WL#15135 patch #5: Configure TLS in DB and MGM nodes

Part of WL#15135 Certificate Architecture

In NDB data and management nodes, initialize TLS at startup time.

ndbd and ndb_mgmd now take option --ndb-tls-search-path.

Change-Id: I73e29c10af9d5366c53f86106ec82feac33c4bdf

Author: jdduncan

storage/ndb/include/util/ndb_opts.h

@@ -47,6 +47,7 @@ OPT_EXTERN(const char *,opt_ndb_connectstring,=0);
 OPT_EXTERN(int, opt_connect_retry_delay,NONE);
 OPT_EXTERN(int, opt_connect_retries,NONE);
 OPT_EXTERN(const char *,opt_charsets_dir,=0);
+OPT_EXTERN(const char *,opt_tls_search_path,=NDB_TLS_SEARCH_PATH);
 
 #ifndef NDEBUG
 OPT_EXTERN(const char *,opt_debug,= 0);
@@ -141,6 +142,12 @@ static constexpr struct my_option connect_retries =
     &opt_connect_retries, nullptr, nullptr, GET_INT, REQUIRED_ARG,
     12, -1, INT_MAX, nullptr, 0, nullptr};
 
+static constexpr struct my_option tls_search_path =
+  { "ndb-tls-search-path", NDB_OPT_NOSHORT,
+    "List of directories containing TLS keys and certificates",
+    &opt_tls_search_path, nullptr, nullptr, GET_STR, REQUIRED_ARG,
+    0, 0, 0, nullptr, 0, nullptr};
+
 #ifndef NDEBUG
 static constexpr struct my_option debug =
   { "debug", '#', "Output debug log. Often this is 'd:t:o,filename'.",

storage/ndb/src/common/util/CMakeLists.txt

@@ -95,6 +95,11 @@ ENDIF()
 
 NDB_ADD_TEST(ndb_version-t version.cpp LIBS ndbgeneral)
 
+SET_PROPERTY(SOURCE ndb_opts.cpp
+             PROPERTY COMPILE_DEFINITIONS
+             NDB_TLS_SEARCH_PATH="${WITH_NDB_TLS_SEARCH_PATH}")
+
+
 FOREACH(tests
     NdbPack
     mysql_utils_test

storage/ndb/src/kernel/main.cpp

@@ -76,6 +76,7 @@ static struct my_option my_long_options[] =
   NdbStdOpt::ndb_nodeid,
   NdbStdOpt::connect_retry_delay, //used
   NdbStdOpt::connect_retries, // used
+  NdbStdOpt::tls_search_path,
   NDB_STD_OPT_DEBUG
   { "core-file", NDB_OPT_NOSHORT, "Write core on errors.",\
     &opt_core, nullptr, nullptr, GET_BOOL, NO_ARG,
@@ -265,7 +266,7 @@ real_main(int argc, char** argv)
              opt_ndb_connectstring, opt_ndb_nodeid, opt_bind_address,
              opt_no_start, opt_initial, opt_initialstart,
              opt_allocated_nodeid, opt_connect_retries, opt_connect_retry_delay,
-             opt_logbuffer_size);
+             opt_logbuffer_size, opt_tls_search_path);
   }
 
   /**

storage/ndb/src/kernel/ndbd.cpp

@@ -1030,7 +1030,7 @@ ndbd_run(bool foreground, int report_fd,
          const char* connect_str, int force_nodeid, const char* bind_address,
          bool no_start, bool initial, bool initialstart,
          unsigned allocated_nodeid, int connect_retries, int connect_delay,
-         size_t logbuffer_size)
+         size_t logbuffer_size, const char * tls_search_path)
 {
   log_memusage("ndbd_run");
   LogBuffer* logBuf = new LogBuffer(logbuffer_size);
@@ -1169,6 +1169,7 @@ ndbd_run(bool foreground, int report_fd,
 
   theConfig->setupConfiguration();
 
+  globalTransporterRegistry.init_tls(tls_search_path, NODE_TYPE_DB, true);
 
   /**
     Printout various information about the threads in the

storage/ndb/src/kernel/ndbd.hpp

@@ -33,7 +33,7 @@ ndbd_run(bool foreground, int report_fd,
          const char* connect_str, int force_nodeid, const char* bind_address,
          bool no_start, bool initial, bool initialstart,
          unsigned allocated_nodeid, int connect_retries, int connect_delay,
-         size_t logbuffer_size);
+         size_t logbuffer_size, const char * tls_search_path);
 
 enum NdbShutdownType {
   NST_Normal,

storage/ndb/src/mgmsrv/CMakeLists.txt

@@ -41,6 +41,8 @@ IF(WITHOUT_SERVER)
   RETURN()
 ENDIF()
 
+ADD_COMPILE_DEFINITIONS(NDB_TLS_SEARCH_PATH="${WITH_NDB_TLS_SEARCH_PATH}")
+
 # Define MYSQLCLUSTERDIR, the default location
 # of ndb_mgmd config files
 IF(NOT DEFINED DEFAULT_MYSQL_HOME)

storage/ndb/src/mgmsrv/MgmtSrvr.cpp

@@ -249,6 +249,7 @@ MgmtSrvr::MgmtSrvr(const MgmtOpts& opts) :
   m_local_config(NULL),
   _ownReference(0),
   m_config_manager(NULL),
+  m_tls_search_path(opts.tls_search_path),
   m_need_restart(false),
   theFacade(NULL),
   _isStopThread(false),
@@ -391,22 +392,21 @@ MgmtSrvr::init()
 
   assert(_ownNodeId);
 
+  theFacade= new TransporterFacade(0);
+  if (theFacade == 0)
+  {
+    g_eventLogger->error("Could not create TransporterFacade.");
+    DBUG_RETURN(false);
+  }
+
   DBUG_RETURN(true);
 }
 
-
 bool
 MgmtSrvr::start_transporter(const Config* config)
 {
   DBUG_ENTER("MgmtSrvr::start_transporter");
 
-  theFacade= new TransporterFacade(0);
-  if (theFacade == 0)
-  {
-    g_eventLogger->error("Could not create TransporterFacade.");
-    DBUG_RETURN(false);
-  }
-
   assert(_blockNumber == 0); // Blocknumber shouldn't been allocated yet
 
   /*
@@ -572,6 +572,10 @@ MgmtSrvr::start()
 {
   DBUG_ENTER("MgmtSrvr::start");
 
+  /* Configure TLS */
+  require(m_tls_search_path);
+  theFacade->mgm_configure_tls(m_tls_search_path);
+
   /* Start transporter */
   if(!start_transporter(m_local_config))
   {

storage/ndb/src/mgmsrv/MgmtSrvr.hpp

@@ -112,10 +112,13 @@ class MgmtSrvr : private ConfigSubscriber, public trp_client {
     int print_full_config;
     const char* configdir;
     int verbose;
-    MgmtOpts() : configdir(MYSQLCLUSTERDIR) {}
     int reload;
     int initial;
     NodeBitmask nowait_nodes;
+    const char* tls_search_path;
+
+    MgmtOpts() : configdir(MYSQLCLUSTERDIR),
+                 tls_search_path(NDB_TLS_SEARCH_PATH) {}
   };
 
   MgmtSrvr(); // Not implemented
@@ -453,6 +456,8 @@ class MgmtSrvr : private ConfigSubscriber, public trp_client {
 
   class ConfigManager* m_config_manager;
 
+  const char * m_tls_search_path { nullptr };
+
   bool m_need_restart;
 
   ndb_sockaddr m_connect_address[MAX_NODES];

storage/ndb/src/mgmsrv/main.cpp

@@ -113,6 +113,7 @@ static struct my_option my_long_options[] =
   NdbStdOpt::ndb_nodeid,
   NdbStdOpt::mgmd_host,
   NdbStdOpt::connectstring,
+  NdbStdOpt::tls_search_path,
   NDB_STD_OPT_DEBUG
   { "config-file", 'f', "Specify cluster configuration file",
     &opts.config_filename, nullptr, nullptr, GET_STR, REQUIRED_ARG,
@@ -457,6 +458,8 @@ static int mgmd_main(int argc, char** argv)
     }
   }
 
+  opts.tls_search_path = opt_tls_search_path;
+
   /* Setup use of event logger */
   g_eventLogger->setCategory(opt_logname);
 

storage/ndb/src/ndbapi/TransporterFacade.hpp

@@ -78,6 +78,10 @@ class TransporterFacade :
   {
     configure_tls(searchPath, NODE_TYPE_API, primary);
   }
+  void mgm_configure_tls(const char * searchPath)
+  {
+    configure_tls(searchPath, NODE_TYPE_MGM, true);
+  }
 
   /*
     (Re)configure the TransporterFacade