diff --git a/deps/oblib/src/lib/CMakeLists.txt b/deps/oblib/src/lib/CMakeLists.txt index 455f47dbad..2ae43dd0c4 100644 --- a/deps/oblib/src/lib/CMakeLists.txt +++ b/deps/oblib/src/lib/CMakeLists.txt @@ -263,6 +263,7 @@ ob_set_subtarget(oblib_lib utility utility/ob_backtrace.cpp utility/ob_proto_trans_util.cpp utility/ob_unify_serialize.cpp + utility/ob_rpc_authentication_utility.cpp ) ob_set_subtarget(oblib_lib ash diff --git a/deps/oblib/src/lib/utility/ob_rpc_authentication_utility.cpp b/deps/oblib/src/lib/utility/ob_rpc_authentication_utility.cpp new file mode 100644 index 0000000000..8a72ee2905 --- /dev/null +++ b/deps/oblib/src/lib/utility/ob_rpc_authentication_utility.cpp @@ -0,0 +1,92 @@ +/** + * Copyright (c) 2021 OceanBase + * OceanBase CE is licensed under Mulan PubL v2. + * You can use this software according to the terms and conditions of the Mulan PubL v2. + * You may obtain a copy of Mulan PubL v2 at: + * http://license.coscl.org.cn/MulanPubL-2.0 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PubL v2 for more details. + */ +#define USING_LOG_PREFIX LIB +#include "rpc/obrpc/ob_rpc_packet.h" +#include "lib/ob_errno.h" +#include "lib/utility/ob_print_utils.h" + +using namespace oceanbase::obrpc; + +namespace oceanbase +{ +namespace common +{ +extern "C" { +int ob_decode_pcode(const char *buf, const int64_t data_len, int64_t *pos, uint32_t *val) +{ + int ret = (NULL != buf && NULL != pos && data_len - *pos >= 4) ? OB_SUCCESS : OB_DESERIALIZE_ERROR; + if (OB_SUCC(ret)) { + *val = ((static_cast(*(buf + (*pos)++))) & 0xff) << 24; + *val |= ((static_cast(*(buf + (*pos)++))) & 0xff) << 16; + *val |= ((static_cast(*(buf + (*pos)++))) & 0xff) << 8; + *val |= ((static_cast(*(buf + (*pos)++))) & 0xff); + } + return ret; +} + +int ob_is_bypass_pcode(uint32_t pcode) +{ + //table_api pcode directly bypass + int bret = 0; + if (pcode >= OB_TABLE_API_LOGIN && pcode <= OB_TABLE_API_MOVE) { //table_api + bret = 1; + } + #ifdef OB_BUILD_ARBITRATION + else if (OB_CREATE_ARB == pcode || OB_DELETE_ARB == pcode + || OB_LOG_FORCE_CLEAR_ARB_CLUSTER_INFO == pcode + || OB_ARB_CLUSTER_OP == pcode) { //arb + bret = 1; + } + #endif + else if (OB_SET_MEMBER_LIST == pcode || OB_ARB_GC_NOTIFY == pcode + || OB_SET_CONFIG == pcode) { //arb + bret = 1; + } else if (pcode >= OB_LOG_PUSH_REQ && pcode <= OB_LOG_BATCH_FETCH_RESP) { //arb + bret = 1; + } else if (OB_LOG_REQ_START_LSN_BY_TS == pcode || OB_LS_FETCH_LOG2 == pcode + ||OB_LS_FETCH_MISSING_LOG == pcode) { //libcdc or standby cluster + bret = 1; + } + return bret; +} + +int ob_is_tableapi_pcode(uint32_t pcode) +{ + int bret = 0; + if (pcode >= OB_TABLE_API_LOGIN && pcode <= OB_TABLE_API_MOVE) { //table_api + bret = 1; + } + return bret; +} + +int ob_judge_is_tableapi_pcode_from_raw_packet(const char *buf, ssize_t data_len) +{ + int bret = 0; + int ret = OB_SUCCESS; + if (NULL != buf) { + int demand_length = OB_NET_HEADER_LENGTH + 4; + if (data_len >= demand_length && 0 == memcmp(buf, ObRpcPacket::MAGIC_HEADER_FLAG, + sizeof(ObRpcPacket::MAGIC_HEADER_FLAG))) { + int64_t pos = 0; + uint32_t pcode = 0; + if (OB_SUCC(ob_decode_pcode(buf + OB_NET_HEADER_LENGTH, 4, &pos, &pcode))) { + if (ob_is_tableapi_pcode(pcode)) { + bret = 1; + } + } + } + } + return bret; +} +} +} +} diff --git a/deps/oblib/src/lib/utility/utility.cpp b/deps/oblib/src/lib/utility/utility.cpp index a3d065f727..3dbe3d4bb4 100644 --- a/deps/oblib/src/lib/utility/utility.cpp +++ b/deps/oblib/src/lib/utility/utility.cpp @@ -1903,6 +1903,52 @@ int64_t get_level3_cache_size() return l3_cache_size; } +int extract_cert_expired_time(const char* cert, const int64_t cert_len, int64_t &expired_time) +{ + int ret = OB_SUCCESS; + STACK_OF(X509_INFO) *chain = NULL; + BIO *cbio = NULL; + if (OB_ISNULL(cert)) { + ret = OB_INVALID_ARGUMENT; + LOG_WARN("public cert from kms is null!", K(ret)); + } else if (OB_ISNULL(cbio = BIO_new_mem_buf((void*)cert, cert_len))) { + ret = OB_ALLOCATE_MEMORY_FAILED; + LOG_WARN("BIO_new_mem_buf failed", K(ret)); + } else if (OB_ISNULL(chain = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL))) { + ret = OB_INVALID_ARGUMENT; + LOG_WARN("PEM_X509_INFO_read_bio failed", K(ret)); + } else { + ASN1_TIME *notAfter = NULL; + X509_INFO *x509_info = NULL; + if (OB_ISNULL(x509_info = sk_X509_INFO_value(chain, 0))) { + ret = OB_INVALID_ARGUMENT; + LOG_WARN("get app cert failed!", K(ret)); + } else if (OB_ISNULL((notAfter = X509_get_notAfter(x509_info->x509)))) { + ret = OB_INVALID_ARGUMENT; + LOG_WARN("X509_get_notAfter failed",K(ret)); + } else { + struct tm tm1; + memset (&tm1, 0, sizeof (tm1)); + tm1.tm_year = (notAfter->data[ 0] - '0') * 10 + (notAfter->data[ 1] - '0') + 100; + tm1.tm_mon = (notAfter->data[ 2] - '0') * 10 + (notAfter->data[ 3] - '0') - 1; + tm1.tm_mday = (notAfter->data[ 4] - '0') * 10 + (notAfter->data[ 5] - '0'); + tm1.tm_hour = (notAfter->data[ 6] - '0') * 10 + (notAfter->data[ 7] - '0'); + tm1.tm_min = (notAfter->data[ 8] - '0') * 10 + (notAfter->data[ 9] - '0'); + tm1.tm_sec = (notAfter->data[10] - '0') * 10 + (notAfter->data[11] - '0'); + time_t expired_time_t = mktime(&tm1); + expired_time_t += (int)(mktime(localtime(&expired_time_t)) - mktime(gmtime(&expired_time_t))); + expired_time = expired_time_t * 1000000; + } + } + if (NULL != cbio) { + BIO_free(cbio); + } + if (NULL != chain) { + sk_X509_INFO_pop_free(chain, X509_INFO_free); + } + return ret; +} + } // end namespace common } // end namespace oceanbase diff --git a/deps/oblib/src/lib/utility/utility.h b/deps/oblib/src/lib/utility/utility.h index 72b5495546..5295b2547e 100644 --- a/deps/oblib/src/lib/utility/utility.h +++ b/deps/oblib/src/lib/utility/utility.h @@ -1310,6 +1310,8 @@ void call_dtor(T *&ptr) // OB_IO_ERROR Error executing system call // OB_SUCCESS successfully executed int is_dir_empty(const char *dirname, bool &is_empty); + +int extract_cert_expired_time(const char* cert, const int64_t cert_len, int64_t &expired_time); } // end namespace common } // end namespace oceanbase diff --git a/deps/oblib/src/rpc/obrpc/ob_poc_rpc_server.cpp b/deps/oblib/src/rpc/obrpc/ob_poc_rpc_server.cpp index d211a3e4ef..aa623b7b9e 100644 --- a/deps/oblib/src/rpc/obrpc/ob_poc_rpc_server.cpp +++ b/deps/oblib/src/rpc/obrpc/ob_poc_rpc_server.cpp @@ -22,7 +22,9 @@ extern "C" { }; #include "rpc/obrpc/ob_rpc_endec.h" #define cfgi(k, v) atoi(getenv(k)?:v) - +extern "C" { +int ussl_check_pcode_mismatch_connection(int fd, uint32_t pcode); +}; namespace oceanbase { namespace obrpc @@ -57,59 +59,64 @@ int ObPocServerHandleContext::create(int64_t resp_id, const char* buf, int64_t s } else { ObCurTraceId::set(tmp_pkt.get_trace_id()); obrpc::ObRpcPacketCode pcode = tmp_pkt.get_pcode(); - auto &set = obrpc::ObRpcPacketSet::instance(); - const char* pcode_label = set.label_of_idx(set.idx_of_pcode(pcode)); - const int64_t pool_size = sizeof(ObPocServerHandleContext) + sizeof(ObRequest) + sizeof(ObRpcPacket) + alloc_payload_sz; - int64_t tenant_id = tmp_pkt.get_tenant_id(); - if (OB_UNLIKELY(tmp_pkt.get_group_id() == OBCG_ELECTION)) { - tenant_id = OB_SERVER_TENANT_ID; - } - timeguard.click(); - ObRpcMemPool* pool = ObRpcMemPool::create(tenant_id, pcode_label, pool_size); - void *temp = NULL; - -#ifdef ERRSIM - THIS_WORKER.set_module_type(tmp_pkt.get_module_type()); -#endif - - if (OB_ISNULL(pool)) { - ret = common::OB_ALLOCATE_MEMORY_FAILED; - RPC_LOG(WARN, "create memory pool failed", K(tenant_id), K(pcode_label)); - } else if (OB_ISNULL(temp = pool->alloc(sizeof(ObPocServerHandleContext) + sizeof(ObRequest)))){ - ret = common::OB_ALLOCATE_MEMORY_FAILED; - RPC_LOG(WARN, "pool allocate memory failed", K(tenant_id), K(pcode_label)); + if (OB_UNLIKELY(ussl_check_pcode_mismatch_connection(pn_get_fd(resp_id), pcode))) { + ret = OB_UNKNOWN_CONNECTION; + RPC_LOG(WARN, "rpc bypass connection received none bypass pcode", K(pcode), K(ret)); } else { - int64_t resp_expired_abs_us = ObTimeUtility::current_time() + tmp_pkt.get_timeout(); - ctx = new(temp)ObPocServerHandleContext(*pool, resp_id, resp_expired_abs_us); - ctx->set_peer_unsafe(); - req = new(ctx + 1)ObRequest(ObRequest::OB_RPC, ObRequest::TRANSPORT_PROTO_POC); + auto &set = obrpc::ObRpcPacketSet::instance(); + const char* pcode_label = set.label_of_idx(set.idx_of_pcode(pcode)); + const int64_t pool_size = sizeof(ObPocServerHandleContext) + sizeof(ObRequest) + sizeof(ObRpcPacket) + alloc_payload_sz; + int64_t tenant_id = tmp_pkt.get_tenant_id(); + if (OB_UNLIKELY(tmp_pkt.get_group_id() == OBCG_ELECTION)) { + tenant_id = OB_SERVER_TENANT_ID; + } timeguard.click(); - ObRpcPacket* pkt = (ObRpcPacket*)pool->alloc(sizeof(ObRpcPacket) + alloc_payload_sz); - if (NULL == pkt) { - RPC_LOG(WARN, "pool allocate rpc packet memory failed", K(tenant_id), K(pcode_label)); - ret = common::OB_ALLOCATE_MEMORY_FAILED; - } else { - MEMCPY(reinterpret_cast(pkt), reinterpret_cast(&tmp_pkt), sizeof(ObRpcPacket)); - const char* packet_data = NULL; - if (alloc_payload_sz > 0) { - packet_data = reinterpret_cast(pkt + 1); - MEMCPY(const_cast(packet_data), tmp_pkt.get_cdata(), tmp_pkt.get_clen()); - } else { - packet_data = tmp_pkt.get_cdata(); - } - int64_t receive_ts = ObTimeUtility::current_time(); - pkt->set_receive_ts(receive_ts); - pkt->set_content(packet_data, tmp_pkt.get_clen()); - req->set_server_handle_context(ctx); - req->set_packet(pkt); - req->set_receive_timestamp(pkt->get_receive_ts()); - req->set_request_arrival_time(pkt->get_receive_ts()); - req->set_arrival_push_diff(common::ObTimeUtility::current_time()); + ObRpcMemPool* pool = ObRpcMemPool::create(tenant_id, pcode_label, pool_size); + void *temp = NULL; - const int64_t fly_ts = receive_ts - pkt->get_timestamp(); - if (fly_ts > oceanbase::common::OB_MAX_PACKET_FLY_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) { - RPC_LOG(WARN, "PNIO packet wait too much time between proxy and server_cb", "pcode", pkt->get_pcode(), - "fly_ts", fly_ts, "send_timestamp", pkt->get_timestamp()); + #ifdef ERRSIM + THIS_WORKER.set_module_type(tmp_pkt.get_module_type()); + #endif + + if (OB_ISNULL(pool)) { + ret = common::OB_ALLOCATE_MEMORY_FAILED; + RPC_LOG(WARN, "create memory pool failed", K(tenant_id), K(pcode_label)); + } else if (OB_ISNULL(temp = pool->alloc(sizeof(ObPocServerHandleContext) + sizeof(ObRequest)))){ + ret = common::OB_ALLOCATE_MEMORY_FAILED; + RPC_LOG(WARN, "pool allocate memory failed", K(tenant_id), K(pcode_label)); + } else { + int64_t resp_expired_abs_us = ObTimeUtility::current_time() + tmp_pkt.get_timeout(); + ctx = new(temp)ObPocServerHandleContext(*pool, resp_id, resp_expired_abs_us); + ctx->set_peer_unsafe(); + req = new(ctx + 1)ObRequest(ObRequest::OB_RPC, ObRequest::TRANSPORT_PROTO_POC); + timeguard.click(); + ObRpcPacket* pkt = (ObRpcPacket*)pool->alloc(sizeof(ObRpcPacket) + alloc_payload_sz); + if (NULL == pkt) { + RPC_LOG(WARN, "pool allocate rpc packet memory failed", K(tenant_id), K(pcode_label)); + ret = common::OB_ALLOCATE_MEMORY_FAILED; + } else { + MEMCPY(reinterpret_cast(pkt), reinterpret_cast(&tmp_pkt), sizeof(ObRpcPacket)); + const char* packet_data = NULL; + if (alloc_payload_sz > 0) { + packet_data = reinterpret_cast(pkt + 1); + MEMCPY(const_cast(packet_data), tmp_pkt.get_cdata(), tmp_pkt.get_clen()); + } else { + packet_data = tmp_pkt.get_cdata(); + } + int64_t receive_ts = ObTimeUtility::current_time(); + pkt->set_receive_ts(receive_ts); + pkt->set_content(packet_data, tmp_pkt.get_clen()); + req->set_server_handle_context(ctx); + req->set_packet(pkt); + req->set_receive_timestamp(pkt->get_receive_ts()); + req->set_request_arrival_time(pkt->get_receive_ts()); + req->set_arrival_push_diff(common::ObTimeUtility::current_time()); + + const int64_t fly_ts = receive_ts - pkt->get_timestamp(); + if (fly_ts > oceanbase::common::OB_MAX_PACKET_FLY_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) { + RPC_LOG(WARN, "PNIO packet wait too much time between proxy and server_cb", "pcode", pkt->get_pcode(), + "fly_ts", fly_ts, "send_timestamp", pkt->get_timestamp()); + } } } } diff --git a/deps/oblib/src/rpc/obrpc/ob_rpc_net_handler.cpp b/deps/oblib/src/rpc/obrpc/ob_rpc_net_handler.cpp index 47ba428aeb..9cc44304ce 100644 --- a/deps/oblib/src/rpc/obrpc/ob_rpc_net_handler.cpp +++ b/deps/oblib/src/rpc/obrpc/ob_rpc_net_handler.cpp @@ -30,6 +30,10 @@ using namespace oceanbase::common; using namespace oceanbase::common::serialization; using namespace oceanbase::rpc::frame; +extern "C" { +int ussl_check_pcode_mismatch_connection(int fd, uint32_t pcode); +}; + namespace oceanbase { namespace obrpc @@ -193,15 +197,22 @@ void *ObRpcNetHandler::decode(easy_message_t *ms) LOG_ERROR("failed to decode", K(easy_conn), KP(ms), K(is_current_normal_mode), K(ret)); } else { if (NULL != pkt) { - const int64_t receive_ts = common::ObClockGenerator::getClock(); - const int64_t fly_ts = receive_ts - pkt->get_timestamp(); - if (!pkt->is_resp() && fly_ts > common::OB_MAX_PACKET_FLY_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) { - LOG_WARN_RET(common::OB_ERR_TOO_MUCH_TIME, "packet fly cost too much time", "pcode", pkt->get_pcode(), - "fly_ts", fly_ts, "send_timestamp", pkt->get_timestamp(), "connection", easy_connection_str(ms->c)); - } - pkt->set_receive_ts(receive_ts); - if (receive_ts - start_ts > common::OB_MAX_PACKET_DECODE_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) { - LOG_WARN_RET(OB_ERR_TOO_MUCH_TIME, "packet decode cost too much time", "pcode", pkt->get_pcode(), "connection", easy_connection_str(ms->c)); + uint32_t pcode = pkt->get_pcode(); + if (OB_UNLIKELY(ussl_check_pcode_mismatch_connection(ms->c->fd, pcode))) { + pkt = NULL; + ms->status = EASY_ERROR; + LOG_WARN_RET(common::OB_BAD_ADDRESS, "enable bypass connection received other RPC, disconnect", K(pcode)); + } else { + const int64_t receive_ts = common::ObClockGenerator::getClock(); + const int64_t fly_ts = receive_ts - pkt->get_timestamp(); + if (!pkt->is_resp() && fly_ts > common::OB_MAX_PACKET_FLY_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) { + LOG_WARN_RET(common::OB_ERR_TOO_MUCH_TIME, "packet fly cost too much time", "pcode", pkt->get_pcode(), + "fly_ts", fly_ts, "send_timestamp", pkt->get_timestamp(), "connection", easy_connection_str(ms->c)); + } + pkt->set_receive_ts(receive_ts); + if (receive_ts - start_ts > common::OB_MAX_PACKET_DECODE_TS && TC_REACH_TIME_INTERVAL(100 * 1000)) { + LOG_WARN_RET(OB_ERR_TOO_MUCH_TIME, "packet decode cost too much time", "pcode", pkt->get_pcode(), "connection", easy_connection_str(ms->c)); + } } } else { //receive data is not enough diff --git a/deps/oblib/src/rpc/pnio/interface/group.c b/deps/oblib/src/rpc/pnio/interface/group.c index a3d5893a0b..5b05c459f2 100644 --- a/deps/oblib/src/rpc/pnio/interface/group.c +++ b/deps/oblib/src/rpc/pnio/interface/group.c @@ -588,3 +588,17 @@ int dispatch_accept_fd_to_certain_group(int fd, uint64_t gid) } return ret; } + +PN_API int pn_get_fd(uint64_t req_id) +{ + int fd = -1; + pn_resp_ctx_t* ctx = (typeof(ctx))req_id; + if (unlikely(NULL == ctx)) { + rk_warn("invalid arguments, req_id=%p", ctx); + } else { + pkts_t* pkts = &ctx->pn->pkts; + pkts_sk_t* sock = (typeof(sock))idm_get(&pkts->sk_map, ctx->sock_id); + fd = sock->fd; + } + return fd; +} diff --git a/deps/oblib/src/rpc/pnio/interface/group.h b/deps/oblib/src/rpc/pnio/interface/group.h index c909580266..c207b5e0ab 100644 --- a/deps/oblib/src/rpc/pnio/interface/group.h +++ b/deps/oblib/src/rpc/pnio/interface/group.h @@ -78,6 +78,7 @@ PN_API uint64_t pn_get_rxbytes(int grp_id); PN_API int dispatch_accept_fd_to_certain_group(int fd, uint64_t gid); PN_API void pn_stop(uint64_t gid); PN_API void pn_wait(uint64_t gid); +PN_API int pn_get_fd(uint64_t req_id); extern int64_t pnio_keepalive_timeout; pn_comm_t* get_current_pnio(); void pn_release(pn_comm_t* pn_comm); diff --git a/deps/ussl-hook/loop/auth-methods.c b/deps/ussl-hook/loop/auth-methods.c index bdbbfe934a..62f3a54bc7 100644 --- a/deps/ussl-hook/loop/auth-methods.c +++ b/deps/ussl-hook/loop/auth-methods.c @@ -15,6 +15,7 @@ int g_ussl_client_auth_methods = USSL_AUTH_NONE; int g_ussl_server_auth_methods = USSL_AUTH_NONE | USSL_AUTH_SSL_HANDSHAKE | USSL_AUTH_SSL_IO; +int g_ussl_enable_bypass_flag = 0; void set_server_auth_methods(const int methods) { @@ -44,3 +45,13 @@ int get_client_auth_methods() { return ATOMIC_LOAD(&g_ussl_client_auth_methods); } + +void ussl_set_auth_bypass_flag(int enable) +{ + g_ussl_enable_bypass_flag = enable; +} + +int ussl_get_auth_bypass_flag() +{ + return g_ussl_enable_bypass_flag; +} diff --git a/deps/ussl-hook/loop/auth-methods.h b/deps/ussl-hook/loop/auth-methods.h index f950de4b3b..1f95a8e974 100644 --- a/deps/ussl-hook/loop/auth-methods.h +++ b/deps/ussl-hook/loop/auth-methods.h @@ -20,5 +20,8 @@ extern int get_server_auth_methods(); extern void set_client_auth_methods(const int methods); extern int get_client_auth_methods(); +extern void ussl_set_auth_bypass_flag(int enable); +extern int ussl_get_auth_bypass_flag(); + #endif // USSL_HOOK_LOOP_AUTH_METHODS_ diff --git a/deps/ussl-hook/loop/handle-event.c b/deps/ussl-hook/loop/handle-event.c index 3def0d0c4a..78de9e21d4 100644 --- a/deps/ussl-hook/loop/handle-event.c +++ b/deps/ussl-hook/loop/handle-event.c @@ -31,6 +31,32 @@ enum ServerNegoStage { SERVER_ACK_NEGO_AND_SSL = 3, }; +enum ob_rpc_connection_type { + OB_CONNECTION_COMMON_TYPE, + OB_CONNECTION_AUTH_BYPASS_TYPE, +}; + +static const int MAX_FD_NUM = 1024 * 1024; +static uint8_t gs_connection_type_arr[MAX_FD_NUM]; + +int ussl_set_rpc_connection_type(int fd, int type) +{ + int ret = 0; + if (fd >= 0 && fd < MAX_FD_NUM) { + gs_connection_type_arr[fd] = type; + } else { + ret = -ERANGE; + } + return ret; +} + +void ussl_reset_rpc_connection_type(int fd) +{ + if (fd >= 0 && fd < MAX_FD_NUM) { + gs_connection_type_arr[fd] = 0; + } +} + static void auth_type_to_str(int auth_type, char *buf, size_t len) { if (USSL_AUTH_NONE == auth_type) { @@ -326,9 +352,28 @@ static int acceptfd_handle_first_readable_event(acceptfd_sk_t *s) } else if (is_local_ip_address(src_addr)) { ussl_log_info("local ip address:%s, need dispatch", src_addr); need_dispatch = 1; + } else if (is_net_keepalive_connection(rbytes, buf)) { + need_dispatch = 1; + ussl_log_info("net keepalive negotation message, need dispatch, src:%s, fd:%d", src_addr, s->fd); } else { - need_dispatch = is_net_keepalive_connection(rbytes, buf); - ussl_log_info("easy negotation message, need dispatch:%d, src:%s, fd:%d", need_dispatch, src_addr, s->fd); + //if enable rpc auth bypass, all connections are allowed, including tableapi, liboblog, + //else, only tableapi connections are allowed + if (ussl_get_auth_bypass_flag()) { + ussl_log_info("rpc auth enable bypass, need dispatch, src:%s, fd:%d", src_addr, s->fd); + need_dispatch = 1; + } else { + if (ob_judge_is_tableapi_pcode_from_raw_packet(buf, rbytes)) { + ussl_log_info("tableapi connection, need dispatch, src:%s, fd:%d", src_addr, s->fd); + need_dispatch = 1; + } + } + if (need_dispatch) { + if (0 == ussl_set_rpc_connection_type(s->fd, OB_CONNECTION_AUTH_BYPASS_TYPE)) { + } else { + ussl_log_warn("ussl_set_rpc_connection_type failed, need close, src:%s, fd:%d", src_addr, s->fd); + need_dispatch = 0; + } + } } if (need_dispatch) { err = EUCLEAN; @@ -375,6 +420,14 @@ static int acceptfd_handle_first_readable_event(acceptfd_sk_t *s) s->fd_info.client_gid = nego_message->client_gid; ussl_log_info("auth mothod is NONE, the fd will be dispatched, fd:%d, src_addr:%s", s->fd, src_addr); + } else if (ussl_get_auth_bypass_flag()) { + if (0 == ussl_set_rpc_connection_type(s->fd, OB_CONNECTION_AUTH_BYPASS_TYPE)) { + err = EUCLEAN; + ussl_log_warn("enable bypass connection, allow connect, src:%s, fd:%d", src_addr, s->fd); + } else { + err = EUCLEAN; + s->has_error = 1; + } } else { err = EUCLEAN; s->has_error = 1; @@ -387,7 +440,7 @@ static int acceptfd_handle_first_readable_event(acceptfd_sk_t *s) if (-1 == ssl_config_ctx_id) { err = EUCLEAN; s->has_error = 1; - ussl_log_error("ssl config not configured!"); + ussl_log_warn("ssl config not configured or not load completely!"); } else { negotiation_message_t nego_message_ack; nego_message_ack.type = nego_message->type; @@ -449,4 +502,14 @@ int acceptfd_sk_handle_event(acceptfd_sk_t *s) } } return ret; +} + +int ussl_check_pcode_mismatch_connection(int fd, uint32_t pcode) +{ + int ret = 0; + if (fd >= 0 && fd < MAX_FD_NUM) { + ret = (gs_connection_type_arr[fd] & OB_CONNECTION_AUTH_BYPASS_TYPE) && + !ob_is_bypass_pcode(pcode); + } + return ret; } \ No newline at end of file diff --git a/deps/ussl-hook/loop/handle-event.h b/deps/ussl-hook/loop/handle-event.h index 02085e4e6e..1bad81d0d1 100644 --- a/deps/ussl-hook/loop/handle-event.h +++ b/deps/ussl-hook/loop/handle-event.h @@ -19,4 +19,7 @@ extern int clientfd_sk_handle_event(clientfd_sk_t *s); extern int acceptfd_sk_handle_event(acceptfd_sk_t *s); extern void ussl_get_peer_addr(int fd, char *buf, int len); extern int is_net_keepalive_connection(ssize_t rbytes, char *buf); +extern int ob_judge_is_tableapi_pcode_from_raw_packet(const char *buf, ssize_t data_len); +extern int ob_is_bypass_pcode(uint32_t pcode); +extern void ussl_reset_rpc_connection_type(int fd); #endif // USSL_HOOK_LOOP_HANDLE_EVENT_ \ No newline at end of file diff --git a/deps/ussl-hook/loop/ussl_listenfd.c b/deps/ussl-hook/loop/ussl_listenfd.c index 85d49a70d8..d780e5f45e 100644 --- a/deps/ussl-hook/loop/ussl_listenfd.c +++ b/deps/ussl-hook/loop/ussl_listenfd.c @@ -36,6 +36,7 @@ void ussl_on_accept(int fd, ussl_sf_t *sf, ussl_eloop_t *ep) add_to_timeout_list(&accept_sk->timeout_link); char src_addr[IP_STRING_MAX_LEN] = {0}; ussl_get_peer_addr(fd, src_addr, IP_STRING_MAX_LEN); + ussl_reset_rpc_connection_type(fd); ussl_log_info("accept new connection, fd:%d, src_addr:%s", fd, src_addr); } } diff --git a/deps/ussl-hook/ssl/ssl_config.c b/deps/ussl-hook/ssl/ssl_config.c index bb1f793d48..64a3c60b76 100644 --- a/deps/ussl-hook/ssl/ssl_config.c +++ b/deps/ussl-hook/ssl/ssl_config.c @@ -228,6 +228,7 @@ static int ob_ssl_set_verify_mode_and_load_CA(SSL_CTX *ctx, const ssl_config_ite } else { SSL_CTX_set_cert_store(ctx, x509_store); } + if (NULL != bio) { BIO_free(bio); } @@ -851,3 +852,12 @@ ssize_t writev_regard_ssl(int fildes, const struct iovec *iov, int iovcnt) } return wbytes; } + +SSL_CTX* ussl_get_server_ctx(int ctx_id) +{ + SSL_CTX *ctx = NULL; + pthread_rwlock_rdlock(&g_ssl_ctx_rwlock); + ctx = gs_ssl_ctx_array[ctx_id][SSL_ROLE_SERVER]; + pthread_rwlock_unlock(&g_ssl_ctx_rwlock); + return ctx; +} \ No newline at end of file diff --git a/deps/ussl-hook/ssl/ssl_config.h b/deps/ussl-hook/ssl/ssl_config.h index 63292abb8f..2723f34eea 100644 --- a/deps/ussl-hook/ssl/ssl_config.h +++ b/deps/ussl-hook/ssl/ssl_config.h @@ -25,6 +25,7 @@ int fd_enable_ssl_for_server(int fd, int ctx_id, int type); int fd_enable_ssl_for_client(int fd, int ctx_id, int type); void fd_disable_ssl(int fd); int ssl_do_handshake(int fd); +SSL_CTX* ussl_get_server_ctx(int ctx_id); ssize_t read_regard_ssl(int fd, char *buf, size_t nbytes); ssize_t write_regard_ssl(int fd, const void *buf, size_t nbytes); ssize_t writev_regard_ssl(int fildes, const struct iovec *iov, int iovcnt); diff --git a/deps/ussl-hook/ussl-hook.c b/deps/ussl-hook/ussl-hook.c index fb368e8ba0..98d8c9889f 100644 --- a/deps/ussl-hook/ussl-hook.c +++ b/deps/ussl-hook/ussl-hook.c @@ -37,6 +37,7 @@ static __thread int ussl_server_ctx_id = -1; static uint64_t global_gid_arr[USSL_MAX_FD_NUM]; static int global_client_ctx_id_arr[USSL_MAX_FD_NUM]; static int global_send_negotiation_arr[USSL_MAX_FD_NUM]; + int is_ussl_bg_thread_started = 0; static int ussl_is_stopped = 0; @@ -278,6 +279,7 @@ ssize_t ussl_write(int fd, const void *buf, size_t nbytes) int ussl_close(int fd) { + ussl_reset_rpc_connection_type(fd); fd_disable_ssl(fd); return libc_close(fd); } diff --git a/deps/ussl-hook/ussl-hook.h b/deps/ussl-hook/ussl-hook.h index 78f65e7079..fe3eb25832 100644 --- a/deps/ussl-hook/ussl-hook.h +++ b/deps/ussl-hook/ussl-hook.h @@ -79,5 +79,4 @@ typedef struct ssl_config_item_t extern int ob_epoll_wait(int __epfd, struct epoll_event *__events, int __maxevents, int __timeout); - #endif // USSL_HOOK_USSL_HOOK_ diff --git a/src/observer/ob_srv_network_frame.cpp b/src/observer/ob_srv_network_frame.cpp index d104aa2b0e..1b7bcd0e62 100644 --- a/src/observer/ob_srv_network_frame.cpp +++ b/src/observer/ob_srv_network_frame.cpp @@ -27,6 +27,7 @@ extern "C" { #include "ussl-hook.h" #include "auth-methods.h" +SSL_CTX* ussl_get_server_ctx(int ctx_id); } #include #include @@ -373,6 +374,115 @@ static int create_ssl_ctx(int ctx_id, int is_from_file, int is_sm, const char *c return ret; } +namespace oceanbase { +static int ob_add_client_CA_list(SSL_CTX *ctx, const char *cert, int cert_length) +{ + int ret = OB_SUCCESS; + if (OB_ISNULL(ctx) || OB_ISNULL(cert)) { + ret = OB_INVALID_ARGUMENT; + LOG_ERROR("invalid argument", KP(ctx), KP(cert)); + } else { + STACK_OF(X509_INFO) *chain = NULL; + X509_STORE *ca_store = NULL; + X509_INFO *x509_info = NULL; + BIO *cbio = NULL; + if (OB_ISNULL(cbio = BIO_new_mem_buf((void*)cert, cert_length))) { + ret = OB_ALLOCATE_MEMORY_FAILED; + LOG_ERROR("BIO_new_mem_buf failed", K(ret)); + } else if (OB_ISNULL(chain = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL))) { + ret = OB_ERR_UNEXPECTED; + int len = strlen(cert); + common::ObString err_reason = common::ObString::make_string(ERR_reason_error_string(ERR_get_error())); + LOG_ERROR("PEM_X509_INFO_read_bio failed", K(ret), K(cert), K(len), K(err_reason)); + } else if (OB_ISNULL(ca_store = SSL_CTX_get_cert_store(ctx))) { + ret = OB_ERR_UNEXPECTED; + LOG_ERROR("SSL_CTX_get_cert_store failed", K(ret)); + } else { + for (int64_t i = 0; i < sk_X509_INFO_num(chain) && OB_SUCC(ret); i++) { + x509_info = sk_X509_INFO_value(chain, i); + if (OB_ISNULL(x509_info)) { + ret = OB_INVALID_ARGUMENT; + LOG_WARN("x509_info is NULL", K(i), K(ret)); + } else if (!SSL_CTX_add_client_CA(ctx, x509_info->x509)) { + ret = OB_ERR_UNEXPECTED; + LOG_WARN("SSL_CTX_add_client_CA failed", K(ret), K(i)); + } else if (!X509_STORE_add_cert(ca_store, x509_info->x509)) { + ret = OB_ERR_UNEXPECTED; + LOG_WARN("X509_STORE_add_cert failed", K(ret), K(i)); + } + } + } + if (NULL != cbio) { + BIO_free(cbio); + } + if (NULL != chain) { + sk_X509_INFO_pop_free(chain, X509_INFO_free); + } + } + return ret; +} + +static int ob_add_client_CA_list_from_sys_table(SSL_CTX *ctx) +{ + int ret = OB_SUCCESS; + uint64_t data_version = 0; + if (OB_ISNULL(ctx)) { + ret = OB_INVALID_ARGUMENT; + LOG_ERROR("ctx is NULL", K(ret)); + } else if (OB_FAIL(GET_MIN_DATA_VERSION(OB_SYS_TENANT_ID, data_version))) { + LOG_WARN("get min data_version with sys tenant id failed", KR(ret)); + } else if (data_version < DATA_VERSION_4_3_0_0) { + LOG_WARN("tenant data version is too low, skip load", KR(ret), KR(data_version)); + } else { + MTL_SWITCH(OB_SYS_TENANT_ID) { + ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_; + if (OB_ISNULL(mysql_proxy)) { + ret = OB_NOT_INIT; + LOG_WARN("mysql proxy is not inited", K(ret)); + } else { + int sql_len = 0; + char sql[OB_SHORT_SQL_LENGTH]; + const char *table_name = share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME; + sql_len = snprintf(sql, OB_SHORT_SQL_LENGTH, + "SELECT content FROM %s", + table_name); + if (sql_len >= OB_SHORT_SQL_LENGTH || sql_len <= 0) { + ret = OB_SIZE_OVERFLOW; + LOG_WARN("failed to format sql, buffer size not enough", K(ret)); + } else { + SMART_VAR(ObMySQLProxy::MySQLResult, res) { + common::sqlclient::ObMySQLResult *result = NULL; + if (OB_FAIL(mysql_proxy->read(res, OB_SYS_TENANT_ID, sql))) { + LOG_WARN("failed to read data", K(ret)); + } else if (OB_ISNULL(result = res.get_result())) { + ret = OB_ERR_UNEXPECTED; + LOG_WARN("failed to get result", K(ret)); + } else { + ObString cert_content; + while (OB_SUCC(ret) && OB_SUCC(result->next())) { + if (OB_FAIL(result->get_varchar(0l, cert_content))) { + LOG_WARN("failed to get content", K(ret)); + } else if (OB_FAIL(ob_add_client_CA_list(ctx, cert_content.ptr(), cert_content.length()))) { + LOG_WARN("failed to ob_add_client_CA_list", K(ret), K(cert_content.length())); + } + } + if (OB_ITER_END == ret) { + ret = OB_SUCCESS; + } + } + } + } + } + } + } + if (OB_TENANT_NOT_IN_SERVER == ret && SS_SERVING != GCTX.status_) { + ret = OB_SUCCESS; + LOG_WARN("observice is not serving do not load CA from sys table"); + } + return ret; +} +} + int ObSrvNetworkFrame::reload_ssl_config() { int ret = common::OB_SUCCESS; @@ -384,9 +494,13 @@ int ObSrvNetworkFrame::reload_ssl_config() const char *intl_file[3] = {OB_SSL_CA_FILE, OB_SSL_CERT_FILE, OB_SSL_KEY_FILE}; const char *sm_file[5] = {OB_SSL_CA_FILE, OB_SSL_SM_SIGN_CERT_FILE, OB_SSL_SM_SIGN_KEY_FILE, OB_SSL_SM_ENC_CERT_FILE, OB_SSL_SM_ENC_KEY_FILE}; - const uint64_t new_hash_value = ssl_config.empty() + const uint64_t file_or_kms_hash_value = ssl_config.empty() ? get_ssl_file_hash(intl_file, sm_file, file_exist) : ssl_config.hash(); + const uint64_t sys_table_cerfificate_hash = get_root_certificate_table_hash(); + uint64_t new_hash_value = common::murmurhash(&sys_table_cerfificate_hash, + sizeof(sys_table_cerfificate_hash), + file_or_kms_hash_value); if (ssl_config.empty() && !file_exist) { ret = OB_INVALID_CONFIG; LOG_WARN("ssl file not available", K(new_hash_value)); @@ -500,7 +614,9 @@ int ObSrvNetworkFrame::reload_ssl_config() const int OB_EASY_RPC_SSL_CTX_ID = 0; if (OB_FAIL(create_ssl_ctx(OB_EASY_RPC_SSL_CTX_ID, !use_bkmi, use_sm, ca_cert, public_cert, private_key, NULL, NULL))) { - LOG_ERROR("create ssl ctx failed", K(OB_EASY_RPC_SSL_CTX_ID)); + LOG_ERROR("create ssl ctx failed", K(OB_EASY_RPC_SSL_CTX_ID), K(ret)); + } else if (OB_FAIL(ob_add_client_CA_list_from_sys_table(ussl_get_server_ctx(OB_EASY_RPC_SSL_CTX_ID)))) { + LOG_WARN("add client CA to SSL_CTX failed", K(ret)); } } } @@ -646,6 +762,7 @@ int ObSrvNetworkFrame::reload_rpc_auth_method() } } set_server_auth_methods(server_auth_methods); + ussl_set_auth_bypass_flag(GCONF.enable_rpc_authentication_bypass); return ret; } @@ -706,4 +823,64 @@ int ObSrvNetworkFrame::net_endpoint_set_ingress(const ObNetEndpointKey &endpoint } } return ret; -} \ No newline at end of file +} + +uint64_t ObSrvNetworkFrame::get_root_certificate_table_hash() +{ + int ret = OB_SUCCESS; + uint64_t hash_value = 0; + int64_t row_count = 0; + int64_t last_modify_time = 0; + uint64_t data_version = 0; + if (OB_FAIL(GET_MIN_DATA_VERSION(OB_SYS_TENANT_ID, data_version))) { + LOG_WARN("get min data_version with sys tenant id failed", KR(ret)); + } else if (data_version < DATA_VERSION_4_3_0_0) { + ret = OB_NOT_SUPPORTED; + LOG_WARN("tenant data version is too low", KR(ret), K(data_version)); + } else { + MTL_SWITCH(OB_SYS_TENANT_ID) { + ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_; + if (OB_ISNULL(mysql_proxy)) { + ret = OB_NOT_INIT; + LOG_WARN("mysql proxy is not inited", K(ret)); + } else { + int sql_len = 0; + char sql[OB_SHORT_SQL_LENGTH]; + const char *table_name = share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME; + sql_len = snprintf(sql, OB_SHORT_SQL_LENGTH, + "SELECT count(*), max(gmt_modified) " + "FROM %s", + table_name); + if (sql_len >= OB_SHORT_SQL_LENGTH || sql_len <= 0) { + ret = OB_SIZE_OVERFLOW; + LOG_WARN("failed to format sql, buffer size not enough", K(ret)); + } else { + SMART_VAR(ObMySQLProxy::MySQLResult, res) { + common::sqlclient::ObMySQLResult *result = NULL; + if (OB_FAIL(mysql_proxy->read(res, OB_SYS_TENANT_ID, sql))) { + LOG_WARN("failed to read data", K(ret)); + } else if (OB_ISNULL(result = res.get_result())) { + ret = OB_ERR_UNEXPECTED; + LOG_WARN("failed to get result", K(ret)); + } else { + while (OB_SUCC(ret) && OB_SUCC(result->next())) { + if (OB_FAIL(result->get_int(0l, row_count))) { + LOG_WARN("failed to get row_count", K(ret)); + } else if (OB_FAIL(result->get_timestamp("max(gmt_modified)", NULL, last_modify_time))) { + LOG_WARN("failed to get modify_time", K(ret)); + } + } + if (OB_ITER_END == ret) { + ret = OB_SUCCESS; + } + } + } + } + if (OB_SUCC(ret)) { + hash_value = common::murmurhash(&row_count, sizeof(row_count), last_modify_time); + } + } + } + } + return hash_value; +} diff --git a/src/observer/ob_srv_network_frame.h b/src/observer/ob_srv_network_frame.h index 8d5e7544ec..bb0bd8f305 100644 --- a/src/observer/ob_srv_network_frame.h +++ b/src/observer/ob_srv_network_frame.h @@ -83,6 +83,7 @@ public: int net_endpoint_set_ingress(const ObNetEndpointKey &endpoint_key, int64_t assigned_bw); private: + uint64_t get_root_certificate_table_hash(); ObGlobalContext &gctx_; ObSrvXlator xlator_; diff --git a/src/pl/CMakeLists.txt b/src/pl/CMakeLists.txt index 441848b68f..7d2dc905a8 100644 --- a/src/pl/CMakeLists.txt +++ b/src/pl/CMakeLists.txt @@ -53,6 +53,7 @@ ob_set_subtarget(ob_pl sys_package sys_package/ob_dbms_user_define_rule.cpp sys_package/ob_dbms_workload_repository.cpp sys_package/ob_pl_dbms_resource_manager.cpp + sys_package/ob_pl_dbms_trusted_certificate_manager.cpp ) ob_set_subtarget(ob_pl dblink diff --git a/src/pl/ob_pl_interface_pragma.h b/src/pl/ob_pl_interface_pragma.h index 3353959a15..9bfa8d3668 100644 --- a/src/pl/ob_pl_interface_pragma.h +++ b/src/pl/ob_pl_interface_pragma.h @@ -65,6 +65,7 @@ #endif #include "pl/sys_package/ob_dbms_session.h" #include "pl/sys_package/ob_dbms_workload_repository.h" +#include "pl/sys_package/ob_pl_dbms_trusted_certificate_manager.h" #ifdef INTERFACE_DEF INTERFACE_DEF(INTERFACE_START, "TEST", (ObPLInterfaceImpl::call)) @@ -681,6 +682,11 @@ // end of dbms_workload_repository /****************************************************************************/ + // start of dbms_trusted_certificate_manager + INTERFACE_DEF(INTERFACE_DBMS_ADD_TRUSTED_CERTIFICATE, "ADD_TRUSTED_CERTIFICATE", (ObPlDBMSTrustedCertificateManager::add_trusted_certificate)) + INTERFACE_DEF(INTERFACE_DBMS_DELETE_TRUSTED_CERTIFICATE, "DELETE_TRUSTED_CERTIFICATE", (ObPlDBMSTrustedCertificateManager::delete_trusted_certificate)) + INTERFACE_DEF(INTERFACE_DBMS_UPDATE_TRUSTED_CERTIFICATE, "UPDATE_TRUSTED_CERTIFICATE", (ObPlDBMSTrustedCertificateManager::update_trusted_certificate)) + // end of end of dbms_workload_repository INTERFACE_DEF(INTERFACE_END, "INVALID", (nullptr)) #endif diff --git a/src/pl/ob_pl_package_manager.cpp b/src/pl/ob_pl_package_manager.cpp index 74f67be074..3a61ad6b33 100644 --- a/src/pl/ob_pl_package_manager.cpp +++ b/src/pl/ob_pl_package_manager.cpp @@ -273,7 +273,8 @@ static ObSysPackageFile mysql_sys_package_file_table[] = { {"dbms_spm", "dbms_spm_mysql.sql", "dbms_spm_body_mysql.sql"}, #endif {"dbms_udr", "dbms_udr_mysql.sql", "dbms_udr_body_mysql.sql"}, - {"dbms_workload_repository", "dbms_workload_repository_mysql.sql", "dbms_workload_repository_body_mysql.sql"} + {"dbms_workload_repository", "dbms_workload_repository_mysql.sql", "dbms_workload_repository_body_mysql.sql"}, + {"dbms_trusted_certificate_manager", "dbms_trusted_certificate_manager_mysql.sql", "dbms_trusted_certificate_manager_body_mysql.sql"}, }; int ObPLPackageManager::load_sys_package(ObMySQLProxy &sql_proxy, ObString &package_name, ObCompatibilityMode compa_mode) diff --git a/src/pl/sys_package/ob_pl_dbms_trusted_certificate_manager.cpp b/src/pl/sys_package/ob_pl_dbms_trusted_certificate_manager.cpp new file mode 100644 index 0000000000..14a8c6d8d5 --- /dev/null +++ b/src/pl/sys_package/ob_pl_dbms_trusted_certificate_manager.cpp @@ -0,0 +1,232 @@ +/** + * Copyright (c) 2021 OceanBase + * OceanBase CE is licensed under Mulan PubL v2. + * You can use this software according to the terms and conditions of the Mulan PubL v2. + * You may obtain a copy of Mulan PubL v2 at: + * http://license.coscl.org.cn/MulanPubL-2.0 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PubL v2 for more details. + */ + +#define USING_LOG_PREFIX PL +#include "ob_pl_dbms_trusted_certificate_manager.h" +#include "share/ob_errno.h" +#include "lib/utility/ob_macro_utils.h" +#include "lib/utility/utility.h" +#include "share/inner_table/ob_inner_table_schema_constants.h" + +using namespace oceanbase::common; +using namespace oceanbase::share; +using namespace oceanbase::pl; +using namespace oceanbase::sql; + +int ObPlDBMSTrustedCertificateManager::check_data_version_and_privilege(ObExecContext &ctx) +{ + int ret = OB_SUCCESS; + uint64_t data_version = 0; + ObSQLSessionInfo *session = ctx.get_my_session(); + if (OB_ISNULL(session)) { + ret = OB_ERR_UNEXPECTED; + LOG_WARN("session is null", K(ret)); + } else if (!is_sys_tenant(session->get_effective_tenant_id())) { + ret = OB_ERR_NO_PRIVILEGE; + LOG_WARN("only sys tenant can operate", K(ret)); + } else if (OB_FAIL(GET_MIN_DATA_VERSION(session->get_effective_tenant_id(), + data_version))) { + LOG_WARN("fail to get tenant data version", KR(ret)); + } else if (data_version < DATA_VERSION_4_3_0_0) { + ret = OB_NOT_SUPPORTED; + LOG_WARN("tenant data version is too low for add trusted certificate", + KR(ret), + K(session->get_effective_tenant_id()), + K(data_version)); + LOG_USER_ERROR(OB_NOT_SUPPORTED, "version is less than 4.3.0, trusted certificate manager not supported"); + } + return ret; +} + +int ObPlDBMSTrustedCertificateManager::add_trusted_certificate( + sql::ObExecContext &ctx, + sql::ParamStore ¶ms, + common::ObObj &result) +{ + enum { + COMMON_NAME = 0, + DESCRIPTION = 1, + CONTENT + }; + int ret = OB_SUCCESS; + if (OB_FAIL(check_data_version_and_privilege(ctx))) { + LOG_WARN("check_data_version_and_privilege failed", K(ret)); + } else { + ObString common_name; + ObString description; + ObString content; + //check cert content validity + for (int64_t i = 0; OB_SUCC(ret) && i < params.count(); i++) { + ObObj &obj = params.at(i); + switch(i) { + case COMMON_NAME: { + if (OB_FAIL(obj.get_string(common_name))) { + LOG_WARN("failed to get content string", K(ret)); + } + break; + } + case DESCRIPTION: { + if (OB_FAIL(obj.get_string(description))) { + LOG_WARN("failed to get description string", K(ret)); + } + break; + } + case CONTENT: { + int64_t cert_expired_time = 0; + if (OB_FAIL(obj.get_string(content))) { + LOG_WARN("failed to get cert string", K(ret)); + } else if (OB_FAIL(extract_cert_expired_time(content.ptr(), content.length(), + cert_expired_time))) { + LOG_WARN("failed to extract cert expired time", K(ret)); + LOG_USER_ERROR(OB_INVALID_ARGUMENT, "cert content, please check"); + } + break; + } + default: + break; + } + } + if (OB_SUCC(ret)) { + int64_t affected_rows = 0; + ObSqlString sql; + ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_; + if (OB_ISNULL(mysql_proxy)) { + ret = OB_NOT_INIT; + LOG_WARN("mysql proxy is not inited", K(ret)); + } else if (OB_FAIL(sql.assign_fmt(INSERT_ALL_TRUSTED_ROOT_CERTIFICAT_SQL, + share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME, + common_name.length(), common_name.ptr(), + description.length(), description.ptr(), + content.length(), content.ptr()))) { + LOG_WARN("format sql failed", KR(ret), K(sql)); + } else if (OB_FAIL(mysql_proxy->write(OB_SYS_TENANT_ID, sql.ptr(), affected_rows))) { + LOG_WARN("execute sql fail", KR(ret), K(sql)); + } + } + } + return ret; +} + +int ObPlDBMSTrustedCertificateManager::delete_trusted_certificate( + sql::ObExecContext &ctx, + sql::ParamStore ¶ms, + common::ObObj &result) +{ + enum { + COMMON_NAME = 0, + }; + int ret = OB_SUCCESS; + if (OB_FAIL(check_data_version_and_privilege(ctx))) { + LOG_WARN("check_data_version_and_privilege failed", K(ret)); + } else { + ObString common_name; + for (int64_t i = 0; OB_SUCC(ret) && i < params.count(); i++) { + ObObj &obj = params.at(i); + switch(i) { + case COMMON_NAME: { + if (OB_FAIL(obj.get_string(common_name))) { + LOG_WARN("failed to get content string", K(ret)); + } + break; + } + default: + break; + } + } + if (OB_SUCC(ret)) { + int64_t affected_rows = 0; + ObSqlString sql; + ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_; + if (OB_ISNULL(mysql_proxy)) { + ret = OB_NOT_INIT; + LOG_WARN("mysql proxy is not inited", K(ret)); + } else if (OB_FAIL(sql.assign_fmt(DELETE_ALL_TRUSTED_ROOT_CERTIFICAT_SQL, + share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME, + common_name.length(), common_name.ptr()))) { + LOG_WARN("format sql failed", KR(ret), K(sql)); + } else if (OB_FAIL(mysql_proxy->write(OB_SYS_TENANT_ID, sql.ptr(), affected_rows))) { + LOG_WARN("execute sql fail", KR(ret), K(sql)); + } + } + } + return ret; +} + + +int ObPlDBMSTrustedCertificateManager::update_trusted_certificate( + sql::ObExecContext &ctx, + sql::ParamStore ¶ms, + common::ObObj &result) +{ + enum { + COMMON_NAME = 0, + DESCRIPTION = 1, + CONTENT + }; + int ret = OB_SUCCESS; + if (OB_FAIL(check_data_version_and_privilege(ctx))) { + LOG_WARN("check_data_version_and_privilege failed", K(ret)); + } else { + ObString common_name; + ObString description; + ObString content; + //check cert content validity + for (int64_t i = 0; OB_SUCC(ret) && i < params.count(); i++) { + ObObj &obj = params.at(i); + switch(i) { + case COMMON_NAME: { + if (OB_FAIL(obj.get_string(common_name))) { + LOG_WARN("failed to get content string", K(ret)); + } + break; + } + case DESCRIPTION: { + if (OB_FAIL(obj.get_string(description))) { + LOG_WARN("failed to get description string", K(ret)); + } + break; + } + case CONTENT: { + int64_t cert_expired_time = 0; + if (OB_FAIL(obj.get_string(content))) { + LOG_WARN("failed to get cert string", K(ret)); + } else if (OB_FAIL(extract_cert_expired_time(content.ptr(), content.length(), + cert_expired_time))) { + LOG_WARN("failed to extract cert expired time", K(ret)); + LOG_USER_ERROR(OB_INVALID_ARGUMENT, "cert content, please check"); + } + break; + } + default: + break; + } + } + if (OB_SUCC(ret)) { + int64_t affected_rows = 0; + ObSqlString sql; + ObMySQLProxy *mysql_proxy = GCTX.sql_proxy_; + if (OB_ISNULL(mysql_proxy)) { + ret = OB_NOT_INIT; + LOG_WARN("mysql proxy is not inited", K(ret)); + } else if (OB_FAIL(sql.assign_fmt(UPDATE_ALL_TRUSTED_ROOT_CERTIFICAT_SQL, + share::OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME, + description.length(), description.ptr(), + content.length(), content.ptr(), + common_name.length(), common_name.ptr()))) { + LOG_WARN("format sql failed", KR(ret), K(sql)); + } else if (OB_FAIL(mysql_proxy->write(OB_SYS_TENANT_ID, sql.ptr(), affected_rows))) { + LOG_WARN("execute sql fail", KR(ret), K(sql)); + } + } + } + return ret; +} diff --git a/src/pl/sys_package/ob_pl_dbms_trusted_certificate_manager.h b/src/pl/sys_package/ob_pl_dbms_trusted_certificate_manager.h new file mode 100644 index 0000000000..aeca12f1b3 --- /dev/null +++ b/src/pl/sys_package/ob_pl_dbms_trusted_certificate_manager.h @@ -0,0 +1,64 @@ +/** + * Copyright (c) 2021 OceanBase + * OceanBase CE is licensed under Mulan PubL v2. + * You can use this software according to the terms and conditions of the Mulan PubL v2. + * You may obtain a copy of Mulan PubL v2 at: + * http://license.coscl.org.cn/MulanPubL-2.0 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PubL v2 for more details. + */ + +#ifndef OCEANBASE_SRC_PL_SYS_PACKAGE_DBMS_TRUSTED_CERTIFICATE_MANAGER_PL_H_ +#define OCEANBASE_SRC_PL_SYS_PACKAGE_DBMS_TRUSTED_CERTIFICATE_MANAGER_PL_H_ + +#include "sql/engine/ob_exec_context.h" + +namespace oceanbase +{ +namespace pl +{ + +#define INSERT_ALL_TRUSTED_ROOT_CERTIFICAT_SQL " \ + insert into %s \ + (common_name, description, content) \ + values ('%.*s', '%.*s', '%.*s') \ + " + +#define DELETE_ALL_TRUSTED_ROOT_CERTIFICAT_SQL " \ + delete from %s \ + where common_name='%.*s' \ + " +#define UPDATE_ALL_TRUSTED_ROOT_CERTIFICAT_SQL " \ + update %s set description='%.*s', content='%.*s' \ + where common_name='%.*s' \ + " + +class ObPlDBMSTrustedCertificateManager +{ +public: + ObPlDBMSTrustedCertificateManager() {} + virtual ~ObPlDBMSTrustedCertificateManager() {} +public: + static int add_trusted_certificate( + sql::ObExecContext &ctx, + sql::ParamStore ¶ms, + common::ObObj &result); + static int delete_trusted_certificate( + sql::ObExecContext &ctx, + sql::ParamStore ¶ms, + common::ObObj &result); + static int update_trusted_certificate( + sql::ObExecContext &ctx, + sql::ParamStore ¶ms, + common::ObObj &result); +private: + static int check_data_version_and_privilege(ObExecContext &ctx); + DISALLOW_COPY_AND_ASSIGN(ObPlDBMSTrustedCertificateManager); +}; + +} +} + +#endif \ No newline at end of file diff --git a/src/share/inner_table/ob_inner_table_schema.21501_21550.cpp b/src/share/inner_table/ob_inner_table_schema.21501_21550.cpp index ebe9f5bf63..37c4b88d5c 100644 --- a/src/share/inner_table/ob_inner_table_schema.21501_21550.cpp +++ b/src/share/inner_table/ob_inner_table_schema.21501_21550.cpp @@ -25,6 +25,56 @@ using namespace common; namespace share { +int ObInnerTableSchema::dba_ob_trusted_root_certificate_schema(ObTableSchema &table_schema) +{ + int ret = OB_SUCCESS; + uint64_t column_id = OB_APP_MIN_COLUMN_ID - 1; + + //generated fields: + table_schema.set_tenant_id(OB_SYS_TENANT_ID); + table_schema.set_tablegroup_id(OB_INVALID_ID); + table_schema.set_database_id(OB_SYS_DATABASE_ID); + table_schema.set_table_id(OB_DBA_OB_TRUSTED_ROOT_CERTIFICATE_TID); + table_schema.set_rowkey_split_pos(0); + table_schema.set_is_use_bloomfilter(false); + table_schema.set_progressive_merge_num(0); + table_schema.set_rowkey_column_num(0); + table_schema.set_load_type(TABLE_LOAD_TYPE_IN_DISK); + table_schema.set_table_type(SYSTEM_VIEW); + table_schema.set_index_type(INDEX_TYPE_IS_NOT); + table_schema.set_def_type(TABLE_DEF_TYPE_INTERNAL); + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_table_name(OB_DBA_OB_TRUSTED_ROOT_CERTIFICATE_TNAME))) { + LOG_ERROR("fail to set table_name", K(ret)); + } + } + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_compress_func_name(OB_DEFAULT_COMPRESS_FUNC_NAME))) { + LOG_ERROR("fail to set compress_func_name", K(ret)); + } + } + table_schema.set_part_level(PARTITION_LEVEL_ZERO); + table_schema.set_charset_type(ObCharset::get_default_charset()); + table_schema.set_collation_type(ObCharset::get_default_collation(ObCharset::get_default_charset())); + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_view_definition(R"__( SELECT common_name AS COMMON_NAME, description AS DESCRIPTION, EXTRACT_CERT_EXPIRED_TIME(content) AS CERT_EXPIRED_TIME FROM oceanbase.__all_trusted_root_certificate )__"))) { + LOG_ERROR("fail to set view_definition", K(ret)); + } + } + table_schema.set_index_using_type(USING_BTREE); + table_schema.set_row_store_type(ENCODING_ROW_STORE); + table_schema.set_store_format(OB_STORE_FORMAT_DYNAMIC_MYSQL); + table_schema.set_progressive_merge_round(1); + table_schema.set_storage_format_version(3); + table_schema.set_tablet_id(0); + + table_schema.set_max_used_column_id(column_id); + return ret; +} + int ObInnerTableSchema::cdb_index_usage_schema(ObTableSchema &table_schema) { int ret = OB_SUCCESS; diff --git a/src/share/inner_table/ob_inner_table_schema.501_550.cpp b/src/share/inner_table/ob_inner_table_schema.501_550.cpp new file mode 100644 index 0000000000..5697c1142a --- /dev/null +++ b/src/share/inner_table/ob_inner_table_schema.501_550.cpp @@ -0,0 +1,167 @@ +/** + * Copyright (c) 2021 OceanBase + * OceanBase CE is licensed under Mulan PubL v2. + * You can use this software according to the terms and conditions of the Mulan PubL v2. + * You may obtain a copy of Mulan PubL v2 at: + * http://license.coscl.org.cn/MulanPubL-2.0 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PubL v2 for more details. + */ + +#define USING_LOG_PREFIX SHARE_SCHEMA +#include "ob_inner_table_schema.h" + +#include "share/schema/ob_schema_macro_define.h" +#include "share/schema/ob_schema_service_sql_impl.h" +#include "share/schema/ob_table_schema.h" +#include "share/scn.h" + +namespace oceanbase +{ +using namespace share::schema; +using namespace common; +namespace share +{ + +int ObInnerTableSchema::all_trusted_root_certificate_schema(ObTableSchema &table_schema) +{ + int ret = OB_SUCCESS; + uint64_t column_id = OB_APP_MIN_COLUMN_ID - 1; + + //generated fields: + table_schema.set_tenant_id(OB_SYS_TENANT_ID); + table_schema.set_tablegroup_id(OB_SYS_TABLEGROUP_ID); + table_schema.set_database_id(OB_SYS_DATABASE_ID); + table_schema.set_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID); + table_schema.set_rowkey_split_pos(0); + table_schema.set_is_use_bloomfilter(false); + table_schema.set_progressive_merge_num(0); + table_schema.set_rowkey_column_num(1); + table_schema.set_load_type(TABLE_LOAD_TYPE_IN_DISK); + table_schema.set_table_type(SYSTEM_TABLE); + table_schema.set_index_type(INDEX_TYPE_IS_NOT); + table_schema.set_def_type(TABLE_DEF_TYPE_INTERNAL); + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_table_name(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME))) { + LOG_ERROR("fail to set table_name", K(ret)); + } + } + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_compress_func_name(OB_DEFAULT_COMPRESS_FUNC_NAME))) { + LOG_ERROR("fail to set compress_func_name", K(ret)); + } + } + table_schema.set_part_level(PARTITION_LEVEL_ZERO); + table_schema.set_charset_type(ObCharset::get_default_charset()); + table_schema.set_collation_type(ObCharset::get_default_collation(ObCharset::get_default_charset())); + + if (OB_SUCC(ret)) { + ObObj gmt_create_default; + ObObj gmt_create_default_null; + + gmt_create_default.set_ext(ObActionFlag::OP_DEFAULT_NOW_FLAG); + gmt_create_default_null.set_null(); + ADD_COLUMN_SCHEMA_TS_T("gmt_create", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObTimestampType, //column_type + CS_TYPE_BINARY,//collation_type + 0, //column length + -1, //column_precision + 6, //column_scale + true,//is nullable + false, //is_autoincrement + false, //is_on_update_for_timestamp + gmt_create_default_null, + gmt_create_default) + } + + if (OB_SUCC(ret)) { + ObObj gmt_modified_default; + ObObj gmt_modified_default_null; + + gmt_modified_default.set_ext(ObActionFlag::OP_DEFAULT_NOW_FLAG); + gmt_modified_default_null.set_null(); + ADD_COLUMN_SCHEMA_TS_T("gmt_modified", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObTimestampType, //column_type + CS_TYPE_BINARY,//collation_type + 0, //column length + -1, //column_precision + 6, //column_scale + true,//is nullable + false, //is_autoincrement + true, //is_on_update_for_timestamp + gmt_modified_default_null, + gmt_modified_default) + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("common_name", //column_name + ++column_id, //column_id + 1, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObVarcharType, //column_type + CS_TYPE_INVALID, //column_collation_type + 256, //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("description", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObVarcharType, //column_type + CS_TYPE_INVALID, //column_collation_type + 256, //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("content", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObLongTextType, //column_type + CS_TYPE_INVALID, //column_collation_type + 0, //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + table_schema.set_index_using_type(USING_BTREE); + table_schema.set_row_store_type(ENCODING_ROW_STORE); + table_schema.set_store_format(OB_STORE_FORMAT_DYNAMIC_MYSQL); + table_schema.set_progressive_merge_round(1); + table_schema.set_storage_format_version(3); + table_schema.set_tablet_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID); + table_schema.set_aux_lob_meta_tid(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID); + table_schema.set_aux_lob_piece_tid(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID); + + table_schema.set_max_used_column_id(column_id); + return ret; +} + + +} // end namespace share +} // end namespace oceanbase diff --git a/src/share/inner_table/ob_inner_table_schema.50501_50550.cpp b/src/share/inner_table/ob_inner_table_schema.50501_50550.cpp new file mode 100644 index 0000000000..4b23150771 --- /dev/null +++ b/src/share/inner_table/ob_inner_table_schema.50501_50550.cpp @@ -0,0 +1,165 @@ +/** + * Copyright (c) 2021 OceanBase + * OceanBase CE is licensed under Mulan PubL v2. + * You can use this software according to the terms and conditions of the Mulan PubL v2. + * You may obtain a copy of Mulan PubL v2 at: + * http://license.coscl.org.cn/MulanPubL-2.0 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PubL v2 for more details. + */ + +#define USING_LOG_PREFIX SHARE_SCHEMA +#include "ob_inner_table_schema.h" + +#include "share/schema/ob_schema_macro_define.h" +#include "share/schema/ob_schema_service_sql_impl.h" +#include "share/schema/ob_table_schema.h" +#include "share/scn.h" + +namespace oceanbase +{ +using namespace share::schema; +using namespace common; +namespace share +{ + +int ObInnerTableSchema::all_trusted_root_certificate_aux_lob_meta_schema(ObTableSchema &table_schema) +{ + int ret = OB_SUCCESS; + uint64_t column_id = OB_APP_MIN_COLUMN_ID - 1; + + //generated fields: + table_schema.set_tenant_id(OB_SYS_TENANT_ID); + table_schema.set_tablegroup_id(OB_SYS_TABLEGROUP_ID); + table_schema.set_database_id(OB_SYS_DATABASE_ID); + table_schema.set_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID); + table_schema.set_rowkey_split_pos(0); + table_schema.set_is_use_bloomfilter(false); + table_schema.set_progressive_merge_num(0); + table_schema.set_rowkey_column_num(2); + table_schema.set_load_type(TABLE_LOAD_TYPE_IN_DISK); + table_schema.set_table_type(AUX_LOB_META); + table_schema.set_index_type(INDEX_TYPE_IS_NOT); + table_schema.set_def_type(TABLE_DEF_TYPE_INTERNAL); + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_table_name(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TNAME))) { + LOG_ERROR("fail to set table_name", K(ret)); + } + } + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_compress_func_name(OB_DEFAULT_COMPRESS_FUNC_NAME))) { + LOG_ERROR("fail to set compress_func_name", K(ret)); + } + } + table_schema.set_part_level(PARTITION_LEVEL_ZERO); + table_schema.set_charset_type(ObCharset::get_default_charset()); + table_schema.set_collation_type(ObCharset::get_default_collation(ObCharset::get_default_charset())); + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("lob_id", //column_name + ++column_id, //column_id + 1, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObVarcharType, //column_type + CS_TYPE_BINARY, //column_collation_type + 16, //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("seq_id", //column_name + ++column_id, //column_id + 2, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObVarcharType, //column_type + CS_TYPE_BINARY, //column_collation_type + 8192, //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("binary_len", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObUInt32Type, //column_type + CS_TYPE_INVALID, //column_collation_type + sizeof(uint32_t), //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("char_len", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObUInt32Type, //column_type + CS_TYPE_INVALID, //column_collation_type + sizeof(uint32_t), //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("piece_id", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObUInt64Type, //column_type + CS_TYPE_INVALID, //column_collation_type + sizeof(uint64_t), //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("lob_data", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObVarcharType, //column_type + CS_TYPE_BINARY, //column_collation_type + 262144, //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + table_schema.set_index_using_type(USING_BTREE); + table_schema.set_row_store_type(ENCODING_ROW_STORE); + table_schema.set_store_format(OB_STORE_FORMAT_DYNAMIC_MYSQL); + table_schema.set_progressive_merge_round(1); + table_schema.set_storage_format_version(3); + table_schema.set_tablet_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID); + table_schema.set_data_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID); + + table_schema.set_max_used_column_id(column_id); + return ret; +} + + +} // end namespace share +} // end namespace oceanbase diff --git a/src/share/inner_table/ob_inner_table_schema.60501_60550.cpp b/src/share/inner_table/ob_inner_table_schema.60501_60550.cpp new file mode 100644 index 0000000000..ff0df783d4 --- /dev/null +++ b/src/share/inner_table/ob_inner_table_schema.60501_60550.cpp @@ -0,0 +1,120 @@ +/** + * Copyright (c) 2021 OceanBase + * OceanBase CE is licensed under Mulan PubL v2. + * You can use this software according to the terms and conditions of the Mulan PubL v2. + * You may obtain a copy of Mulan PubL v2 at: + * http://license.coscl.org.cn/MulanPubL-2.0 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PubL v2 for more details. + */ + +#define USING_LOG_PREFIX SHARE_SCHEMA +#include "ob_inner_table_schema.h" + +#include "share/schema/ob_schema_macro_define.h" +#include "share/schema/ob_schema_service_sql_impl.h" +#include "share/schema/ob_table_schema.h" +#include "share/scn.h" + +namespace oceanbase +{ +using namespace share::schema; +using namespace common; +namespace share +{ + +int ObInnerTableSchema::all_trusted_root_certificate_aux_lob_piece_schema(ObTableSchema &table_schema) +{ + int ret = OB_SUCCESS; + uint64_t column_id = OB_APP_MIN_COLUMN_ID - 1; + + //generated fields: + table_schema.set_tenant_id(OB_SYS_TENANT_ID); + table_schema.set_tablegroup_id(OB_SYS_TABLEGROUP_ID); + table_schema.set_database_id(OB_SYS_DATABASE_ID); + table_schema.set_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID); + table_schema.set_rowkey_split_pos(0); + table_schema.set_is_use_bloomfilter(false); + table_schema.set_progressive_merge_num(0); + table_schema.set_rowkey_column_num(1); + table_schema.set_load_type(TABLE_LOAD_TYPE_IN_DISK); + table_schema.set_table_type(AUX_LOB_PIECE); + table_schema.set_index_type(INDEX_TYPE_IS_NOT); + table_schema.set_def_type(TABLE_DEF_TYPE_INTERNAL); + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_table_name(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TNAME))) { + LOG_ERROR("fail to set table_name", K(ret)); + } + } + + if (OB_SUCC(ret)) { + if (OB_FAIL(table_schema.set_compress_func_name(OB_DEFAULT_COMPRESS_FUNC_NAME))) { + LOG_ERROR("fail to set compress_func_name", K(ret)); + } + } + table_schema.set_part_level(PARTITION_LEVEL_ZERO); + table_schema.set_charset_type(ObCharset::get_default_charset()); + table_schema.set_collation_type(ObCharset::get_default_collation(ObCharset::get_default_charset())); + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("piece_id", //column_name + ++column_id, //column_id + 1, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObUInt64Type, //column_type + CS_TYPE_INVALID, //column_collation_type + sizeof(uint64_t), //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("data_len", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObUInt32Type, //column_type + CS_TYPE_INVALID, //column_collation_type + sizeof(uint32_t), //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + + if (OB_SUCC(ret)) { + ADD_COLUMN_SCHEMA("lob_data", //column_name + ++column_id, //column_id + 0, //rowkey_id + 0, //index_id + 0, //part_key_pos + ObVarcharType, //column_type + CS_TYPE_BINARY, //column_collation_type + 32, //column_length + -1, //column_precision + -1, //column_scale + false, //is_nullable + false); //is_autoincrement + } + table_schema.set_index_using_type(USING_BTREE); + table_schema.set_row_store_type(ENCODING_ROW_STORE); + table_schema.set_store_format(OB_STORE_FORMAT_DYNAMIC_MYSQL); + table_schema.set_progressive_merge_round(1); + table_schema.set_storage_format_version(3); + table_schema.set_tablet_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID); + table_schema.set_data_table_id(OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID); + + table_schema.set_max_used_column_id(column_id); + return ret; +} + + +} // end namespace share +} // end namespace oceanbase diff --git a/src/share/inner_table/ob_inner_table_schema.h b/src/share/inner_table/ob_inner_table_schema.h index a87edd08c1..0b38551667 100644 --- a/src/share/inner_table/ob_inner_table_schema.h +++ b/src/share/inner_table/ob_inner_table_schema.h @@ -558,6 +558,7 @@ public: static int all_import_table_task_history_schema(share::schema::ObTableSchema &table_schema); static int all_aux_stat_schema(share::schema::ObTableSchema &table_schema); static int all_index_usage_info_schema(share::schema::ObTableSchema &table_schema); + static int all_trusted_root_certificate_schema(share::schema::ObTableSchema &table_schema); static int tenant_virtual_all_table_schema(share::schema::ObTableSchema &table_schema); static int tenant_virtual_table_column_schema(share::schema::ObTableSchema &table_schema); static int tenant_virtual_table_index_schema(share::schema::ObTableSchema &table_schema); @@ -1583,6 +1584,7 @@ public: static int dba_ob_aux_statistics_schema(share::schema::ObTableSchema &table_schema); static int cdb_ob_aux_statistics_schema(share::schema::ObTableSchema &table_schema); static int dba_index_usage_schema(share::schema::ObTableSchema &table_schema); + static int dba_ob_trusted_root_certificate_schema(share::schema::ObTableSchema &table_schema); static int cdb_index_usage_schema(share::schema::ObTableSchema &table_schema); static int dba_synonyms_schema(share::schema::ObTableSchema &table_schema); static int dba_objects_ora_schema(share::schema::ObTableSchema &table_schema); @@ -2274,6 +2276,7 @@ public: static int all_import_table_task_history_aux_lob_meta_schema(share::schema::ObTableSchema &table_schema); static int all_aux_stat_aux_lob_meta_schema(share::schema::ObTableSchema &table_schema); static int all_index_usage_info_aux_lob_meta_schema(share::schema::ObTableSchema &table_schema); + static int all_trusted_root_certificate_aux_lob_meta_schema(share::schema::ObTableSchema &table_schema); static int all_table_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema); static int all_column_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema); static int all_ddl_operation_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema); @@ -2540,6 +2543,7 @@ public: static int all_import_table_task_history_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema); static int all_aux_stat_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema); static int all_index_usage_info_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema); + static int all_trusted_root_certificate_aux_lob_piece_schema(share::schema::ObTableSchema &table_schema); static int all_virtual_ash_all_virtual_ash_i1_schema(share::schema::ObTableSchema &table_schema); static int all_virtual_sql_plan_monitor_all_virtual_sql_plan_monitor_i1_schema(share::schema::ObTableSchema &table_schema); static int all_virtual_sql_audit_all_virtual_sql_audit_i1_schema(share::schema::ObTableSchema &table_schema); @@ -3010,6 +3014,7 @@ const schema_create_func sys_table_schema_creators [] = { ObInnerTableSchema::all_import_table_task_history_schema, ObInnerTableSchema::all_aux_stat_schema, ObInnerTableSchema::all_index_usage_info_schema, + ObInnerTableSchema::all_trusted_root_certificate_schema, NULL,}; const schema_create_func virtual_table_schema_creators [] = { @@ -4132,6 +4137,7 @@ const schema_create_func sys_view_schema_creators [] = { ObInnerTableSchema::dba_ob_aux_statistics_schema, ObInnerTableSchema::cdb_ob_aux_statistics_schema, ObInnerTableSchema::dba_index_usage_schema, + ObInnerTableSchema::dba_ob_trusted_root_certificate_schema, ObInnerTableSchema::cdb_index_usage_schema, ObInnerTableSchema::dba_synonyms_schema, ObInnerTableSchema::dba_objects_ora_schema, @@ -11658,6 +11664,14 @@ LOBMapping const lob_aux_table_mappings [] = { ObInnerTableSchema::all_index_usage_info_aux_lob_piece_schema }, + { + OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID, + OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID, + OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID, + ObInnerTableSchema::all_trusted_root_certificate_aux_lob_meta_schema, + ObInnerTableSchema::all_trusted_root_certificate_aux_lob_piece_schema + }, + }; static inline bool get_sys_table_lob_aux_table_id(const uint64_t tid, uint64_t& meta_tid, uint64_t& piece_tid) @@ -11695,12 +11709,12 @@ static inline int get_sys_table_lob_aux_schema(const uint64_t tid, } const int64_t OB_CORE_TABLE_COUNT = 4; -const int64_t OB_SYS_TABLE_COUNT = 263; +const int64_t OB_SYS_TABLE_COUNT = 264; const int64_t OB_VIRTUAL_TABLE_COUNT = 746; -const int64_t OB_SYS_VIEW_COUNT = 795; -const int64_t OB_SYS_TENANT_TABLE_COUNT = 1809; +const int64_t OB_SYS_VIEW_COUNT = 796; +const int64_t OB_SYS_TENANT_TABLE_COUNT = 1811; const int64_t OB_CORE_SCHEMA_VERSION = 1; -const int64_t OB_BOOTSTRAP_SCHEMA_VERSION = 1812; +const int64_t OB_BOOTSTRAP_SCHEMA_VERSION = 1814; } // end namespace share } // end namespace oceanbase diff --git a/src/share/inner_table/ob_inner_table_schema.lob.cpp b/src/share/inner_table/ob_inner_table_schema.lob.cpp index dfc7519f11..fd8fd089cd 100644 --- a/src/share/inner_table/ob_inner_table_schema.lob.cpp +++ b/src/share/inner_table/ob_inner_table_schema.lob.cpp @@ -21,7 +21,7 @@ inner_lob_map_t inner_lob_map; bool lob_mapping_init() { int ret = OB_SUCCESS; - if (OB_FAIL(inner_lob_map.create(266, ObModIds::OB_INNER_LOB_HASH_SET))) { + if (OB_FAIL(inner_lob_map.create(267, ObModIds::OB_INNER_LOB_HASH_SET))) { SERVER_LOG(WARN, "fail to create inner lob map", K(ret)); } else { for (int64_t i = 0; OB_SUCC(ret) && i < ARRAYSIZEOF(lob_aux_table_mappings); ++i) { diff --git a/src/share/inner_table/ob_inner_table_schema_constants.h b/src/share/inner_table/ob_inner_table_schema_constants.h index 02b613a3d3..54fa70a6c3 100644 --- a/src/share/inner_table/ob_inner_table_schema_constants.h +++ b/src/share/inner_table/ob_inner_table_schema_constants.h @@ -294,6 +294,7 @@ const uint64_t OB_ALL_IMPORT_TABLE_TASK_TID = 479; // "__all_import_table_task" const uint64_t OB_ALL_IMPORT_TABLE_TASK_HISTORY_TID = 480; // "__all_import_table_task_history" const uint64_t OB_ALL_AUX_STAT_TID = 494; // "__all_aux_stat" const uint64_t OB_ALL_INDEX_USAGE_INFO_TID = 495; // "__all_index_usage_info" +const uint64_t OB_ALL_TRUSTED_ROOT_CERTIFICATE_TID = 502; // "__all_trusted_root_certificate" const uint64_t OB_TENANT_VIRTUAL_ALL_TABLE_TID = 10001; // "__tenant_virtual_all_table" const uint64_t OB_TENANT_VIRTUAL_TABLE_COLUMN_TID = 10002; // "__tenant_virtual_table_column" const uint64_t OB_TENANT_VIRTUAL_TABLE_INDEX_TID = 10003; // "__tenant_virtual_table_index" @@ -1319,6 +1320,7 @@ const uint64_t OB_V_OB_TENANT_RUNTIME_INFO_TID = 21478; // "V$OB_TENANT_RUNTIME_ const uint64_t OB_DBA_OB_AUX_STATISTICS_TID = 21497; // "DBA_OB_AUX_STATISTICS" const uint64_t OB_CDB_OB_AUX_STATISTICS_TID = 21498; // "CDB_OB_AUX_STATISTICS" const uint64_t OB_DBA_INDEX_USAGE_TID = 21499; // "DBA_INDEX_USAGE" +const uint64_t OB_DBA_OB_TRUSTED_ROOT_CERTIFICATE_TID = 21509; // "DBA_OB_TRUSTED_ROOT_CERTIFICATE" const uint64_t OB_CDB_INDEX_USAGE_TID = 21513; // "CDB_INDEX_USAGE" const uint64_t OB_DBA_SYNONYMS_TID = 25001; // "DBA_SYNONYMS" const uint64_t OB_DBA_OBJECTS_ORA_TID = 25002; // "DBA_OBJECTS_ORA" @@ -2010,6 +2012,7 @@ const uint64_t OB_ALL_IMPORT_TABLE_TASK_AUX_LOB_META_TID = 50479; // "__all_impo const uint64_t OB_ALL_IMPORT_TABLE_TASK_HISTORY_AUX_LOB_META_TID = 50480; // "__all_import_table_task_history_aux_lob_meta" const uint64_t OB_ALL_AUX_STAT_AUX_LOB_META_TID = 50494; // "__all_aux_stat_aux_lob_meta" const uint64_t OB_ALL_INDEX_USAGE_INFO_AUX_LOB_META_TID = 50495; // "__all_index_usage_info_aux_lob_meta" +const uint64_t OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TID = 50502; // "__all_trusted_root_certificate_aux_lob_meta" const uint64_t OB_ALL_TABLE_AUX_LOB_PIECE_TID = 60003; // "__all_table_aux_lob_piece" const uint64_t OB_ALL_COLUMN_AUX_LOB_PIECE_TID = 60004; // "__all_column_aux_lob_piece" const uint64_t OB_ALL_DDL_OPERATION_AUX_LOB_PIECE_TID = 60005; // "__all_ddl_operation_aux_lob_piece" @@ -2276,6 +2279,7 @@ const uint64_t OB_ALL_IMPORT_TABLE_TASK_AUX_LOB_PIECE_TID = 60479; // "__all_imp const uint64_t OB_ALL_IMPORT_TABLE_TASK_HISTORY_AUX_LOB_PIECE_TID = 60480; // "__all_import_table_task_history_aux_lob_piece" const uint64_t OB_ALL_AUX_STAT_AUX_LOB_PIECE_TID = 60494; // "__all_aux_stat_aux_lob_piece" const uint64_t OB_ALL_INDEX_USAGE_INFO_AUX_LOB_PIECE_TID = 60495; // "__all_index_usage_info_aux_lob_piece" +const uint64_t OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TID = 60502; // "__all_trusted_root_certificate_aux_lob_piece" const uint64_t OB_ALL_VIRTUAL_PLAN_CACHE_STAT_ALL_VIRTUAL_PLAN_CACHE_STAT_I1_TID = 14999; // "__all_virtual_plan_cache_stat" const uint64_t OB_ALL_VIRTUAL_SESSION_EVENT_ALL_VIRTUAL_SESSION_EVENT_I1_TID = 14998; // "__all_virtual_session_event" const uint64_t OB_ALL_VIRTUAL_SESSION_WAIT_ALL_VIRTUAL_SESSION_WAIT_I1_TID = 14997; // "__all_virtual_session_wait" @@ -2733,6 +2737,7 @@ const char *const OB_ALL_IMPORT_TABLE_TASK_TNAME = "__all_import_table_task"; const char *const OB_ALL_IMPORT_TABLE_TASK_HISTORY_TNAME = "__all_import_table_task_history"; const char *const OB_ALL_AUX_STAT_TNAME = "__all_aux_stat"; const char *const OB_ALL_INDEX_USAGE_INFO_TNAME = "__all_index_usage_info"; +const char *const OB_ALL_TRUSTED_ROOT_CERTIFICATE_TNAME = "__all_trusted_root_certificate"; const char *const OB_TENANT_VIRTUAL_ALL_TABLE_TNAME = "__tenant_virtual_all_table"; const char *const OB_TENANT_VIRTUAL_TABLE_COLUMN_TNAME = "__tenant_virtual_table_column"; const char *const OB_TENANT_VIRTUAL_TABLE_INDEX_TNAME = "__tenant_virtual_table_index"; @@ -3758,6 +3763,7 @@ const char *const OB_V_OB_TENANT_RUNTIME_INFO_TNAME = "V$OB_TENANT_RUNTIME_INFO" const char *const OB_DBA_OB_AUX_STATISTICS_TNAME = "DBA_OB_AUX_STATISTICS"; const char *const OB_CDB_OB_AUX_STATISTICS_TNAME = "CDB_OB_AUX_STATISTICS"; const char *const OB_DBA_INDEX_USAGE_TNAME = "DBA_INDEX_USAGE"; +const char *const OB_DBA_OB_TRUSTED_ROOT_CERTIFICATE_TNAME = "DBA_OB_TRUSTED_ROOT_CERTIFICATE"; const char *const OB_CDB_INDEX_USAGE_TNAME = "CDB_INDEX_USAGE"; const char *const OB_DBA_SYNONYMS_TNAME = "DBA_SYNONYMS"; const char *const OB_DBA_OBJECTS_ORA_TNAME = "DBA_OBJECTS"; @@ -4449,6 +4455,7 @@ const char *const OB_ALL_IMPORT_TABLE_TASK_AUX_LOB_META_TNAME = "__all_import_ta const char *const OB_ALL_IMPORT_TABLE_TASK_HISTORY_AUX_LOB_META_TNAME = "__all_import_table_task_history_aux_lob_meta"; const char *const OB_ALL_AUX_STAT_AUX_LOB_META_TNAME = "__all_aux_stat_aux_lob_meta"; const char *const OB_ALL_INDEX_USAGE_INFO_AUX_LOB_META_TNAME = "__all_index_usage_info_aux_lob_meta"; +const char *const OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_META_TNAME = "__all_trusted_root_certificate_aux_lob_meta"; const char *const OB_ALL_TABLE_AUX_LOB_PIECE_TNAME = "__all_table_aux_lob_piece"; const char *const OB_ALL_COLUMN_AUX_LOB_PIECE_TNAME = "__all_column_aux_lob_piece"; const char *const OB_ALL_DDL_OPERATION_AUX_LOB_PIECE_TNAME = "__all_ddl_operation_aux_lob_piece"; @@ -4715,6 +4722,7 @@ const char *const OB_ALL_IMPORT_TABLE_TASK_AUX_LOB_PIECE_TNAME = "__all_import_t const char *const OB_ALL_IMPORT_TABLE_TASK_HISTORY_AUX_LOB_PIECE_TNAME = "__all_import_table_task_history_aux_lob_piece"; const char *const OB_ALL_AUX_STAT_AUX_LOB_PIECE_TNAME = "__all_aux_stat_aux_lob_piece"; const char *const OB_ALL_INDEX_USAGE_INFO_AUX_LOB_PIECE_TNAME = "__all_index_usage_info_aux_lob_piece"; +const char *const OB_ALL_TRUSTED_ROOT_CERTIFICATE_AUX_LOB_PIECE_TNAME = "__all_trusted_root_certificate_aux_lob_piece"; const char *const OB_ALL_VIRTUAL_PLAN_CACHE_STAT_ALL_VIRTUAL_PLAN_CACHE_STAT_I1_TNAME = "__idx_11003_all_virtual_plan_cache_stat_i1"; const char *const OB_ALL_VIRTUAL_SESSION_EVENT_ALL_VIRTUAL_SESSION_EVENT_I1_TNAME = "__idx_11013_all_virtual_session_event_i1"; const char *const OB_ALL_VIRTUAL_SESSION_WAIT_ALL_VIRTUAL_SESSION_WAIT_I1_TNAME = "__idx_11014_all_virtual_session_wait_i1"; diff --git a/src/share/inner_table/ob_inner_table_schema_def.py b/src/share/inner_table/ob_inner_table_schema_def.py index 9510053e17..85b461d8d7 100644 --- a/src/share/inner_table/ob_inner_table_schema_def.py +++ b/src/share/inner_table/ob_inner_table_schema_def.py @@ -6429,7 +6429,22 @@ def_table_schema( # 499 :__all_transfer_partition_task_history # 500 : __all_tenant_snapshot_create_job # 501 : __wr_sqltext -# 502 : __all_trusted_root_certificate + +def_table_schema( + owner = 'tony.wzh', + table_name = '__all_trusted_root_certificate', + table_id = '502', + table_type = 'SYSTEM_TABLE', + gm_columns = ['gmt_create', 'gmt_modified'], + rowkey_columns = [ + ('common_name', 'varchar:256'), + ], + normal_columns = [ + ('description', 'varchar:256'), + ('content', 'longtext', 'false'), + ], +) + # 503 : __all_audit_log_filter # 504 : __all_audit_log_user # 505 : __all_column_privilege @@ -13249,7 +13264,6 @@ def_table_schema(**gen_iterate_virtual_table_def( # 12452: __all_virtual_transfer_partition_task_history # 12453: __all_virtual_tenant_snapshot_create_job # 12454: __all_virtual_wr_sqltext -# 12455: __all_virtual_trusted_root_certificate_info # 12456: __all_virtual_dbms_lock_allocated # 12457: __all_virtual_sharing_storage_compaction_info # 12458: __all_virtual_ls_snapshot_in_storage_node @@ -30406,7 +30420,26 @@ def_table_schema( #21506 CDB_WR_SQLTEXT #21507 GV$OB_ACTIVE_SESSION_HISTORY #21508 V$OB_ACTIVE_SESSION_HISTORY -#21509 GV$OB_TRUSTED_ROOT_CERTIFICATE + +def_table_schema( + owner = 'tony.wzh', + table_name = 'DBA_OB_TRUSTED_ROOT_CERTIFICATE', + table_id = '21509', + table_type = 'SYSTEM_VIEW', + gm_columns = [], + rowkey_columns = [], + normal_columns = [], + in_tenant_space = False, + view_definition = """ + SELECT + common_name AS COMMON_NAME, + description AS DESCRIPTION, + EXTRACT_CERT_EXPIRED_TIME(content) AS CERT_EXPIRED_TIME + FROM + oceanbase.__all_trusted_root_certificate + """.replace("\n", " "), +) + #21510 DBA_OB_CLONE_PROGRESS #21511 mysql.role_edges #21512 mysql.default_roles diff --git a/src/share/inner_table/sys_package/dbms_trusted_certificate_manager_body_mysql.sql b/src/share/inner_table/sys_package/dbms_trusted_certificate_manager_body_mysql.sql new file mode 100644 index 0000000000..fbcc07b033 --- /dev/null +++ b/src/share/inner_table/sys_package/dbms_trusted_certificate_manager_body_mysql.sql @@ -0,0 +1,22 @@ +#package_name: dbms_trusted_certificate_manager +#author: tony.wzh + +CREATE OR REPLACE PACKAGE BODY dbms_trusted_certificate_manager + + PROCEDURE ADD_TRUSTED_CERTIFICATE( + COMMON_NAME VARCHAR(256), + DESCRIPTION VARCHAR(256), + CONTENT LONGTEXT); + PRAGMA INTERFACE(C, ADD_TRUSTED_CERTIFICATE); + + PROCEDURE DELETE_TRUSTED_CERTIFICATE( + COMMON_NAME VARCHAR(256)); + PRAGMA INTERFACE(C, DELETE_TRUSTED_CERTIFICATE); + + PROCEDURE UPDATE_TRUSTED_CERTIFICATE( + COMMON_NAME VARCHAR(256), + DESCRIPTION VARCHAR(256), + CONTENT LONGTEXT); + PRAGMA INTERFACE(C, UPDATE_TRUSTED_CERTIFICATE); + +END dbms_trusted_certificate_manager; \ No newline at end of file diff --git a/src/share/inner_table/sys_package/dbms_trusted_certificate_manager_mysql.sql b/src/share/inner_table/sys_package/dbms_trusted_certificate_manager_mysql.sql new file mode 100644 index 0000000000..a5c2ffb53b --- /dev/null +++ b/src/share/inner_table/sys_package/dbms_trusted_certificate_manager_mysql.sql @@ -0,0 +1,19 @@ +#package_name: dbms_trusted_certificate_manager +#author: tony.wzh +--only support SYS tenant + +CREATE OR REPLACE PACKAGE dbms_trusted_certificate_manager AUTHID CURRENT_USER + + PROCEDURE ADD_TRUSTED_CERTIFICATE( + COMMON_NAME VARCHAR(256), + DESCRIPTION VARCHAR(256), + CONTENT LONGTEXT); + + PROCEDURE DELETE_TRUSTED_CERTIFICATE(COMMON_NAME VARCHAR(256)); + + PROCEDURE UPDATE_TRUSTED_CERTIFICATE( + COMMON_NAME VARCHAR(256), + DESCRIPTION VARCHAR(256), + CONTENT LONGTEXT); + +END dbms_trusted_certificate_manager; \ No newline at end of file diff --git a/src/share/parameter/ob_parameter_seed.ipp b/src/share/parameter/ob_parameter_seed.ipp index 9f5adecf46..5147a604a4 100644 --- a/src/share/parameter/ob_parameter_seed.ipp +++ b/src/share/parameter/ob_parameter_seed.ipp @@ -1783,3 +1783,7 @@ DEF_STR_WITH_CHECKER(_iut_stat_collection_type, OB_TENANT_PARAMETER, "SAMPLE", DEF_INT(optimizer_index_cost_adj, OB_TENANT_PARAMETER, "0", "[0,100]", "adjust costing of index scan", ObParameterAttr(Section::TENANT, Source::DEFAULT, EditLevel::DYNAMIC_EFFECTIVE)); +DEF_BOOL(enable_rpc_authentication_bypass, OB_CLUSTER_PARAMETER, "True", + "specifies whether allow arbitration service, standby cluster, OMS service to connect " + "cluster and provide service when rpc authentication is turned on.", + ObParameterAttr(Section::OBSERVER, Source::DEFAULT, EditLevel::DYNAMIC_EFFECTIVE)); diff --git a/src/sql/CMakeLists.txt b/src/sql/CMakeLists.txt index ad4673e38b..ee47e37780 100644 --- a/src/sql/CMakeLists.txt +++ b/src/sql/CMakeLists.txt @@ -648,6 +648,7 @@ ob_set_subtarget(ob_sql engine_expr engine/expr/ob_expr_xmlcast.cpp engine/expr/ob_expr_update_xml.cpp engine/expr/ob_expr_temp_table_ssid.cpp + engine/expr/ob_expr_extract_cert_expired_time.cpp ) ob_set_subtarget(ob_sql engine_join diff --git a/src/sql/engine/expr/ob_expr_eval_functions.cpp b/src/sql/engine/expr/ob_expr_eval_functions.cpp index f06eea7c69..ae53b49735 100644 --- a/src/sql/engine/expr/ob_expr_eval_functions.cpp +++ b/src/sql/engine/expr/ob_expr_eval_functions.cpp @@ -335,6 +335,7 @@ #include "ob_expr_initcap.h" #include "ob_expr_temp_table_ssid.h" #include "ob_expr_align_date4cmp.h" +#include "ob_expr_extract_cert_expired_time.h" namespace oceanbase { @@ -1097,7 +1098,8 @@ static ObExpr::EvalFunc g_expr_eval_functions[] = { eval_questionmark_decint2nmb, /* 658 */ eval_questionmark_nmb2decint_eqcast, /* 659 */ eval_questionmark_decint2decint_eqcast, /* 660 */ - eval_questionmark_decint2decint_normalcast /* 661 */ + eval_questionmark_decint2decint_normalcast, /* 661 */ + ObExprExtractExpiredTime::eval_extract_cert_expired_time, /* 662 */ }; static ObExpr::EvalBatchFunc g_expr_eval_batch_functions[] = { diff --git a/src/sql/engine/expr/ob_expr_extract_cert_expired_time.cpp b/src/sql/engine/expr/ob_expr_extract_cert_expired_time.cpp new file mode 100644 index 0000000000..727fc7a9d7 --- /dev/null +++ b/src/sql/engine/expr/ob_expr_extract_cert_expired_time.cpp @@ -0,0 +1,112 @@ +/** + * Copyright (c) 2021 OceanBase + * OceanBase CE is licensed under Mulan PubL v2. + * You can use this software according to the terms and conditions of the Mulan PubL v2. + * You may obtain a copy of Mulan PubL v2 at: + * http://license.coscl.org.cn/MulanPubL-2.0 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PubL v2 for more details. + */ + +#define USING_LOG_PREFIX SQL_ENG + +#include "ob_expr_extract_cert_expired_time.h" +#include "lib/utility/utility.h" +#include "sql/session/ob_sql_session_info.h" +#include "sql/engine/ob_exec_context.h" + +using namespace oceanbase::share; +using namespace oceanbase::common; + +namespace oceanbase { +namespace sql { + +ObExprExtractExpiredTime::ObExprExtractExpiredTime(common::ObIAllocator& alloc) + : ObFuncExprOperator(alloc, + T_FUN_SYS_EXTRACT_CERT_EXPIRED_TIME, + N_EXTRACT_CERT_EXPIRED_TIME, + 1, + NOT_VALID_FOR_GENERATED_COL, + NOT_ROW_DIMENSION) +{ +} + +ObExprExtractExpiredTime::~ObExprExtractExpiredTime() {} + +int ObExprExtractExpiredTime::calc_result_type1(ObExprResType &type, + ObExprResType &text, + common::ObExprTypeCtx &type_ctx) const +{ + UNUSED(type_ctx); + int ret = OB_SUCCESS; + if (text.is_null()) { + type.set_null(); + } else { + if (!is_type_valid(text.get_type())) { + ret = OB_INVALID_ARGUMENT_NUM; + LOG_WARN("the param is not castable", K(text), K(ret)); + } else { + type.set_timestamp(); + type.set_scale(common::MAX_SCALE_FOR_TEMPORAL); + } + } + return ret; +} + +int ObExprExtractExpiredTime::eval_extract_cert_expired_time(const ObExpr &expr, ObEvalCtx &ctx, + ObDatum &res) +{ + int ret = OB_SUCCESS; + if (OB_UNLIKELY(expr.arg_cnt_ != 1) + || OB_ISNULL(expr.args_) + || OB_ISNULL(expr.args_[0])) { + ret = OB_INVALID_ARGUMENT; + LOG_WARN("invalid argument", K(ret)); + } else { + ObDatum *arg = NULL; + int64_t expired_time = 0; + ObObjTypeClass in_tc = ob_obj_type_class(expr.args_[0]->datum_meta_.type_); + if (!ob_is_castable_type_class(in_tc)) { + res.set_null(); + } else if (OB_FAIL(expr.eval_param_value(ctx, arg))) { + LOG_WARN("eval arg failed", K(ret)); + } else if (arg->is_null()) { + res.set_null(); + } else if (in_tc != ObTextTC) { + const ObString &arg_str = arg->get_string(); + if (OB_FAIL(extract_cert_expired_time(arg_str.ptr(), arg_str.length(), expired_time))) { + LOG_WARN("failed to extract expired time", K(ret), K(*arg), K(in_tc)); + } else { + res.set_timestamp(expired_time); + } + } else { + ObEvalCtx::TempAllocGuard alloc_guard(ctx); + ObIAllocator &tmp_alloc = alloc_guard.get_allocator(); + ObString text_str; + if (OB_FAIL(ObTextStringHelper::get_string(expr, tmp_alloc, + 0, arg, text_str))) { + LOG_WARN("failed to read realdata", K(ret)); + } else if (OB_FAIL(extract_cert_expired_time(text_str.ptr(), text_str.length(), expired_time))) { + LOG_WARN("failed to extract expired time", K(ret), K(*arg), K(in_tc)); + } else { + res.set_timestamp(expired_time); + } + } + } + return ret; +} + +int ObExprExtractExpiredTime::cg_expr(ObExprCGCtx &expr_cg_ctx, const ObRawExpr &raw_expr, + ObExpr &rt_expr) const +{ + int ret = OB_SUCCESS; + UNUSED(expr_cg_ctx); + UNUSED(raw_expr); + rt_expr.eval_func_ = eval_extract_cert_expired_time; + return ret; +} + +} +} diff --git a/src/sql/engine/expr/ob_expr_extract_cert_expired_time.h b/src/sql/engine/expr/ob_expr_extract_cert_expired_time.h new file mode 100644 index 0000000000..65b5843bdb --- /dev/null +++ b/src/sql/engine/expr/ob_expr_extract_cert_expired_time.h @@ -0,0 +1,37 @@ +/** + * Copyright (c) 2021 OceanBase + * OceanBase CE is licensed under Mulan PubL v2. + * You can use this software according to the terms and conditions of the Mulan PubL v2. + * You may obtain a copy of Mulan PubL v2 at: + * http://license.coscl.org.cn/MulanPubL-2.0 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PubL v2 for more details. + */ + +#ifndef OCEANBASE_SQL_ENGINE_EXPR_OB_EXTRACT_CERT_EXPIRED_TIME_H +#define OCEANBASE_SQL_ENGINE_EXPR_OB_EXTRACT_CERT_EXPIRED_TIME_H +#include "sql/engine/expr/ob_expr_operator.h" +namespace oceanbase { +namespace sql { + +class ObExprExtractExpiredTime : public ObFuncExprOperator +{ +public: + ObExprExtractExpiredTime(); + explicit ObExprExtractExpiredTime(common::ObIAllocator& alloc); + virtual ~ObExprExtractExpiredTime(); + virtual int calc_result_type1(ObExprResType &type, + ObExprResType &text, + common::ObExprTypeCtx &type_ctx) const; + static int eval_extract_cert_expired_time(const ObExpr &expr, ObEvalCtx &ctx, ObDatum &res); + virtual int cg_expr(ObExprCGCtx &expr_cg_ctx, const ObRawExpr &raw_expr, + ObExpr &rt_expr) const override; +private: + DISALLOW_COPY_AND_ASSIGN(ObExprExtractExpiredTime); +}; + +} +} +#endif \ No newline at end of file diff --git a/src/sql/engine/expr/ob_expr_operator_factory.cpp b/src/sql/engine/expr/ob_expr_operator_factory.cpp index c52e9f1a55..626be545b0 100644 --- a/src/sql/engine/expr/ob_expr_operator_factory.cpp +++ b/src/sql/engine/expr/ob_expr_operator_factory.cpp @@ -403,6 +403,7 @@ #include "sql/engine/expr/ob_expr_update_xml.h" #include "sql/engine/expr/ob_expr_temp_table_ssid.h" #include "sql/engine/expr/ob_expr_align_date4cmp.h" +#include "sql/engine/expr/ob_expr_extract_cert_expired_time.h" using namespace oceanbase::common; namespace oceanbase @@ -999,6 +1000,7 @@ void ObExprOperatorFactory::register_expr_operators() REG_OP(ObExprRandstr); REG_OP(ObExprPrefixPattern); REG_OP(ObExprAlignDate4Cmp); + REG_OP(ObExprExtractExpiredTime); }(); // 注册oracle系统函数 REG_OP_ORCL(ObExprSysConnectByPath); diff --git a/tools/deploy/mysql_test/r/mysql/information_schema.result b/tools/deploy/mysql_test/r/mysql/information_schema.result index 30081e6eaa..1337a1f134 100644 --- a/tools/deploy/mysql_test/r/mysql/information_schema.result +++ b/tools/deploy/mysql_test/r/mysql/information_schema.result @@ -2989,6 +2989,7 @@ select * from information_schema.statistics where table_schema in ('oceanbase', | def | oceanbase | __all_tenant_user_failed_login_stat | 0 | oceanbase | PRIMARY | 2 | user_id | A | NULL | NULL | NULL | | BTREE | | | YES | NULL | | def | oceanbase | __all_transfer_task | 0 | oceanbase | PRIMARY | 1 | task_id | A | NULL | NULL | NULL | | BTREE | | | YES | NULL | | def | oceanbase | __all_transfer_task_history | 0 | oceanbase | PRIMARY | 1 | task_id | A | NULL | NULL | NULL | | BTREE | | | YES | NULL | +| def | oceanbase | __all_trusted_root_certificate | 0 | oceanbase | PRIMARY | 1 | common_name | A | NULL | NULL | NULL | | BTREE | | | YES | NULL | | def | oceanbase | __all_type | 0 | oceanbase | PRIMARY | 1 | tenant_id | A | NULL | NULL | NULL | | BTREE | | | YES | NULL | | def | oceanbase | __all_type | 0 | oceanbase | PRIMARY | 2 | type_id | A | NULL | NULL | NULL | | BTREE | | | YES | NULL | | def | oceanbase | __all_type | 1 | oceanbase | idx_db_type_name | 1 | database_id | A | NULL | NULL | NULL | | BTREE | | | YES | NULL | diff --git a/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/all_virtual_sys_parameter_stat.result b/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/all_virtual_sys_parameter_stat.result index 5271e50d02..6ca01011db 100644 --- a/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/all_virtual_sys_parameter_stat.result +++ b/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/all_virtual_sys_parameter_stat.result @@ -90,6 +90,7 @@ enable_record_trace_id enable_record_trace_log enable_rereplication enable_rich_error_msg +enable_rpc_authentication_bypass enable_sql_audit enable_sql_extension enable_sql_operator_dump diff --git a/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/desc_sys_views_in_sys.result b/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/desc_sys_views_in_sys.result index a7b90717cc..b5f153ac0f 100644 --- a/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/desc_sys_views_in_sys.result +++ b/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/desc_sys_views_in_sys.result @@ -8031,6 +8031,14 @@ LAST_USED varchar(128) NO NULL select /*+QUERY_TIMEOUT(60000000)*/ count(*) as cnt from (select * from oceanbase.DBA_INDEX_USAGE limit 1); cnt 1 +desc oceanbase.DBA_OB_TRUSTED_ROOT_CERTIFICATE; +Field Type Null Key Default Extra +COMMON_NAME varchar(256) NO NULL +DESCRIPTION varchar(256) NO NULL +CERT_EXPIRED_TIME timestamp(6) NO NULL +select /*+QUERY_TIMEOUT(60000000)*/ count(*) as cnt from (select * from oceanbase.DBA_OB_TRUSTED_ROOT_CERTIFICATE limit 1); +cnt +1 desc oceanbase.CDB_INDEX_USAGE; Field Type Null Key Default Extra CON_ID bigint(20) NO NULL diff --git a/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/inner_table_overall.result b/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/inner_table_overall.result index c7090d1b94..1755abaab6 100644 --- a/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/inner_table_overall.result +++ b/tools/deploy/mysql_test/test_suite/inner_table/r/mysql/inner_table_overall.result @@ -266,6 +266,7 @@ select 0xffffffffff & table_id, table_name, table_type, database_id, part_num fr 480 __all_import_table_task_history 0 201001 1 494 __all_aux_stat 0 201001 1 495 __all_index_usage_info 0 201001 1 +502 __all_trusted_root_certificate 0 201001 1 10001 __tenant_virtual_all_table 2 201001 1 10002 __tenant_virtual_table_column 2 201001 1 10003 __tenant_virtual_table_index 2 201001 1 @@ -1041,6 +1042,7 @@ select 0xffffffffff & table_id, table_name, table_type, database_id, part_num fr 21497 DBA_OB_AUX_STATISTICS 1 201001 1 21498 CDB_OB_AUX_STATISTICS 1 201001 1 21499 DBA_INDEX_USAGE 1 201001 1 +21509 DBA_OB_TRUSTED_ROOT_CERTIFICATE 1 201001 1 21513 CDB_INDEX_USAGE 1 201001 1 check sys table count and table_id range success check count and table_id range for virtual table success