MDEV-37548 : wsrep_allowlist allows all connections during SST

janlindstrom · janlindstrom · commit c96a4fd419dc · 2025-09-10T15:03:59.000+03:00
MDEV-37136 allowed connections by default if wsrep_schema is
not initialized, but this allows and process to connect to a
node which is joining to the cluster and receiving SST (i.e.
all incoming connections are allowed until the storage engines
get initialized). We need to allow all connections by default
to maintain upgradability if nothing else is configured.

However, if user has given wsrep_allowlist string or stored
allowed connections to mysql.wsrep_allowlist table used
address should be checked.

When node is joining to the cluster and receiving SST InnoDB
storage engine is not initialized, thus mysq.wsrep_allowlist
table is not available and wsrep_schema is not intialized.
In this case we still should check has user configured
allowed connections using wsrep_allowlist configuration
variable. If wsrep_allowlist configuration variable contains
list of allowed addressed, we check is address used in
new connection in this list. If it is not connection is not
allowed.
diff --git a/sql/wsrep_allowlist_service.cc b/sql/wsrep_allowlist_service.cc
@@ -36,12 +36,31 @@ bool Wsrep_allowlist_service::allowlist_cb (
   const wsrep::const_buffer& value)
   WSREP_NOEXCEPT
 {
-  bool res=true; // allow all connections
+  // Allow all connections if user has not given list of
+  // allowed addresses or stored them on mysql.wsrep_allowlist
+  // table. Note that table is available after SEs are initialized.
+  bool res=true; 
+  std::string string_value(value.data());
   if (wsrep_schema)
   {
-    std::string string_value(value.data());
     res= wsrep_schema->allowlist_check(key, string_value);
   }
+  // If wsrep_schema is not initialized check if user has given
+  // list of addresses where connections are allowed
+  else if (wsrep_allowlist && wsrep_allowlist[0] != '\0')
+  {
+    res= false; // Allow only given addresses
+    std::vector<std::string> allowlist;
+    wsrep_split_allowlist(allowlist);
+    for(auto allowed : allowlist)
+    {
+      if (!string_value.compare(allowed))
+      {
+        res= true; // Address found allow connection
+        break;
+      }
+    }
+  }
   return res;
 }
 
