
*: support reload tls used by mysql protocol in place (#14749) #15081

Closed

Conversation


@sre-bot sre-bot commented Mar 3, 2020

cherry-pick #14749 to release-4.0


What problem does this PR solve?

ref #14666

Preliminary support for reloading the TLS configuration used by the MySQL protocol.

This PR doesn't try to fully support MySQL's dynamic modification of the "ssl_ca/ssl_key/ssl_cert" values, but it can reload TLS from the file paths specified by the existing "ssl_ca/ssl_key/ssl_cert" values (so ssl_cert/ssl_ca/ssl_key stay read-only after this PR).

So the user can:

  1. start TiDB with ssl-ca, ssl-key and ssl-cert configured, as in https://pingcap.com/docs/stable/reference/security/cert-based-authentication/#install-openssl
  2. replace the files specified by ssl-ca, ssl-key and ssl-cert with new ones
  3. use a super user (a new privilege is needed here, in a following PR) to execute alter instance reload tls

Then all new DB connections will use the new cert file; old connections keep working, just like MySQL does.

What is changed and how it works?

  • extract a common method LoadTLSCertificates
  • make server.tlsConfig atomically swappable
  • let alter instance reload tls do the reload

Check List

Tests

  • Unit test
  • Integration test

Code changes

  • impl change

Side effects

  • n/a

Related changes

  • 4.0 only

Release note

  • Support reloading the TLS configuration used by the MySQL protocol in place.

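The three operator steps and the atomic swap described in the PR body, as an added Go example that is not part of this PR or of TiDB: the server type, LoadTLSCertificates, ReloadTLS, handshakeSerial, writeSelfSigned and demo are this example's own names and signatures (TiDB's real LoadTLSCertificates is not reproduced), ssl-ca is left out, a throwaway self-signed certificate and a TCP loopback listener stand in for the operator's files and the MySQL port, SessionTicketsDisabled and the InsecureSkipVerify probe client exist only to keep the demo simple, and the final step (a reload that fails because the key file is corrupt) goes beyond what the PR text states in order to show that a failed reload leaves the running configuration untouched.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"sync/atomic"
	"time"
)

// server follows the PR's shape: read-only ssl-* paths, live *tls.Config behind an atomic.Value.
type server struct {
	sslKey, sslCert string       // ssl-ca is left out of this example for brevity
	tlsConfig       atomic.Value // always holds a *tls.Config
}

// LoadTLSCertificates builds a fresh *tls.Config from the files currently on disk.
func LoadTLSCertificates(sslKey, sslCert string) (*tls.Config, error) {
	pair, err := tls.LoadX509KeyPair(sslCert, sslKey)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{pair}}
	cfg.SessionTicketsDisabled = true // only to keep this demo's connection teardown simple
	return cfg, nil
}

// ReloadTLS backs ALTER INSTANCE RELOAD TLS: re-read the same paths and swap. On error the old config stays.
func (s *server) ReloadTLS() error {
	cfg, err := LoadTLSCertificates(s.sslKey, s.sslCert)
	if err != nil {
		return err
	}
	s.tlsConfig.Store(cfg)
	return nil
}

// handshakeSerial serves one connection with the config current at accept time and returns the leaf serial the client saw.
func handshakeSerial(s *server, ln net.Listener) int64 {
	go func() {
		raw, err := ln.Accept()
		must(err)
		sc := tls.Server(raw, s.tlsConfig.Load().(*tls.Config)) // per-connection snapshot
		_ = sc.Handshake()                                      // a failure surfaces on the client
		sc.Close()
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true})
	must(err) // InsecureSkipVerify above: this probe only records which certificate was served
	defer c.Close()
	return c.ConnectionState().PeerCertificates[0].SerialNumber.Int64()
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// writeSelfSigned is a test fixture: a fresh self-signed cert over certPath/keyPath, serial = generation.
func writeSelfSigned(certPath, keyPath string, serial int64) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	must(os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
	must(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
}

// demo runs the PR's three operator steps plus one failed reload and returns what new clients saw at each point.
func demo() (before, after, afterBadReload int64, badReloadErr error) {
	dir, err := os.MkdirTemp("", "tls-reload")
	must(err)
	defer os.RemoveAll(dir)
	cert, key := dir+"/server.pem", dir+"/server-key.pem"
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	writeSelfSigned(cert, key, 1) // Step 1: start with the configured ssl-key/ssl-cert
	s := &server{sslKey: key, sslCert: cert}
	must(s.ReloadTLS()) // startup goes through the same loader as the reload
	before = handshakeSerial(s, ln)
	writeSelfSigned(cert, key, 2) // Step 2: replace the files at the same paths
	must(s.ReloadTLS())           // Step 3: ALTER INSTANCE RELOAD TLS
	after = handshakeSerial(s, ln) // only connections accepted from now on see serial 2
	must(os.WriteFile(key, []byte("not a key"), 0o600)) // a corrupt key makes the next reload fail...
	badReloadErr, afterBadReload = s.ReloadTLS(), handshakeSerial(s, ln) // ...while the running config is left alone
	return before, after, afterBadReload, badReloadErr
}

func main() { fmt.Println(demo()) }
```

Two practical consequences follow from this design. First, "old connections keep working" is exactly the per-connection snapshot: each accepted connection holds the *tls.Config it was created with, so a certificate rotated because of a compromise stays in use on long-lived sessions until they reconnect; forcing those clients off is a separate step. Second, the reload is only as atomic as the file replacement: write the new cert and key under temporary names and rename them into place before issuing the reload, otherwise a reload that lands between the two writes sees a mismatched or half-written pair, the load fails, and the old configuration stays in service (which is what the corrupt-key step shows).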

@sre-bot sre-bot requested a review from a team as a code owner March 3, 2020 02:03

sre-bot commented Mar 3, 2020

/run-all-tests

@ghost ghost requested review from eurekaka and francis0407 March 3, 2020 02:03
@sre-bot sre-bot added component/server security Everything related with security type/enhancement The issue or PR belongs to an enhancement. type/4.0 cherry-pick labels Mar 3, 2020
@eurekaka eurekaka removed their request for review March 3, 2020 02:43
@lysu lysu removed the request for review from francis0407 March 3, 2020 02:54

@jackysp jackysp left a comment


LGTM

@tiancaiamao

LGTM

@tiancaiamao tiancaiamao added the status/LGT2 Indicates that a PR has LGTM 2. label Mar 3, 2020

zz-jason commented Mar 3, 2020

I think we don't need to cherry-pick to release-4.0 manually, since we are going to merge the master branch into release-4.0 as a fast-forward?

@zz-jason zz-jason left a comment


LGTM


lysu commented Mar 3, 2020

@zz-jason O.O I was misled by other PRs and added need-cherry-pick 4.0

@lysu lysu closed this Mar 3, 2020
Labels
component/server security Everything related with security status/LGT2 Indicates that a PR has LGTM 2. type/enhancement The issue or PR belongs to an enhancement.