With "socket.ssl=true;" in wsrep_provider_options, MariaDB-Galera cluster joins even without wsrep_sst_auth, and Why?


Mike Zhao

Feb 1, 2024, 1:37:37 AM
to codership
Hi, Community,

We have confirmed in testing that when the MariaDB configuration file has "socket.ssl=true;", the cluster still works even without a correct credential in wsrep_sst_auth, and we wonder why.

So, if the configuration file /etc/my.cnf.d/server.cnf has:
wsrep_provider_options="socket.ssl=true; ..."

then, even without a correct credential in wsrep_sst_auth, the cluster can still join with working replication.

Please see below for the partial configuration file, in the [galera] section. The comments also describe more details of our testing steps.

Our Questions:

- Why does the cluster still work without a correct wsrep_sst_auth credential?
- Does it mean the socket.ssl=true is already a valid authentication for SST?

We appreciate any hints and suggestions.


---------- Partial configuration file server.cnf ------------
...

#
# * Galera-related settings
#
[galera]
wsrep_on=ON
wsrep_provider=/usr/lib64/galera-4/libgalera_smm.so
...
wsrep_sst_method=mariabackup
...

# The testing details:
#
# 1) The correct credential works:
# wsrep_sst_auth=sst_user:sst_user_password
#
# 2) The wrong credential works:
# wsrep_sst_auth=sst_user:sst_user_wrong_password
#
# 3) The username without password works:
# wsrep_sst_auth=sst_user
#
# 4) Even with no wsrep_sst_auth, the cluster still joins:
#

wsrep_provider_options="socket.ssl=true; socket.ssl_key=/etc/pki/galera/server-key.pem; socket.ssl_cert=/etc/pki/galera/server-cert.pem; socket.ssl_ca=/etc/pki/galera/ca-cert.pem; pc.weight=10"
binlog_format=row
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2
...

Mike Zhao

Feb 1, 2024, 7:23:00 PM
to codership
Hi, Community,

We have done more testing and confirmed the following system behavior of MariaDB-Galera clustering:

1) The first-time bootstrap always needs to get everything correct, including "wsrep_sst_auth" and, if we choose to use SSL, "socket.ssl" in "wsrep_provider_options".
2) After the first successful cluster join, we can re-bootstrap even with a wrong password for the "sst_user". We guess the MariaDB-Galera software has a design for error tolerance. Confirm?
3) The error tolerance above does not include the SSL certificates.

So, when using SSL, if we re-bootstrap with wrong certificates, e.g., the self-signing CA and Server certificates have the same Common Name, the Donor can still start but the Joiner will fail to join, with log events of "WSREP: Handshake failed: tlsv1 alert unknown ca".

Our Questions:

1) Could we confirm the "error tolerance" function on the "sst_user" credential after the first-time successful join? If yes, what is the mechanism?
2) Do we have a reference or link to the documentation?

We highly appreciate any hints and suggestions.
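
An added example, not part of the original thread: a small Python audit that parses a [galera] section like the one posted and reports which wsrep_sst_auth state (missing, or user without password) and which socket.ssl_* options it contains. The sample file is constructed, the function names are hypothetical, and the spellings accepted for an enabled socket.ssl are this example's assumption.

```python
# Constructed sample modelled on the posted server.cnf (case 3: user, no password).
SAMPLE_CNF = """\
[galera]
wsrep_on=ON
wsrep_sst_method=mariabackup
wsrep_sst_auth=sst_user
wsrep_provider_options="socket.ssl=true; socket.ssl_key=/etc/pki/galera/server-key.pem; socket.ssl_cert=/etc/pki/galera/server-cert.pem; pc.weight=10"
"""

TLS_FILES = ("socket.ssl_key", "socket.ssl_cert", "socket.ssl_ca")


def read_section(text, section="galera"):
    """Return key -> value for one section of a my.cnf-style file."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip().strip("\"'")
    return values


def provider_options(value):
    """Split the semicolon-separated wsrep_provider_options string."""
    pairs = (item.partition("=") for item in value.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, _, v in pairs}


def audit(text):
    """List findings about SST credentials and Galera TLS settings."""
    cfg = read_section(text)
    opts = provider_options(cfg.get("wsrep_provider_options", ""))
    findings = []
    user, sep, password = cfg.get("wsrep_sst_auth", "").partition(":")
    if not user:
        findings.append("wsrep_sst_auth is not set")
    elif not sep or not password:
        findings.append("wsrep_sst_auth has no password")
    # Assumption: these spellings are treated as "enabled" by this example.
    if opts.get("socket.ssl", "").lower() not in ("true", "yes", "1", "on"):
        findings.append("socket.ssl is not enabled")
    else:
        findings += [f"{name} is missing" for name in TLS_FILES if name not in opts]
    return findings
```

Calling audit(SAMPLE_CNF) returns a list of finding strings; an empty list means none of these conditions was found.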