From: Konstantin Osipov
Date: Tue, 16 Oct 2018 21:39:58 +0300
Subject: [tarantool-patches] Re: [PATCH v2] iproto: introduce a proxy module.
Message-ID: <20181016183958.GE5454@chai>
References: <20181002180554.1142-1-sergepetrenko@tarantool.org> <20181008164807.ewiv7lwfh4e4decg@esperanza>
In-Reply-To: <20181008164807.ewiv7lwfh4e4decg@esperanza>
To: tarantool-patches@freelists.org
Cc: Serge Petrenko

* Vladimir Davydov [18/10/11 09:55]:
> On Tue, Oct 02, 2018 at 09:05:54PM +0300, Serge Petrenko wrote:
> > Since salt proxy sends to a client differs from the salt it receives
> > from a remote instance, forwarding auth requests to establish non-guest
> > connections is a little bit tricky:
> > let hash1 = sha1(password),
> > hash2 = sha1(hash1)
> > then upon auth proxy receives such a string from the client:
> > reply = xor(hash1, sha1(proxy_salt, hash2))
> > proxy has to send an auth request of such form to an instance:
> > request = xor(hash1, sha1(instance_salt, hash2))
> > proxy fetches hash2 via a special message to tx thread (again, it is
> > accessible, since proxy is run on one of the cluster instances).
> > Then proxy computes hash1 = xor(reply, sha1(proxy_salt, hash2)) and
> > computes the request using hash1, hash2 and instance_salt.
>
> So unless the user is fine with guest access (which is rather unlikely
> AFAIU), it doesn't make sense to run a proxy on a standalone instance,
> does it?
>
> If so, maybe we could simplify both configuration and the code by
> requiring a proxy to be a part of the replica set?

It's OK to simplify the patch now and only make it work within a replica
set. In future we will have replication groups, remember, and this way
we'll get a standalone proxy for free.

> I mean instead of netbox.listen(), we could add a knob to box.cfg, say
> box.cfg.proxy_enable = true|false. If this knob was set, the instance
> would automatically forward all incoming iproto requests to members of
> the replica set (including self). What do you think?

We need a new knob for two reasons:
- we need to be able to turn on listen port before box.cfg; it's, albeit
  separate, a popular user request.
- we need backward compatibility, i.e. old listen should work the old way,
  to not surprise users.

> > Proxy may be configured like this:
> > ```
> > netbox = require("net.box")
> > netbox.listen(uri_to_listen, {cluster={
> >     {uri=uri1, is_master=false},
> >     {uri=uri2, is_master=true},
> >     ...
> > }})
> > ```
>
> I don't like that the user has to explicitly configure which participant
> is rw and which is ro. How will it work when box.ctl.promote is finally
> implemented?

Can we please implement a proxy in which there is no {cluster=} option?
As we were discussing with Vlad, proxy should be integrated with
box.ctl.promote() and learn about ro/rw masters from it.

-- 
Konstantin Osipov, Moscow, Russia, +7 903 626 22 32
http://tarantool.io - www.twitter.com/kostja_osipov
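The re-scramble that the quoted patch description walks through, written out as an added worked example; this is not code from the patch or from Tarantool. It assumes the salts are the raw bytes that enter the hash, and the password and salt values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo values: a client password and two distinct 20-byte salts,
# one issued by the proxy to the client and one issued by the instance to the proxy.
PW = b"s3cr3t"
PROXY_SALT = b"proxy-salt-20-bytes!"
INSTANCE_SALT = b"instance-salt-bytes!"


def sha1(*parts: bytes) -> bytes:
    """sha1 over the concatenation of its arguments, as in sha1(salt, hash2)."""
    h = hashlib.sha1()
    for p in parts:
        h.update(p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_scramble(password: bytes, salt: bytes) -> bytes:
    """What a client sends for the salt it was given: xor(hash1, sha1(salt, hash2))."""
    hash1 = sha1(password)
    hash2 = sha1(hash1)
    return xor(hash1, sha1(salt, hash2))


def instance_verify(scramble: bytes, salt: bytes, hash2_stored: bytes) -> bool:
    """Server side: it stores only hash2, recovers a hash1 candidate and re-hashes it."""
    hash1 = xor(scramble, sha1(salt, hash2_stored))
    return hmac.compare_digest(sha1(hash1), hash2_stored)


def proxy_rescramble(reply: bytes, proxy_salt: bytes, instance_salt: bytes, hash2: bytes) -> bytes:
    """Proxy side: peel off proxy_salt to get hash1, then re-bind it to instance_salt.
    hash1 is password-equivalent, so this step belongs in a trusted process only."""
    hash1 = xor(reply, sha1(proxy_salt, hash2))
    return xor(hash1, sha1(instance_salt, hash2))


def demo() -> tuple:
    """Returns (reply valid at proxy, reply forwarded as-is valid at instance, re-scrambled valid)."""
    hash2 = sha1(sha1(PW))  # what the tx thread hands the proxy
    reply = client_scramble(PW, PROXY_SALT)
    request = proxy_rescramble(reply, PROXY_SALT, INSTANCE_SALT, hash2)
    return (instance_verify(reply, PROXY_SALT, hash2),
            instance_verify(reply, INSTANCE_SALT, hash2),
            instance_verify(request, INSTANCE_SALT, hash2))


if __name__ == "__main__":
    print(demo())
```

The middle value shows why a proxy cannot simply forward the client's scramble: it only verifies against the salt the client actually saw.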