From 60cfcbb1906de13e48abdf4a6a40ed2b0b4d103e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 8 Dec 2020 09:01:43 +0100 Subject: [PATCH] Add support for VERIFY_CA and VERIFY_IDENTITY SslMode's MySQL Server does support a `group_replication_ssl_mode` of `DISABLED`, `REQUIRED`, `VERIFY_CA` or `VERIFY_IDENTITY`. But MySQL Shell only supports `DISABLED` and `REQUIRED`, which this commit fixes. * https://bugs.mysql.com/bug.php?id=101892 * https://dev.mysql.com/doc/refman/8.0/en/group-replication-options.html#sysvar_group_replication_ssl_mode --- modules/adminapi/common/common.cc | 12 ++++++++++-- modules/adminapi/common/common.h | 2 ++ modules/adminapi/common/group_replication_options.cc | 5 ++++- modules/adminapi/common/provision.cc | 11 +++++++++++ 4 files changed, 27 insertions(+), 3 deletions(-) diff --git a/modules/adminapi/common/common.cc b/modules/adminapi/common/common.cc index 969e9dc06..9cd471a67 100644 --- a/modules/adminapi/common/common.cc +++ b/modules/adminapi/common/common.cc @@ -300,7 +300,9 @@ std::string resolve_instance_ssl_mode( gr_ssl_mode = *pinstance.get_sysvar_string("group_replication_ssl_mode"); // The cluster REQUIRES SSL - if (!shcore::str_casecmp(gr_ssl_mode.c_str(), "REQUIRED")) { + if ((!shcore::str_casecmp(gr_ssl_mode.c_str(), "REQUIRED")) || + (!shcore::str_casecmp(gr_ssl_mode.c_str(), "VERIFY_CA")) || + (!shcore::str_casecmp(gr_ssl_mode.c_str(), "VERIFY_IDENTITY"))) { // memberSslMode is DISABLED if (!shcore::str_casecmp(member_ssl_mode.c_str(), "DISABLED")) throw shcore::Exception::runtime_error( @@ -327,7 +329,13 @@ std::string resolve_instance_ssl_mode( } // memberSslMode is either AUTO or REQUIRED - ret_val = dba::kMemberSSLModeRequired; + if (!shcore::str_casecmp(gr_ssl_mode.c_str(), "REQUIRED")) { + ret_val = dba::kMemberSSLModeRequired; + } else if (!shcore::str_casecmp(gr_ssl_mode.c_str(), "VERIFY_CA")) { + ret_val = dba::kMemberSSLModeVerifyCA; + } else if (!shcore::str_casecmp(gr_ssl_mode.c_str(), "VERIFY_IDENTITY")) { + ret_val = dba::kMemberSSLModeVerifyIdentity; + } // The cluster has SSL DISABLED } else if (!shcore::str_casecmp(gr_ssl_mode.c_str(), "DISABLED")) { diff --git a/modules/adminapi/common/common.h b/modules/adminapi/common/common.h index 78d496c8b..75e5a65a2 100644 --- a/modules/adminapi/common/common.h +++ b/modules/adminapi/common/common.h @@ -221,6 +221,8 @@ std::string get_mysqlprovision_error_string( extern const char *kMemberSSLModeAuto; extern const char *kMemberSSLModeRequired; extern const char *kMemberSSLModeDisabled; +extern const char *kMemberSSLModeVerifyCA; +extern const char *kMemberSSLModeVerifyIdentity; /** * Check if a setting is supported on the target instance diff --git a/modules/adminapi/common/group_replication_options.cc b/modules/adminapi/common/group_replication_options.cc index 442e0bf6a..10c70839c 100644 --- a/modules/adminapi/common/group_replication_options.cc +++ b/modules/adminapi/common/group_replication_options.cc @@ -52,8 +52,11 @@ void validate_group_name_option(std::string group_name) { const char *kMemberSSLModeAuto = "AUTO"; const char *kMemberSSLModeRequired = "REQUIRED"; const char *kMemberSSLModeDisabled = "DISABLED"; +const char *kMemberSSLModeVerifyCA = "VERIFY_CA"; +const char *kMemberSSLModeVerifyIdentity = "VERIFY_IDENTITY"; const std::set kMemberSSLModeValues = { - kMemberSSLModeAuto, kMemberSSLModeDisabled, kMemberSSLModeRequired}; + kMemberSSLModeAuto, kMemberSSLModeDisabled, kMemberSSLModeRequired, + kMemberSSLModeVerifyCA, kMemberSSLModeVerifyIdentity}; void validate_ssl_instance_options(std::string ssl_mode) { // Validate use of SSL options for the cluster instance and issue an diff --git a/modules/adminapi/common/provision.cc b/modules/adminapi/common/provision.cc index f1adb6735..7fa9f5b6b 100644 --- a/modules/adminapi/common/provision.cc +++ b/modules/adminapi/common/provision.cc @@ -75,6 +75,17 @@ void set_gr_options(const mysqlshdk::mysql::IInstance &instance, mysqlshdk::utils::nullable(true)); config->set("group_replication_ssl_mode", mysqlshdk::utils::nullable("REQUIRED")); + } else if (*gr_opts.ssl_mode == mysqlsh::dba::kMemberSSLModeVerifyCA) { + config->set("group_replication_recovery_use_ssl", + mysqlshdk::utils::nullable(true)); + config->set("group_replication_ssl_mode", + mysqlshdk::utils::nullable("VERIFY_CA")); + } else if (*gr_opts.ssl_mode == + mysqlsh::dba::kMemberSSLModeVerifyIdentity) { + config->set("group_replication_recovery_use_ssl", + mysqlshdk::utils::nullable(true)); + config->set("group_replication_ssl_mode", + mysqlshdk::utils::nullable("VERIFY_IDENTITY")); } else if (*gr_opts.ssl_mode == mysqlsh::dba::kMemberSSLModeDisabled) { if (instance.get_version() >= mysqlshdk::utils::Version(8, 0, 5)) { // This option is required to connect using the new