From f71728f6349c7c5608c1f3dc1c565bc691d35aac Mon Sep 17 00:00:00 2001 From: Marco Slot Date: Tue, 7 Nov 2017 18:46:27 +0100 Subject: [PATCH] Add GUC for specifying sslmode in connections to workers --- .../connection/connection_management.c | 53 ++++++++++++++++++- src/backend/distributed/shared_library_init.c | 24 ++++++++- .../distributed/connection_management.h | 19 +++++++ 3 files changed, 93 insertions(+), 3 deletions(-) diff --git a/src/backend/distributed/connection/connection_management.c b/src/backend/distributed/connection/connection_management.c index 6e7cbcfc5..68c1084b2 100644 --- a/src/backend/distributed/connection/connection_management.c +++ b/src/backend/distributed/connection/connection_management.c @@ -28,9 +28,11 @@ int NodeConnectionTimeout = 5000; +int CitusSSLMode = CITUS_SSL_MODE_PREFER; HTAB *ConnectionHash = NULL; MemoryContext ConnectionContext = NULL; + static uint32 ConnectionHashHash(const void *key, Size keysize); static int ConnectionHashCompare(const void *a, const void *b, Size keysize); static MultiConnection * StartConnectionEstablishment(ConnectionHashKey *key); @@ -591,14 +593,15 @@ StartConnectionEstablishment(ConnectionHashKey *key) char nodePortString[12]; const char *clientEncoding = GetDatabaseEncodingName(); MultiConnection *connection = NULL; + const char *sslmode = CitusSSLModeString(); const char *keywords[] = { - "host", "port", "dbname", "user", + "host", "port", "dbname", "user", "sslmode", "client_encoding", "fallback_application_name", NULL }; const char *values[] = { - key->hostname, nodePortString, key->database, key->user, + key->hostname, nodePortString, key->database, key->user, sslmode, clientEncoding, "citus", NULL }; 
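Review bot: In the StartConnectionEstablishment hunk the new `sslmode` entry is the only TLS-related libpq parameter passed, so 'verify-ca' and 'verify-full' will only succeed if libpq can locate a trusted CA certificate on its own (by default the `root.crt` under the server OS user's `~/.postgresql`, or whatever `sslrootcert` resolution the linked libpq applies); that dependency is worth stating in the GUC description or covering with a companion setting. The default 'prefer' keeps libpq's own default and does not authenticate the worker, so operators who want to rule out a plaintext fallback need 'require' or above. A comment beside the keywords array such as `/* sslmode is passed to libpq verbatim; verify-* modes also need a CA cert libpq can find */` would make both points visible at the call site. StartConnectionEstablishment begins and ends outside the hunk.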
@@ -624,6 +627,52 @@ StartConnectionEstablishment(ConnectionHashKey *key) } +/* + * CitusSSLModeString returns the current value of citus.sslmode. + */ +char * +CitusSSLModeString(void) +{ + switch (CitusSSLMode) + { + case CITUS_SSL_MODE_DISABLE: + { + return "disable"; + } + + case CITUS_SSL_MODE_ALLOW: + { + return "allow"; + } + + case CITUS_SSL_MODE_PREFER: + { + return "prefer"; + } + + case CITUS_SSL_MODE_REQUIRE: + { + return "require"; + } + + case CITUS_SSL_MODE_VERIFY_CA: + { + return "verify-ca"; + } + + case CITUS_SSL_MODE_VERIFY_FULL: + { + return "verify-full"; + } + + default: + { + ereport(ERROR, (errmsg("unrecognized value for citus.sslmode"))); + } + } +} + + /* * Close all remote connections if necessary anymore (i.e. not session * lifetime), or if in a failed state. diff --git a/src/backend/distributed/shared_library_init.c b/src/backend/distributed/shared_library_init.c index 752dd69ae..3907dc5e2 100644 --- a/src/backend/distributed/shared_library_init.c +++ b/src/backend/distributed/shared_library_init.c @@ -22,7 +22,6 @@ #include "distributed/backend_data.h" #include "distributed/citus_nodefuncs.h" #include "distributed/connection_management.h" -#include "distributed/connection_management.h" #include "distributed/distributed_deadlock_detection.h" #include "distributed/maintenanced.h" #include "distributed/master_metadata_utility.h" 
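Review bot: `CitusSSLModeString` returns string literals through a non-const `char *`, so a caller writing through the result would be undefined behaviour, and its only use here (the `values[]` array of `const char *`) needs no mutability; declare it `const char *` both in this definition and in the prototype added by the connection_management.h hunk (-133). The six literals repeat the entries of `citus_ssl_mode_options` in shared_library_init.c, so the two can drift apart; deriving the string from that table, or sharing one table between them, would keep them in step. The `default:` branch relies on `ereport(ERROR)` not returning; if the build's ereport is not recognised as noreturn the compiler will warn about falling off the end of a non-void function, which a trailing `return NULL;` after the switch avoids.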
@@ -110,6 +109,16 @@ static const struct config_enum_entry multi_shard_commit_protocol_options[] = { { NULL, 0, false } }; +static const struct config_enum_entry citus_ssl_mode_options[] = { + { "disable", CITUS_SSL_MODE_DISABLE, false }, + { "allow", CITUS_SSL_MODE_ALLOW, false }, + { "prefer", CITUS_SSL_MODE_PREFER, false }, + { "require", CITUS_SSL_MODE_REQUIRE, false }, + { "verify-ca", CITUS_SSL_MODE_VERIFY_CA, false }, + { "verify-full", CITUS_SSL_MODE_VERIFY_FULL, false }, + { NULL, 0, false } +}; + static const struct config_enum_entry multi_task_query_log_level_options[] = { { "off", MULTI_TASK_QUERY_INFO_OFF, false }, { "debug", DEBUG2, false }, @@ -304,6 +313,19 @@ RegisterCitusConfigVariables(void) NULL, NULL, NULL); NormalizeWorkerListPath(); + DefineCustomEnumVariable( + "citus.sslmode", + gettext_noop("SSL mode to use for connections to worker nodes."), + gettext_noop("When connecting to a worker node, specify whether the SSL mode" + "mode for the connection is 'disable', 'allow', 'prefer' " + "(the default), 'require', 'verify-ca' or 'verify-full'."), + &CitusSSLMode, + CITUS_SSL_MODE_PREFER, + citus_ssl_mode_options, + PGC_POSTMASTER, + GUC_SUPERUSER_ONLY, + NULL, NULL, NULL); + DefineCustomBoolVariable( "citus.binary_master_copy_format", gettext_noop("Use the binary master copy format."), diff --git a/src/include/distributed/connection_management.h b/src/include/distributed/connection_management.h index 93dc9d0e5..323e5ed4f 100644 --- a/src/include/distributed/connection_management.h +++ b/src/include/distributed/connection_management.h @@ -14,6 +14,7 @@ #include "distributed/transaction_management.h" #include "distributed/remote_transaction.h" #include "lib/ilist.h" +#include "utils/guc.h" #include "utils/hsearch.h" #include "utils/timestamp.h" 
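Review bot: The long description in the `citus.sslmode` DefineCustomEnumVariable call concatenates `"...specify whether the SSL mode"` and `"mode for the connection is..."` with no separating space, so the help text shown to users reads "SSL modemode for the connection". Dropping the duplicated word fixes it: `gettext_noop("When connecting to a worker node, specify whether the SSL "` followed by `"mode for the connection is 'disable', 'allow', 'prefer' "`. The description could also tell operators that 'prefer' (the default) and 'require' do not verify the worker's certificate; only 'verify-ca' and 'verify-full' do. RegisterCitusConfigVariables begins and ends outside the hunk.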
@@ -106,6 +107,23 @@ typedef struct ConnectionHashEntry dlist_head *connections; } ConnectionHashEntry; +/* + * SSL modes available for connecting to worker nodes. + */ +enum CitusSSLMode +{ + CITUS_SSL_MODE_DISABLE = 1 << 0, + CITUS_SSL_MODE_ALLOW = 1 << 1, + CITUS_SSL_MODE_PREFER = 1 << 2, + CITUS_SSL_MODE_REQUIRE = 1 << 3, + CITUS_SSL_MODE_VERIFY_CA = 1 << 4, + CITUS_SSL_MODE_VERIFY_FULL = 1 << 5 +}; + + +/* SSL mode to use when connecting to worker nodes */ +extern int CitusSSLMode; + /* maximum duration to wait for connection */ extern int NodeConnectionTimeout; @@ -133,6 +151,7 @@ extern MultiConnection * StartNodeUserDatabaseConnection(uint32 flags, int32 port, const char *user, const char *database); +extern char * CitusSSLModeString(void); extern void CloseNodeConnectionsAfterTransaction(char *nodeName, int nodePort); extern void CloseConnection(MultiConnection *connection); extern void ShutdownConnection(MultiConnection *connection);
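Review bot: The new `enum CitusSSLMode` gives every mode its own bit (`1 << 0` … `1 << 5`) even though the GUC holds exactly one mode and nothing in the patch combines them, so the power-of-two values suggest a bitmask that does not exist; plain sequential values, or enumerators left to default, would read as the single-choice list they are. The enum tag also shares its name with the variable `extern int CitusSSLMode` declared just below — legal in C because tags and ordinary identifiers live in separate namespaces, but `switch (CitusSSLMode)` in connection_management.c then names the variable while the comment above names the type, which is easy to misread. A remark that the enumerator names mirror libpq's `sslmode` values, e.g. `/* SSL modes for worker connections; names match libpq's sslmode values */`, would document why these six and no others.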