forked from percona/percona-server
WL#15166 patch #3 Testing NdbProcess and ndb_sign_keys
Add a unit test, an NdbApi test, and an MTR test.
The unit test is testNdbProcess-t
The NdbApi test is testMgmd -n SshKeySigning
The MTR test is sign_keys in suite ndb_tls

Create the ndb_tls test suite.
Create the ndb-tls subdirectory in std_data.
Create a CA key and certificate in std_data/ndb-tls/.

Change-Id: Icec0fa4a9031be11facbd346d09debe8bc8bfe68
Showing 15 changed files with 507 additions and 5 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIC6DCCAdCgAwIBAgILAOJzsRsTdsy+5KIwDQYJKoZIhvcNAQELBQAwKDEmMCQG | ||
A1UEAwwdTXlTUUwgTkRCIENsdXN0ZXIgQ2VydGlmaWNhdGUwHhcNMjIwNjA2MDEy | ||
NzAxWhcNMjYwNjA2MDEyNzAxWjAoMSYwJAYDVQQDDB1NeVNRTCBOREIgQ2x1c3Rl | ||
ciBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtZ | ||
p2cfo6Q9TG7krVpfcdKWoAM9yjaWVt7TD6O+N2Zk1fxjgFigQEa20uMwfmaZ4L7n | ||
djWWpK6oa+TaCdfsNAaAdkE2HXA/mcFsd+fPFXOEELgkPoin83HnFRLWnPnj6wRU | ||
3O4r7TsDVqgPjEh4O3vmyOUYR7jw3B6rajDVQFtXT54ZrrsoH+QzWX8mX8Q0WSQd | ||
hKKFekQqnRyLucjJcMfb7B1fLwZGi5dC9/UzDIT4NM0a2mMBL4/9xjg94LYHfTmN | ||
MbmSaLbYQjuGrCwf3nelQIAq5UZ04/7mQ8mNMyEnXDI37FfMhIX1HzYew5nD4nxE | ||
sh/8RrFKpqHSayNj1d0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG | ||
9w0BAQsFAAOCAQEAJop7adeLAgULgwp4SwXr64DQ7aw2HsSHnI/iCOz6tV96hoDq | ||
COi02L4M5T8PS/T5/JjawZ82D/Xs2m61c3VTNblxP/WIWPMfTRH3cDd7YDjRPRZE | ||
xPZvbAJawMnkV/GtMxXPEScJzoIqjugaZ9B2KXCn20EGlXJ82qDBQZT/9HrYNKki | ||
Cc080C8ybLw2Sm7Ty8SzetS+fMmdfAzqdIHB+IlATOzkhsIvC1A3MG0TP17vtcUW | ||
JcL0sjI//5kX14Sz63lZl1ecVMl4e8oHrdOtrDfM7m2D4x4dfsn0VehP6ZmqygJ/ | ||
Pzp7VdwefvR0almfGq4hSGgXI1sR8DspPbgItw== | ||
-----END CERTIFICATE----- |
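Review bot: the PEM block added here carries nothing a reader can use to tell when this CA certificate expires or how it was produced, so any test that loads it will eventually fail with no pointer to the fix. Suggest a short README beside it in std_data/ndb-tls/ that records the command used to generate it and its expiry date, so the file can be regenerated without guesswork.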
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
-----BEGIN ENCRYPTED PRIVATE KEY----- | ||
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI1W6H2p92tVsCAggA | ||
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLQUM5chjeEsBIIEyLcXK1k+5V3V | ||
F8OsAcxZNAGtkA3XvPvu4wZP4F0BT14x12Z2vL3DFib6krhv4yOJSSzW5P3qlc2v | ||
MzCZOtkkWBA2AQ5L1RF8o2x5AzpK9uyPKCuroiD76iuhNcAjNjeOyJVQmdV8zXdq | ||
QAixLX7nZQV8iorry8DY9nyBwBUxsaAuDYEAwCtLVz/YSCLqqjSXKqQuDmF/lMes | ||
Z4FE8B8O9y+TIqpjlh/7TIYQ8S925DyaS+elU3W2swBR1Vlr6Kc2k+KQw6gNStRj | ||
x1kouFpxknhYUeQwnEKafG7iPoQqtdYNbkmrkEJ6e/2KytTmT0Wlo9HCn4SEKG1q | ||
4VIsMTFXjtX7IzstCYX9+jRFljASP4Ajvbg/Cld27J45/Me5mhsPr4tcXYZseV89 | ||
6xqaA14sw7LvLR9MGqOGu9PhezvJ+Lz19kFQGd0q/aYwBr7UXvMJvJVxXlnZIfty | ||
XT3qoqIEaibYNFN666tldVP2K2eJVwV4e8Jc2D9yykodGS5ArmJ0bpsMhQ/oiAPd | ||
eSOCZEPH2iPLtgrdI2e8mH7Ukb1P7cv4m0NPDhlUSym3UeHHFwLN+FB9mlP5eJCy | ||
8Zp/ZUsgLrX8eYKAogu2abMSvPV7z9ZmE0pCnInfxEqA5TR4LKZlLQmxiTipksGc | ||
JniOJ5fqIc8ho2ZZZHR6HI8xyXyxFuCo1Fq10GtHurmrXJo2ENOOXX7R8Z0YdrtH | ||
jg2WSHWEKEdE7AxTU8XeyB17ljnUrtF9K+zZIjkapF9AkCpzgcCAwktqDYd/BaoU | ||
I5lufnb+fkE/LUqHNF4OCZa7C4yD2++0hQQblVbklWz4f/Tkt1HTai5pfFs1RtA8 | ||
BrB/IERKkBE3OITIA0whWUvrU/QlItRuP5jEZcw3WA0A8QyITjUa88CgOyC7LUD6 | ||
lXNt1A39AfxDwVkNSxy+pOCZm08WTGmaULhJy1fi+UeAUQRxZ3feVAVAckosAEIm | ||
ljosSunZEoZUW05YKyV9LZa7pfPP+5cm1FKoTSNpX2G2eS0v+pxcqQOOeR7HkeRM | ||
W9QewYVpkKQou68aHRG8RuXkcTTeadOwQQCTixWLuX4apJ/AnNLUURefh+qLl4Ko | ||
uFrH1yeae83oopp8bIsFEVxubHCpsrUEftfNpnkZ+puMHeHHNanxz86J8gsi8/jg | ||
2x4nLbbOMaV1dNyLGjeZacmWI1IzZcLWgiiSbflGnn7uLgq2QIevxyJgNKXjUkW5 | ||
VUFOIgfj7IAyZWwqFuBH4VrPFEohHKvkF5tI6zbt7WxZorTbSyTjdrBrlTT5sPuA | ||
DKjNtvstWIU43ONsRpMoRy4imaH+vFdA+lY9vOZWmo0g0wjYFRHWcS4eWUxgtcbx | ||
UVhx0MteVhMM9l5gK8Pe+3V1zGZioRVMa0GBCWsdLp+66Td72gclzOoeaAE+xlqJ | ||
vfnaplm/HB6bGNNbUrc+tv6HifWIC+bn/FuIv3ghlF15hr/PFYtupgmR0bFcQfxd | ||
llfxb/1tG12quQNAnmCSBeUGxf6dv3SXCMfbQAH/T6SCb04KhPjSdO0O1Xj+xSTz | ||
onhJOYc+5iFHwrhpTXctz2WCN2rgalWkbAJnRgc3g8QjjCU87SHJDZ86HOCvRLuk | ||
gZTWPbtzlpMXJ+q1MKKyTA== | ||
-----END ENCRYPTED PRIVATE KEY----- |
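Review bot: this encrypted key is, per the commit message, the CA key for std_data/ndb-tls/, and the encryption protects nothing once the file is in the tree, because any test that uses it has to supply the passphrase from the same tree. Suggest a comment or README next to the file stating that this key pair is for MTR only and must never be placed in a trust store, and naming where the matching passphrase lives so the two are regenerated together.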
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# Detect whether compile-time OpenSSL library provides sufficient support | ||
# for NDB to use TLS | ||
|
||
let $ver = query_get_value(show status like "Tls_library_version", Value, 1); | ||
let $match = `select "$ver" like "OpenSSL 1.0%"`; | ||
if($match) | ||
{ | ||
skip OpenSSL too old; | ||
} | ||
|
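Review bot: the `like "OpenSSL 1.0%"` test is a deny-list of one version family, so an empty `Tls_library_version` value, a non-OpenSSL library, or anything older than 1.0 makes `$match` false and the suite runs anyway. Suggest matching the versions that are known to be sufficient and skipping otherwise. The header comment also says "compile-time OpenSSL library", while the check reads a run-time status variable; the comment should say which one is meant.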
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
!include include/default_mysqld.cnf | ||
|
||
# | ||
# Define small two node cluster with only one mysqld | ||
# | ||
[cluster_config.1] | ||
ndbd=, | ||
ndb_mgmd= | ||
mysqld= | ||
ndbapi=,, | ||
|
||
[cluster_config] | ||
DataMemory= 30M | ||
NoOfFragmentLogFiles= 4 | ||
SharedGlobalMemory= 20M | ||
LongMessageBuffer= 4M | ||
RedoBuffer= 4M | ||
BackupLogBufferSize= 2M | ||
HeartbeatIntervalDbDb= 30000 | ||
HeartbeatIntervalDbApi= 30000 | ||
|
||
[mysqld] | ||
ndbcluster | ||
ndb-wait-connected=30 | ||
ndb-wait-setup=120 | ||
ndb-extra-logging=99 | ||
|
||
[cluster_config.mysqld.1.1] | ||
NodeId=51 | ||
Dedicated=1 | ||
|
||
[mysqld.1.1] | ||
ndb-nodeid=51 | ||
|
||
[ENV] | ||
NDB_CONNECTSTRING= @mysql_cluster.1.ndb_connectstring | ||
MTR_NDBMTD= 1 | ||
|
||
[ndb_mgmd.1.1] | ||
ndb-tls-search-path=$MYSQLTEST_VARDIR/mysql_cluster.1 | ||
|
||
[ndb_sign_keys] | ||
ndb-tls-search-path=$MYSQLTEST_VARDIR/mysql_cluster.1 | ||
passphrase=Stockholm |
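Review bot: `passphrase=Stockholm` in the [ndb_sign_keys] group keeps the key passphrase in clear text in an option file; that is workable for a throwaway CA under $MYSQLTEST_VARDIR, but test option files get copied, so the line should carry a comment saying it is test-only. Separately, `ndb-tls-search-path` is repeated verbatim in [ndb_mgmd.1.1] and [ndb_sign_keys] with nothing saying the two must stay in sync.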
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
SELECT 1; | ||
1 | ||
1 | ||
ndb-api-cert | ||
ndb-api-private-key | ||
ndb-data-node-cert | ||
ndb-data-node-private-key | ||
ndb-mgm-server-cert | ||
ndb-mgm-server-private-key |
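Review bot: the recorded output lists the `ndb-*` files only once, after the first `--create-key`, so the pending, retired and rotated-CA states exercised later in the test leave no trace in this result file. Suggest adding a `--list_files` after the promote steps and after `--rotate-CA` so that a stray or missing file shows up as a result mismatch rather than depending on each individual `--file_exists` line.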
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,159 @@ | ||
--source include/have_ndb.inc | ||
--source suite/ndb_tls/include/check_openssl.inc | ||
|
||
## TEMPORARILY SKIP THIS TEST ON WINDOWS | ||
## | ||
## Remote Key Signing (at line 106) will time out very slowly and create | ||
## crash dumps. Use the testNdbProcess-t unit test to isolate this issue, | ||
## then re-enable this test on Windows. | ||
## | ||
--source include/not_windows.inc | ||
|
||
# The MySQL server is up | ||
SELECT 1; | ||
|
||
# On startup, none of the files exist | ||
--error 1 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert | ||
--error 1 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key | ||
--error 1 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key | ||
|
||
# Create a CA | ||
--exec $NDB_SIGN_KEYS --create-CA | ||
|
||
# Now the CA files exist | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key | ||
|
||
# Create all the keys and certs for this cluster | ||
--exec $NDB_SIGN_KEYS --create-key | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert | ||
--list_files $MYSQLTEST_VARDIR/mysql_cluster.1 ndb-* | ||
|
||
# Remove them; remove_file will fail if a file does not exist. | ||
# On Windows, private key files must be writable to be removed. | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key | ||
|
||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-cert | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-cert | ||
|
||
# Create a pending key and a 90-day certificate for the management node. | ||
--exec $NDB_SIGN_KEYS --create-key --pending -n 3 --schedule=70,5,80,5,90,0 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-pending-key | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-pending-cert | ||
|
||
# Promote the files from pending to active | ||
--exec $NDB_SIGN_KEYS --promote -n 3 | ||
|
||
# Now the files have been renamed from pending to active | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-cert | ||
|
||
# The old pending files do not exist | ||
--error 1 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-pending-key | ||
--error 1 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-pending-cert | ||
|
||
# Create an active key and certificate for a data node, with bound node id | ||
--exec $NDB_SIGN_KEYS --create-key -n 2 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-cert | ||
|
||
# Create a pending client key and cert in no-config mode | ||
--exec $NDB_SIGN_KEYS --no-config --create-key --pending -t api --bind-host=0 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-pending-key | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-pending-cert | ||
|
||
# Then promote the pending files to active | ||
--exec $NDB_SIGN_KEYS --no-config -t api --promote | ||
|
||
# Remove them | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert | ||
|
||
# Try to create a CSR for node 10. | ||
# There is not a node 10 configured, so this fails. | ||
--error 110 | ||
--exec $NDB_SIGN_KEYS -n 10 --create-key --skip-sign | ||
|
||
# Try to create a CSR for node 10 in no-config mode. | ||
# This fails because -n and no-config mode are incompatible | ||
--error 101 | ||
--exec $NDB_SIGN_KEYS -l -n 10 -t api --create-key --skip-sign | ||
|
||
# Try to create a CSR for an API node in no-config mode. | ||
# This fails because it wants to bind a hostname, but none is available. | ||
--error 34 | ||
--exec $NDB_SIGN_KEYS -l -t api --create-key --skip-sign | ||
|
||
# Create the CSR for an API node in no-config mode. | ||
--exec $NDB_SIGN_KEYS -l -t api --create-key --skip-sign --bind-host=0 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert-request | ||
|
||
# Test remote key signing with a tool | ||
# (using ndb_sign_keys itself as the tool) | ||
# Because the CSR already exists, the binding options are not necessary. | ||
--let $cmd = `SELECT substring_index("$NDB_SIGN_KEYS", " ", 1)` | ||
--exec $NDB_SIGN_KEYS -l -t api -X $cmd >> $MYSQLTEST_VARDIR/tmp/rsk.out | ||
--remove_file $MYSQLTEST_VARDIR/tmp/rsk.out | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert | ||
--error 1 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert-request | ||
|
||
# Refresh the certificate for node 2, but keep the existing key | ||
--exec $NDB_SIGN_KEYS -n 2 --schedule=70,5,80,5,90,0 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-retired-cert | ||
--error 1 | ||
--file_exists $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-retired-key | ||
|
||
# Check all the certs in the path, in no-config mode. | ||
--error 1 | ||
--exec $NDB_SIGN_KEYS --no-config --check --replace-by=-91 | ||
|
||
# Check all the certs in the path, using config | ||
--error 1 | ||
--exec $NDB_SIGN_KEYS --check --replace-by=-91 | ||
|
||
# Check the key cert node 3, using config (check passes) | ||
--exec $NDB_SIGN_KEYS --check --replace-by=-50 -n 3 | ||
|
||
# Check the cert for node 3, using config (check fails) | ||
--error 1 | ||
--exec $NDB_SIGN_KEYS --check --replace-by=-91 -n 3 | ||
|
||
# Replace the key and the certificate both | ||
--exec $NDB_SIGN_KEYS --create-key -n 3 | ||
|
||
# Rotate the CA | ||
--exec $NDB_SIGN_KEYS --rotate-CA | ||
|
||
# On Windows, private key files must be made writable to be removed. | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key.retired | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key | ||
--chmod 0600 $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key | ||
|
||
# Delete everything so the test can be repeated | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-private-key.retired | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/NDB-Cluster-cert.retired | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-cert | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-data-node-retired-cert | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-cert | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-mgm-server-retired-cert | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-private-key | ||
--remove_file $MYSQLTEST_VARDIR/mysql_cluster.1/ndb-api-cert |
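Review bot: the three `--check --replace-by=-91` cases expect `--error 1`, a generic exit code, so the test cannot tell "certificate is due for replacement" from ndb_sign_keys failing for an unrelated reason, unlike the 110, 101 and 34 cases above them, which pin a specific code. Suggest asserting on a distinct exit code or on captured output. Two smaller points: the Windows skip comment refers to "line 106", which will go stale as soon as the file is edited, so name the step ("Test remote key signing with a tool") instead; and the remote signing output is appended to rsk.out and removed on the next line without being inspected, so either check it or say in a comment why it is discarded.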