WL#15524 Patch #11 Use MGM TLS in TransporterRegistry and MgmtSrvr

TransporterRegistry and MgmtSrvr both open some MGM connections
to management servers. Use MGM TLS for these, and extend the
init_tls() method to add the MGM TLS requirement level.

Change-Id: Iea6d776eeb676bd979267b03461bf62d59ca25b1

Author: jdduncan

storage/ndb/include/transporter/TransporterRegistry.hpp

@@ -238,7 +238,8 @@ class TransporterRegistry
    * Initialize TLS context. Cannot be called prior to init(NodeId).
    * Returns true on success.
    */
-  bool init_tls(const char * search_path, int node_type, bool is_primary);
+  bool init_tls(const char * search_path, int node_type,
+                bool is_primary, int mgm_tls_requirement_level);
 
   /**
      Perform handshaking of a client connection to accept it
@@ -572,6 +573,7 @@ class TransporterRegistry
   Uint32 nTCPTransporters;
   Uint32 nSHMTransporters;
   TlsKeyManager m_tls_keys;
+  int m_mgm_tls_req;
 
 #ifdef ERROR_INSERT
   NodeBitmask m_blocked;

storage/ndb/src/common/transporter/TransporterRegistry.cpp

@@ -514,10 +514,11 @@ TransporterRegistry::init(TransporterReceiveHandle& recvhandle)
 
 bool
 TransporterRegistry::init_tls(const char * searchPath, int nodeType,
-                              bool isPrimary)
+                              bool isPrimary, int mgmReqLevel)
 {
   require(localNodeId);
   m_tls_keys.init(searchPath, localNodeId, nodeType, isPrimary);
+  m_mgm_tls_req = mgmReqLevel;
   return m_tls_keys.ctx();
 }
 
@@ -3433,8 +3434,11 @@ TransporterRegistry::start_clients_thread()
                                 "dynamic port",
                                 nodeId));
 
-	    if(!ndb_mgm_is_connected(m_mgm_handle))
-	      ndb_mgm_connect(m_mgm_handle, 0, 0, 0);
+            if(! ndb_mgm_is_connected(m_mgm_handle))
+            {
+              ndb_mgm_set_ssl_ctx(m_mgm_handle, m_tls_keys.ctx());
+              ndb_mgm_connect_tls(m_mgm_handle, 0, 0, 0, m_mgm_tls_req);
+            }
 
 	    if(ndb_mgm_is_connected(m_mgm_handle))
 	    {

storage/ndb/src/kernel/ndbd.cpp

@@ -1172,7 +1172,8 @@ ndbd_run(bool foreground, int report_fd,
 
   theConfig->setupConfiguration();
 
-  globalTransporterRegistry.init_tls(tls_search_path, NODE_TYPE_DB, true);
+  globalTransporterRegistry.init_tls(tls_search_path, NODE_TYPE_DB, true,
+                                     opt_mgm_tls);
 
   const ndb_mgm_configuration_iterator *p =
       globalEmulatorData.theConfiguration->getOwnConfigIterator();

storage/ndb/src/mgmsrv/MgmtSrvr.cpp

@@ -592,7 +592,7 @@ MgmtSrvr::start()
 
   /* Configure TlsKeyManager */
   require(m_tls_search_path);
-  theFacade->mgm_configure_tls(m_tls_search_path);
+  theFacade->mgm_configure_tls(m_tls_search_path, m_client_tls_req);
 
   /* Start transporter */
   if(!start_transporter(m_local_config))
@@ -1330,7 +1330,8 @@ int MgmtSrvr::sendStopMgmd(NodeId nodeId,
   if ( h && connect_string.length() > 0 )
   {
     ndb_mgm_set_connectstring(h,connect_string.c_str());
-    if(ndb_mgm_connect(h,1,0,0))
+    ndb_mgm_set_ssl_ctx(h, ssl_ctx());
+    if(ndb_mgm_connect_tls(h,1,0,0, m_client_tls_req))
     {
       DBUG_PRINT("info",("failed ndb_mgm_connect"));
       ndb_mgm_destroy_handle(&h);
@@ -5186,7 +5187,8 @@ bool MgmtSrvr::connect_to_self()
              m_port);
   ndb_mgm_set_connectstring(mgm_handle, buf.c_str());
 
-  if(ndb_mgm_connect(mgm_handle, 0, 0, 0) < 0)
+  ndb_mgm_set_ssl_ctx(mgm_handle, ssl_ctx());
+  if(ndb_mgm_connect_tls(mgm_handle, 0, 0, 0, m_client_tls_req) < 0)
   {
     g_eventLogger->warning("%d %s",
                            ndb_mgm_get_latest_error(mgm_handle),

storage/ndb/src/mgmsrv/MgmtSrvr.hpp

@@ -463,6 +463,10 @@ class MgmtSrvr : private ConfigSubscriber, public trp_client {
   bool m_require_tls { false }; // ... and as MGM server.
   bool m_require_cert { false };
 
+  struct ssl_ctx_st * ssl_ctx() {
+    return theFacade->get_registry()->getTlsKeyManager()->ctx();
+  }
+
   bool m_need_restart;
 
   ndb_sockaddr m_connect_address[MAX_NODES];

storage/ndb/src/ndbapi/TransporterFacade.cpp

@@ -524,7 +524,8 @@ TransporterFacade::start_instance(NodeId nodeId,
 
   theTransporterRegistry->init_tls(m_tls_search_path,
                                    m_tls_node_type,
-                                   m_tls_primary_api);
+                                   m_tls_primary_api,
+                                   m_mgm_tls_level);
 
   if (theClusterMgr == nullptr)
   {
@@ -1777,12 +1778,14 @@ TransporterFacade::set_up_node_active_in_send_buffers(Uint32 nodeId,
 
 void
 TransporterFacade::configure_tls(const char * searchPath,
-                                 int nodeType, bool isPrimary)
+                                 int nodeType, bool isPrimary,
+                                 int mgmTlsRequirement)
 {
   assert(searchPath);
   m_tls_search_path = searchPath;
   m_tls_node_type = nodeType;
   m_tls_primary_api = isPrimary;
+  m_mgm_tls_level = mgmTlsRequirement;
 }
 
 bool

storage/ndb/src/ndbapi/TransporterFacade.hpp

@@ -73,14 +73,14 @@ class TransporterFacade :
   int start_instance(NodeId, const ndb_mgm_configuration*);
   void stop_instance();
 
-  void configure_tls(const char *, int type, bool primary);
-  void api_configure_tls(const char * searchPath, bool primary)
+  void configure_tls(const char *, int type, bool primary, int mgmLevel);
+  void api_configure_tls(const char * searchPath, bool primary, int mgmLevel)
   {
-    configure_tls(searchPath, NODE_TYPE_API, primary);
+    configure_tls(searchPath, NODE_TYPE_API, primary, mgmLevel);
   }
-  void mgm_configure_tls(const char * searchPath)
+  void mgm_configure_tls(const char * searchPath, int mgmLevel)
   {
-    configure_tls(searchPath, NODE_TYPE_MGM, true);
+    configure_tls(searchPath, NODE_TYPE_MGM, true, mgmLevel);
   }
 
   /*
@@ -611,6 +611,7 @@ class TransporterFacade :
   const char * m_tls_search_path;
   int m_tls_node_type;
   bool m_tls_primary_api;
+  int m_mgm_tls_level;
 };
 
 inline

storage/ndb/src/ndbapi/ndb_cluster_connection.cpp

@@ -946,7 +946,14 @@ Ndb_cluster_connection_impl::configure_tls(const char * searchPath)
 {
   bool isPrimary = ! (bool) m_main_connection;
   m_tls_search_path = strdup(searchPath);
-  m_transporter_facade->api_configure_tls(m_tls_search_path, isPrimary);
+
+  /* A later patch will make mgm_level configurable */
+  static constexpr int mgm_level = CLIENT_TLS_RELAXED;
+
+  m_config_retriever->init_mgm_tls(m_tls_search_path, ::Node::Type::Client,
+                                   mgm_level);
+  m_transporter_facade->api_configure_tls(m_tls_search_path, isPrimary,
+                                          mgm_level);
 }
 
 void