Release 0.9.0 #221

Merged
merged 2 commits into from
Jun 20, 2022

DifferentialOrange
Member

@DifferentialOrange DifferentialOrange commented Jun 20, 2022

Overview

This release features SSL support.

To use an encrypted connection with a Tarantool Enterprise Edition
instance, pass the "ssl" transport parameter on connect:

con = tarantool.Connection(
    host, port,
    user=user,
    password=password,
    transport="ssl")

To verify the server, set the client's trusted certificate
authorities (CA) file with the ssl_ca_file parameter:

con = tarantool.Connection(
    host, port,
    user=user,
    password=password,
    transport="ssl",
    ssl_ca_file=client_ca_file)

If the server authenticates clients using certificates issued by
a given CA, you must provide a private SSL key file with the ssl_key_file
parameter and an SSL certificate file with the ssl_cert_file parameter.
Otherwise, these parameters are optional.

con = tarantool.Connection(
    host, port,
    user=user,
    password=password,
    transport="ssl",
    ssl_key_file=client_key_file,
    ssl_cert_file=client_cert_file)

To set SSL ciphers, set them with the ssl_ciphers parameter as
a colon-separated (:) string:

con = tarantool.Connection(
    host, port,
    user=user,
    password=password,
    transport="ssl",
    ssl_ciphers=client_ssl_ciphers)

ConnectionPool and MeshConnection also support these parameters.

# addrs is a list of address dicts, one per instance
mesh = tarantool.MeshConnection(
    addrs=[{
        "host": host,
        "port": port,
        "transport": "ssl",
        "ssl_key_file": client_key_file,
        "ssl_cert_file": client_cert_file,
        "ssl_ca_file": client_ca_file,
        "ssl_ciphers": client_ssl_ciphers,
    }],
    user=user,
    password=password)

pool = tarantool.ConnectionPool(
    addrs=[{
        "host": host,
        "port": port,
        "transport": "ssl",
        "ssl_key_file": client_key_file,
        "ssl_cert_file": client_cert_file,
        "ssl_ca_file": client_ca_file,
        "ssl_ciphers": client_ssl_ciphers,
    }],
    user=user,
    password=password)

See the Tarantool Enterprise Edition manual
for details.

Breaking changes

There are no breaking changes in the release.

New features

Testing

@DifferentialOrange DifferentialOrange force-pushed the DifferentialOrange/release-0.9.0 branch from 2edbf69 to 2c8753f Compare June 20, 2022 12:16
@DifferentialOrange DifferentialOrange force-pushed the DifferentialOrange/release-0.9.0 branch from 2c8753f to f11a963 Compare June 20, 2022 12:22
@Totktonada
Member

  1. I would split encryption related options to groups:
    • To use encrypted connection...
    • To validate server's certificate...
    • To provide a client certificate...
    • Also you can set a ciphers list using...
  2. There are several more changes/actions we need to do at release: https://github.com/tarantool/tarantool-python/wiki/How-to-make-a-release.

@DifferentialOrange DifferentialOrange force-pushed the DifferentialOrange/release-0.9.0 branch from f11a963 to f89e7c9 Compare June 20, 2022 15:02
@DifferentialOrange DifferentialOrange force-pushed the DifferentialOrange/release-0.9.0 branch from f89e7c9 to 2105c4a Compare June 20, 2022 15:47
@DifferentialOrange
Member Author

The package is available in test PyPI under the 0.8.4 tag

@Totktonada
Member

Now the recipes go in this order:

  1. How to encrypt the traffic.
  2. How to pass a client certificate.
  3. How to validate the server's certificate.
  4. How to tune ciphers.

I would change the order of 2 and 3.

I would also reword the paragraph, which describes how to authenticate on a server, which expects a client certificate. The phrase 'server uses trusted certificate authorities (CA) file' is not the equivalent to 'requires a client certificate' or 'authenticate clients using certificates issued by given CA'. At least: 'trusted CA file' -- trusted by who? 'Uses CA file' -- for what?

Those are minor comments, the PR is generally okay for me. Feel free to ignore.

Overview

    This release features SSL support.

    To use an encrypted connection with a Tarantool Enterprise Edition
    instance, pass the "ssl" `transport` parameter on connect:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl")

    To verify the server, set the client's trusted certificate
    authorities (CA) file with the `ssl_ca_file` parameter:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ca_file=client_ca_file)

    If the server authenticates clients using certificates issued by
    a given CA, you must provide a private SSL key file with the `ssl_key_file`
    parameter and an SSL certificate file with the `ssl_cert_file` parameter.
    Otherwise, these parameters are optional.

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_key_file=client_key_file,
            ssl_cert_file=client_cert_file)

    To set SSL ciphers, set them with the `ssl_ciphers` parameter as
    a colon-separated (:) string:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ciphers=client_ssl_ciphers)

    ConnectionPool and MeshConnection also support these parameters.

        # addrs is a list of address dicts, one per instance
        mesh = tarantool.MeshConnection(
            addrs=[{
                "host": host,
                "port": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            }],
            user=user,
            password=password)

        pool = tarantool.ConnectionPool(
            addrs=[{
                "host": host,
                "port": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            }],
            user=user,
            password=password)

    See the Tarantool Enterprise Edition manual for details [1].

    1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption

Breaking changes

    There are no breaking changes in the release.

New features

    * SSL support (PR #220, #217).

Testing

    * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
@DifferentialOrange DifferentialOrange force-pushed the DifferentialOrange/release-0.9.0 branch from 2105c4a to 1971a3d Compare June 20, 2022 17:36
@DifferentialOrange DifferentialOrange merged commit 60a2f38 into master Jun 20, 2022
@DifferentialOrange DifferentialOrange deleted the DifferentialOrange/release-0.9.0 branch June 20, 2022 18:18
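
A pre-flight check over the address dicts described in the release overview, as an added example that is not part of this pull request or of tarantool-python. The accepted key set is taken from the parameters shown on this page; the function names and finding codes are hypothetical, and "server-not-verified" follows the overview's statement that `ssl_ca_file` is what enables server verification.

```python
# Added example: pre-flight audit of tarantool-python address settings.
# Key set taken from this page; names and finding codes are hypothetical.
KNOWN_KEYS = {"host", "port", "transport", "ssl_key_file",
              "ssl_cert_file", "ssl_ca_file", "ssl_ciphers"}
# OpenSSL cipher-string keywords that select weak or unauthenticated suites.
WEAK_TOKENS = {"NULL", "ENULL", "ANULL", "EXPORT", "LOW", "RC4", "MD5", "DES", "3DES"}


def weak_cipher_tokens(ciphers):
    """Return weak keywords that a colon-separated cipher string enables."""
    found = []
    for item in ciphers.split(":"):
        item = item.strip()
        if not item or item[0] in "!-":          # "!" and "-" exclude, not enable
            continue
        for part in item.lstrip("+").split("+"):  # handles "ECDHE+AESGCM" style
            if part.upper() in WEAK_TOKENS:
                found.append(part)
    return found


def audit_addr(addr):
    """Return a sorted list of finding codes for one address dict."""
    findings = {f"unknown-key:{k}" for k in addr.keys() - KNOWN_KEYS}
    findings |= {f"missing-key:{k}" for k in ("host", "port") if k not in addr}
    if addr.get("transport") != "ssl":
        findings.add("plaintext-transport")
        return sorted(findings)
    if not addr.get("ssl_ca_file"):
        findings.add("server-not-verified")      # encrypted, but peer unauthenticated
    if bool(addr.get("ssl_key_file")) != bool(addr.get("ssl_cert_file")):
        findings.add("incomplete-client-cert")   # the page asks for key and cert together
    for tok in weak_cipher_tokens(addr.get("ssl_ciphers") or ""):
        findings.add(f"weak-cipher:{tok}")
    return sorted(findings)


def audit_addrs(addrs):
    """Audit every entry of a MeshConnection/ConnectionPool address list."""
    return {i: f for i, a in enumerate(addrs) if (f := audit_addr(a))}


if __name__ == "__main__":
    # Constructed sample: the second entry misspells "port" and sets no CA file.
    sample = [{"host": "db1.example", "port": 3301, "transport": "ssl",
               "ssl_ca_file": "ca.crt"},
              {"host": "db2.example", "post": 3301, "transport": "ssl"}]
    print(audit_addrs(sample))
```

Running it on the constructed sample reports only the second entry, with the misspelled key, the missing port and the unverified server listed together.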