hcq/oceanbase
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

liboblog support ssl - observer part

Browse Source
This commit is contained in:
zb0
2021-09-09 10:16:49 +08:00
committed by wangzelin.wzl
parent 807a7c0bc0
commit 751ce2ac1b
8 changed files with 104 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
deps/oblib/src/rpc/frame/ob_net_easy.cpp vendored
View File

@ -303,22 +303,13 @@ int ObNetEasy::set_easy_keepalive(int easy_keepalive_enabled)
return OB_SUCCESS; return OB_SUCCESS;
} }
int ObNetEasy::load_ssl_config(const bool use_bkmi, const bool use_sm, const common::ObString& cert, int ObNetEasy::load_ssl_config(const bool use_bkmi,
const common::ObString& public_cert, const common::ObString& private_key) const bool use_sm,
const char *ca_ptr,
const char *cert_ptr,
const char *key_ptr)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
const char* ca_ptr = NULL;
const char* cert_ptr = NULL;
const char* key_ptr = NULL;
if (use_bkmi) {
ca_ptr = cert.ptr();
cert_ptr = public_cert.ptr();
key_ptr = private_key.ptr();
} else {
ca_ptr = OB_SSL_CA_FILE;
cert_ptr = OB_SSL_CERT_FILE;
key_ptr = OB_SSL_KEY_FILE;
}
const int from_file = use_bkmi ? 0 : 1; const int from_file = use_bkmi ? 0 : 1;
const int use_babassl = use_sm ? 1 : 0; const int use_babassl = use_sm ? 1 : 0;
if (EASY_OK != (easy_ssl_ob_config_load(mysql_eio_, ca_ptr, cert_ptr, key_ptr, from_file, use_babassl, 0))) { if (EASY_OK != (easy_ssl_ob_config_load(mysql_eio_, ca_ptr, cert_ptr, key_ptr, from_file, use_babassl, 0))) {

7
deps/oblib/src/rpc/frame/ob_net_easy.h vendored
View File

@ -79,8 +79,11 @@ public:
int add_mysql_listen(const uint32_t port, ObReqHandler& handler, ObReqTransport*& transport); int add_mysql_listen(const uint32_t port, ObReqHandler& handler, ObReqTransport*& transport);
int add_mysql_unix_listen(const char* path, ObReqHandler& handler); int add_mysql_unix_listen(const char* path, ObReqHandler& handler);
int set_easy_keepalive(int easy_keepalive_enabled); int set_easy_keepalive(int easy_keepalive_enabled);
int load_ssl_config(const bool use_bkmi, const bool use_sm, const common::ObString& cert, int load_ssl_config(const bool use_bkmi,
const common::ObString& public_cert, const common::ObString& private_key); const bool use_sm,
const char *cert,
const char *public_cert,
const char *private_key);
void on_ioth_start(); void on_ioth_start();

11
deps/oblib/src/rpc/frame/ob_req_transport.cpp vendored
View File

@ -148,7 +148,7 @@ int ObReqTransport::AsyncCB::on_error(int)
} }
ObReqTransport::ObReqTransport(easy_io_t* eio, easy_io_handler_pt* handler) ObReqTransport::ObReqTransport(easy_io_t* eio, easy_io_handler_pt* handler)
: eio_(eio), handler_(handler), sgid_(0), bucket_count_(0) : eio_(eio), handler_(handler), sgid_(0), bucket_count_(0), enable_use_ssl_(false)
{ {
// empty // empty
} }
@ -230,8 +230,11 @@ int ObReqTransport::create_session(easy_session_t*& session, const ObAddr& addr,
session->timeout = static_cast<ev_tstamp>(timeout / 1000); session->timeout = static_cast<ev_tstamp>(timeout / 1000);
bool use_ssl = false; bool use_ssl = false;
if (NULL != handler_ && 1 == handler_->is_ssl && 0 == handler_->is_ssl_opt && NULL != eio_ && NULL != eio_->ssl) { if (NULL != handler_ && 1 == handler_->is_ssl && 0 == handler_->is_ssl_opt
if (ssl_invited_nodes.empty() || 0 == ssl_invited_nodes.case_compare("NONE")) { && NULL != eio_ && NULL != eio_->ssl) {
if (enable_use_ssl_) {
use_ssl = true;
} else if (ssl_invited_nodes.empty() || 0 == ssl_invited_nodes.case_compare("NONE")) {
//nothing //nothing
} else if (0 == ssl_invited_nodes.case_compare("ALL")) { } else if (0 == ssl_invited_nodes.case_compare("ALL")) {
use_ssl = true; use_ssl = true;
@ -246,7 +249,7 @@ int ObReqTransport::create_session(easy_session_t*& session, const ObAddr& addr,
} }
} }
} }
LOG_DEBUG("rpc connection session create", K(local_addr), "dest", addr, K(use_ssl), K(ssl_invited_nodes)); LOG_DEBUG("rpc connection session create", K(local_addr), "dest", addr, K(use_ssl), K(ssl_invited_nodes), K(enable_use_ssl_));
if (use_ssl) { if (use_ssl) {
session->packet_id |= (EASY_CONNECT_SSL | EASY_CONNECT_SSL_OB); session->packet_id |= (EASY_CONNECT_SSL | EASY_CONNECT_SSL_OB);

6
deps/oblib/src/rpc/frame/ob_req_transport.h vendored
View File

@ -238,6 +238,11 @@ public:
{ {
bucket_count_ = bucket_cnt; bucket_count_ = bucket_cnt;
} }
void enable_use_ssl()
{
enable_use_ssl_ = true;
}
template <typename T> template <typename T>
int create_request(Request<T>& req, const ObAddr& addr, int64_t size, int64_t timeout, const ObAddr& local_addr, int create_request(Request<T>& req, const ObAddr& addr, int64_t size, int64_t timeout, const ObAddr& local_addr,
const common::ObString& ssl_invited_nodes, const AsyncCB* cb = NULL) const; const common::ObString& ssl_invited_nodes, const AsyncCB* cb = NULL) const;
@ -269,6 +274,7 @@ private:
easy_io_handler_pt* handler_; easy_io_handler_pt* handler_;
int32_t sgid_; int32_t sgid_;
int32_t bucket_count_; // Control the number of buckets of batch_rpc_eio int32_t bucket_count_; // Control the number of buckets of batch_rpc_eio
bool enable_use_ssl_; // External client support enable ssl
}; // end of class ObReqTransport }; // end of class ObReqTransport
template <typename T> template <typename T>

21
deps/oblib/src/rpc/obrpc/ob_net_client.cpp vendored
View File

@ -75,6 +75,27 @@ int ObNetClient::init()
return ret; return ret;
} }
int ObNetClient::load_ssl_config(const char *ca_cert,
const char *public_cert,
const char *private_key)
{
int ret = OB_SUCCESS;
bool use_bkmi = false;
bool use_sm = false;
if (OB_ISNULL(ca_cert) || OB_ISNULL(public_cert) || OB_ISNULL(private_key)) {
ret = OB_INVALID_ARGUMENT;
OB_LOG(ERROR, "invalid argument", K(ret));
} else if (OB_FAIL(net_.load_ssl_config(use_bkmi, use_sm, ca_cert, public_cert, private_key))) {
OB_LOG(ERROR, "ObNetEasy load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm));
} else {
set_pkt_handler_ssl_opt();
set_transport_ssl_opt();
LOG_INFO("ObNetClient load_ssl_config succ", K(use_bkmi), K(use_sm));
}
return ret;
}
int ObNetClient::init(const ObNetOptions opts) int ObNetClient::init(const ObNetOptions opts)
{ {
return init_(opts); return init_(opts);

16
deps/oblib/src/rpc/obrpc/ob_net_client.h vendored
View File

@ -36,6 +36,22 @@ public:
void destroy(); void destroy();
int get_proxy(ObRpcProxy& proxy); int get_proxy(ObRpcProxy& proxy);
int load_ssl_config(const char *ca_cert,
const char *public_cert,
const char *private_key);
void set_pkt_handler_ssl_opt()
{
pkt_handler_.ez_handler()->is_ssl = 1;
pkt_handler_.ez_handler()->is_ssl_opt = 0;
}
void set_transport_ssl_opt()
{
if (NULL != transport_) {
transport_->enable_use_ssl();
}
}
private: private:
int init_(const rpc::frame::ObNetOptions opts); int init_(const rpc::frame::ObNetOptions opts);

37
src/observer/ob_srv_network_frame.cpp
View File

@ -178,7 +178,7 @@ int ObSrvNetworkFrame::reload_config()
return ret; return ret;
} }
int extract_expired_time(const char* const cert_file, int64_t& expired_time) int ObSrvNetworkFrame::extract_expired_time(const char *const cert_file, int64_t &expired_time)
{ {
int ret = OB_SUCCESS; int ret = OB_SUCCESS;
X509 *cert = NULL; X509 *cert = NULL;
@ -211,14 +211,18 @@ int extract_expired_time(const char* const cert_file, int64_t& expired_time)
return ret; return ret;
} }
uint64_t ObSrvNetworkFrame::get_ssl_file_hash(bool& file_exist) uint64_t ObSrvNetworkFrame::get_ssl_file_hash(const char *ca_cert_file,
const char *ssl_cert_file,
const char *ssl_key_file,
bool &file_exist)
{ {
file_exist = false; file_exist = false;
uint64_t hash_value = 0; uint64_t hash_value = 0;
struct stat tmp_buf[3]; struct stat tmp_buf[3];
if (0 == stat(OB_SSL_CA_FILE, tmp_buf + 0) && 0 == stat(OB_SSL_CERT_FILE, tmp_buf + 1) && if (0 == stat(ca_cert_file, tmp_buf + 0)
0 == stat(OB_SSL_KEY_FILE, tmp_buf + 2)) { && 0 == stat(ssl_cert_file, tmp_buf + 1)
&& 0 == stat(ssl_key_file, tmp_buf + 2)) {
file_exist = true; file_exist = true;
hash_value = murmurhash(&(tmp_buf[0].st_mtime), sizeof(tmp_buf[0].st_mtime), hash_value); hash_value = murmurhash(&(tmp_buf[0].st_mtime), sizeof(tmp_buf[0].st_mtime), hash_value);
hash_value = murmurhash(&(tmp_buf[1].st_mtime), sizeof(tmp_buf[1].st_mtime), hash_value); hash_value = murmurhash(&(tmp_buf[1].st_mtime), sizeof(tmp_buf[1].st_mtime), hash_value);
@ -236,17 +240,22 @@ int ObSrvNetworkFrame::reload_ssl_config()
ObString ssl_config(GCONF.ssl_external_kms_info.str()); ObString ssl_config(GCONF.ssl_external_kms_info.str());
bool file_exist = false; bool file_exist = false;
const uint64_t new_hash_value = ssl_config.empty() ? get_ssl_file_hash(file_exist) : ssl_config.hash(); const uint64_t new_hash_value = ssl_config.empty()
? get_ssl_file_hash(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE, file_exist)
: ssl_config.hash();
if (ssl_config.empty() && !file_exist) { if (ssl_config.empty() && !file_exist) {
ret = OB_INVALID_CONFIG; ret = OB_INVALID_CONFIG;
LOG_WARN("ssl file not available", K(new_hash_value)); LOG_WARN("ssl file not available", K(new_hash_value));
LOG_USER_ERROR(OB_INVALID_CONFIG, "ssl file not available"); LOG_USER_ERROR(OB_INVALID_CONFIG, "ssl file not available");
} else if (last_ssl_info_hash_ == new_hash_value) { } else if (last_ssl_info_hash_ == new_hash_value) {
LOG_INFO("no need reload_ssl_config", K(new_hash_value)); LOG_INFO("no need reload_ssl_config", K(new_hash_value));
} else { } else {
bool use_bkmi = false; bool use_bkmi = false;
bool use_sm = false; bool use_sm = false;
const char *ca_cert = NULL;
const char *public_cert = NULL;
const char *private_key = NULL;
share::ObSSLClient client; share::ObSSLClient client;
if (!ssl_config.empty()) { if (!ssl_config.empty()) {
if (OB_FAIL(client.init(ssl_config.ptr(), ssl_config.length()))) { if (OB_FAIL(client.init(ssl_config.ptr(), ssl_config.length()))) {
@ -256,12 +265,20 @@ int ObSrvNetworkFrame::reload_ssl_config()
} else { } else {
use_bkmi = client.is_bkmi_mode(); use_bkmi = client.is_bkmi_mode();
use_sm = client.is_sm_scene(); use_sm = client.is_sm_scene();
ca_cert = client.get_root_ca().ptr();
public_cert = client.public_cert_.content_.ptr();
private_key = client.private_key_.content_.ptr();
} }
} else { } else {
if (EASY_OK != easy_ssl_ob_config_check(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE, true, false)) { if (EASY_OK != easy_ssl_ob_config_check(OB_SSL_CA_FILE, OB_SSL_CERT_FILE,
OB_SSL_KEY_FILE, true, false)) {
ret = OB_INVALID_CONFIG; ret = OB_INVALID_CONFIG;
LOG_WARN("key and cert not match", K(ret)); LOG_WARN("key and cert not match", K(ret));
LOG_USER_ERROR(OB_INVALID_CONFIG, "key and cert not match"); LOG_USER_ERROR(OB_INVALID_CONFIG, "key and cert not match");
} else {
ca_cert = OB_SSL_CA_FILE;
public_cert = OB_SSL_CERT_FILE;
private_key = OB_SSL_KEY_FILE;
} }
} }
@ -271,9 +288,9 @@ int ObSrvNetworkFrame::reload_ssl_config()
OB_LOG(WARN, "extract_expired_time failed", K(ret), K(use_bkmi)); OB_LOG(WARN, "extract_expired_time failed", K(ret), K(use_bkmi));
} else if (OB_FAIL(net_.load_ssl_config(use_bkmi, } else if (OB_FAIL(net_.load_ssl_config(use_bkmi,
use_sm, use_sm,
client.get_root_ca(), ca_cert,
client.public_cert_.content_, public_cert,
client.private_key_.content_))) { private_key))) {
OB_LOG(WARN, "load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm)); OB_LOG(WARN, "load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm));
} else { } else {
mysql_handler_.ez_handler()->is_ssl = 1; mysql_handler_.ez_handler()->is_ssl = 1;

6
src/observer/ob_srv_network_frame.h
View File

@ -52,7 +52,11 @@ public:
int reload_config(); int reload_config();
int reload_ssl_config(); int reload_ssl_config();
static uint64_t get_ssl_file_hash(bool& file_exist); static int extract_expired_time(const char *const cert_file, int64_t &expired_time);
static uint64_t get_ssl_file_hash(const char *ca_cert_file,
const char *ssl_cert_file,
const char *ssl_key_file,
bool &file_exist);
ObSrvDeliver& get_deliver() ObSrvDeliver& get_deliver()
{ {
return deliver_; return deliver_;