_clen());
-        } else {
-          packet_data = tmp_pkt.get_cdata();
-        }
-        int64_t receive_ts = ObTimeUtility::current_time();
-        pkt->set_receive_ts(receive_ts);
-        pkt->set_content(packet_data, tmp_pkt.get_clen());
-        req->set_server_handle_context(ctx);
-        req->set_packet(pkt);
-        req->set_receive_timestamp(pkt->get_receive_ts());
-        req->set_request_arrival_time(pkt->get_receive_ts());
-        req->set_arrival_push_diff(common::ObTimeUtility::current_time());
+      ObRpcMemPool* pool = ObRpcMemPool::create(tenant_id, pcode_label, pool_size);
+      void *temp = NULL;
 
-        const int64_t fly_ts = receive_ts - pkt->get_timestamp();
-        if (fly_ts > oceanbase::common::OB_MAX_PACKET_FLY_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) {
-          RPC_LOG(WARN, "PNIO packet wait too much time between proxy and server_cb", "pcode", pkt->get_pcode(),
-                  "fly_ts", fly_ts, "send_timestamp", pkt->get_timestamp());
+  #ifdef ERRSIM
+      THIS_WORKER.set_module_type(tmp_pkt.get_module_type());
+  #endif
+
+      if (OB_ISNULL(pool)) {
+        ret = common::OB_ALLOCATE_MEMORY_FAILED;
+        RPC_LOG(WARN, "create memory pool failed", K(tenant_id), K(pcode_label));
+      } else if (OB_ISNULL(temp = pool->alloc(sizeof(ObPocServerHandleContext) + sizeof(ObRequest)))){
+        ret = common::OB_ALLOCATE_MEMORY_FAILED;
+        RPC_LOG(WARN, "pool allocate memory failed", K(tenant_id), K(pcode_label));
+      } else {
+        int64_t resp_expired_abs_us = ObTimeUtility::current_time() + tmp_pkt.get_timeout();
+        ctx = new(temp)ObPocServerHandleContext(*pool, resp_id, resp_expired_abs_us);
+        ctx->set_peer_unsafe();
+        req = new(ctx + 1)ObRequest(ObRequest::OB_RPC, ObRequest::TRANSPORT_PROTO_POC);
+        timeguard.click();
+        ObRpcPacket* pkt = (ObRpcPacket*)pool->alloc(sizeof(ObRpcPacket) + alloc_payload_sz);
+        if (NULL == pkt) {
+          RPC_LOG(WARN, "pool allocate rpc packet memory failed", K(tenant_id), K(pcode_label));
+          ret = common::OB_ALLOCATE_MEMORY_FAILED;
+        } else {
+          MEMCPY(reinterpret_cast<void *>(pkt), reinterpret_cast<void *>(&tmp_pkt), sizeof(ObRpcPacket));
+          const char* packet_data = NULL;
+          if (alloc_payload_sz > 0) {
+            packet_data = reinterpret_cast<char *>(pkt + 1);
+            MEMCPY(const_cast<char*>(packet_data), tmp_pkt.get_cdata(), tmp_pkt.get_clen());
+          } else {
+            packet_data = tmp_pkt.get_cdata();
+          }
+          int64_t receive_ts = ObTimeUtility::current_time();
+          pkt->set_receive_ts(receive_ts);
+          pkt->set_content(packet_data, tmp_pkt.get_clen());
+          req->set_server_handle_context(ctx);
+          req->set_packet(pkt);
+          req->set_receive_timestamp(pkt->get_receive_ts());
+          req->set_request_arrival_time(pkt->get_receive_ts());
+          req->set_arrival_push_diff(common::ObTimeUtility::current_time());
+
+          const int64_t fly_ts = receive_ts - pkt->get_timestamp();
+          if (fly_ts > oceanbase::common::OB_MAX_PACKET_FLY_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) {
+            RPC_LOG(WARN, "PNIO packet wait too much time between proxy and server_cb", "pcode", pkt->get_pcode(),
+                    "fly_ts", fly_ts, "send_timestamp", pkt->get_timestamp());
+          }
         }
       }
     }

deps/oblib/src/rpc/obrpc/ob_rpc_net_handler.cpp

@@ -30,6 +30,10 @@ using namespace oceanbase::common;
 using namespace oceanbase::common::serialization;
 using namespace oceanbase::rpc::frame;
 
+extern "C" {
+int ussl_check_pcode_mismatch_connection(int fd, uint32_t pcode);
+};
+
 namespace oceanbase
 {
 namespace obrpc
@@ -193,15 +197,22 @@ void *ObRpcNetHandler::decode(easy_message_t *ms)
         LOG_ERROR("failed to decode", K(easy_conn), KP(ms), K(is_current_normal_mode), K(ret));
       } else {
         if (NULL != pkt) {
-          const int64_t receive_ts = common::ObClockGenerator::getClock();
-          const int64_t fly_ts = receive_ts - pkt->get_timestamp();
-          if (!pkt->is_resp() && fly_ts > common::OB_MAX_PACKET_FLY_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) {
-            LOG_WARN_RET(common::OB_ERR_TOO_MUCH_TIME, "packet fly cost too much time", "pcode", pkt->get_pcode(),
-                    "fly_ts", fly_ts, "send_timestamp", pkt->get_timestamp(), "connection", easy_connection_str(ms->c));
-          }
-          pkt->set_receive_ts(receive_ts);
-          if (receive_ts - start_ts > common::OB_MAX_PACKET_DECODE_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) {
-            LOG_WARN_RET(OB_ERR_TOO_MUCH_TIME, "packet decode cost too much time", "pcode", pkt->get_pcode(), "connection", easy_connection_str(ms->c));
+          uint32_t pcode = pkt->get_pcode();
+          if (OB_UNLIKELY(ussl_check_pcode_mismatch_connection(ms->c->fd, pcode))) {
+            pkt = NULL;
+            ms->status = EASY_ERROR;
+            LOG_WARN_RET(common::OB_BAD_ADDRESS, "enable bypass connection received other RPC, disconnect", K(pcode));
+          } else {
+            const int64_t receive_ts = common::ObClockGenerator::getClock();
+            const int64_t fly_ts = receive_ts - pkt->get_timestamp();
+            if (!pkt->is_resp() && fly_ts > common::OB_MAX_PACKET_FLY_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) {
+              LOG_WARN_RET(common::OB_ERR_TOO_MUCH_TIME, "packet fly cost too much time", "pcode", pkt->get_pcode(),
+                      "fly_ts", fly_ts, "send_timestamp", pkt->get_timestamp(), "connection", easy_connection_str(ms->c));
+            }
+            pkt->set_receive_ts(receive_ts);
+            if (receive_ts - start_ts > common::OB_MAX_PACKET_DECODE_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) {
+              LOG_WARN_RET(OB_ERR_TOO_MUCH_TIME, "packet decode cost too much time", "pcode", pkt->get_pcode(), "connection", easy_connection_str(ms->c));
+            }
           }
         } else {
           //receive data is not enough

deps/oblib/src/rpc/pnio/interface/group.c

@@ -588,3 +588,17 @@ int dispatch_accept_fd_to_certain_group(int fd, uint64_t gid)
   }
   return ret;
 }
+
+PN_API int pn_get_fd(uint64_t req_id)
+{
+  int fd = -1;
+  pn_resp_ctx_t* ctx = (typeof(ctx))req_id;
+  if (unlikely(NULL == ctx)) {
+    rk_warn("invalid arguments, req_id=%p", ctx);
+  } else {
+    pkts_t* pkts = &ctx->pn->pkts;
+    pkts_sk_t* sock = (typeof(sock))idm_get(&pkts->sk_map, ctx->sock_id);
+    fd = sock->fd;
+  }
+  return fd;
+}

deps/oblib/src/rpc/pnio/interface/group.h

@@ -78,6 +78,7 @@ PN_API uint64_t pn_get_rxbytes(int grp_id);
 PN_API int dispatch_accept_fd_to_certain_group(int fd, uint64_t gid);
 PN_API void pn_stop(uint64_t gid);
 PN_API void pn_wait(uint64_t gid);
+PN_API int pn_get_fd(uint64_t req_id);
 extern int64_t pnio_keepalive_timeout;
 pn_comm_t* get_current_pnio();
 void pn_release(pn_comm_t* pn_comm);

deps/ussl-hook/loop/auth-methods.c

@@ -15,6 +15,7 @@ int g_ussl_client_auth_methods = USSL_AUTH_NONE;
 int g_ussl_server_auth_methods = USSL_AUTH_NONE |
                                  USSL_AUTH_SSL_HANDSHAKE |
                                  USSL_AUTH_SSL_IO;
+int g_ussl_enable_bypass_flag = 0;
 
 void set_server_auth_methods(const int methods)
 {
@@ -45,4 +46,13 @@ int get_client_auth_methods()
   return ATOMIC_LOAD(&g_ussl_client_auth_methods);
 }
 
+void ussl_set_auth_bypass_flag(int enable)
+{
+  g_ussl_enable_bypass_flag = enable;
+}
+
+int ussl_get_auth_bypass_flag()
+{
+  return g_ussl_enable_bypass_flag;
+}
 

deps/ussl-hook/loop/auth-methods.h

@@ -20,5 +20,8 @@ extern int get_server_auth_methods();
 extern void set_client_auth_methods(const int methods);
 extern int get_client_auth_methods();
 
+extern void ussl_set_auth_bypass_flag(int enable);
+extern int ussl_get_auth_bypass_flag();
+
 
 #endif // USSL_HOOK_LOOP_AUTH_METHODS_

deps/ussl-hook/loop/handle-event.c

@@ -31,6 +31,32 @@ enum ServerNegoStage {
   SERVER_ACK_NEGO_AND_SSL = 3,
 };
 
+enum ob_rpc_connection_type {
+  OB_CONNECTION_COMMON_TYPE,
+  OB_CONNECTION_AUTH_BYPASS_TYPE,
+};
+
+static const int MAX_FD_NUM = 1024 * 1024;
+static uint8_t gs_connection_type_arr[MAX_FD_NUM];
+
+int ussl_set_rpc_connection_type(int fd, int type)
+{
+  int ret = 0;
+  if (fd >= 0 && fd < MAX_FD_NUM) {
+    gs_connection_type_arr[fd] = type;
+  } else {
+    ret = -ERANGE;
+  }
+  return ret;
+}
+
+void ussl_reset_rpc_connection_type(int fd)
+{
+  if (fd >= 0 && fd < MAX_FD_NUM) {
+    gs_connection_type_arr[fd] = 0;
+  }
+}
+
 static void auth_type_to_str(int auth_type, char *buf, size_t len)
 {
   if (USSL_AUTH_NONE == auth_type) {
@@ -326,9 +352,28 @@ static int acceptfd_handle_first_readable_event(acceptfd_sk_t *s)
     } else if (is_local_ip_address(src_addr)) {
       ussl_log_info("local ip address:%s, need dispatch", src_addr);
       need_dispatch = 1;
+    } else if (is_net_keepalive_connection(rbytes, buf)) {
+      need_dispatch = 1;
+      ussl_log_info("net keepalive negotation message, need dispatch, src:%s, fd:%d", src_addr, s->fd);
     } else {
-      need_dispatch = is_net_keepalive_connection(rbytes, buf);
-      ussl_log_info("easy negotation message, need dispatch:%d, src:%s, fd:%d", need_dispatch, src_addr, s->fd);
+      //if enable rpc auth bypass, all connections are allowed, including tableapi, liboblog,
+      //else, only tableapi connections are allowed
+      if (ussl_get_auth_bypass_flag()) {
+        ussl_log_info("rpc auth enable bypass, need dispatch, src:%s, fd:%d", src_addr, s->fd);
+        need_dispatch = 1;
+      } else {
+        if (ob_judge_is_tableapi_pcode_from_raw_packet(buf, rbytes)) {
+          ussl_log_info("tableapi connection, need dispatch, src:%s, fd:%d", src_addr, s->fd);
+          need_dispatch = 1;
+        }
+      }
+      if (need_dispatch) {
+        if (0 == ussl_set_rpc_connection_type(s->fd, OB_CONNECTION_AUTH_BYPASS_TYPE)) {
+        } else {
+          ussl_log_warn("ussl_set_rpc_connection_type failed, need close, src:%s, fd:%d", src_addr, s->fd);
+          need_dispatch = 0;
+        }
+      }
     }
     if (need_dispatch) {
       err = EUCLEAN;
@@ -375,6 +420,14 @@ static int acceptfd_handle_first_readable_event(acceptfd_sk_t *s)
             s->fd_info.client_gid = nego_message->client_gid;
             ussl_log_info("auth mothod is NONE, the fd will be dispatched, fd:%d, src_addr:%s", s->fd,
                           src_addr);
+          } else if (ussl_get_auth_bypass_flag()) {
+            if (0 == ussl_set_rpc_connection_type(s->fd, OB_CONNECTION_AUTH_BYPASS_TYPE)) {
+              err = EUCLEAN;
+              ussl_log_warn("enable bypass connection, allow connect, src:%s, fd:%d", src_addr, s->fd);
+            } else {
+              err = EUCLEAN;
+              s->has_error = 1;
+            }
           } else {
             err = EUCLEAN;
             s->has_error = 1;
@@ -387,7 +440,7 @@ static int acceptfd_handle_first_readable_event(acceptfd_sk_t *s)
             if (-1 == ssl_config_ctx_id) {
               err = EUCLEAN;
               s->has_error = 1;
-              ussl_log_error("ssl config not configured!");
+              ussl_log_warn("ssl config not configured or not load completely!");
             } else {
               negotiation_message_t nego_message_ack;
               nego_message_ack.type = nego_message->type;
@@ -449,4 +502,14 @@ int acceptfd_sk_handle_event(acceptfd_sk_t *s)
     }
   }
   return ret;
+}
+
+int ussl_check_pcode_mismatch_connection(int fd, uint32_t pcode)
+{
+  int ret = 0;
+  if (fd >= 0 && fd < MAX_FD_NUM) {
+    ret = (gs_connection_type_arr[fd] & OB_CONNECTION_AUTH_BYPASS_TYPE) &&
+          !ob_is_bypass_pcode(pcode);
+  }
+  return ret;
 }

deps/ussl-hook/loop/handle-event.h

@@ -19,4 +19,7 @@ extern int clientfd_sk_handle_event(clientfd_sk_t *s);
 extern int acceptfd_sk_handle_event(acceptfd_sk_t *s);
 extern void ussl_get_peer_addr(int fd, char *buf, int len);
 extern int is_net_keepalive_connection(ssize_t rbytes, char *buf);
+extern int ob_judge_is_tableapi_pcode_from_raw_packet(const char *buf, ssize_t data_len);
+extern int ob_is_bypass_pcode(uint32_t pcode);
+extern void ussl_reset_rpc_connection_type(int fd);
 #endif // USSL_HOOK_LOOP_HANDLE_EVENT_

deps/ussl-hook/loop/ussl_listenfd.c

@@ -36,6 +36,7 @@ void ussl_on_accept(int fd, ussl_sf_t *sf, ussl_eloop_t *ep)
       add_to_timeout_list(&accept_sk->timeout_link);
       char src_addr[IP_STRING_MAX_LEN] = {0};
       ussl_get_peer_addr(fd, src_addr, IP_STRING_MAX_LEN);
+      ussl_reset_rpc_connection_type(fd);
       ussl_log_info("accept new connection, fd:%d, src_addr:%s", fd, src_addr);
     }
   }

deps/ussl-hook/ssl/ssl_config.c

@@ -228,6 +228,7 @@ static int ob_ssl_set_verify_mode_and_load_CA(SSL_CTX *ctx, const ssl_config_ite
     } else {
       SSL_CTX_set_cert_store(ctx, x509_store);
     }
+
     if (NULL != bio) {
       BIO_free(bio);
     }
@@ -851,3 +852,12 @@ ssize_t writev_regard_ssl(int fildes, const struct iovec *iov, int iovcnt)
   }
   return wbytes;
 }
+
+SSL_CTX* ussl_get_server_ctx(int ctx_id)
+{
+  SSL_CTX *ctx = NULL;
+  pthread_rwlock_rdlock(&g_ssl_ctx_rwlock);
+  ctx = gs_ssl_ctx_array[ctx_id][SSL_ROLE_SERVER];
+  pthread_rwlock_unlock(&g_ssl_ctx_rwlock);
+  return ctx;
+}

deps/ussl-hook/ssl/ssl_config.h

@@ -25,6 +25,7 @@ int fd_enable_ssl_for_server(int fd, int ctx_id, int type);
 int fd_enable_ssl_for_client(int fd, int ctx_id, int type);
 void fd_disable_ssl(int fd);
 int ssl_do_handshake(int fd);
+SSL_CTX* ussl_get_server_ctx(int ctx_id);
 ssize_t read_regard_ssl(int fd, char *buf, size_t nbytes);
 ssize_t write_regard_ssl(int fd, const void *buf, size_t nbytes);
 ssize_t writev_regard_ssl(int fildes, const struct iovec *iov, int iovcnt);

deps/ussl-hook/ussl-hook.c

@@ -37,6 +37,7 @@ static __thread int ussl_server_ctx_id = -1;
 static uint64_t global_gid_arr[USSL_MAX_FD_NUM];
 static int global_client_ctx_id_arr[USSL_MAX_FD_NUM];
 static int global_send_negotiation_arr[USSL_MAX_FD_NUM];
+
 int is_ussl_bg_thread_started = 0;
 static int ussl_is_stopped = 0;
 
@@ -278,6 +279,7 @@ ssize_t ussl_write(int fd, const void *buf, size_t nbytes)
 
 int ussl_close(int fd)
 {
+  ussl_reset_rpc_connection_type(fd);
   fd_disable_ssl(fd);
   return libc_close(fd);
 }

deps/ussl-hook/ussl-hook.h

@@ -79,5 +79,4 @@ typedef struct ssl_config_item_t
 
 extern int ob_epoll_wait(int __epfd, struct epoll_event *__events,
 		                     int __maxevents, int __timeout);
-
 #endif // USSL_HOOK_USSL_HOOK_

src/observer/ob_srv_network_frame.cpp

@@ -27,6 +27,7 @@
 extern "C" {
 #include "ussl-hook.h"
 #include "auth-methods.h"
+SSL_CTX* ussl_get_server_ctx(int ctx_id);
 }
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -373,6 +374,115 @@ static int create_ssl_ctx(int ctx_id, int is_from_file, int is_sm, const char *c
   return ret;
 }
 
+namespace oceanbase {
+static int ob_add_client_CA_list(SSL_CTX *ctx, const char *cert, int cert_length)
+{
+  int ret = OB_SUCCESS;
+  if (OB_ISNULL(ctx) || OB_ISNULL(cert)) {
+    ret = OB_INVALID_ARGUMENT;
+    LOG_ERROR("invalid argument", KP(ctx), KP(cert));
+  } else {
+    STACK_OF(X509_INFO) *chain = NULL;
+    X509_STORE *ca_store = NULL;
+    X509_INFO *x509_info = NULL;
+    BIO *cbio = NULL;
+    if (OB_ISNULL(cbio = BIO_new_mem_buf((void*)cert, cert_length))) {
+      ret = OB_ALLOCATE_MEMORY_FAILED;
+      LOG_ERROR("BIO_new_mem_buf failed", K(ret));
+    } else if (OB_ISNULL(chain = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL))) {
+      ret = OB_ERR_UNEXPECTED;
+      int len = strlen(cert);
+      common::ObString err_reason = common::ObString::make_string(ERR_reason_error_string(ERR_get_error()));
+      LOG_ERROR("PEM_X509_INFO_read_bio failed", K(ret), K(cert), K(len), K(err_reason));
+    } else if (OB_ISNULL(ca_store = SSL_CTX_get_cert_store(ctx))) {
+      ret = OB_ERR_UNEXPECTED;
+      LOG_ERROR("SSL_CTX_get_cert_store failed", K(ret));
+    } else {
+      for (int64_t i = 0; i < sk_X509_INFO_num(chain) && OB_SUCC(ret); i++) {
+        x509_info = sk_X509_INFO_value(chain, i);
+        if (OB_ISNULL(x509_info)) {
+          ret = OB_INVALID_ARGUMENT;
+          LOG_WARN("x509_info is NULL", K(i), K(ret));
+        } else if (!SSL_CTX_add_client_CA(ctx, x509_info->x509)) {
+          ret = OB_ERR_UNEXPECTED;
+          LOG_WARN("SSL_CTX_add_client_CA failed", K(ret), K(i));
+        } else if (!X509_STORE_add_cert(ca_store, x509_info->x509)) {
+          ret = OB_ERR_UNEXPECTED;
+          LOG_WARN("X509_STORE_add_cert failed", K(ret), K(i));
+        }
+      }
+    }
+    if (NULL != cbio) {
+      BIO_free(cbio);
+    }
+    if (NULL != chain) {
+      sk_X509_INFO_pop_free(chain, X509_INFO_free);
+    }
+  }
+  return ret;
+}
+
+static int ob_add_client_CA_list_from_sys_table(SSL_CTX *ctx)
+{
+  int ret = OB_SUCCESS;
+  uint64_t data_version = 0;
+  if (OB_ISNULL(ctx)) {
+    ret = OB_INVALID_ARGUMENT;
+    LOG_ERROR("ctx is NULL", K(ret));
+  } else if (OB_FAIL(GET_MIN_DATA_VERSION(OB_SYS_TENANT_ID, data_version))) {
+    LOG_WARN("get min data_version with sys tenant id failed", KR(ret));
+  } else if (data_version < DATA_VERSION_4_3_0_0) {
+    LOG_WARN("tenant data version is too low, skip load", KR(ret), KR(data_version));
+  } else {
+    MTL_SWITCH(OB_SYS_TENANT_ID) {
+      ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_;
+      if (OB_ISNULL(mysql_proxy)) {
+        ret = OB_NOT_INIT;
+        LOG_WARN("mysql proxy is not inited", K(ret));
+      } else {
+        int sql_len = 0;
+        char sql[OB_SHORT_SQL_LENGTH];
+        const char *table_name = share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME;
+        sql_len = snprintf(sql, OB_SHORT_SQL_LENGTH,
+                          "SELECT content FROM %s",
+                          table_name);
+        if (sql_len >= OB_SHORT_SQL_LENGTH || sql_len <= 0) {
+          ret = OB_SIZE_OVERFLOW;
+          LOG_WARN("failed to format sql, buffer size not enough", K(ret));
+        } else {
+          SMART_VAR(ObMySQLProxy::MySQLResult, res) {
+            common::sqlclient::ObMySQLResult *result = NULL;
+            if (OB_FAIL(mysql_proxy->read(res, OB_SYS_TENANT_ID, sql))) {
+              LOG_WARN("failed to read data", K(ret));
+            } else if (OB_ISNULL(result = res.get_result())) {
+              ret = OB_ERR_UNEXPECTED;
+              LOG_WARN("failed to get result", K(ret));
+            } else {
+              ObString cert_content;
+              while (OB_SUCC(ret) && OB_SUCC(result->next())) {
+                if (OB_FAIL(result->get_varchar(0l, cert_content))) {
+                  LOG_WARN("failed to get content", K(ret));
+                } else if (OB_FAIL(ob_add_client_CA_list(ctx, cert_content.ptr(), cert_content.length()))) {
+                  LOG_WARN("failed to ob_add_client_CA_list", K(ret), K(cert_content.length()));
+                }
+              }
+              if (OB_ITER_END == ret) {
+                ret = OB_SUCCESS;
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  if (OB_TENANT_NOT_IN_SERVER == ret && SS_SERVING != GCTX.status_) {
+    ret = OB_SUCCESS;
+    LOG_WARN("observice is not serving do not load CA from sys table");
+  }
+  return ret;
+}
+}
+
 int ObSrvNetworkFrame::reload_ssl_config()
 {
   int ret = common::OB_SUCCESS;
@@ -384,9 +494,13 @@ int ObSrvNetworkFrame::reload_ssl_config()
     const char *intl_file[3] = {OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE};
     const char *sm_file[5] = {OB_SSL_CA_FILE, OB_SSL_SM_SIGN_CERT_FILE, OB_SSL_SM_SIGN_KEY_FILE, OB_SSL_SM_ENC_CERT_FILE,
     OB_SSL_SM_ENC_KEY_FILE};
-    const uint64_t new_hash_value = ssl_config.empty()
+    const uint64_t file_or_kms_hash_value = ssl_config.empty()
         ? get_ssl_file_hash(intl_file, sm_file, file_exist)
         : ssl_config.hash();
+    const uint64_t sys_table_cerfificate_hash = get_root_certificate_table_hash();
+    uint64_t new_hash_value = common::murmurhash(&sys_table_cerfificate_hash,
+                                                sizeof(sys_table_cerfificate_hash),
+                                                file_or_kms_hash_value);
     if (ssl_config.empty() && !file_exist) {
       ret = OB_INVALID_CONFIG;
       LOG_WARN("ssl file not available", K(new_hash_value));
@@ -500,7 +614,9 @@ int ObSrvNetworkFrame::reload_ssl_config()
               const int OB_EASY_RPC_SSL_CTX_ID = 0;
               if (OB_FAIL(create_ssl_ctx(OB_EASY_RPC_SSL_CTX_ID, !use_bkmi, use_sm,
                                           ca_cert, public_cert, private_key, NULL, NULL))) {
-                LOG_ERROR("create ssl ctx failed", K(OB_EASY_RPC_SSL_CTX_ID));
+                LOG_ERROR("create ssl ctx failed", K(OB_EASY_RPC_SSL_CTX_ID), K(ret));
+              } else if (OB_FAIL(ob_add_client_CA_list_from_sys_table(ussl_get_server_ctx(OB_EASY_RPC_SSL_CTX_ID)))) {
+                LOG_WARN("add client CA to SSL_CTX failed",  K(ret));
               }
             }
           }
@@ -646,6 +762,7 @@ int ObSrvNetworkFrame::reload_rpc_auth_method()
     }
   }
   set_server_auth_methods(server_auth_methods);
+  ussl_set_auth_bypass_flag(GCONF.enable_rpc_authentication_bypass);
   return ret;
 }
 
@@ -706,4 +823,64 @@ int ObSrvNetworkFrame::net_endpoint_set_ingress(const ObNetEndpointKey &endpoint
     }
   }
   return ret;
-}
+}
+
+uint64_t ObSrvNetworkFrame::get_root_certificate_table_hash()
+{
+  int ret = OB_SUCCESS;
+  uint64_t hash_value = 0;
+  int64_t  row_count = 0;
+  int64_t  last_modify_time = 0;
+  uint64_t data_version = 0;
+  if (OB_FAIL(GET_MIN_DATA_VERSION(OB_SYS_TENANT_ID, data_version))) {
+    LOG_WARN("get min data_version with sys tenant id failed", KR(ret));
+  } else if (data_version < DATA_VERSION_4_3_0_0) {
+    ret = OB_NOT_SUPPORTED;
+    LOG_WARN("tenant data version is too low", KR(ret), K(data_version));
+  } else {
+    MTL_SWITCH(OB_SYS_TENANT_ID) {
+      ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_;
+      if (OB_ISNULL(mysql_proxy)) {
+        ret = OB_NOT_INIT;
+        LOG_WARN("mysql proxy is not inited", K(ret));
+      } else {
+        int sql_len = 0;
+        char sql[OB_SHORT_SQL_LENGTH];
+        const char *table_name = share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME;
+        sql_len = snprintf(sql, OB_SHORT_SQL_LENGTH,
+                            "SELECT count(*), max(gmt_modified) "
+                            "FROM %s",
+                            table_name);
+        if (sql_len >= OB_SHORT_SQL_LENGTH || sql_len <= 0) {
+          ret = OB_SIZE_OVERFLOW;
+          LOG_WARN("failed to format sql, buffer size not enough", K(ret));
+        } else {
+          SMART_VAR(ObMySQLProxy::MySQLResult, res) {
+            common::sqlclient::ObMySQLResult *result = NULL;
+            if (OB_FAIL(mysql_proxy->read(res, OB_SYS_TENANT_ID, sql))) {
+              LOG_WARN("failed to read data", K(ret));
+            } else if (OB_ISNULL(result = res.get_result())) {
+              ret = OB_ERR_UNEXPECTED;
+              LOG_WARN("failed to get result", K(ret));
+            } else {
+              while (OB_SUCC(ret) && OB_SUCC(result->next())) {
+                if (OB_FAIL(result->get_int(0l, row_count))) {
+                  LOG_WARN("failed to get row_count", K(ret));
+                } else if (OB_FAIL(result->get_timestamp("max(gmt_modified)", NULL, last_modify_time))) {
+                  LOG_WARN("failed to get modify_time", K(ret));
+                }
+              }
+              if (OB_ITER_END == ret) {
+                ret = OB_SUCCESS;
+              }
+            }
+          }
+        }
+        if (OB_SUCC(ret)) {
+        hash_value = common::murmurhash(&row_count, sizeof(row_count), last_modify_time);
+        }
+      }
+    }
+  }
+  return hash_value;
+}

src/observer/ob_srv_network_frame.h

@@ -83,6 +83,7 @@ public:
   int net_endpoint_set_ingress(const ObNetEndpointKey &endpoint_key, int64_t assigned_bw);
 
 private:
+  uint64_t get_root_certificate_table_hash();
   ObGlobalContext &gctx_;
 
   ObSrvXlator xlator_;

src/pl/CMakeLists.txt

@@ -53,6 +53,7 @@ ob_set_subtarget(ob_pl sys_package
   sys_package/ob_dbms_user_define_rule.cpp
   sys_package/ob_dbms_workload_repository.cpp
   sys_package/ob_pl_dbms_resource_manager.cpp
+  sys_package/ob_pl_dbms_trusted_certificate_manager.cpp
 )
 
 ob_set_subtarget(ob_pl dblink

src/pl/ob_pl_interface_pragma.h

@@ -65,6 +65,7 @@
 #endif
 #include "pl/sys_package/ob_dbms_session.h"
 #include "pl/sys_package/ob_dbms_workload_repository.h"
+#include "pl/sys_package/ob_pl_dbms_trusted_certificate_manager.h"
 
 #ifdef INTERFACE_DEF
   INTERFACE_DEF(INTERFACE_START, "TEST", (ObPLInterfaceImpl::call))
@@ -681,6 +682,11 @@
   // end of dbms_workload_repository
   /****************************************************************************/
 
+  // start of dbms_trusted_certificate_manager
+  INTERFACE_DEF(INTERFACE_DBMS_ADD_TRUSTED_CERTIFICATE, "ADD_TRUSTED_CERTIFICATE", (ObPlDBMSTrustedCertificateManager::add_trusted_certificate))
+  INTERFACE_DEF(INTERFACE_DBMS_DELETE_TRUSTED_CERTIFICATE, "DELETE_TRUSTED_CERTIFICATE", (ObPlDBMSTrustedCertificateManager::delete_trusted_certificate))
+  INTERFACE_DEF(INTERFACE_DBMS_UPDATE_TRUSTED_CERTIFICATE, "UPDATE_TRUSTED_CERTIFICATE", (ObPlDBMSTrustedCertificateManager::update_trusted_certificate))
+  // end of end of dbms_workload_repository
   INTERFACE_DEF(INTERFACE_END, "INVALID", (nullptr))
 #endif
 

src/pl/ob_pl_package_manager.cpp

@@ -273,7 +273,8 @@ static ObSysPackageFile mysql_sys_package_file_table[] = {
   {"dbms_spm", "dbms_spm_mysql.sql", "dbms_spm_body_mysql.sql"},
 #endif
   {"dbms_udr", "dbms_udr_mysql.sql", "dbms_udr_body_mysql.sql"},
-  {"dbms_workload_repository", "dbms_workload_repository_mysql.sql", "dbms_workload_repository_body_mysql.sql"}
+  {"dbms_workload_repository", "dbms_workload_repository_mysql.sql", "dbms_workload_repository_body_mysql.sql"},
+  {"dbms_trusted_certificate_manager", "dbms_trusted_certificate_manager_mysql.sql", "dbms_trusted_certificate_manager_body_mysql.sql"},
 };
 
 int ObPLPackageManager::load_sys_package(ObMySQLProxy &sql_proxy, ObString &package_name, ObCompatibilityMode compa_mode)

src/pl/sys_package/ob_pl_dbms_trusted_certificate_manager.cpp

@@ -0,0 +1,232 @@
+/**
+ * Copyright (c) 2021 OceanBase
+ * OceanBase CE is licensed under Mulan PubL v2.
+ * You can use this software according to the terms and conditions of the Mulan PubL v2.
+ * You may obtain a copy of Mulan PubL v2 at:
+ *          http://license.coscl.org.cn/MulanPubL-2.0
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PubL v2 for more details.
+ */
+
+#define USING_LOG_PREFIX PL
+#include "ob_pl_dbms_trusted_certificate_manager.h"
+#include "share/ob_errno.h"
+#include "lib/utility/ob_macro_utils.h"
+#include "lib/utility/utility.h"
+#include "share/inner_table/ob_inner_table_schema_constants.h"
+
+using namespace oceanbase::common;
+using namespace oceanbase::share;
+using namespace oceanbase::pl;
+using namespace oceanbase::sql;
+
+int ObPlDBMSTrustedCertificateManager::check_data_version_and_privilege(ObExecContext &ctx)
+{
+  int ret = OB_SUCCESS;
+  uint64_t data_version = 0;
+  ObSQLSessionInfo *session = ctx.get_my_session();
+  if (OB_ISNULL(session)) {
+    ret = OB_ERR_UNEXPECTED;
+    LOG_WARN("session is null", K(ret));
+  } else if (!is_sys_tenant(session->get_effective_tenant_id())) {
+    ret = OB_ERR_NO_PRIVILEGE;
+    LOG_WARN("only sys tenant can operate", K(ret));
+  } else if (OB_FAIL(GET_MIN_DATA_VERSION(session->get_effective_tenant_id(),
+              data_version))) {
+    LOG_WARN("fail to get tenant data version", KR(ret));
+  } else if (data_version < DATA_VERSION_4_3_0_0) {
+    ret = OB_NOT_SUPPORTED;
+    LOG_WARN("tenant data version is too low for add trusted certificate",
+              KR(ret),
+              K(session->get_effective_tenant_id()),
+              K(data_version));
+    LOG_USER_ERROR(OB_NOT_SUPPORTED, "version is less than 4.3.0, trusted certificate manager not supported");
+  }
+  return ret;
+}
+
+int ObPlDBMSTrustedCertificateManager::add_trusted_certificate(
+    sql::ObExecContext &ctx,
+    sql::ParamStore &params,
+    common::ObObj &result)
+{
+  enum {
+    COMMON_NAME = 0,
+    DESCRIPTION = 1,
+    CONTENT
+  };
+  int ret = OB_SUCCESS;
+  if (OB_FAIL(check_data_version_and_privilege(ctx))) {
+    LOG_WARN("check_data_version_and_privilege failed", K(ret));
+  } else {
+    ObString common_name;
+    ObString description;
+    ObString content;
+    //check cert content validity
+    for (int64_t i = 0; OB_SUCC(ret) && i < params.count(); i++) {
+      ObObj &obj = params.at(i);
+      switch(i) {
+        case COMMON_NAME: {
+          if (OB_FAIL(obj.get_string(common_name))) {
+            LOG_WARN("failed to get content string", K(ret));
+          }
+          break;
+        }
+        case DESCRIPTION: {
+          if (OB_FAIL(obj.get_string(description))) {
+            LOG_WARN("failed to get description string", K(ret));
+          }
+          break;
+        }
+        case CONTENT: {
+          int64_t cert_expired_time = 0;
+          if (OB_FAIL(obj.get_string(content))) {
+            LOG_WARN("failed to get cert string", K(ret));
+          } else if (OB_FAIL(extract_cert_expired_time(content.ptr(), content.length(),
+                    cert_expired_time))) {
+            LOG_WARN("failed to extract cert expired time", K(ret));
+            LOG_USER_ERROR(OB_INVALID_ARGUMENT, "cert content, please check");
+          }
+          break;
+        }
+        default:
+          break;
+      }
+    }
+    if (OB_SUCC(ret)) {
+      int64_t affected_rows = 0;
+      ObSqlString sql;
+      ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_;
+      if (OB_ISNULL(mysql_proxy)) {
+        ret = OB_NOT_INIT;
+        LOG_WARN("mysql proxy is not inited", K(ret));
+      } else if (OB_FAIL(sql.assign_fmt(INSERT_ALL_TRUSTED_ROOT_CERTIFICAT_SQL,
+                          share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME,
+                          common_name.length(), common_name.ptr(),
+                          description.length(), description.ptr(),
+                          content.length(), content.ptr()))) {
+        LOG_WARN("format sql failed", KR(ret), K(sql));
+      } else if (OB_FAIL(mysql_proxy->write(OB_SYS_TENANT_ID, sql.ptr(), affected_rows))) {
+        LOG_WARN("execute sql fail", KR(ret), K(sql));
+      }
+    }
+  }
+  return ret;
+}
+
+int ObPlDBMSTrustedCertificateManager::delete_trusted_certificate(
+    sql::ObExecContext &ctx,
+    sql::ParamStore &params,
+    common::ObObj &result)
+{
+  enum {
+    COMMON_NAME = 0,
+  };
+  int ret = OB_SUCCESS;
+  if (OB_FAIL(check_data_version_and_privilege(ctx))) {
+    LOG_WARN("check_data_version_and_privilege failed", K(ret));
+  } else {
+    ObString common_name;
+    for (int64_t i = 0; OB_SUCC(ret) && i < params.count(); i++) {
+      ObObj &obj = params.at(i);
+      switch(i) {
+        case COMMON_NAME: {
+          if (OB_FAIL(obj.get_string(common_name))) {
+            LOG_WARN("failed to get content string", K(ret));
+          }
+          break;
+        }
+        default:
+          break;
+      }
+    }
+    if (OB_SUCC(ret)) {
+      int64_t affected_rows = 0;
+      ObSqlString sql;
+      ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_;
+      if (OB_ISNULL(mysql_proxy)) {
+        ret = OB_NOT_INIT;
+        LOG_WARN("mysql proxy is not inited", K(ret));
+      } else if (OB_FAIL(sql.assign_fmt(DELETE_ALL_TRUSTED_ROOT_CERTIFICAT_SQL,
+                          share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME,
+                          common_name.length(), common_name.ptr()))) {
+        LOG_WARN("format sql failed", KR(ret), K(sql));
+      } else if (OB_FAIL(mysql_proxy->write(OB_SYS_TENANT_ID, sql.ptr(), affected_rows))) {
+        LOG_WARN("execute sql fail", KR(ret), K(sql));
+      }
+    }
+  }
+  return ret;
+}
+
+
+int ObPlDBMSTrustedCertificateManager::update_trusted_certificate(
+    sql::ObExecContext &ctx,
+    sql::ParamStore &params,
+    common::ObObj &result)
+{
+  enum {
+    COMMON_NAME = 0,
+    DESCRIPTION = 1,
+    CONTENT
+  };
+  int ret = OB_SUCCESS;
+  if (OB_FAIL(check_data_version_and_privilege(ctx))) {
+    LOG_WARN("check_data_version_and_privilege failed", K(ret));
+  } else {
+    ObString common_name;
+    ObString description;
+    ObString content;
+    //check cert content validity
+    for (int64_t i = 0; OB_SUCC(ret) && i < params.count(); i++) {
+      ObObj &obj = params.at(i);
+      switch(i) {
+        case COMMON_NAME: {
+          if (OB_FAIL(obj.get_string(common_name))) {
+            LOG_WARN("failed to get content string", K(ret));
+          }
+          break;
+        }
+        case DESCRIPTION: {
+          if (OB_FAIL(obj.get_string(description))) {
+            LOG_WARN("failed to get description string", K(ret));
+          }
+          break;
+        }
+        case CONTENT: {
+          int64_t cert_expired_time = 0;
+          if (OB_FAIL(obj.get_string(content))) {
+            LOG_WARN("failed to get cert string", K(ret));
+          } else if (OB_FAIL(extract_cert_expired_time(content.ptr(), content.length(),
+                    cert_expired_time))) {
+            LOG_WARN("failed to extract cert expired time", K(ret));
+            LOG_USER_ERROR(OB_INVALID_ARGUMENT, "cert content, please check");
+          }
+          break;
+        }
+        default:
+          break;
+      }
+    }
+    if (OB_SUCC(ret)) {
+      int64_t affected_rows = 0;
+      ObSqlString sql;
+      ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_;
+      if (OB_ISNULL(mysql_proxy)) {
+        ret = OB_NOT_INIT;
+        LOG_WARN("mysql proxy is not inited", K(ret));
+      } else if (OB_FAIL(sql.assign_fmt(UPDATE_ALL_TRUSTED_ROOT_CERTIFICAT_SQL,
+                          share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME,
+                          description.length(), description.ptr(),
+                          content.length(), content.ptr(),
+                          common_name.length(), common_name.ptr()))) {
+        LOG_WARN("format sql failed", KR(ret), K(sql));
+      } else if (OB_FAIL(mysql_proxy->write(OB_SYS_TENANT_ID, sql.ptr(), affected_rows))) {
+        LOG_WARN("execute sql fail", KR(ret), K(sql));
+      }
+    }
+  }
+  return ret;
+}

src/pl/sys_package/ob_pl_dbms_trusted_certificate_manager.h

@@ -0,0 +1,64 @@
+/**
+ * Copyright (c) 2021 OceanBase
+ * OceanBase CE is licensed under Mulan PubL v2.
+ * You can use this software according to the terms and conditions of the Mulan PubL v2.
+ * You may obtain a copy of Mulan PubL v2 at:
+ *          http://license.coscl.org.cn/MulanPubL-2.0
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PubL v2 for more details.
+ */
+
+#ifndef OCEANBASE_SRC_PL_SYS_PACKAGE_DBMS_TRUSTED_CERTIFICATE_MANAGER_PL_H_
+#define OCEANBASE_SRC_PL_SYS_PACKAGE_DBMS_TRUSTED_CERTIFICATE_MANAGER_PL_H_
+
+#include "sql/engine/ob_exec_context.h"
+
+namespace oceanbase
+{
+namespace pl
+{
+
+#define INSERT_ALL_TRUSTED_ROOT_CERTIFICAT_SQL " \
+  insert into %s                       \
+  (common_name, description, content)  \
+  values ('%.*s', '%.*s', '%.*s')      \
+  "
+
+#define DELETE_ALL_TRUSTED_ROOT_CERTIFICAT_SQL " \
+  delete from %s             \
+  where common_name='%.*s'   \
+  "
+#define UPDATE_ALL_TRUSTED_ROOT_CERTIFICAT_SQL "     \
+  update %s set description='%.*s', content='%.*s'   \
+  where common_name='%.*s'                           \
+  "
+
+class ObPlDBMSTrustedCertificateManager
+{
+public:
+  ObPlDBMSTrustedCertificateManager() {}
+  virtual ~ObPlDBMSTrustedCertificateManager() {}
+public:
+  static int add_trusted_certificate(
+          sql::ObExecContext &ctx,
+          sql::ParamStore &params,
+          common::ObObj &result);
+  static int delete_trusted_certificate(
+          sql::ObExecContext &ctx,
+          sql::ParamStore &params,
+          common::ObObj &result);
+  static int update_trusted_certificate(
+          sql::ObExecContext &ctx,
+          sql::ParamStore &params,
+          common::ObObj &result);
+private:
+  static int check_data_version_and_privilege(ObExecContext &ctx);
+  DISALLOW_COPY_AND_ASSIGN(ObPlDBMSTrustedCertificateManager);
+};
+
+}
+}
+
+#endif

src/share/inner_table/ob_inner_table_schema.21501_21550.cpp

@@ -25,6 +25,56 @@ using namespace common;
 namespace share
 {
 
+int ObInnerTableSchema::dba_ob_trusted_root_certificate_schema(ObTableSchema &table_schema)
+{
+  int ret = OB_SUCCESS;
+  uint64_t column_id = OB_APP_MIN_COLUMN_ID - 1;
+
+  //generated fields:
+  table_schema.set_tenant_id(OB_SYS_TENANT_ID);
+  table_schema.set_tablegroup_id(OB_INVALID_ID);
+  table_schema.set_database_id(OB_SYS_DATABASE_ID);
+  table_schema.set_table_id(OB_DBA_OB_TRUSTED_ROOT_CERTIFICATE_TID);
+  table_schema.set_rowkey_split_pos(0);
+  table_schema.set_is_use_bloomfilter(false);
+  table_schema.set_progressive_merge_num(0);
+  table_schema.set_rowkey_column_num(0);
+  table_schema.set_load_type(TABLE_LOAD_TYPE_IN_DISK);
+  table_schema.set_table_type(SYSTEM_VIEW);
+  table_schema.set_index_type(INDEX_TYPE_IS_NOT);
+  table_schema.set_def_type(TABLE_DEF_TYPE_INTERNAL);
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_table_name(OB_DBA_OB_TRUSTED_ROOT_CERTIFICATE_TNAME))) {
+      LOG_ERROR("fail to set table_name", K(ret));
+    }
+  }
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_compress_func_name(OB_DEFAULT_COMPRESS_FUNC_NAME))) {
+      LOG_ERROR("fail to set compress_func_name", K(ret));
+    }
+  }
+  table_schema.set_part_level(PARTITION_LEVEL_ZERO);
+  table_schema.set_charset_type(ObCharset::get_default_charset());
+  table_schema.set_collation_type(ObCharset::get_default_collation(ObCharset::get_default_charset()));
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_view_definition(R"__(   SELECT    common_name AS COMMON_NAME,   description AS DESCRIPTION,   EXTRACT_CERT_EXPIRED_TIME(content) AS CERT_EXPIRED_TIME   FROM     oceanbase.__all_trusted_root_certificate   )__"))) {
+      LOG_ERROR("fail to set view_definition", K(ret));
+    }
+  }
+  table_schema.set_index_using_type(USING_BTREE);
+  table_schema.set_row_store_type(ENCODING_ROW_STORE);
+  table_schema.set_store_format(OB_STORE_FORMAT_DYNAMIC_MYSQL);
+  table_schema.set_progressive_merge_round(1);
+  table_schema.set_storage_format_version(3);
+  table_schema.set_tablet_id(0);
+
+  table_schema.set_max_used_column_id(column_id);
+  return ret;
+}
+
 int ObInnerTableSchema::cdb_index_usage_schema(ObTableSchema &table_schema)
 {
   int ret = OB_SUCCESS;

src/share/inner_table/ob_inner_table_schema.501_550.cpp

@@ -0,0 +1,167 @@
+/**
+ * Copyright (c) 2021 OceanBase
+ * OceanBase CE is licensed under Mulan PubL v2.
+ * You can use this software according to the terms and conditions of the Mulan PubL v2.
+ * You may obtain a copy of Mulan PubL v2 at:
+ *          http://license.coscl.org.cn/MulanPubL-2.0
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PubL v2 for more details.
+ */
+
+#define USING_LOG_PREFIX SHARE_SCHEMA
+#include "ob_inner_table_schema.h"
+
+#include "share/schema/ob_schema_macro_define.h"
+#include "share/schema/ob_schema_service_sql_impl.h"
+#include "share/schema/ob_table_schema.h"
+#include "share/scn.h"
+
+namespace oceanbase
+{
+using namespace share::schema;
+using namespace common;
+namespace share
+{
+
+int ObInnerTableSchema::all_trusted_root_certificate_schema(ObTableSchema &table_schema)
+{
+  int ret = OB_SUCCESS;
+  uint64_t column_id = OB_APP_MIN_COLUMN_ID - 1;
+
+  //generated fields:
+  table_schema.set_tenant_id(OB_SYS_TENANT_ID);
+  table_schema.set_tablegroup_id(OB_SYS_TABLEGROUP_ID);
+  table_schema.set_database_id(OB_SYS_DATABASE_ID);
+  table_schema.set_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID);
+  table_schema.set_rowkey_split_pos(0);
+  table_schema.set_is_use_bloomfilter(false);
+  table_schema.set_progressive_merge_num(0);
+  table_schema.set_rowkey_column_num(1);
+  table_schema.set_load_type(TABLE_LOAD_TYPE_IN_DISK);
+  table_schema.set_table_type(SYSTEM_TABLE);
+  table_schema.set_index_type(INDEX_TYPE_IS_NOT);
+  table_schema.set_def_type(TABLE_DEF_TYPE_INTERNAL);
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_table_name(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME))) {
+      LOG_ERROR("fail to set table_name", K(ret));
+    }
+  }
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_compress_func_name(OB_DEFAULT_COMPRESS_FUNC_NAME))) {
+      LOG_ERROR("fail to set compress_func_name", K(ret));
+    }
+  }
+  table_schema.set_part_level(PARTITION_LEVEL_ZERO);
+  table_schema.set_charset_type(ObCharset::get_default_charset());
+  table_schema.set_collation_type(ObCharset::get_default_collation(ObCharset::get_default_charset()));
+
+  if (OB_SUCC(ret)) {
+    ObObj gmt_create_default;
+    ObObj gmt_create_default_null;
+
+    gmt_create_default.set_ext(ObActionFlag::OP_DEFAULT_NOW_FLAG);
+    gmt_create_default_null.set_null();
+    ADD_COLUMN_SCHEMA_TS_T("gmt_create", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObTimestampType,  //column_type
+      CS_TYPE_BINARY,//collation_type
+      0, //column length
+      -1, //column_precision
+      6, //column_scale
+      true,//is nullable
+      false, //is_autoincrement
+      false, //is_on_update_for_timestamp
+      gmt_create_default_null,
+      gmt_create_default)
+  }
+
+  if (OB_SUCC(ret)) {
+    ObObj gmt_modified_default;
+    ObObj gmt_modified_default_null;
+
+    gmt_modified_default.set_ext(ObActionFlag::OP_DEFAULT_NOW_FLAG);
+    gmt_modified_default_null.set_null();
+    ADD_COLUMN_SCHEMA_TS_T("gmt_modified", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObTimestampType,  //column_type
+      CS_TYPE_BINARY,//collation_type
+      0, //column length
+      -1, //column_precision
+      6, //column_scale
+      true,//is nullable
+      false, //is_autoincrement
+      true, //is_on_update_for_timestamp
+      gmt_modified_default_null,
+      gmt_modified_default)
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("common_name", //column_name
+      ++column_id, //column_id
+      1, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObVarcharType, //column_type
+      CS_TYPE_INVALID, //column_collation_type
+      256, //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("description", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObVarcharType, //column_type
+      CS_TYPE_INVALID, //column_collation_type
+      256, //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("content", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObLongTextType, //column_type
+      CS_TYPE_INVALID, //column_collation_type
+      0, //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+  table_schema.set_index_using_type(USING_BTREE);
+  table_schema.set_row_store_type(ENCODING_ROW_STORE);
+  table_schema.set_store_format(OB_STORE_FORMAT_DYNAMIC_MYSQL);
+  table_schema.set_progressive_merge_round(1);
+  table_schema.set_storage_format_version(3);
+  table_schema.set_tablet_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID);
+  table_schema.set_aux_lob_meta_tid(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID);
+  table_schema.set_aux_lob_piece_tid(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID);
+
+  table_schema.set_max_used_column_id(column_id);
+  return ret;
+}
+
+
+} // end namespace share
+} // end namespace oceanbase

src/share/inner_table/ob_inner_table_schema.50501_50550.cpp

@@ -0,0 +1,165 @@
+/**
+ * Copyright (c) 2021 OceanBase
+ * OceanBase CE is licensed under Mulan PubL v2.
+ * You can use this software according to the terms and conditions of the Mulan PubL v2.
+ * You may obtain a copy of Mulan PubL v2 at:
+ *          http://license.coscl.org.cn/MulanPubL-2.0
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PubL v2 for more details.
+ */
+
+#define USING_LOG_PREFIX SHARE_SCHEMA
+#include "ob_inner_table_schema.h"
+
+#include "share/schema/ob_schema_macro_define.h"
+#include "share/schema/ob_schema_service_sql_impl.h"
+#include "share/schema/ob_table_schema.h"
+#include "share/scn.h"
+
+namespace oceanbase
+{
+using namespace share::schema;
+using namespace common;
+namespace share
+{
+
+int ObInnerTableSchema::all_trusted_root_certificate_aux_lob_meta_schema(ObTableSchema &table_schema)
+{
+  int ret = OB_SUCCESS;
+  uint64_t column_id = OB_APP_MIN_COLUMN_ID - 1;
+
+  //generated fields:
+  table_schema.set_tenant_id(OB_SYS_TENANT_ID);
+  table_schema.set_tablegroup_id(OB_SYS_TABLEGROUP_ID);
+  table_schema.set_database_id(OB_SYS_DATABASE_ID);
+  table_schema.set_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID);
+  table_schema.set_rowkey_split_pos(0);
+  table_schema.set_is_use_bloomfilter(false);
+  table_schema.set_progressive_merge_num(0);
+  table_schema.set_rowkey_column_num(2);
+  table_schema.set_load_type(TABLE_LOAD_TYPE_IN_DISK);
+  table_schema.set_table_type(AUX_LOB_META);
+  table_schema.set_index_type(INDEX_TYPE_IS_NOT);
+  table_schema.set_def_type(TABLE_DEF_TYPE_INTERNAL);
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_table_name(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TNAME))) {
+      LOG_ERROR("fail to set table_name", K(ret));
+    }
+  }
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_compress_func_name(OB_DEFAULT_COMPRESS_FUNC_NAME))) {
+      LOG_ERROR("fail to set compress_func_name", K(ret));
+    }
+  }
+  table_schema.set_part_level(PARTITION_LEVEL_ZERO);
+  table_schema.set_charset_type(ObCharset::get_default_charset());
+  table_schema.set_collation_type(ObCharset::get_default_collation(ObCharset::get_default_charset()));
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("lob_id", //column_name
+      ++column_id, //column_id
+      1, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObVarcharType, //column_type
+      CS_TYPE_BINARY, //column_collation_type
+      16, //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("seq_id", //column_name
+      ++column_id, //column_id
+      2, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObVarcharType, //column_type
+      CS_TYPE_BINARY, //column_collation_type
+      8192, //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("binary_len", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObUInt32Type, //column_type
+      CS_TYPE_INVALID, //column_collation_type
+      sizeof(uint32_t), //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("char_len", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObUInt32Type, //column_type
+      CS_TYPE_INVALID, //column_collation_type
+      sizeof(uint32_t), //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("piece_id", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObUInt64Type, //column_type
+      CS_TYPE_INVALID, //column_collation_type
+      sizeof(uint64_t), //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("lob_data", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObVarcharType, //column_type
+      CS_TYPE_BINARY, //column_collation_type
+      262144, //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+  table_schema.set_index_using_type(USING_BTREE);
+  table_schema.set_row_store_type(ENCODING_ROW_STORE);
+  table_schema.set_store_format(OB_STORE_FORMAT_DYNAMIC_MYSQL);
+  table_schema.set_progressive_merge_round(1);
+  table_schema.set_storage_format_version(3);
+  table_schema.set_tablet_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID);
+  table_schema.set_data_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID);
+
+  table_schema.set_max_used_column_id(column_id);
+  return ret;
+}
+
+
+} // end namespace share
+} // end namespace oceanbase

src/share/inner_table/ob_inner_table_schema.60501_60550.cpp

@@ -0,0 +1,120 @@
+/**
+ * Copyright (c) 2021 OceanBase
+ * OceanBase CE is licensed under Mulan PubL v2.
+ * You can use this software according to the terms and conditions of the Mulan PubL v2.
+ * You may obtain a copy of Mulan PubL v2 at:
+ *          http://license.coscl.org.cn/MulanPubL-2.0
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PubL v2 for more details.
+ */
+
+#define USING_LOG_PREFIX SHARE_SCHEMA
+#include "ob_inner_table_schema.h"
+
+#include "share/schema/ob_schema_macro_define.h"
+#include "share/schema/ob_schema_service_sql_impl.h"
+#include "share/schema/ob_table_schema.h"
+#include "share/scn.h"
+
+namespace oceanbase
+{
+using namespace share::schema;
+using namespace common;
+namespace share
+{
+
+int ObInnerTableSchema::all_trusted_root_certificate_aux_lob_piece_schema(ObTableSchema &table_schema)
+{
+  int ret = OB_SUCCESS;
+  uint64_t column_id = OB_APP_MIN_COLUMN_ID - 1;
+
+  //generated fields:
+  table_schema.set_tenant_id(OB_SYS_TENANT_ID);
+  table_schema.set_tablegroup_id(OB_SYS_TABLEGROUP_ID);
+  table_schema.set_database_id(OB_SYS_DATABASE_ID);
+  table_schema.set_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID);
+  table_schema.set_rowkey_split_pos(0);
+  table_schema.set_is_use_bloomfilter(false);
+  table_schema.set_progressive_merge_num(0);
+  table_schema.set_rowkey_column_num(1);
+  table_schema.set_load_type(TABLE_LOAD_TYPE_IN_DISK);
+  table_schema.set_table_type(AUX_LOB_PIECE);
+  table_schema.set_index_type(INDEX_TYPE_IS_NOT);
+  table_schema.set_def_type(TABLE_DEF_TYPE_INTERNAL);
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_table_name(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TNAME))) {
+      LOG_ERROR("fail to set table_name", K(ret));
+    }
+  }
+
+  if (OB_SUCC(ret)) {
+    if (OB_FAIL(table_schema.set_compress_func_name(OB_DEFAULT_COMPRESS_FUNC_NAME))) {
+      LOG_ERROR("fail to set compress_func_name", K(ret));
+    }
+  }
+  table_schema.set_part_level(PARTITION_LEVEL_ZERO);
+  table_schema.set_charset_type(ObCharset::get_default_charset());
+  table_schema.set_collation_type(ObCharset::get_default_collation(ObCharset::get_default_charset()));
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("piece_id", //column_name
+      ++column_id, //column_id
+      1, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObUInt64Type, //column_type
+      CS_TYPE_INVALID, //column_collation_type
+      sizeof(uint64_t), //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("data_len", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObUInt32Type, //column_type
+      CS_TYPE_INVALID, //column_collation_type
+      sizeof(uint32_t), //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+
+  if (OB_SUCC(ret)) {
+    ADD_COLUMN_SCHEMA("lob_data", //column_name
+      ++column_id, //column_id
+      0, //rowkey_id
+      0, //index_id
+      0, //part_key_pos
+      ObVarcharType, //column_type
+      CS_TYPE_BINARY, //column_collation_type
+      32, //column_length
+      -1, //column_precision
+      -1, //column_scale
+      false, //is_nullable
+      false); //is_autoincrement
+  }
+  table_schema.set_index_using_type(USING_BTREE);
+  table_schema.set_row_store_type(ENCODING_ROW_STORE);
+  table_schema.set_store_format(OB_STORE_FORMAT_DYNAMIC_MYSQL);
+  table_schema.set_progressive_merge_round(1);
+  table_schema.set_storage_format_version(3);
+  table_schema.set_tablet_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID);
+  table_schema.set_data_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID);
+
+  table_schema.set_max_used_column_id(column_id);
+  return ret;
+}
+
+
+} // end namespace share
+} // end namespace oceanbase

src/share/inner_table/ob_inner_table_schema.h

@@ -558,6 +558,7 @@ public:
   static int all_import_table_task_history_schema(share::schema::ObTableSchema &table_schema);
   static int all_aux_stat_schema(share::schema::ObTableSchema &table_schema);
   static int all_index_usage_info_schema(share::schema::ObTableSchema &table_schema);
+  static int all_trusted_root_certificate_schema(share::schema::ObTableSchema &table_schema);
   static int tenant_virtual_all_table_schema(share::schema::ObTableSchema &table_schema);
   static int tenant_virtual_table_column_schema(share::schema::ObTableSchema &table_schema);
   static int tenant_virtual_table_index_schema(share::schema::ObTableSchema &table_schema);
@@ -1583,6 +1584,7 @@ public:
   static int dba_ob_aux_statistics_schema(share::schema::ObTableSchema &table_schema);
   static int cdb_ob_aux_statistics_schema(share::schema::ObTableSchema &table_schema);
   static int dba_index_usage_schema(share::schema::ObTableSchema &table_schema);
+  static int dba_ob_trusted_root_certificate_schema(share::schema::ObTableSchema &table_schema);
   static int cdb_index_usage_schema(share::schema::ObTableSchema &table_schema);
   static int dba_synonyms_schema(share::schema::ObTableSchema &table_schema);
   static int dba_objects_ora_schema(share::schema::ObTableSchema &table_schema);
@@ -2274,6 +2276,7 @@ public:
   static int all_import_table_task_history_aux_lob_meta_schema(share::schema::ObTableSchema &table_schema);
   static int all_aux_stat_aux_lob_meta_schema(share::schema::ObTableSchema &table_schema);
   static int all_index_usage_info_aux_lob_meta_schema(share::schema::ObTableSchema &table_schema);
+  static int all_trusted_root_certificate_aux_lob_meta_schema(share::schema::ObTableSchema &table_schema);
   static int all_table_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema);
   static int all_column_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema);
   static int all_ddl_operation_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema);
@@ -2540,6 +2543,7 @@ public:
   static int all_import_table_task_history_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema);
   static int all_aux_stat_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema);
   static int all_index_usage_info_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema);
+  static int all_trusted_root_certificate_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema);
   static int all_virtual_ash_all_virtual_ash_i1_schema(share::schema::ObTableSchema &table_schema);
   static int all_virtual_sql_plan_monitor_all_virtual_sql_plan_monitor_i1_schema(share::schema::ObTableSchema &table_schema);
   static int all_virtual_sql_audit_all_virtual_sql_audit_i1_schema(share::schema::ObTableSchema &table_schema);
@@ -3010,6 +3014,7 @@ const schema_create_func sys_table_schema_creators [] = {
   ObInnerTableSchema::all_import_table_task_history_schema,
   ObInnerTableSchema::all_aux_stat_schema,
   ObInnerTableSchema::all_index_usage_info_schema,
+  ObInnerTableSchema::all_trusted_root_certificate_schema,
   NULL,};
 
 const schema_create_func virtual_table_schema_creators [] = {
@@ -4132,6 +4137,7 @@ const schema_create_func sys_view_schema_creators [] = {
   ObInnerTableSchema::dba_ob_aux_statistics_schema,
   ObInnerTableSchema::cdb_ob_aux_statistics_schema,
   ObInnerTableSchema::dba_index_usage_schema,
+  ObInnerTableSchema::dba_ob_trusted_root_certificate_schema,
   ObInnerTableSchema::cdb_index_usage_schema,
   ObInnerTableSchema::dba_synonyms_schema,
   ObInnerTableSchema::dba_objects_ora_schema,
@@ -11658,6 +11664,14 @@ LOBMapping const lob_aux_table_mappings [] = {
     ObInnerTableSchema::all_index_usage_info_aux_lob_piece_schema
   },
 
+  {
+    OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID,
+    OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID,
+    OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID,
+    ObInnerTableSchema::all_trusted_root_certificate_aux_lob_meta_schema,
+    ObInnerTableSchema::all_trusted_root_certificate_aux_lob_piece_schema
+  },
+
 };
 
 static inline bool get_sys_table_lob_aux_table_id(const uint64_t tid, uint64_t& meta_tid, uint64_t& piece_tid)
@@ -11695,12 +11709,12 @@ static inline int get_sys_table_lob_aux_schema(const uint64_t tid,
 }
 
 const int64_t OB_CORE_TABLE_COUNT = 4;
-const int64_t OB_SYS_TABLE_COUNT = 263;
+const int64_t OB_SYS_TABLE_COUNT = 264;
 const int64_t OB_VIRTUAL_TABLE_COUNT = 746;
-const int64_t OB_SYS_VIEW_COUNT = 795;
-const int64_t OB_SYS_TENANT_TABLE_COUNT = 1809;
+const int64_t OB_SYS_VIEW_COUNT = 796;
+const int64_t OB_SYS_TENANT_TABLE_COUNT = 1811;
 const int64_t OB_CORE_SCHEMA_VERSION = 1;
-const int64_t OB_BOOTSTRAP_SCHEMA_VERSION = 1812;
+const int64_t OB_BOOTSTRAP_SCHEMA_VERSION = 1814;
 
 } // end namespace share
 } // end namespace oceanbase

src/share/inner_table/ob_inner_table_schema.lob.cpp

@@ -21,7 +21,7 @@ inner_lob_map_t inner_lob_map;
 bool lob_mapping_init()
 {
   int ret = OB_SUCCESS;
-  if (OB_FAIL(inner_lob_map.create(266, ObModIds::OB_INNER_LOB_HASH_SET))) {
+  if (OB_FAIL(inner_lob_map.create(267, ObModIds::OB_INNER_LOB_HASH_SET))) {
     SERVER_LOG(WARN, "fail to create inner lob map", K(ret));
   } else {
     for (int64_t i = 0; OB_SUCC(ret) && i < ARRAYSIZEOF(lob_aux_table_mappings); ++i) {

src/share/inner_table/ob_inner_table_schema_constants.h

@@ -294,6 +294,7 @@ const uint64_t OB_ALL_IMPORT_TABLE_TASK_TID = 479; // "__all_import_table_task"
 const uint64_t OB_ALL_IMPORT_TABLE_TASK_HISTORY_TID = 480; // "__all_import_table_task_history"
 const uint64_t OB_ALL_AUX_STAT_TID = 494; // "__all_aux_stat"
 const uint64_t OB_ALL_INDEX_USAGE_INFO_TID = 495; // "__all_index_usage_info"
+const uint64_t OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID = 502; // "__all_trusted_root_certificate"
 const uint64_t OB_TENANT_VIRTUAL_ALL_TABLE_TID = 10001; // "__tenant_virtual_all_table"
 const uint64_t OB_TENANT_VIRTUAL_TABLE_COLUMN_TID = 10002; // "__tenant_virtual_table_column"
 const uint64_t OB_TENANT_VIRTUAL_TABLE_INDEX_TID = 10003; // "__tenant_virtual_table_index"
@@ -1319,6 +1320,7 @@ const uint64_t OB_V_OB_TENANT_RUNTIME_INFO_TID = 21478; // "V$OB_TENANT_RUNTIME_
 const uint64_t OB_DBA_OB_AUX_STATISTICS_TID = 21497; // "DBA_OB_AUX_STATISTICS"
 const uint64_t OB_CDB_OB_AUX_STATISTICS_TID = 21498; // "CDB_OB_AUX_STATISTICS"
 const uint64_t OB_DBA_INDEX_USAGE_TID = 21499; // "DBA_INDEX_USAGE"
+const uint64_t OB_DBA_OB_TRUSTED_ROOT_CERTIFICATE_TID = 21509; // "DBA_OB_TRUSTED_ROOT_CERTIFICATE"
 const uint64_t OB_CDB_INDEX_USAGE_TID = 21513; // "CDB_INDEX_USAGE"
 const uint64_t OB_DBA_SYNONYMS_TID = 25001; // "DBA_SYNONYMS"
 const uint64_t OB_DBA_OBJECTS_ORA_TID = 25002; // "DBA_OBJECTS_ORA"
@@ -2010,6 +2012,7 @@ const uint64_t OB_ALL_IMPORT_TABLE_TASK_AUX_LOB_META_TID = 50479; // "__all_impo
 const uint64_t OB_ALL_IMPORT_TABLE_TASK_HISTORY_AUX_LOB_META_TID = 50480; // "__all_import_table_task_history_aux_lob_meta"
 const uint64_t OB_ALL_AUX_STAT_AUX_LOB_META_TID = 50494; // "__all_aux_stat_aux_lob_meta"
 const uint64_t OB_ALL_INDEX_USAGE_INFO_AUX_LOB_META_TID = 50495; // "__all_index_usage_info_aux_lob_meta"
+const uint64_t OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID = 50502; // "__all_trusted_root_certificate_aux_lob_meta"
 const uint64_t OB_ALL_TABLE_AUX_LOB_PIECE_TID = 60003; // "__all_table_aux_lob_piece"
 const uint64_t OB_ALL_COLUMN_AUX_LOB_PIECE_TID = 60004; // "__all_column_aux_lob_piece"
 const uint64_t OB_ALL_DDL_OPERATION_AUX_LOB_PIECE_TID = 60005; // "__all_ddl_operation_aux_lob_piece"
@@ -2276,6 +2279,7 @@ const uint64_t OB_ALL_IMPORT_TABLE_TASK_AUX_LOB_PIECE_TID = 60479; // "__all_imp
 const uint64_t OB_ALL_IMPORT_TABLE_TASK_HISTORY_AUX_LOB_PIECE_TID = 60480; // "__all_import_table_task_history_aux_lob_piece"
 const uint64_t OB_ALL_AUX_STAT_AUX_LOB_PIECE_TID = 60494; // "__all_aux_stat_aux_lob_piece"
 const uint64_t OB_ALL_INDEX_USAGE_INFO_AUX_LOB_PIECE_TID = 60495; // "__all_index_usage_info_aux_lob_piece"
+const uint64_t OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID = 60502; // "__all_trusted_root_certificate_aux_lob_piece"
 const uint64_t OB_ALL_VIRTUAL_PLAN_CACHE_STAT_ALL_VIRTUAL_PLAN_CACHE_STAT_I1_TID = 14999; // "__all_virtual_plan_cache_stat"
 const uint64_t OB_ALL_VIRTUAL_SESSION_EVENT_ALL_VIRTUAL_SESSION_EVENT_I1_TID = 14998; // "__all_virtual_session_event"
 const uint64_t OB_ALL_VIRTUAL_SESSION_WAIT_ALL_VIRTUAL_SESSION_WAIT_I1_TID = 14997; // "__all_virtual_session_wait"
@@ -2733,6 +2737,7 @@ const char *const OB_ALL_IMPORT_TABLE_TASK_TNAME = "__all_import_table_task";
 const char *const OB_ALL_IMPORT_TABLE_TASK_HISTORY_TNAME = "__all_import_table_task_history";
 const char *const OB_ALL_AUX_STAT_TNAME = "__all_aux_stat";
 const char *const OB_ALL_INDEX_USAGE_INFO_TNAME = "__all_index_usage_info";
+const char *const OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME = "__all_trusted_root_certificate";
 const char *const OB_TENANT_VIRTUAL_ALL_TABLE_TNAME = "__tenant_virtual_all_table";
 const char *const OB_TENANT_VIRTUAL_TABLE_COLUMN_TNAME = "__tenant_virtual_table_column";
 const char *const OB_TENANT_VIRTUAL_TABLE_INDEX_TNAME = "__tenant_virtual_table_index";
@@ -3758,6 +3763,7 @@ const char *const OB_V_OB_TENANT_RUNTIME_INFO_TNAME = "V$OB_TENANT_RUNTIME_INFO"
 const char *const OB_DBA_OB_AUX_STATISTICS_TNAME = "DBA_OB_AUX_STATISTICS";
 const char *const OB_CDB_OB_AUX_STATISTICS_TNAME = "CDB_OB_AUX_STATISTICS";
 const char *const OB_DBA_INDEX_USAGE_TNAME = "DBA_INDEX_USAGE";
+const char *const OB_DBA_OB_TRUSTED_ROOT_CERTIFICATE_TNAME = "DBA_OB_TRUSTED_ROOT_CERTIFICATE";
 const char *const OB_CDB_INDEX_USAGE_TNAME = "CDB_INDEX_USAGE";
 const char *const OB_DBA_SYNONYMS_TNAME = "DBA_SYNONYMS";
 const char *const OB_DBA_OBJECTS_ORA_TNAME = "DBA_OBJECTS";
@@ -4449,6 +4455,7 @@ const char *const OB_ALL_IMPORT_TABLE_TASK_AUX_LOB_META_TNAME = "__all_import_ta
 const char *const OB_ALL_IMPORT_TABLE_TASK_HISTORY_AUX_LOB_META_TNAME = "__all_import_table_task_history_aux_lob_meta";
 const char *const OB_ALL_AUX_STAT_AUX_LOB_META_TNAME = "__all_aux_stat_aux_lob_meta";
 const char *const OB_ALL_INDEX_USAGE_INFO_AUX_LOB_META_TNAME = "__all_index_usage_info_aux_lob_meta";
+const char *const OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TNAME = "__all_trusted_root_certificate_aux_lob_meta";
 const char *const OB_ALL_TABLE_AUX_LOB_PIECE_TNAME = "__all_table_aux_lob_piece";
 const char *const OB_ALL_COLUMN_AUX_LOB_PIECE_TNAME = "__all_column_aux_lob_piece";
 const char *const OB_ALL_DDL_OPERATION_AUX_LOB_PIECE_TNAME = "__all_ddl_operation_aux_lob_piece";
@@ -4715,6 +4722,7 @@ const char *const OB_ALL_IMPORT_TABLE_TASK_AUX_LOB_PIECE_TNAME = "__all_import_t
 const char *const OB_ALL_IMPORT_TABLE_TASK_HISTORY_AUX_LOB_PIECE_TNAME = "__all_import_table_task_history_aux_lob_piece";
 const char *const OB_ALL_AUX_STAT_AUX_LOB_PIECE_TNAME = "__all_aux_stat_aux_lob_piece";
 const char *const OB_ALL_INDEX_USAGE_INFO_AUX_LOB_PIECE_TNAME = "__all_index_usage_info_aux_lob_piece";
+const char *const OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TNAME = "__all_trusted_root_certificate_aux_lob_piece";
 const char *const OB_ALL_VIRTUAL_PLAN_CACHE_STAT_ALL_VIRTUAL_PLAN_CACHE_STAT_I1_TNAME = "__idx_11003_all_virtual_plan_cache_stat_i1";
 const char *const OB_ALL_VIRTUAL_SESSION_EVENT_ALL_VIRTUAL_SESSION_EVENT_I1_TNAME = "__idx_11013_all_virtual_session_event_i1";
 const char *const OB_ALL_VIRTUAL_SESSION_WAIT_ALL_VIRTUAL_SESSION_WAIT_I1_TNAME = "__idx_11014_all_virtual_session_wait_i1";

src/share/inner_table/ob_inner_table_schema_def.py

@@ -6429,7 +6429,22 @@ def_table_schema(
 # 499 :__all_transfer_partition_task_history
 # 500 : __all_tenant_snapshot_create_job
 # 501 : __wr_sqltext
-# 502 : __all_trusted_root_certificate
+
+def_table_schema(
+  owner = 'tony.wzh',
+  table_name = '__all_trusted_root_certificate',
+  table_id = '502',
+  table_type = 'SYSTEM_TABLE',
+  gm_columns = ['gmt_create', 'gmt_modified'],
+  rowkey_columns = [
+    ('common_name', 'varchar:256'),
+  ],
+  normal_columns = [
+    ('description', 'varchar:256'),
+    ('content', 'longtext', 'false'),
+  ],
+)
+
 # 503 : __all_audit_log_filter
 # 504 : __all_audit_log_user
 # 505 : __all_column_privilege
@@ -13249,7 +13264,6 @@ def_table_schema(**gen_iterate_virtual_table_def(
 # 12452: __all_virtual_transfer_partition_task_history
 # 12453: __all_virtual_tenant_snapshot_create_job
 # 12454: __all_virtual_wr_sqltext
-# 12455: __all_virtual_trusted_root_certificate_info
 # 12456: __all_virtual_dbms_lock_allocated
 # 12457: __all_virtual_sharing_storage_compaction_info
 # 12458: __all_virtual_ls_snapshot_in_storage_node
@@ -30406,7 +30420,26 @@ def_table_schema(
 #21506 CDB_WR_SQLTEXT
 #21507 GV$OB_ACTIVE_SESSION_HISTORY
 #21508 V$OB_ACTIVE_SESSION_HISTORY
-#21509 GV$OB_TRUSTED_ROOT_CERTIFICATE
+
+def_table_schema(
+  owner          = 'tony.wzh',
+  table_name     = 'DBA_OB_TRUSTED_ROOT_CERTIFICATE',
+  table_id       = '21509',
+  table_type     = 'SYSTEM_VIEW',
+  gm_columns     = [],
+  rowkey_columns = [],
+  normal_columns = [],
+  in_tenant_space = False,
+  view_definition = """
+  SELECT
+  common_name AS COMMON_NAME,
+  description AS DESCRIPTION,
+  EXTRACT_CERT_EXPIRED_TIME(content) AS CERT_EXPIRED_TIME
+  FROM
+    oceanbase.__all_trusted_root_certificate
+  """.replace("\n", " "),
+)
+
 #21510 DBA_OB_CLONE_PROGRESS
 #21511 mysql.role_edges
 #21512 mysql.default_roles

src/share/inner_table/sys_package/dbms_trusted_certificate_manager_body_mysql.sql

@@ -0,0 +1,22 @@
+#package_name: dbms_trusted_certificate_manager
+#author: tony.wzh
+
+CREATE OR REPLACE PACKAGE BODY dbms_trusted_certificate_manager
+
+  PROCEDURE ADD_TRUSTED_CERTIFICATE(
+    COMMON_NAME VARCHAR(256),
+    DESCRIPTION VARCHAR(256),
+    CONTENT     LONGTEXT);
+  PRAGMA INTERFACE(C, ADD_TRUSTED_CERTIFICATE);
+
+  PROCEDURE DELETE_TRUSTED_CERTIFICATE(
+    COMMON_NAME VARCHAR(256));
+  PRAGMA INTERFACE(C, DELETE_TRUSTED_CERTIFICATE);
+
+  PROCEDURE UPDATE_TRUSTED_CERTIFICATE(
+    COMMON_NAME  VARCHAR(256),
+    DESCRIPTION  VARCHAR(256),
+    CONTENT      LONGTEXT);
+  PRAGMA INTERFACE(C, UPDATE_TRUSTED_CERTIFICATE);
+
+END dbms_trusted_certificate_manager;

src/share/inner_table/sys_package/dbms_trusted_certificate_manager_mysql.sql

@@ -0,0 +1,19 @@
+#package_name: dbms_trusted_certificate_manager
+#author: tony.wzh
+--only support SYS tenant
+
+CREATE OR REPLACE PACKAGE dbms_trusted_certificate_manager AUTHID CURRENT_USER
+
+  PROCEDURE ADD_TRUSTED_CERTIFICATE(
+    COMMON_NAME VARCHAR(256),
+    DESCRIPTION VARCHAR(256),
+    CONTENT     LONGTEXT);
+
+  PROCEDURE DELETE_TRUSTED_CERTIFICATE(COMMON_NAME VARCHAR(256));
+
+  PROCEDURE UPDATE_TRUSTED_CERTIFICATE(
+    COMMON_NAME VARCHAR(256),
+    DESCRIPTION VARCHAR(256),
+    CONTENT     LONGTEXT);
+
+END dbms_trusted_certificate_manager;

src/share/parameter/ob_parameter_seed.ipp

@@ -1783,3 +1783,7 @@ DEF_STR_WITH_CHECKER(_iut_stat_collection_type, OB_TENANT_PARAMETER, "SAMPLE",
 DEF_INT(optimizer_index_cost_adj, OB_TENANT_PARAMETER, "0", "[0,100]",
         "adjust costing of index scan",
         ObParameterAttr(Section::TENANT, Source::DEFAULT, EditLevel::DYNAMIC_EFFECTIVE));
+DEF_BOOL(enable_rpc_authentication_bypass, OB_CLUSTER_PARAMETER, "True",
+        "specifies whether allow arbitration service, standby cluster, OMS service to connect "
+        "cluster and provide service when rpc authentication is turned on.",
+        ObParameterAttr(Section::OBSERVER, Source::DEFAULT, EditLevel::DYNAMIC_EFFECTIVE));

src/sql/CMakeLists.txt

@@ -648,6 +648,7 @@ ob_set_subtarget(ob_sql engine_expr
   engine/expr/ob_expr_xmlcast.cpp
   engine/expr/ob_expr_update_xml.cpp
   engine/expr/ob_expr_temp_table_ssid.cpp
+  engine/expr/ob_expr_extract_cert_expired_time.cpp
 )
 
 ob_set_subtarget(ob_sql engine_join

src/sql/engine/expr/ob_expr_eval_functions.cpp

@@ -335,6 +335,7 @@
 #include "ob_expr_initcap.h"
 #include "ob_expr_temp_table_ssid.h"
 #include "ob_expr_align_date4cmp.h"
+#include "ob_expr_extract_cert_expired_time.h"
 
 namespace oceanbase
 {
@@ -1097,7 +1098,8 @@ static ObExpr::EvalFunc g_expr_eval_functions[] = {
   eval_questionmark_decint2nmb,                                       /* 658 */
   eval_questionmark_nmb2decint_eqcast,                                /* 659 */
   eval_questionmark_decint2decint_eqcast,                             /* 660 */
-  eval_questionmark_decint2decint_normalcast                          /* 661 */
+  eval_questionmark_decint2decint_normalcast,                         /* 661 */
+  ObExprExtractExpiredTime::eval_extract_cert_expired_time,           /* 662 */
 };
 
 static ObExpr::EvalBatchFunc g_expr_eval_batch_functions[] = {

src/sql/engine/expr/ob_expr_extract_cert_expired_time.cpp

@@ -0,0 +1,112 @@
+/**
+ * Copyright (c) 2021 OceanBase
+ * OceanBase CE is licensed under Mulan PubL v2.
+ * You can use this software according to the terms and conditions of the Mulan PubL v2.
+ * You may obtain a copy of Mulan PubL v2 at:
+ *          http://license.coscl.org.cn/MulanPubL-2.0
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PubL v2 for more details.
+ */
+
+#define USING_LOG_PREFIX SQL_ENG
+
+#include "ob_expr_extract_cert_expired_time.h"
+#include "lib/utility/utility.h"
+#include "sql/session/ob_sql_session_info.h"
+#include "sql/engine/ob_exec_context.h"
+
+using namespace oceanbase::share;
+using namespace oceanbase::common;
+
+namespace oceanbase {
+namespace sql {
+
+ObExprExtractExpiredTime::ObExprExtractExpiredTime(common::ObIAllocator& alloc)
+    : ObFuncExprOperator(alloc,
+                         T_FUN_SYS_EXTRACT_CERT_EXPIRED_TIME,
+                         N_EXTRACT_CERT_EXPIRED_TIME,
+                         1,
+                         NOT_VALID_FOR_GENERATED_COL,
+                         NOT_ROW_DIMENSION)
+{
+}
+
+ObExprExtractExpiredTime::~ObExprExtractExpiredTime() {}
+
+int ObExprExtractExpiredTime::calc_result_type1(ObExprResType &type,
+                              ObExprResType &text,
+                              common::ObExprTypeCtx &type_ctx)  const
+{
+  UNUSED(type_ctx);
+  int ret = OB_SUCCESS;
+  if (text.is_null()) {
+    type.set_null();
+  } else {
+    if (!is_type_valid(text.get_type())) {
+      ret = OB_INVALID_ARGUMENT_NUM;
+      LOG_WARN("the param is not castable", K(text), K(ret));
+    } else {
+      type.set_timestamp();
+      type.set_scale(common::MAX_SCALE_FOR_TEMPORAL);
+    }
+  }
+  return ret;
+}
+
+int ObExprExtractExpiredTime::eval_extract_cert_expired_time(const ObExpr &expr, ObEvalCtx &ctx,
+                                                              ObDatum &res)
+{
+  int ret = OB_SUCCESS;
+  if (OB_UNLIKELY(expr.arg_cnt_ != 1)
+      || OB_ISNULL(expr.args_)
+      || OB_ISNULL(expr.args_[0])) {
+    ret = OB_INVALID_ARGUMENT;
+    LOG_WARN("invalid argument", K(ret));
+  } else {
+    ObDatum *arg = NULL;
+    int64_t expired_time = 0;
+    ObObjTypeClass in_tc = ob_obj_type_class(expr.args_[0]->datum_meta_.type_);
+    if (!ob_is_castable_type_class(in_tc)) {
+      res.set_null();
+    } else if (OB_FAIL(expr.eval_param_value(ctx, arg))) {
+      LOG_WARN("eval arg failed", K(ret));
+    } else if (arg->is_null()) {
+      res.set_null();
+    } else if (in_tc != ObTextTC) {
+      const ObString &arg_str = arg->get_string();
+      if (OB_FAIL(extract_cert_expired_time(arg_str.ptr(), arg_str.length(), expired_time))) {
+        LOG_WARN("failed to extract expired time", K(ret), K(*arg), K(in_tc));
+      } else {
+        res.set_timestamp(expired_time);
+      }
+    } else {
+      ObEvalCtx::TempAllocGuard alloc_guard(ctx);
+      ObIAllocator &tmp_alloc = alloc_guard.get_allocator();
+      ObString text_str;
+      if (OB_FAIL(ObTextStringHelper::get_string(expr, tmp_alloc,
+                  0, arg, text_str))) {
+        LOG_WARN("failed to read realdata", K(ret));
+      } else if (OB_FAIL(extract_cert_expired_time(text_str.ptr(), text_str.length(), expired_time))) {
+        LOG_WARN("failed to extract expired time", K(ret), K(*arg), K(in_tc));
+      } else {
+        res.set_timestamp(expired_time);
+      }
+    }
+  }
+  return ret;
+}
+
+int ObExprExtractExpiredTime::cg_expr(ObExprCGCtx &expr_cg_ctx, const ObRawExpr &raw_expr,
+                       ObExpr &rt_expr) const
+{
+  int ret = OB_SUCCESS;
+  UNUSED(expr_cg_ctx);
+  UNUSED(raw_expr);
+  rt_expr.eval_func_ = eval_extract_cert_expired_time;
+  return ret;
+}
+
+}
+}

src/sql/engine/expr/ob_expr_extract_cert_expired_time.h

@@ -0,0 +1,37 @@
+/**
+ * Copyright (c) 2021 OceanBase
+ * OceanBase CE is licensed under Mulan PubL v2.
+ * You can use this software according to the terms and conditions of the Mulan PubL v2.
+ * You may obtain a copy of Mulan PubL v2 at:
+ *          http://license.coscl.org.cn/MulanPubL-2.0
+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
+ * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
+ * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
+ * See the Mulan PubL v2 for more details.
+ */
+
+#ifndef OCEANBASE_SQL_ENGINE_EXPR_OB_EXTRACT_CERT_EXPIRED_TIME_H
+#define OCEANBASE_SQL_ENGINE_EXPR_OB_EXTRACT_CERT_EXPIRED_TIME_H
+#include "sql/engine/expr/ob_expr_operator.h"
+namespace oceanbase {
+namespace sql {
+
+class ObExprExtractExpiredTime : public ObFuncExprOperator
+{
+public:
+  ObExprExtractExpiredTime();
+  explicit ObExprExtractExpiredTime(common::ObIAllocator& alloc);
+  virtual ~ObExprExtractExpiredTime();
+  virtual int calc_result_type1(ObExprResType &type,
+              ObExprResType &text,
+              common::ObExprTypeCtx &type_ctx) const;
+  static int eval_extract_cert_expired_time(const ObExpr &expr, ObEvalCtx &ctx, ObDatum &res);
+  virtual int cg_expr(ObExprCGCtx &expr_cg_ctx, const ObRawExpr &raw_expr,
+                       ObExpr &rt_expr) const override;
+private:
+  DISALLOW_COPY_AND_ASSIGN(ObExprExtractExpiredTime);
+};
+
+}
+}
+#endif

src/sql/engine/expr/ob_expr_operator_factory.cpp

@@ -403,6 +403,7 @@
 #include "sql/engine/expr/ob_expr_update_xml.h"
 #include "sql/engine/expr/ob_expr_temp_table_ssid.h"
 #include "sql/engine/expr/ob_expr_align_date4cmp.h"
+#include "sql/engine/expr/ob_expr_extract_cert_expired_time.h"
 
 using namespace oceanbase::common;
 namespace oceanbase
@@ -999,6 +1000,7 @@ void ObExprOperatorFactory::register_expr_operators()
     REG_OP(ObExprRandstr);
     REG_OP(ObExprPrefixPattern);
     REG_OP(ObExprAlignDate4Cmp);
+    REG_OP(ObExprExtractExpiredTime);
   }();
 // 注册oracle系统函数
   REG_OP_ORCL(ObExprSysConnectByPath);

tools/deploy/mysql_test/r/mysql/information_schema.result

@@ -2989,6 +2989,7 @@ select * from information_schema.statistics where table_schema in ('oceanbase',
 | def           | oceanbase    | __all_tenant_user_failed_login_stat       |          0 | oceanbase    | PRIMARY                            |            2 | user_id                 | A         |        NULL |     NULL | NULL   |          | BTREE      |         |               | YES        | NULL       |
 | def           | oceanbase    | __all_transfer_task                       |          0 | oceanbase    | PRIMARY                            |            1 | task_id                 | A         |        NULL |     NULL | NULL   |          | BTREE      |         |               | YES        | NULL       |
 | def           | oceanbase    | __all_transfer_task_history               |          0 | oceanbase    | PRIMARY                            |            1 | task_id                 | A         |        NULL |     NULL | NULL   |          | BTREE      |         |               | YES        | NULL       |
+| def           | oceanbase    | __all_trusted_root_certificate            |          0 | oceanbase    | PRIMARY                            |            1 | common_name             | A         |        NULL |     NULL | NULL   |          | BTREE      |         |               | YES        | NULL       |
 | def           | oceanbase    | __all_type                                |          0 | oceanbase    | PRIMARY                            |            1 | tenant_id               | A         |        NULL |     NULL | NULL   |          | BTREE      |         |               | YES        | NULL       |
 | def           | oceanbase    | __all_type                                |          0 | oceanbase    | PRIMARY                            |            2 | type_id                 | A         |        NULL |     NULL | NULL   |          | BTREE      |         |               | YES        | NULL       |
 | def           | oceanbase    | __all_type                                |          1 | oceanbase    | idx_db_type_name                   |            1 | database_id             | A         |        NULL |     NULL | NULL   |          | BTREE      |         |               | YES        | NULL       |

tools/deploy/mysql_test/test_suite/inner_table/r/mysql/all_virtual_sys_parameter_stat.result

@@ -90,6 +90,7 @@ enable_record_trace_id
 enable_record_trace_log
 enable_rereplication
 enable_rich_error_msg
+enable_rpc_authentication_bypass
 enable_sql_audit
 enable_sql_extension
 enable_sql_operator_dump

tools/deploy/mysql_test/test_suite/inner_table/r/mysql/desc_sys_views_in_sys.result

@@ -8031,6 +8031,14 @@ LAST_USED	varchar(128)	NO		NULL
 select /*+QUERY_TIMEOUT(60000000)*/ count(*) as cnt from (select * from oceanbase.DBA_INDEX_USAGE limit 1);
 cnt
 1
+desc oceanbase.DBA_OB_TRUSTED_ROOT_CERTIFICATE;
+Field	Type	Null	Key	Default	Extra
+COMMON_NAME	varchar(256)	NO		NULL	
+DESCRIPTION	varchar(256)	NO		NULL	
+CERT_EXPIRED_TIME	timestamp(6)	NO		NULL	
+select /*+QUERY_TIMEOUT(60000000)*/ count(*) as cnt from (select * from oceanbase.DBA_OB_TRUSTED_ROOT_CERTIFICATE limit 1);
+cnt
+1
 desc oceanbase.CDB_INDEX_USAGE;
 Field	Type	Null	Key	Default	Extra
 CON_ID	bigint(20)	NO		NULL	

tools/deploy/mysql_test/test_suite/inner_table/r/mysql/inner_table_overall.result

@@ -266,6 +266,7 @@ select 0xffffffffff & table_id, table_name, table_type, database_id, part_num fr
 480	__all_import_table_task_history	0	201001	1
 494	__all_aux_stat	0	201001	1
 495	__all_index_usage_info	0	201001	1
+502	__all_trusted_root_certificate	0	201001	1
 10001	__tenant_virtual_all_table	2	201001	1
 10002	__tenant_virtual_table_column	2	201001	1
 10003	__tenant_virtual_table_index	2	201001	1
@@ -1041,6 +1042,7 @@ select 0xffffffffff & table_id, table_name, table_type, database_id, part_num fr
 21497	DBA_OB_AUX_STATISTICS	1	201001	1
 21498	CDB_OB_AUX_STATISTICS	1	201001	1
 21499	DBA_INDEX_USAGE	1	201001	1
+21509	DBA_OB_TRUSTED_ROOT_CERTIFICATE	1	201001	1
 21513	CDB_INDEX_USAGE	1	201001	1
 check sys table count and table_id range success
 check count and table_id range for virtual table success