1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
|
################################################################################
# Base test to verify the basic SSL options functioning and their manipulation
#
# Test:
# 0. The test requires two servers: M1 and M2.
# 1. Set ssl related global variables and do initial setup.
# 2. Setup the first member (M1) with a recovery user that requires SSL.
# 3. Add some data and bootstrap start a group on M1.
# 4. Try to configure SSL variables with invalid and long path (i.e 540 vs 512)
# max on M2. Expect errors.
# 5. When SSL is required, check that recovery cannot advance when it is not
# properly configured i.e. set SSL var to bad path and start GR on M2.
# Member state should become ERROR.
# 6. Check that when SSL is properly configured all goes fine i.e. set SSL var
# to correct path and start GR on M2.
# 7. Check the data is there on M2.
# 8. Clean up.
################################################################################
--source include/have_group_replication_xcom_communication_stack.inc
--source include/big_test.inc
--let $group_replication_group_name= ebe0b000-f0e7-11e4-b80c-0800200c9a66
--source include/have_group_replication_plugin.inc
--let $rpl_skip_group_replication_start= 1
--source include/group_replication.inc
##
## Global variables and initial setup
##
--let $tmpdir_name=`SELECT UUID()`
--let $tmpdir=$MYSQLTEST_VARDIR/tmp/$tmpdir_name
--let $CERTDIR_LOCATION=$tmpdir/certs
--let $CADIR_LOCATION=$tmpdir/certs/cacerts
--let $CRLDIR_LOCATION=$tmpdir/certs/crldir
--error 0, 1
--rmdir $CADIR_LOCATION
--error 0, 1
--rmdir $CERTDIR_LOCATION
--error 0, 1
--rmdir $CRLDIR_LOCATION
--error 0, 1
--rmdir $tmpdir
--mkdir $tmpdir
--mkdir $CERTDIR_LOCATION
--mkdir $CADIR_LOCATION
--mkdir $CRLDIR_LOCATION
--copy_file $MYSQL_TEST_DIR/std_data/cacert.pem $CADIR_LOCATION/cacert.pem
--copy_file $MYSQL_TEST_DIR/std_data/client-cert.pem $CERTDIR_LOCATION/client-cert.pem
--copy_file $MYSQL_TEST_DIR/std_data/client-key.pem $CERTDIR_LOCATION/client-key.pem
--copy_file $MYSQL_TEST_DIR/std_data/crl-client-revoked.crl $CRLDIR_LOCATION/crl-client-revoked.crl
##
## End of setup
##
--echo #
--echo # Setup the first member with a recovery user that requires SSL
--echo #
--connection server1
--echo server1
# create a user for replication that requires ssl encryption
set session sql_log_bin=0;
CREATE USER 'rec_ssl_user'@'%' REQUIRE SSL;
GRANT replication slave ON *.* TO 'rec_ssl_user'@'%';
set session sql_log_bin=1;
--echo #
--echo # Add some data and start the first member
--echo #
CREATE TABLE t1 (c1 INT NOT NULL PRIMARY KEY) ENGINE=InnoDB;
INSERT INTO t1 VALUES (1);
--source include/start_and_bootstrap_group_replication.inc
--echo #
--echo # Verify that we cannot set invalid and really long paths in the SSL options
--echo #
--connection server2
--echo server2
--let $conf_rec_retries= `SELECT @@GLOBAL.group_replication_recovery_retry_count;`
--let $conf_rec_ssl_verify= `SELECT @@GLOBAL.group_replication_recovery_ssl_verify_server_cert;`
--let $conf_rec_use_ssl= `SELECT @@GLOBAL.group_replication_recovery_use_ssl;`
--let $conf_rec_ssl_ca= `SELECT @@GLOBAL.group_replication_recovery_ssl_ca;`
--let $conf_rec_ssl_capath= `SELECT @@GLOBAL.group_replication_recovery_ssl_capath;`
--let $conf_rec_ssl_cert= `SELECT @@GLOBAL.group_replication_recovery_ssl_cert;`
--let $conf_rec_ssl_cipher= `SELECT @@GLOBAL.group_replication_recovery_ssl_cipher;`
--let $conf_rec_ssl_key= `SELECT @@GLOBAL.group_replication_recovery_ssl_key;`
# Test that variables doesn't accept invalid inputs.
--error ER_WRONG_VALUE_FOR_VAR
SET GLOBAL group_replication_recovery_ssl_verify_server_cert= NULL;
--error ER_WRONG_VALUE_FOR_VAR
SET GLOBAL group_replication_recovery_ssl_verify_server_cert= "a";
--error ER_WRONG_TYPE_FOR_VAR
SET GLOBAL group_replication_recovery_ssl_verify_server_cert= 1.2;
--error ER_WRONG_VALUE_FOR_VAR
SET GLOBAL group_replication_recovery_use_ssl= NULL;
--error ER_WRONG_VALUE_FOR_VAR
SET GLOBAL group_replication_recovery_use_ssl= "a";
--error ER_WRONG_TYPE_FOR_VAR
SET GLOBAL group_replication_recovery_use_ssl= 1.2;
# Create a really long path (540 characters vs 512 maximum)
--let $long_path= long_path/long_path/long_path/long_path/long_path/long_path/
--let $long_path= $long_path$long_path$long_path
--let $recovery_invalid_SSL_PATH= $long_path$long_path$long_path
--error ER_WRONG_VALUE_FOR_VAR
--eval SET GLOBAL group_replication_recovery_ssl_ca= '$recovery_invalid_SSL_PATH'
--error ER_WRONG_VALUE_FOR_VAR
--eval SET GLOBAL group_replication_recovery_ssl_capath= '$recovery_invalid_SSL_PATH'
--error ER_WRONG_VALUE_FOR_VAR
--eval SET GLOBAL group_replication_recovery_ssl_cert= '$recovery_invalid_SSL_PATH'
--error ER_WRONG_VALUE_FOR_VAR
--eval SET GLOBAL group_replication_recovery_ssl_cipher= '$recovery_invalid_SSL_PATH'
--error ER_WRONG_VALUE_FOR_VAR
--eval SET GLOBAL group_replication_recovery_ssl_key= '$recovery_invalid_SSL_PATH'
--error ER_WRONG_VALUE_FOR_VAR
--eval SET GLOBAL group_replication_recovery_ssl_crl= '$recovery_invalid_SSL_PATH'
--error ER_WRONG_VALUE_FOR_VAR
--eval SET GLOBAL group_replication_recovery_ssl_crlpath= '$recovery_invalid_SSL_PATH'
--echo #
--echo # See when SSL is required that Recovery cannot advance when not properly configured
--echo #
set session sql_log_bin=0;
call mtr.add_suppression("There was an error when connecting to the donor*");
call mtr.add_suppression("For details please check performance_schema.replication_connection_status table and error log messages of Replica I/O for channel group_replication_recovery.");
call mtr.add_suppression("Maximum number of retries when*");
call mtr.add_suppression("Fatal error during the incremental recovery process of Group Replication. The server will leave the group.");
call mtr.add_suppression("The member is leaving a group without being on one");
call mtr.add_suppression("The member is already leaving or joining a group.");
call mtr.add_suppression("Error leaving the group");
call mtr.add_suppression("Skipping leave operation: concurrent attempt to leave the group is on-going.");
call mtr.add_suppression("The server was automatically set into read only mode after an error was detected.");
set session sql_log_bin=1;
--disable_warnings
CHANGE REPLICATION SOURCE TO SOURCE_USER= 'rec_ssl_user', SOURCE_PASSWORD='' FOR CHANNEL 'group_replication_recovery';
--enable_warnings
--eval SET GLOBAL group_replication_recovery_use_ssl=1
--eval SET GLOBAL group_replication_recovery_ssl_ca= '/bad_path_parameter/file'
#try once and fail
--eval SET GLOBAL group_replication_recovery_retry_count= 1
--eval SET GLOBAL group_replication_group_name= '$group_replication_group_name'
--let $group_replication_start_member_state= ERROR
--source include/start_group_replication.inc
#
# Set this back to the previous value, since it could be that
# on slow machines we take more than one attempt.
#
--replace_result $conf_rec_retries CONF_REC_RETRIES
--eval SET @@GLOBAL.group_replication_recovery_retry_count= $conf_rec_retries
--source include/stop_group_replication.inc
--echo #
--echo # See that when SSL is properly configured all goes fine
--echo #
SET GLOBAL group_replication_recovery_use_ssl=1;
SET GLOBAL group_replication_recovery_ssl_verify_server_cert=1;
--replace_result $tmpdir TMPDIR
--eval SET GLOBAL group_replication_recovery_ssl_ca= '$CADIR_LOCATION/cacert.pem'
--replace_result $tmpdir TMPDIR
--eval SET GLOBAL group_replication_recovery_ssl_capath= ''
--replace_result $tmpdir TMPDIR
--eval SET GLOBAL group_replication_recovery_ssl_cert= '$CERTDIR_LOCATION/client-cert.pem'
--replace_result $tmpdir TMPDIR
--eval SET GLOBAL group_replication_recovery_ssl_key= '$CERTDIR_LOCATION/client-key.pem'
--source include/start_group_replication.inc
# Check also that a valid cipher is accepted (not used due to portability issues)
--eval SET GLOBAL group_replication_recovery_ssl_cipher= 'ECDHE-RSA-AES256-GCM-SHA384'
--echo #
--echo # Check the data is there
--echo #
--source include/rpl_sync.inc
--let $assert_text= On the recovered member, the table should exist and have 1 elements;
--let $assert_cond= [SELECT COUNT(*) FROM t1] = 1;
--source include/assert.inc
--echo #
--echo # Clean up
--echo #
# No need to print this to the result file
--disable_query_log
--eval SET @@GLOBAL.group_replication_recovery_use_ssl= $conf_rec_use_ssl
--eval SET @@GLOBAL.group_replication_recovery_ssl_verify_server_cert= $conf_rec_ssl_verify
--eval SET @@GLOBAL.group_replication_recovery_retry_count= $conf_rec_retries
--eval SET @@GLOBAL.group_replication_recovery_ssl_ca= "$conf_rec_ssl_ca"
--eval SET @@GLOBAL.group_replication_recovery_ssl_capath= "$conf_rec_ssl_capath"
--eval SET @@GLOBAL.group_replication_recovery_ssl_cert= "$conf_rec_ssl_cert"
--eval SET @@GLOBAL.group_replication_recovery_ssl_cipher= "$conf_rec_ssl_cipher"
--eval SET @@GLOBAL.group_replication_recovery_ssl_key= "$conf_rec_ssl_key"
--enable_query_log
--connection server1
--echo server1
set session sql_log_bin=0;
DROP USER 'rec_ssl_user';
set session sql_log_bin=1;
DROP TABLE t1;
#
# Finally remove the temporary directory
#
--force-rmdir $tmpdir
--source include/group_replication_end.inc
|
