Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap: add timeout and retry-backoff for ldap (#51927) #51943

Merged
merged 2 commits into from
Apr 12, 2024
Merged

ldap: add timeout and retry-backoff for ldap (#51927) #51943

merged 2 commits into from
Apr 12, 2024

Conversation

ti-chi-bot
Copy link
Member

This is an automated cherry-pick of #51927

What problem does this PR solve?

Issue Number: close #51883

This PR is a smaller version of #51912. We'll finally get #51912 merged, but we need a smaller one to focus on the timeout mechanism (which is much simpler than refactor the locks).

If the LDAP connection lost after the first handshake, the LDAP goroutine and function call will hang forever.

What changed and how does it work?

I have done two modifications in this PR:

  1. Add a timeout for LDAP dialing and requests. Therefore, the lock will be held for at most several seconds.
  2. Add an interval to the retry mechanism, to avoid using all quotas provided by the LDAP service.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No need to test
    • I checked and no code files have been changed.

docker run --network host -it yangkeao/ldap-sasl-example:d2b324 /bin/bash to get an environment with LDAP server. Then running a TiDB server at port 4000.

Create user, setup variables, and prepare CA:

set global authentication_ldap_sasl_server_host='127.0.0.1';
set global authentication_ldap_sasl_bind_root_dn='cn=admin,dc=example,dc=org';
set global authentication_ldap_sasl_bind_root_pwd='123456';
set global authentication_ldap_sasl_ca_path='/tmp/ca.crt';
set global authentication_ldap_simple_server_host='127.0.0.1';
set global authentication_ldap_simple_bind_root_dn='cn=admin,dc=example,dc=org';
set global authentication_ldap_simple_bind_root_pwd='123456';
set global authentication_ldap_simple_ca_path='/tmp/ca.crt';
create user yangkeao IDENTIFIED WITH authentication_ldap_simple as 'cn=yangkeao+uid=yangkeao,dc=example,dc=org';
sudo cp /proc/$(pidof mysqld)/root/etc/ssl/certs/example.crt /tmp/ca.crt

Then you can login to TiDB with yangkeao user:

LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysql -h 127.0.0.1 -u yangkeao -P 4000 -p123456

Enable or disable authentication_ldap_simple_tls are both fine.

Use the following iptables command to drop all packets to LDAP server:

sudo iptables -A INPUT -p tcp --dport 389 -j DROP

Then login without TLS will timeout after 10 seconds:

root@home:/# time LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysql -h 127.0.0.1 -u yangkeao -P 4000 -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'yangkeao'@'127.0.0.1' (using password: YES)

real    0m10.023s
user    0m0.000s
sys     0m0.009s

Then login with TLS will timeout after 20 seconds:

root@home:/# time LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysql -h 127.0.0.1 -u yangkeao -P 4000 -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'yangkeao'@'127.0.0.1' (using password: YES)

real    0m20.023s
user    0m0.005s
sys     0m0.004s

This PR also fixed some tiny issues: like rebuilding the connection pool after resetting the connection related variables, to avoid having wrong connection in the pool.

Release note

None

@ti-chi-bot
This is an automated cherry-pick of pingcap#51927
4b35669 
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot ti-chi-bot added release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. type/cherry-pick-for-release-7.1 This PR is cherry-picked to release-7.1 from a source PR. labels Mar 20, 2024
@ti-chi-bot ti-chi-bot mentioned this pull request Mar 20, 2024
Merged
5 tasks
@ti-chi-bot ti-chi-bot bot added do-not-merge/cherry-pick-not-approved size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 20, 2024
@ti-chi-bot ti-chi-bot added the cherry-pick-approved Cherry pick PR approved by release team. label Apr 11, 2024
fix conflicts
b348fa3 
Signed-off-by: Yang Keao <yangkeao@chunibyo.icu>
@ti-chi-bot ti-chi-bot bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 12, 2024
YangKeao
YangKeao approved these changes Apr 12, 2024
View reviewed changes
Copy link
Member

@YangKeao YangKeao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ti-chi-bot ti-chi-bot bot added needs-1-more-lgtm Indicates a PR needs 1 more LGTM. approved labels Apr 12, 2024
@codecov Codecov
Copy link

codecov bot commented Apr 12, 2024

Codecov Report

❗ No coverage uploaded for pull request base (release-7.1@1c78eed). Click here to learn what that means.
The diff coverage is 57.8947%.

Additional details and impacted files 
@@               Coverage Diff                @@
##             release-7.1     #51943   +/-   ##
================================================
  Coverage               ?   73.4420%           
================================================
  Files                  ?       1211           
  Lines                  ?     379785           
  Branches               ?          0           
================================================
  Hits                   ?     278922           
  Misses                 ?      83051           
  Partials               ?      17812

@ti-chi-bot ti-chi-bot
Copy link

ti-chi-bot bot commented Apr 12, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CbcWestwolf, YangKeao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [CbcWestwolf,YangKeao]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot bot added lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Apr 12, 2024
@ti-chi-bot ti-chi-bot
Copy link

ti-chi-bot bot commented Apr 12, 2024

[LGTM Timeline notifier]

Timeline:

  • 2024-04-12 08:33:38.270507721 +0000 UTC m=+1210479.798048259: ☑️ agreed by YangKeao.
  • 2024-04-12 08:46:10.637634486 +0000 UTC m=+1211232.165175031: ☑️ agreed by CbcWestwolf.

@ti-chi-bot ti-chi-bot bot merged commit 425cda9 into pingcap:release-7.1 Apr 12, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CbcWestwolf CbcWestwolf CbcWestwolf approved these changes

@YangKeao YangKeao YangKeao approved these changes

Assignees
No one assigned
Labels
approved cherry-pick-approved Cherry pick PR approved by release team. lgtm release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. type/cherry-pick-for-release-7.1 This PR is cherry-picked to release-7.1 from a source PR.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ti-chi-bot @YangKeao @CbcWestwolf