[tarantool-patches] [PATCH v2] iproto: introduce a proxy module.
Vladimir Davydov
vdavydov.dev at gmail.com
Mon Oct 8 19:48:07 MSK 2018
On Tue, Oct 02, 2018 at 09:05:54PM +0300, Serge Petrenko wrote:
> Since salt proxy sends to a client differs from the salt it recieves
> from a remote instance, forwarding auth requests to establish non-guest
> connections is a little bit tricky:
> let hash1 = sha1(password),
> hash2 = sha1(hash1)
> then upon auth proxy recieves such a string from the client:
> reply = xor(hash1, sha1(proxy_salt, hash2))
> proxy has to send an auth request of such form to an instance:
> request = xor(hash1, sha1(instance_salt, hash2))
> proxy fetches hash2 via a special message to tx thread (again, it is
> accessible, since proxy is run on one of the cluster instances).
> Then proxy computes hash1 = xor(reply, sha1(proxy_salt, hash2)) and
> computes the request using hash1, hash2 and instance_salt.
So unless the user is fine with guest access (which is rather unlikely
AFAIU), it doesn't make sense to run a proxy on a standalone instance,
does it?
If so, may be we could simplify both configuration and the code by
requiring a proxy to be a part of the replica set?
I mean instead of netbox.listen(), we could add a knob to box.cfg, say
box.cfg.proxy_enable = true|false. If this knob was set, the instance
would automatically forward all incoming iproto requests to members of
the replica set (including self). What do you think?
> Proxy may be configured like this:
> ```
> netbox = require("net.box")
> netbox.listen(uri_to_listen, {cluster={
> {uri=uri1, is_master=false},
> {uri=uri2, is_master=true},
> ...
> }})
> ```
I don't like that the user has to explicitly configure which participant
is rw and which is ro. How will it work when box.ctl.promote is finally
implemented?
More information about the Tarantool-patches
mailing list