mirror of
https://github.com/MariaDB/server.git
synced 2025-04-11 17:55:34 +02:00
MDEV-10847 Bring AWS KMS encryption plugin up-to-date with released SDK
- Library path's are different now - New dependency on Linux libuuid - Add calls for SDK Initialization/shutdown - Also add request_timeout parameter, default SDK HTTPs timeout appears to be too short in my tests
This commit is contained in:
Vladislav Vaintroub
parent
f1aefd9d75
commit
3f5aedccca
2 changed files with 57 additions and 34 deletions
plugin/aws_key_management
|
|
@ -3,7 +3,7 @@
|
|||
# are
|
||||
|
||||
# - OS : Windows,Linux or OSX
|
||||
# - C++11 compiler : VS2013+, gcc 4.7+, clang 3.3+
|
||||
# - C++11 compiler : VS2013+, gcc 4.8+, clang 3.3+
|
||||
# - libcurl development package needs to be present on Unixes
|
||||
#
|
||||
# If we build SDK outselves, we'll need require GIT to be present on the build machine
|
||||
|
|
@ -13,7 +13,10 @@
|
|||
# or if plugin is explicitely requested to build. Then bail out.
|
||||
MACRO(SKIP_AWS_PLUGIN msg)
|
||||
IF(VERBOSE OR "${PLUGIN_AWS_KEY_MANAGEMENT}" MATCHES "^(STATIC|DYNAMIC)$")
|
||||
MESSAGE(STATUS "Skip aws_key_management - ${msg}")
|
||||
MESSAGE(STATUS "Can't build aws_key_management - ${msg}")
|
||||
ENDIF()
|
||||
IF(TARGET aws_key_management)
|
||||
MESSAGE(FATAL_ERROR "Error configuring aws_key_management - aborting")
|
||||
ENDIF()
|
||||
RETURN()
|
||||
ENDMACRO()
|
||||
|
|
@ -27,7 +30,7 @@ ENDIF()
|
|||
|
||||
# This plugin needs recent C++ compilers (AWS C++ SDK header files are using C++11 features)
|
||||
SET(CXX11_FLAGS)
|
||||
SET(OLD_COMPILER_MSG "AWS SDK requires c++11 -capable compiler (minimal supported versions are g++ 4.7, clang 3.3, VS2103)")
|
||||
SET(OLD_COMPILER_MSG "AWS SDK requires c++11 -capable compiler (minimal supported versions are g++ 4.8, clang 3.3, VS2103)")
|
||||
|
||||
IF(CMAKE_CXX_COMPILER_ID MATCHES "GNU")
|
||||
EXECUTE_PROCESS(COMMAND ${CMAKE_CXX_COMPILER} -dumpversion OUTPUT_VARIABLE GCC_VERSION)
|
||||
|
|
@ -54,26 +57,6 @@ IF (NOT(WIN32 OR APPLE OR (CMAKE_SYSTEM_NAME MATCHES "Linux")))
|
|||
ENDIF()
|
||||
|
||||
|
||||
# Figure out where AWS installs SDK libraries
|
||||
# The below is defined in AWS SDK's CMakeLists.txt
|
||||
# (and their handling is weird, every OS has special install directory)
|
||||
IF(WIN32)
|
||||
SET(SDK_INSTALL_BINARY_PREFIX "windows")
|
||||
ELSEIF(APPLE)
|
||||
SET(SDK_INSTALL_BINARY_PREFIX "mac")
|
||||
ELSEIF(UNIX)
|
||||
SET(SDK_INSTALL_BINARY_PREFIX "linux")
|
||||
ENDIF()
|
||||
IF(NOT APPLE)
|
||||
IF(CMAKE_SIZEOF_VOID_P EQUAL 8)
|
||||
SET(SDK_INSTALL_BINARY_PREFIX "${SDK_INSTALL_BINARY_PREFIX}/intel64")
|
||||
ELSE()
|
||||
SET(SDK_INSTALL_BINARY_PREFIX "${SDK_INSTALL_BINARY_PREFIX}/ia32")
|
||||
ENDIF()
|
||||
ENDIF()
|
||||
IF(CMAKE_CONFIGURATION_TYPES)
|
||||
SET(SDK_INSTALL_BINARY_PREFIX "${SDK_INSTALL_BINARY_PREFIX}/${CMAKE_CFG_INTDIR}")
|
||||
ENDIF()
|
||||
|
||||
FIND_LIBRARY(AWS_CPP_SDK_CORE NAMES aws-cpp-sdk-core PATH_SUFFIXES "${SDK_INSTALL_BINARY_PREFIX}")
|
||||
FIND_LIBRARY(AWS_CPP_SDK_KMS NAMES aws-cpp-sdk-core PATH_SUFFIXES "${SDK_INSTALL_BINARY_PREFIX}")
|
||||
|
|
@ -99,26 +82,35 @@ ELSE()
|
|||
SKIP_AWS_PLUGIN("AWS C++ SDK requires libcurl development package")
|
||||
ENDIF()
|
||||
SET(PIC_FLAG -fPIC)
|
||||
FIND_PATH(UUID_INCLUDE_DIR uuid/uuid.h)
|
||||
IF(NOT UUID_INCLUDE_DIR)
|
||||
SKIP_AWS_PLUGIN("AWS C++ SDK requires uuid development package")
|
||||
ENDIF()
|
||||
IF(NOT APPLE)
|
||||
FIND_LIBRARY(UUID_LIBRARIES uuid)
|
||||
IF(NOT UUID_LIBRARIES)
|
||||
SKIP_AWS_PLUGIN("AWS C++ SDK requires uuid development package")
|
||||
ENDIF()
|
||||
ENDIF()
|
||||
ENDIF()
|
||||
IF(MSVC)
|
||||
SET(EXTRA_SDK_CMAKE_FLAGS -DCMAKE_CXX_FLAGS_DEBUGOPT="" -DCMAKE_EXE_LINKER_FLAGS_DEBUGOPT="" -DCMAKE_CXX_FLAGS=/wd4592)
|
||||
SET(EXTRA_SDK_CMAKE_FLAGS -DCMAKE_CXX_FLAGS_DEBUGOPT="" -DCMAKE_EXE_LINKER_FLAGS_DEBUGOPT="" "-DCMAKE_CXX_FLAGS=/wd4530 /WX-")
|
||||
ENDIF()
|
||||
IF(CMAKE_CXX_COMPILER)
|
||||
SET(EXTRA_SDK_CMAKE_FLAGS ${EXTRA_SDK_CMAKE_FLAGS} -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER})
|
||||
ENDIF()
|
||||
|
||||
# Relax AWS C++ SDK unreasonably high requirements for CMake version. Use replace utility (from MariaDB build)
|
||||
# to patch their CMakeLists.txt
|
||||
SET(AWS_SDK_PATCH_COMMAND )
|
||||
ExternalProject_Add(
|
||||
aws_sdk_cpp
|
||||
GIT_REPOSITORY "https://github.com/awslabs/aws-sdk-cpp.git"
|
||||
GIT_TAG "0.9.6" # single tag
|
||||
GIT_TAG "1.0.8"
|
||||
UPDATE_COMMAND ""
|
||||
PATCH_COMMAND replace 3.1.2 2.8 -- ${CMAKE_BINARY_DIR}/aws-sdk-cpp/CMakeLists.txt
|
||||
SOURCE_DIR "${CMAKE_BINARY_DIR}/aws-sdk-cpp"
|
||||
CMAKE_ARGS
|
||||
-DBUILD_ONLY=aws-cpp-sdk-kms -DSTATIC_LINKING=1
|
||||
-DBUILD_ONLY=kms
|
||||
-DBUILD_SHARED_LIBS=OFF
|
||||
-DFORCE_SHARED_CRT=OFF
|
||||
"-DCMAKE_CXX_FLAGS_DEBUG=${CMAKE_CXX_FLAGS_DEBUG} ${PIC_FLAG}"
|
||||
"-DCMAKE_CXX_FLAGS_RELWITHDEBINFO=${CMAKE_CXX_FLAGS_RELWITHDEBINFO} ${PIC_FLAG}"
|
||||
"-DCMAKE_CXX_FLAGS_RELEASE=${CMAKE_CXX_FLAGS_RELEASE} ${PIC_FLAG}"
|
||||
|
|
@ -127,18 +119,18 @@ ELSE()
|
|||
-DCMAKE_INSTALL_PREFIX=${CMAKE_BINARY_DIR}/aws_sdk_cpp
|
||||
TEST_COMMAND ""
|
||||
)
|
||||
|
||||
SET_TARGET_PROPERTIES(aws_sdk_cpp PROPERTIES EXCLUDE_FROM_ALL TRUE)
|
||||
# We do not need to build the whole SDK , just 2 of its libs
|
||||
set(AWS_SDK_LIBS aws-cpp-sdk-core aws-cpp-sdk-kms)
|
||||
FOREACH(lib ${AWS_SDK_LIBS})
|
||||
ADD_LIBRARY(${lib} STATIC IMPORTED GLOBAL)
|
||||
ADD_DEPENDENCIES(${lib} aws_sdk_cpp)
|
||||
SET(loc "${CMAKE_BINARY_DIR}/aws_sdk_cpp/lib/${SDK_INSTALL_BINARY_PREFIX}/${CMAKE_STATIC_LIBRARY_PREFIX}${lib}${CMAKE_STATIC_LIBRARY_SUFFIX}")
|
||||
SET(loc "${CMAKE_BINARY_DIR}/aws_sdk_cpp/lib/${CMAKE_STATIC_LIBRARY_PREFIX}${lib}${CMAKE_STATIC_LIBRARY_SUFFIX}")
|
||||
SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LOCATION ${loc})
|
||||
IF(WIN32)
|
||||
SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LINK_INTERFACE_LIBRARIES "bcrypt;winhttp;wininet;userenv")
|
||||
ELSE()
|
||||
SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LINK_INTERFACE_LIBRARIES "${SSL_LIBRARIES};${CURL_LIBRARIES}")
|
||||
SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LINK_INTERFACE_LIBRARIES "${SSL_LIBRARIES};${CURL_LIBRARIES};${UUID_LIBRARIES}")
|
||||
ENDIF()
|
||||
ENDFOREACH()
|
||||
|
||||
|
|
@ -150,5 +142,6 @@ ELSE()
|
|||
INCLUDE_DIRECTORIES(${CMAKE_BINARY_DIR}/aws_sdk_cpp/include)
|
||||
ENDIF()
|
||||
|
||||
ADD_DEFINITIONS(${SSL_DEFINES}) # Need to know whether openssl should be initialized
|
||||
SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CXX11_FLAGS}")
|
||||
TARGET_LINK_LIBRARIES(aws_key_management ${AWS_SDK_LIBS})
|
||||
|
|
|
|||
|
|
@ -34,6 +34,7 @@
|
|||
#include <sstream>
|
||||
#include <fstream>
|
||||
|
||||
#include <aws/core/Aws.h>
|
||||
#include <aws/core/client/AWSError.h>
|
||||
#include <aws/core/utils/logging/AWSLogging.h>
|
||||
#include <aws/core/utils/logging/ConsoleLogSystem.h>
|
||||
|
|
@ -79,6 +80,7 @@ static char* master_key_id;
|
|||
static unsigned long key_spec;
|
||||
static unsigned long log_level;
|
||||
static int rotate_key;
|
||||
static int request_timeout;
|
||||
|
||||
/* AWS functionality*/
|
||||
static int aws_decrypt_key(const char *path, KEY_INFO *info);
|
||||
|
|
@ -138,6 +140,7 @@ protected:
|
|||
}
|
||||
};
|
||||
|
||||
Aws::SDKOptions sdkOptions;
|
||||
|
||||
/*
|
||||
Plugin initialization.
|
||||
|
|
@ -148,13 +151,30 @@ protected:
|
|||
static int plugin_init(void *p)
|
||||
{
|
||||
DBUG_ENTER("plugin_init");
|
||||
client = new KMSClient();
|
||||
|
||||
#ifdef HAVE_YASSL
|
||||
sdkOptions.cryptoOptions.initAndCleanupOpenSSL = true;
|
||||
#else
|
||||
/* Server initialized OpenSSL already, thus AWS must skip it */
|
||||
sdkOptions.cryptoOptions.initAndCleanupOpenSSL = false;
|
||||
#endif
|
||||
|
||||
Aws::InitAPI(sdkOptions);
|
||||
InitializeAWSLogging(Aws::MakeShared<MySQLLogSystem>("aws_key_management_plugin", (Aws::Utils::Logging::LogLevel) log_level));
|
||||
|
||||
Aws::Client::ClientConfiguration clientConfiguration;
|
||||
if (request_timeout)
|
||||
{
|
||||
clientConfiguration.requestTimeoutMs= request_timeout;
|
||||
clientConfiguration.connectTimeoutMs= request_timeout;
|
||||
}
|
||||
client = new KMSClient(clientConfiguration);
|
||||
if (!client)
|
||||
{
|
||||
sql_print_error("Can not initialize KMS client");
|
||||
DBUG_RETURN(-1);
|
||||
}
|
||||
InitializeAWSLogging(Aws::MakeShared<MySQLLogSystem>("aws_key_management_plugin", (Aws::Utils::Logging::LogLevel) log_level));
|
||||
|
||||
#ifdef HAVE_PSI_INTERFACE
|
||||
mysql_mutex_register("aws_key_management", &mtx_info, 1);
|
||||
#endif
|
||||
|
|
@ -189,6 +209,8 @@ static int plugin_deinit(void *p)
|
|||
mysql_mutex_destroy(&mtx);
|
||||
delete client;
|
||||
ShutdownAWSLogging();
|
||||
|
||||
Aws::ShutdownAPI(sdkOptions);
|
||||
DBUG_RETURN(0);
|
||||
}
|
||||
|
||||
|
|
@ -557,11 +579,19 @@ static MYSQL_SYSVAR_INT(rotate_key, rotate_key,
|
|||
"Set this variable to key id to perform rotation of the key. Specify -1 to rotate all keys",
|
||||
NULL, update_rotate, 0, -1, INT_MAX, 1);
|
||||
|
||||
|
||||
static MYSQL_SYSVAR_INT(request_timeout, request_timeout,
|
||||
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_READONLY,
|
||||
"Timeout in milliseconds for create HTTPS connection or execute AWS request. Specify 0 to use SDK default.",
|
||||
NULL, NULL, 0, 0, INT_MAX, 1);
|
||||
|
||||
|
||||
static struct st_mysql_sys_var* settings[]= {
|
||||
MYSQL_SYSVAR(master_key_id),
|
||||
MYSQL_SYSVAR(key_spec),
|
||||
MYSQL_SYSVAR(rotate_key),
|
||||
MYSQL_SYSVAR(log_level),
|
||||
MYSQL_SYSVAR(request_timeout),
|
||||
NULL
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue