liboblog support ssl - observer part

deps/oblib/src/rpc/frame/ob_net_easy.cpp

@@ -303,22 +303,13 @@ int ObNetEasy::set_easy_keepalive(int easy_keepalive_enabled)
   return OB_SUCCESS;
 }
 
-int ObNetEasy::load_ssl_config(const bool use_bkmi, const bool use_sm, const common::ObString& cert,
-    const common::ObString& public_cert, const common::ObString& private_key)
+int ObNetEasy::load_ssl_config(const bool use_bkmi,
+    const bool use_sm,
+    const char *ca_ptr,
+    const char *cert_ptr,
+    const char *key_ptr)
 {
   int ret = OB_SUCCESS;
-  const char* ca_ptr = NULL;
-  const char* cert_ptr = NULL;
-  const char* key_ptr = NULL;
-  if (use_bkmi) {
-    ca_ptr = cert.ptr();
-    cert_ptr = public_cert.ptr();
-    key_ptr = private_key.ptr();
-  } else {
-    ca_ptr = OB_SSL_CA_FILE;
-    cert_ptr = OB_SSL_CERT_FILE;
-    key_ptr = OB_SSL_KEY_FILE;
-  }
   const int from_file = use_bkmi ? 0 : 1;
   const int use_babassl = use_sm ? 1 : 0;
   if (EASY_OK != (easy_ssl_ob_config_load(mysql_eio_, ca_ptr, cert_ptr, key_ptr, from_file, use_babassl, 0))) {

deps/oblib/src/rpc/frame/ob_net_easy.h

@@ -79,8 +79,11 @@ public:
   int add_mysql_listen(const uint32_t port, ObReqHandler& handler, ObReqTransport*& transport);
   int add_mysql_unix_listen(const char* path, ObReqHandler& handler);
   int set_easy_keepalive(int easy_keepalive_enabled);
-  int load_ssl_config(const bool use_bkmi, const bool use_sm, const common::ObString& cert,
-      const common::ObString& public_cert, const common::ObString& private_key);
+  int load_ssl_config(const bool use_bkmi,
+                      const bool use_sm,
+                      const char *cert,
+                      const char *public_cert,
+                      const char *private_key);
 
   void on_ioth_start();
 

deps/oblib/src/rpc/frame/ob_req_transport.cpp

@@ -148,7 +148,7 @@ int ObReqTransport::AsyncCB::on_error(int)
 }
 
 ObReqTransport::ObReqTransport(easy_io_t* eio, easy_io_handler_pt* handler)
-    : eio_(eio), handler_(handler), sgid_(0), bucket_count_(0)
+    : eio_(eio), handler_(handler), sgid_(0), bucket_count_(0), enable_use_ssl_(false)
 {
   // empty
 }
@@ -230,8 +230,11 @@ int ObReqTransport::create_session(easy_session_t*& session, const ObAddr& addr,
     session->timeout = static_cast<ev_tstamp>(timeout / 1000);
 
     bool use_ssl = false;
-    if (NULL != handler_ && 1 == handler_->is_ssl && 0 == handler_->is_ssl_opt && NULL != eio_ && NULL != eio_->ssl) {
-      if (ssl_invited_nodes.empty() || 0 == ssl_invited_nodes.case_compare("NONE")) {
+    if (NULL != handler_ && 1 == handler_->is_ssl && 0 == handler_->is_ssl_opt
+        && NULL != eio_ && NULL != eio_->ssl) {
+      if (enable_use_ssl_) {
+        use_ssl = true;
+      } else if (ssl_invited_nodes.empty() || 0 == ssl_invited_nodes.case_compare("NONE")) {
         //nothing
       } else if (0 == ssl_invited_nodes.case_compare("ALL")) {
         use_ssl = true;
@@ -246,7 +249,7 @@ int ObReqTransport::create_session(easy_session_t*& session, const ObAddr& addr,
         }
       }
     }
-    LOG_DEBUG("rpc connection session create", K(local_addr), "dest", addr, K(use_ssl), K(ssl_invited_nodes));
+    LOG_DEBUG("rpc connection session create", K(local_addr), "dest", addr, K(use_ssl), K(ssl_invited_nodes), K(enable_use_ssl_));
 
     if (use_ssl) {
       session->packet_id |= (EASY_CONNECT_SSL | EASY_CONNECT_SSL_OB);

deps/oblib/src/rpc/frame/ob_req_transport.h

@@ -238,6 +238,11 @@ public:
   {
     bucket_count_ = bucket_cnt;
   }
+  void enable_use_ssl()
+  {
+    enable_use_ssl_ = true;
+  }
+
   template <typename T>
   int create_request(Request<T>& req, const ObAddr& addr, int64_t size, int64_t timeout, const ObAddr& local_addr,
       const common::ObString& ssl_invited_nodes, const AsyncCB* cb = NULL) const;
@@ -269,6 +274,7 @@ private:
   easy_io_handler_pt* handler_;
   int32_t sgid_;
   int32_t bucket_count_;  // Control the number of buckets of batch_rpc_eio
+  bool enable_use_ssl_; // External client support enable ssl
 };                        // end of class ObReqTransport
 
 template <typename T>

deps/oblib/src/rpc/obrpc/ob_net_client.cpp

@@ -75,6 +75,27 @@ int ObNetClient::init()
   return ret;
 }
 
+int ObNetClient::load_ssl_config(const char *ca_cert,
+                                 const char *public_cert,
+                                 const char *private_key)
+{
+  int ret = OB_SUCCESS;
+  bool use_bkmi = false;
+  bool use_sm = false;
+  if (OB_ISNULL(ca_cert) || OB_ISNULL(public_cert) || OB_ISNULL(private_key)) {
+    ret = OB_INVALID_ARGUMENT;
+    OB_LOG(ERROR, "invalid argument", K(ret));
+  } else if (OB_FAIL(net_.load_ssl_config(use_bkmi, use_sm, ca_cert, public_cert, private_key))) {
+    OB_LOG(ERROR, "ObNetEasy load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm));
+  } else {
+  	set_pkt_handler_ssl_opt();
+  	set_transport_ssl_opt();
+    LOG_INFO("ObNetClient load_ssl_config succ", K(use_bkmi), K(use_sm));
+  }
+
+  return ret;
+}
+
 int ObNetClient::init(const ObNetOptions opts)
 {
   return init_(opts);

deps/oblib/src/rpc/obrpc/ob_net_client.h

@@ -36,6 +36,22 @@ public:
   void destroy();
   int get_proxy(ObRpcProxy& proxy);
 
+  int load_ssl_config(const char *ca_cert,
+                      const char *public_cert,
+                      const char *private_key);
+  
+  void set_pkt_handler_ssl_opt()
+  {
+    pkt_handler_.ez_handler()->is_ssl = 1;
+    pkt_handler_.ez_handler()->is_ssl_opt = 0;
+  }
+
+  void set_transport_ssl_opt()
+  {
+    if (NULL != transport_) {
+      transport_->enable_use_ssl();
+    }
+  }
 private:
   int init_(const rpc::frame::ObNetOptions opts);
 

src/observer/ob_srv_network_frame.cpp

@@ -178,7 +178,7 @@ int ObSrvNetworkFrame::reload_config()
   return ret;
 }
 
-int extract_expired_time(const char* const cert_file, int64_t& expired_time)
+int ObSrvNetworkFrame::extract_expired_time(const char *const cert_file, int64_t &expired_time)
 {
   int ret = OB_SUCCESS;
   X509 *cert = NULL;
@@ -211,14 +211,18 @@ int extract_expired_time(const char* const cert_file, int64_t& expired_time)
   return ret;
 }
 
-uint64_t ObSrvNetworkFrame::get_ssl_file_hash(bool& file_exist)
+uint64_t ObSrvNetworkFrame::get_ssl_file_hash(const char *ca_cert_file,
+    const char *ssl_cert_file,
+    const char *ssl_key_file,
+    bool &file_exist)
 {
   file_exist = false;
   uint64_t hash_value = 0;
   struct stat tmp_buf[3];
 
-  if (0 == stat(OB_SSL_CA_FILE, tmp_buf + 0) && 0 == stat(OB_SSL_CERT_FILE, tmp_buf + 1) &&
-      0 == stat(OB_SSL_KEY_FILE, tmp_buf + 2)) {
+  if (0 == stat(ca_cert_file, tmp_buf + 0)
+      && 0 == stat(ssl_cert_file, tmp_buf + 1)
+      && 0 == stat(ssl_key_file, tmp_buf + 2)) {
     file_exist = true;
     hash_value = murmurhash(&(tmp_buf[0].st_mtime), sizeof(tmp_buf[0].st_mtime), hash_value);
     hash_value = murmurhash(&(tmp_buf[1].st_mtime), sizeof(tmp_buf[1].st_mtime), hash_value);
@@ -236,17 +240,22 @@ int ObSrvNetworkFrame::reload_ssl_config()
 
     ObString ssl_config(GCONF.ssl_external_kms_info.str());
     bool file_exist = false;
-    const uint64_t new_hash_value = ssl_config.empty() ? get_ssl_file_hash(file_exist) : ssl_config.hash();
+    const uint64_t new_hash_value = ssl_config.empty()
+        ? get_ssl_file_hash(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE, file_exist)
+        : ssl_config.hash();
     if (ssl_config.empty() && !file_exist) {
       ret = OB_INVALID_CONFIG;
       LOG_WARN("ssl file not available", K(new_hash_value));
       LOG_USER_ERROR(OB_INVALID_CONFIG, "ssl file not available");
     } else if (last_ssl_info_hash_ == new_hash_value) {
       LOG_INFO("no need reload_ssl_config", K(new_hash_value));
-
     } else {
       bool use_bkmi = false;
       bool use_sm = false;
+      const char *ca_cert = NULL;
+      const char *public_cert = NULL;
+      const char *private_key = NULL;
+
       share::ObSSLClient client;
       if (!ssl_config.empty()) {
         if (OB_FAIL(client.init(ssl_config.ptr(), ssl_config.length()))) {
@@ -256,12 +265,20 @@ int ObSrvNetworkFrame::reload_ssl_config()
         } else {
           use_bkmi = client.is_bkmi_mode();
           use_sm = client.is_sm_scene();
+          ca_cert = client.get_root_ca().ptr();
+          public_cert = client.public_cert_.content_.ptr();
+          private_key = client.private_key_.content_.ptr();
         }
       } else {
-        if (EASY_OK != easy_ssl_ob_config_check(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE, true, false)) {
+        if (EASY_OK != easy_ssl_ob_config_check(OB_SSL_CA_FILE, OB_SSL_CERT_FILE,
+                                                OB_SSL_KEY_FILE, true, false)) {
           ret = OB_INVALID_CONFIG;
           LOG_WARN("key and cert not match", K(ret));
           LOG_USER_ERROR(OB_INVALID_CONFIG, "key and cert not match");
+        } else {
+          ca_cert = OB_SSL_CA_FILE;
+          public_cert = OB_SSL_CERT_FILE;
+          private_key = OB_SSL_KEY_FILE;
         }
       }
 
@@ -271,9 +288,9 @@ int ObSrvNetworkFrame::reload_ssl_config()
           OB_LOG(WARN, "extract_expired_time failed", K(ret), K(use_bkmi));
         } else if (OB_FAIL(net_.load_ssl_config(use_bkmi,
                        use_sm,
-                       client.get_root_ca(),
-                       client.public_cert_.content_,
-                       client.private_key_.content_))) {
+                       ca_cert,
+                       public_cert,
+                       private_key))) {
           OB_LOG(WARN, "load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm));
         } else {
           mysql_handler_.ez_handler()->is_ssl = 1;

src/observer/ob_srv_network_frame.h

@@ -52,7 +52,11 @@ public:
 
   int reload_config();
   int reload_ssl_config();
-  static uint64_t get_ssl_file_hash(bool& file_exist);
+  static int extract_expired_time(const char *const cert_file, int64_t &expired_time);
+  static uint64_t get_ssl_file_hash(const char *ca_cert_file,
+      const char *ssl_cert_file,
+      const char *ssl_key_file,
+      bool &file_exist);
   ObSrvDeliver& get_deliver()
   {
     return deliver_;