hcq/oceanbase
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

liboblog support ssl - observer part

Browse Source
This commit is contained in:
zb0
2021-09-09 10:16:49 +08:00
committed by wangzelin.wzl
parent 807a7c0bc0
commit 751ce2ac1b
8 changed files with 104 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
deps/oblib/src/rpc/frame/ob_net_easy.cpp vendored
View File

@ -303,22 +303,13 @@ int ObNetEasy::set_easy_keepalive(int easy_keepalive_enabled)
return OB_SUCCESS;
}
int ObNetEasy::load_ssl_config(const bool use_bkmi, const bool use_sm, const common::ObString& cert,
const common::ObString& public_cert, const common::ObString& private_key)
int ObNetEasy::load_ssl_config(const bool use_bkmi,
const bool use_sm,
const char *ca_ptr,
const char *cert_ptr,
const char *key_ptr)
{
int ret = OB_SUCCESS;
const char* ca_ptr = NULL;
const char* cert_ptr = NULL;
const char* key_ptr = NULL;
if (use_bkmi) {
ca_ptr = cert.ptr();
cert_ptr = public_cert.ptr();
key_ptr = private_key.ptr();
} else {
ca_ptr = OB_SSL_CA_FILE;
cert_ptr = OB_SSL_CERT_FILE;
key_ptr = OB_SSL_KEY_FILE;
}
const int from_file = use_bkmi ? 0 : 1;
const int use_babassl = use_sm ? 1 : 0;
if (EASY_OK != (easy_ssl_ob_config_load(mysql_eio_, ca_ptr, cert_ptr, key_ptr, from_file, use_babassl, 0))) {

7
deps/oblib/src/rpc/frame/ob_net_easy.h vendored
View File

@ -79,8 +79,11 @@ public:
int add_mysql_listen(const uint32_t port, ObReqHandler& handler, ObReqTransport*& transport);
int add_mysql_unix_listen(const char* path, ObReqHandler& handler);
int set_easy_keepalive(int easy_keepalive_enabled);
int load_ssl_config(const bool use_bkmi, const bool use_sm, const common::ObString& cert,
const common::ObString& public_cert, const common::ObString& private_key);
int load_ssl_config(const bool use_bkmi,
const bool use_sm,
const char *cert,
const char *public_cert,
const char *private_key);
void on_ioth_start();

13
deps/oblib/src/rpc/frame/ob_req_transport.cpp vendored
View File

@ -148,7 +148,7 @@ int ObReqTransport::AsyncCB::on_error(int)
}
ObReqTransport::ObReqTransport(easy_io_t* eio, easy_io_handler_pt* handler)
: eio_(eio), handler_(handler), sgid_(0), bucket_count_(0)
: eio_(eio), handler_(handler), sgid_(0), bucket_count_(0), enable_use_ssl_(false)
{
// empty
}
@ -230,9 +230,12 @@ int ObReqTransport::create_session(easy_session_t*& session, const ObAddr& addr,
session->timeout = static_cast<ev_tstamp>(timeout / 1000);
bool use_ssl = false;
if (NULL != handler_ && 1 == handler_->is_ssl && 0 == handler_->is_ssl_opt && NULL != eio_ && NULL != eio_->ssl) {
if (ssl_invited_nodes.empty() || 0 == ssl_invited_nodes.case_compare("NONE")) {
// nothing
if (NULL != handler_ && 1 == handler_->is_ssl && 0 == handler_->is_ssl_opt
&& NULL != eio_ && NULL != eio_->ssl) {
if (enable_use_ssl_) {
use_ssl = true;
} else if (ssl_invited_nodes.empty() || 0 == ssl_invited_nodes.case_compare("NONE")) {
//nothing
} else if (0 == ssl_invited_nodes.case_compare("ALL")) {
use_ssl = true;
} else {
@ -246,7 +249,7 @@ int ObReqTransport::create_session(easy_session_t*& session, const ObAddr& addr,
}
}
}
LOG_DEBUG("rpc connection session create", K(local_addr), "dest", addr, K(use_ssl), K(ssl_invited_nodes));
LOG_DEBUG("rpc connection session create", K(local_addr), "dest", addr, K(use_ssl), K(ssl_invited_nodes), K(enable_use_ssl_));
if (use_ssl) {
session->packet_id |= (EASY_CONNECT_SSL | EASY_CONNECT_SSL_OB);

6
deps/oblib/src/rpc/frame/ob_req_transport.h vendored
View File

@ -238,6 +238,11 @@ public:
{
bucket_count_ = bucket_cnt;
}
void enable_use_ssl()
{
enable_use_ssl_ = true;
}
template <typename T>
int create_request(Request<T>& req, const ObAddr& addr, int64_t size, int64_t timeout, const ObAddr& local_addr,
const common::ObString& ssl_invited_nodes, const AsyncCB* cb = NULL) const;
@ -269,6 +274,7 @@ private:
easy_io_handler_pt* handler_;
int32_t sgid_;
int32_t bucket_count_; // Control the number of buckets of batch_rpc_eio
bool enable_use_ssl_; // External client support enable ssl
}; // end of class ObReqTransport
template <typename T>

21
deps/oblib/src/rpc/obrpc/ob_net_client.cpp vendored
View File

@ -75,6 +75,27 @@ int ObNetClient::init()
return ret;
}
int ObNetClient::load_ssl_config(const char *ca_cert,
const char *public_cert,
const char *private_key)
{
int ret = OB_SUCCESS;
bool use_bkmi = false;
bool use_sm = false;
if (OB_ISNULL(ca_cert) || OB_ISNULL(public_cert) || OB_ISNULL(private_key)) {
ret = OB_INVALID_ARGUMENT;
OB_LOG(ERROR, "invalid argument", K(ret));
} else if (OB_FAIL(net_.load_ssl_config(use_bkmi, use_sm, ca_cert, public_cert, private_key))) {
OB_LOG(ERROR, "ObNetEasy load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm));
} else {
set_pkt_handler_ssl_opt();
set_transport_ssl_opt();
LOG_INFO("ObNetClient load_ssl_config succ", K(use_bkmi), K(use_sm));
}
return ret;
}
int ObNetClient::init(const ObNetOptions opts)
{
return init_(opts);

16
deps/oblib/src/rpc/obrpc/ob_net_client.h vendored
View File

@ -36,6 +36,22 @@ public:
void destroy();
int get_proxy(ObRpcProxy& proxy);
int load_ssl_config(const char *ca_cert,
const char *public_cert,
const char *private_key);
void set_pkt_handler_ssl_opt()
{
pkt_handler_.ez_handler()->is_ssl = 1;
pkt_handler_.ez_handler()->is_ssl_opt = 0;
}
void set_transport_ssl_opt()
{
if (NULL != transport_) {
transport_->enable_use_ssl();
}
}
private:
int init_(const rpc::frame::ObNetOptions opts);

57
src/observer/ob_srv_network_frame.cpp
View File

@ -178,11 +178,11 @@ int ObSrvNetworkFrame::reload_config()
return ret;
}
int extract_expired_time(const char* const cert_file, int64_t& expired_time)
int ObSrvNetworkFrame::extract_expired_time(const char *const cert_file, int64_t &expired_time)
{
int ret = OB_SUCCESS;
X509* cert = NULL;
BIO* b = NULL;
X509 *cert = NULL;
BIO *b = NULL;
if (OB_ISNULL(b = BIO_new_file(cert_file, "r"))) {
ret = OB_ERR_UNEXPECTED;
OB_LOG(WARN, "BIO_new_file failed", K(ret), K(cert_file));
@ -190,16 +190,16 @@ int extract_expired_time(const char* const cert_file, int64_t& expired_time)
ret = OB_ERR_UNEXPECTED;
OB_LOG(WARN, "PEM_read_bio_X509 failed", K(ret), K(cert_file));
} else {
ASN1_TIME* notAfter = X509_get_notAfter(cert);
ASN1_TIME *notAfter = X509_get_notAfter(cert);
struct tm tm1;
memset(&tm1, 0, sizeof(tm1));
tm1.tm_year = (notAfter->data[0] - '0') * 10 + (notAfter->data[1] - '0') + 100;
tm1.tm_mon = (notAfter->data[2] - '0') * 10 + (notAfter->data[3] - '0') - 1;
tm1.tm_mday = (notAfter->data[4] - '0') * 10 + (notAfter->data[5] - '0');
tm1.tm_hour = (notAfter->data[6] - '0') * 10 + (notAfter->data[7] - '0');
tm1.tm_min = (notAfter->data[8] - '0') * 10 + (notAfter->data[9] - '0');
memset (&tm1, 0, sizeof (tm1));
tm1.tm_year = (notAfter->data[ 0] - '0') * 10 + (notAfter->data[ 1] - '0') + 100;
tm1.tm_mon = (notAfter->data[ 2] - '0') * 10 + (notAfter->data[ 3] - '0') - 1;
tm1.tm_mday = (notAfter->data[ 4] - '0') * 10 + (notAfter->data[ 5] - '0');
tm1.tm_hour = (notAfter->data[ 6] - '0') * 10 + (notAfter->data[ 7] - '0');
tm1.tm_min = (notAfter->data[ 8] - '0') * 10 + (notAfter->data[ 9] - '0');
tm1.tm_sec = (notAfter->data[10] - '0') * 10 + (notAfter->data[11] - '0');
expired_time = mktime(&tm1) * 1000000; // us
expired_time = mktime(&tm1) * 1000000;//us
}
if (NULL != cert) {
@ -211,14 +211,18 @@ int extract_expired_time(const char* const cert_file, int64_t& expired_time)
return ret;
}
uint64_t ObSrvNetworkFrame::get_ssl_file_hash(bool& file_exist)
uint64_t ObSrvNetworkFrame::get_ssl_file_hash(const char *ca_cert_file,
const char *ssl_cert_file,
const char *ssl_key_file,
bool &file_exist)
{
file_exist = false;
uint64_t hash_value = 0;
struct stat tmp_buf[3];
if (0 == stat(OB_SSL_CA_FILE, tmp_buf + 0) && 0 == stat(OB_SSL_CERT_FILE, tmp_buf + 1) &&
0 == stat(OB_SSL_KEY_FILE, tmp_buf + 2)) {
if (0 == stat(ca_cert_file, tmp_buf + 0)
&& 0 == stat(ssl_cert_file, tmp_buf + 1)
&& 0 == stat(ssl_key_file, tmp_buf + 2)) {
file_exist = true;
hash_value = murmurhash(&(tmp_buf[0].st_mtime), sizeof(tmp_buf[0].st_mtime), hash_value);
hash_value = murmurhash(&(tmp_buf[1].st_mtime), sizeof(tmp_buf[1].st_mtime), hash_value);
@ -236,17 +240,22 @@ int ObSrvNetworkFrame::reload_ssl_config()
ObString ssl_config(GCONF.ssl_external_kms_info.str());
bool file_exist = false;
const uint64_t new_hash_value = ssl_config.empty() ? get_ssl_file_hash(file_exist) : ssl_config.hash();
const uint64_t new_hash_value = ssl_config.empty()
? get_ssl_file_hash(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE, file_exist)
: ssl_config.hash();
if (ssl_config.empty() && !file_exist) {
ret = OB_INVALID_CONFIG;
LOG_WARN("ssl file not available", K(new_hash_value));
LOG_USER_ERROR(OB_INVALID_CONFIG, "ssl file not available");
} else if (last_ssl_info_hash_ == new_hash_value) {
LOG_INFO("no need reload_ssl_config", K(new_hash_value));
} else {
bool use_bkmi = false;
bool use_sm = false;
const char *ca_cert = NULL;
const char *public_cert = NULL;
const char *private_key = NULL;
share::ObSSLClient client;
if (!ssl_config.empty()) {
if (OB_FAIL(client.init(ssl_config.ptr(), ssl_config.length()))) {
@ -256,12 +265,20 @@ int ObSrvNetworkFrame::reload_ssl_config()
} else {
use_bkmi = client.is_bkmi_mode();
use_sm = client.is_sm_scene();
ca_cert = client.get_root_ca().ptr();
public_cert = client.public_cert_.content_.ptr();
private_key = client.private_key_.content_.ptr();
}
} else {
if (EASY_OK != easy_ssl_ob_config_check(OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE, true, false)) {
if (EASY_OK != easy_ssl_ob_config_check(OB_SSL_CA_FILE, OB_SSL_CERT_FILE,
OB_SSL_KEY_FILE, true, false)) {
ret = OB_INVALID_CONFIG;
LOG_WARN("key and cert not match", K(ret));
LOG_USER_ERROR(OB_INVALID_CONFIG, "key and cert not match");
} else {
ca_cert = OB_SSL_CA_FILE;
public_cert = OB_SSL_CERT_FILE;
private_key = OB_SSL_KEY_FILE;
}
}
@ -271,9 +288,9 @@ int ObSrvNetworkFrame::reload_ssl_config()
OB_LOG(WARN, "extract_expired_time failed", K(ret), K(use_bkmi));
} else if (OB_FAIL(net_.load_ssl_config(use_bkmi,
use_sm,
client.get_root_ca(),
client.public_cert_.content_,
client.private_key_.content_))) {
ca_cert,
public_cert,
private_key))) {
OB_LOG(WARN, "load_ssl_config failed", K(ret), K(use_bkmi), K(use_sm));
} else {
mysql_handler_.ez_handler()->is_ssl = 1;

6
src/observer/ob_srv_network_frame.h
View File

@ -52,7 +52,11 @@ public:
int reload_config();
int reload_ssl_config();
static uint64_t get_ssl_file_hash(bool& file_exist);
static int extract_expired_time(const char *const cert_file, int64_t &expired_time);
static uint64_t get_ssl_file_hash(const char *ca_cert_file,
const char *ssl_cert_file,
const char *ssl_key_file,
bool &file_exist);
ObSrvDeliver& get_deliver()
{
return deliver_;