WL#15135 patch #4: Configure TLS in API and MySQL nodes

Part of WL#15135 Certificate Architecture

In Ndb_cluster_connection, this patch provides a new top-level
method configure_tls(). It also implements TLS initialization
in connect(), calling down through the TransporterFacade layer
to TransporterRegistry.

In the MySQL server this adds the new read-only configuration
option ndb-tls-search-path, with a compile-time default that is
configurable in CMake, WITH_NDB_TLS_SEARCH_PATH.

Unmodified API nodes that do not call into configure_tls() will
still be able to make TLS connections if keys are found
somewhere in the default search path.

Change-Id: Id1d046ff3c5a48a30131c3d15274f5ed625933a9

Author: jdduncan

mysql-test/suite/ndb/r/ndb_basic.result

@@ -203,6 +203,7 @@ ndb_show_foreign_key_mock_tables	#
 ndb_slave_conflict_role	#
 ndb_table_no_logging	#
 ndb_table_temporary	#
+ndb_tls_search_path	#
 ndb_use_copying_alter_table	#
 ndb_use_exact_count	#
 ndb_use_transactions	#

mysql-test/suite/ndb/r/ndb_basic_3rpl.result

@@ -203,6 +203,7 @@ ndb_show_foreign_key_mock_tables	#
 ndb_slave_conflict_role	#
 ndb_table_no_logging	#
 ndb_table_temporary	#
+ndb_tls_search_path	#
 ndb_use_copying_alter_table	#
 ndb_use_exact_count	#
 ndb_use_transactions	#

mysql-test/suite/ndb/r/ndb_basic_4rpl.result

@@ -203,6 +203,7 @@ ndb_show_foreign_key_mock_tables	#
 ndb_slave_conflict_role	#
 ndb_table_no_logging	#
 ndb_table_temporary	#
+ndb_tls_search_path	#
 ndb_use_copying_alter_table	#
 ndb_use_exact_count	#
 ndb_use_transactions	#

mysql-test/suite/ndb/r/ndb_basic_ndbd.result

@@ -203,6 +203,7 @@ ndb_show_foreign_key_mock_tables	#
 ndb_slave_conflict_role	#
 ndb_table_no_logging	#
 ndb_table_temporary	#
+ndb_tls_search_path	#
 ndb_use_copying_alter_table	#
 ndb_use_exact_count	#
 ndb_use_transactions	#

storage/ndb/CMakeLists.txt

@@ -38,6 +38,15 @@ IF(NOT WITHOUT_SERVER)
       SET(WITH_NDBCLUSTER_STORAGE_ENGINE 0)
     ENDIF()
   ENDIF()
+
+  IF(WIN32)
+    SET(DEFAULT_TLS_SEARCH_PATH "$HOMEPATH/ndb-tls")
+  ELSE()
+    SET(DEFAULT_TLS_SEARCH_PATH "$HOME/ndb-tls")
+  ENDIF()
+  SET(WITH_NDB_TLS_SEARCH_PATH ${DEFAULT_TLS_SEARCH_PATH}
+      CACHE STRING "Search path for TLS keys and certificates")
+
   #
   # Add the ndbcluster plugin
   #
@@ -123,6 +132,10 @@ IF(NOT WITHOUT_SERVER)
     DEFAULT STATIC_ONLY
     LINK_LIBRARIES ndbclient_static extra::rapidjson)
 
+  SET_PROPERTY(SOURCE plugin/ha_ndbcluster.cc
+               PROPERTY COMPILE_DEFINITIONS
+               NDB_TLS_SEARCH_PATH="${WITH_NDB_TLS_SEARCH_PATH}")
+
   # Sanity check that MYSQL_ADD_PLUGIN didn't decide to skip build
   IF (NOT WITH_NDBCLUSTER_STORAGE_ENGINE)
     IF(WITH_NDB)

storage/ndb/include/ndbapi/ndb_cluster_connection.hpp

@@ -108,6 +108,26 @@ class Ndb_cluster_connection {
    */
   void set_name(const char *name);
 
+  /**
+   * Configure TLS for the connection.
+   *
+   * tls_search_path is a colon-delimited list of directories that may contain
+   * TLS private key files or signed public key certificates. The search path
+   * may contain absolute directories, relative directories, and environment
+   * variables which will be expanded.
+   *
+   * The second (int) parameter will be introduced in WL#15524.
+   *
+   * If the node finds active NDB TLS node keys and certificates in the seach
+   * path, it will be able to connect securely to other nodes. These keys and
+   * certificates can be created using the ndb_sign_keys tool.
+   *
+   * If configure_tls() is not called for a connection, the search path used
+   * will be the compile-time default NDB_TLS_SEARCH_PATH.
+
+   */
+   void configure_tls(const char * tls_search_path, int);
+
   /**
    * For each Ndb_cluster_connection, NDB publishes a URI in the ndbinfo
    * processes table. A user may customize this URI using set_service_uri().

storage/ndb/plugin/ha_ndbcluster.cc

@@ -145,6 +145,8 @@ static ulong opt_ndb_data_node_neighbour;
 static bool opt_ndb_fully_replicated;
 static ulong opt_ndb_row_checksum;
 
+char *opt_ndb_tls_search_path;
+
 // The version where ndbcluster uses DYNAMIC by default when creating columns
 static const ulong NDB_VERSION_DYNAMIC_IS_DEFAULT = 50711;
 enum ndb_default_colum_format_enum {
@@ -17606,6 +17608,12 @@ static MYSQL_SYSVAR_STR(
     nullptr  /* default */
 );
 
+static MYSQL_SYSVAR_STR(tls_search_path,         /* name */
+                        opt_ndb_tls_search_path, /* var */
+                        PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
+                        "Directory containing NDB Cluster TLS Private Keys",
+                        NULL, NULL, NDB_TLS_SEARCH_PATH);
+
 static const int MIN_ACTIVATION_THRESHOLD = 0;
 static const int MAX_ACTIVATION_THRESHOLD = 16;
 
@@ -18442,6 +18450,7 @@ static SYS_VAR *system_variables[] = {
     MYSQL_SYSVAR(optimization_delay),
     MYSQL_SYSVAR(index_stat_enable),
     MYSQL_SYSVAR(index_stat_option),
+    MYSQL_SYSVAR(tls_search_path),
     MYSQL_SYSVAR(table_no_logging),
     MYSQL_SYSVAR(table_temporary),
     MYSQL_SYSVAR(log_bin),

storage/ndb/plugin/ha_ndbcluster_connection.cc

@@ -59,6 +59,8 @@ static uint g_pool_alloc = 0;
 static uint g_pool_pos = 0;
 static mysql_mutex_t g_pool_mutex;
 
+extern char *opt_ndb_tls_search_path;
+
 /**
    @brief Parse the --ndb-cluster-connection-pool-nodeids=nodeid[,nodeidN]
           comma separated list of nodeids to use for the pool
@@ -245,6 +247,7 @@ int ndbcluster_connect(ulong wait_connected,  // Timeout in seconds
     char buf[128];
     snprintf(buf, sizeof(buf), "mysqld --server-id=%lu", server_id);
     g_ndb_cluster_connection->set_name(buf);
+    g_ndb_cluster_connection->configure_tls(opt_ndb_tls_search_path, 0);
     snprintf(buf, sizeof(buf), "%s%s", processinfo_path, server_id_string);
     g_ndb_cluster_connection->set_service_uri("mysql", processinfo_host,
                                               processinfo_port, buf);
@@ -306,6 +309,7 @@ int ndbcluster_connect(ulong wait_connected,  // Timeout in seconds
         snprintf(buf, sizeof(buf), "mysqld --server-id=%lu (connection %u)",
                  server_id, i + 1);
         g_pool[i]->set_name(buf);
+        g_pool[i]->configure_tls(opt_ndb_tls_search_path, 0);
         const char *uri_sep = server_id ? ";" : "?";
         snprintf(buf, sizeof(buf), "%s%s%sconnection=%u", processinfo_path,
                  server_id_string, uri_sep, i + 1);

storage/ndb/src/ndbapi/CMakeLists.txt

@@ -78,5 +78,8 @@ ADD_CONVENIENCE_LIBRARY(ndbapi
   LINK_LIBRARIES ext::zlib
   )
 
+SET_PROPERTY(SOURCE TransporterFacade.cpp
+             PROPERTY COMPILE_DEFINITIONS
+             NDB_TLS_SEARCH_PATH="${WITH_NDB_TLS_SEARCH_PATH}")
 
 NDB_ADD_TEST(SectionIterators-t SectionIterators.cpp NdbApiSignal.cpp)

storage/ndb/src/ndbapi/TransporterFacade.cpp

@@ -522,6 +522,10 @@ TransporterFacade::start_instance(NodeId nodeId,
     DBUG_RETURN(-1);
   }
 
+  theTransporterRegistry->init_tls(m_tls_search_path,
+                                   m_tls_node_type,
+                                   m_tls_primary_api);
+
   if (theClusterMgr == nullptr)
   {
     theClusterMgr = new ClusterMgr(*this);
@@ -1666,7 +1670,10 @@ TransporterFacade::TransporterFacade(GlobalDictCache *cache) :
   m_send_thread_mutex(nullptr),
   m_send_thread_cond(nullptr),
   m_send_thread_nodes(),
-  m_has_data_nodes()
+  m_has_data_nodes(),
+  m_tls_search_path(NDB_TLS_SEARCH_PATH),
+  m_tls_node_type(NODE_TYPE_API),
+  m_tls_primary_api(true)
 {
   DBUG_ENTER("TransporterFacade::TransporterFacade");
   thePollMutex = NdbMutex_CreateWithName("PollMutex");
@@ -1768,6 +1775,16 @@ TransporterFacade::set_up_node_active_in_send_buffers(Uint32 nodeId,
   DBUG_VOID_RETURN;
 }
 
+void
+TransporterFacade::configure_tls(const char * searchPath,
+                                 int nodeType, bool isPrimary)
+{
+  assert(searchPath);
+  m_tls_search_path = searchPath;
+  m_tls_node_type = nodeType;
+  m_tls_primary_api = isPrimary;
+}
+
 bool
 TransporterFacade::configure(NodeId nodeId,
                              const ndb_mgm_configuration* conf)

storage/ndb/src/ndbapi/TransporterFacade.hpp

@@ -73,6 +73,12 @@ class TransporterFacade :
   int start_instance(NodeId, const ndb_mgm_configuration*);
   void stop_instance();
 
+  void configure_tls(const char *, int type, bool primary);
+  void api_configure_tls(const char * searchPath, bool primary)
+  {
+    configure_tls(searchPath, NODE_TYPE_API, primary);
+  }
+
   /*
     (Re)configure the TransporterFacade
     to a specific configuration
@@ -596,6 +602,11 @@ class TransporterFacade :
    * of sending to these nodes.
    */
   NodeBitmask m_has_data_nodes;
+
+  /* TLS Configuration */
+  const char * m_tls_search_path;
+  int m_tls_node_type;
+  bool m_tls_primary_api;
 };
 
 inline

storage/ndb/src/ndbapi/ndb_cluster_connection.cpp

@@ -615,6 +615,9 @@ Ndb_cluster_connection_impl::~Ndb_cluster_connection_impl()
     m_nodes_proximity_mutex = nullptr;
   }
 
+  free(const_cast<char *>(m_tls_search_path));
+  m_tls_search_path = nullptr;
+
   if (m_event_add_drop_mutex)
     NdbMutex_Destroy(m_event_add_drop_mutex);
   m_event_add_drop_mutex = nullptr;
@@ -938,6 +941,14 @@ Ndb_cluster_connection_impl::set_data_node_neighbour(Uint32 node)
   NdbMutex_Unlock(m_nodes_proximity_mutex);
 }
 
+void
+Ndb_cluster_connection_impl::configure_tls(const char * searchPath)
+{
+  bool isPrimary = ! (bool) m_main_connection;
+  m_tls_search_path = strdup(searchPath);
+  m_transporter_facade->api_configure_tls(m_tls_search_path, isPrimary);
+}
+
 void
 Ndb_cluster_connection_impl::set_name(const char *name)
 {
@@ -1390,6 +1401,11 @@ Ndb_cluster_connection_impl::do_test()
   delete[] nodes;
 }
 
+void Ndb_cluster_connection::configure_tls(const char * searchPath, int)
+{
+  m_impl.configure_tls(searchPath);
+}
+
 void Ndb_cluster_connection::set_data_node_neighbour(Uint32 node)
 {
   m_impl.set_data_node_neighbour(node);

storage/ndb/src/ndbapi/ndb_cluster_connection_impl.hpp

@@ -134,6 +134,7 @@ class Ndb_cluster_connection_impl : public Ndb_cluster_connection
   int configure(Uint32 nodeid, const ndb_mgm_configuration *config);
   void connect_thread();
   void set_name(const char *name);
+  void configure_tls(const char * search_path);
   int set_service_uri(const char *, const char *, int, const char *);
   void set_data_node_neighbour(Uint32 neighbour_node);
   void adjust_node_proximity(Uint32 node_id, Int32 adjustment);
@@ -208,6 +209,9 @@ class Ndb_cluster_connection_impl : public Ndb_cluster_connection
 
   // Config generation of used configuration
   Uint32 m_config_generation{0};
+
+  // TLS Certificate Search Path
+  const char * m_tls_search_path {nullptr};
 };
 
 #endif