Support REDIS AUTH command#576
Conversation
|
I support the push to get this integrated. Has this been pulled into dev branch? |
|
I've rebased @axelfauvel's work on top of the style changes: |
|
@axelfauvel @smukil Is there any chance to rethink about this issue. |
Hi @gsambasiva, i would love to see this implemented but i haven't received feedbacks :( |
|
Bumping this. Would love to use this project but AUTH is a blocker |
|
Reviewing this now. Will get back shortly with comments. |
smukil
left a comment
smukil
left a comment
There was a problem hiding this comment.
Thanks for submitting this patch. I've done a first pass. After these changes are addressed, I'll have another pass then approve.
| } | ||
|
|
||
| static struct mbuf * | ||
| get_mbuf(struct msg *msg) |
There was a problem hiding this comment.
I would call this get_or_create_mbuf(struct msg*) and move it to dyn_message.h/c.
| } | ||
| } | ||
| auth_reply(ctx, conn, req, "-ERR invalid password\r\n"); | ||
| } else { |
There was a problem hiding this comment.
You can remove this else condition and just do:
...
...
auth_reply(ctx, conn, req, "-ERR invalid password\r\n");
}
auth_reply(ctx, conn, req, "-NOAUTH Authentication required\r\n");
return true;
}
...
...
| } | ||
|
|
||
| static void | ||
| auth_reply(struct context *ctx, struct conn *conn, struct msg *smsg, const char *usr_msg) |
There was a problem hiding this comment.
Could you move auth_reply() and get_password() to a new file called src/proto/dyn_redis_auth.c ?
And have a top level function called authenticate_conn(struct conn*), which can be called from the Handle "AUTH requirepass\r\n" case.
| msg->done = 1; | ||
|
|
||
| conn_event_add_out(conn); | ||
| TAILQ_INSERT_TAIL(&conn->omsg_q, smsg, c_tqe); |
There was a problem hiding this comment.
This seems like a race. You'd need to insert it to the omsg_q before doing an event notification.
Also, prefer to use the conn_enqueue_outq() helper which would eventually call req_client_enqueue_omsgq().
| server_failure(ctx, datastore); | ||
| } | ||
|
|
||
| static void |
There was a problem hiding this comment.
Move redis_auth() to src/dyn_redis_auth.c. We shouldn't be mixing redis specifc code in generic files. (There are other instances of this in existing code that need to be cleaned up as well, but when introducing new code, let's try to keep it as clean as possible).
| conn_pool_connected(conn->conn_pool, conn); | ||
|
|
||
| log_notice("%s connected ", print_obj(conn)); | ||
| redis_auth(ctx, conn); |
There was a problem hiding this comment.
Instead of calling redis_auth() directly here, we'd need to add some indirection to keep it datastore agnostic.
You'd need to add a function like datastore_auth() and call into redis_auth() if Dynomite is configured for Redis.
It's fairly simple to do, and you can follow this example of how I added a datastore agnostic rewrite_query() function:
68aad15
grep for g_rewrite_query and see all the places it's used to understand how to do this.
| log_info("%s %s RECEIVED %s", print_obj(c_conn), print_obj(req), print_obj(rsp)); | ||
|
|
||
|
|
||
| if (c_conn->type == CONN_SERVER) { |
There was a problem hiding this comment.
Why is this block of code necessary?
|
|
||
| static void | ||
| auth_reply(struct context *ctx, struct conn *conn, struct msg *smsg, const char *usr_msg) | ||
| { |
There was a problem hiding this comment.
On the top of the new file src/proto/dyn_redis_auth.c, could you add some comments about how Dynomite performs this authentication.
Eg: On Dynomite startup, the server authenticates with the datastore by itself. And on each client connection, it authenticates on the first AUTH command from the client. (add detail as you see fit)
|
@axelfauvel I've submitted a review above. |
|
@smukil : unfortunately the person who made the code for this PR is gone and we don't have resources that can handle it anymore. Nethertheless, I agree on letting you fix the code and merging it |
|
@axelfauvel @smukil I can take this and try to merge it properly to current version of dynomite. Any objections? |
|
@nCore : Au contraire ! Go ahead :) |
This commit is based on orange-cloudfoundry@7aa41a4 from @axelfauvel in Netflix#576 and tries to close Netflix#46. Unfortunatelly the initial commit was already so old and the dynomite code base already evolved, that it was easier to not jump directly on this. Especically as there were some refactorings requested. Redis Datastore Authentification If Dynomite is configured to require a password via config option `requirepass` the following behaviour will be applied: 1. On Dynomite startup, the server authenticates with the backend itself by calling the datastore agnostic function g_datastore_auth. 2. The corresponding Redis response will be handeled in g_is_authenticated. Dynomite will exit if authentification to the datatstore was not successful. 3. Each newly created client connection will require authentification. 4. Clients can authentificate itself by issue the AUTH command against dynomite. 5. Dynomite will check the password and simulate an AUTH response. 6. If AUTH was successful, the auth_required flag on the connection is reset and the client can process further commands through this connection.
|
hello,any news about this merging ? |
hello,any news about this merging ? |
This commit is based on orange-cloudfoundry@7aa41a4 from @axelfauvel in Netflix#576 and tries to close Netflix#46. Unfortunatelly the initial commit was already so old and the dynomite code base already evolved, that it was easier to not jump directly on this. Especically as there were some refactorings requested. Redis Datastore Authentification If Dynomite is configured to require a password via config option `requirepass` the following behaviour will be applied: 1. On Dynomite startup, the server authenticates with the backend itself by calling the datastore agnostic function g_datastore_auth. 2. The corresponding Redis response will be handeled in g_is_authenticated. Dynomite will exit if authentification to the datatstore was not successful. 3. Each newly created client connection will require authentification. 4. Clients can authentificate itself by issue the AUTH command against dynomite. 5. Dynomite will check the password and simulate an AUTH response. 6. If AUTH was successful, the auth_required flag on the connection is reset and the client can process further commands through this connection.
…t/682daa32a80396f9522c390d9ffff277df3bd953.patch by W. Qiu) This commit is based on orange-cloudfoundry@7aa41a4 from @axelfauvel in Netflix#576 and tries to close Netflix#46. Unfortunatelly the initial commit was already so old and the dynomite code base already evolved, that it was easier to not jump directly on this. Especically as there were some refactorings requested. Redis Datastore Authentification If Dynomite is configured to require a password via config option `requirepass` the following behaviour will be applied: 1. On Dynomite startup, the server authenticates with the backend itself by calling the datastore agnostic function g_datastore_auth. 2. The corresponding Redis response will be handeled in g_is_authenticated. Dynomite will exit if authentification to the datatstore was not successful. 3. Each newly created client connection will require authentification. 4. Clients can authentificate itself by issue the AUTH command against dynomite. 5. Dynomite will check the password and simulate an AUTH response. 6. If AUTH was successful, the auth_required flag on the connection is reset and the client can process further commands through this connection.
This commit is based on orange-cloudfoundry@7aa41a4 from @axelfauvel in Netflix#576 and tries to close Netflix#46. Unfortunatelly the initial commit was already so old and the dynomite code base already evolved, that it was easier to not jump directly on this. Especically as there were some refactorings requested. Redis Datastore Authentification If Dynomite is configured to require a password via config option `requirepass` the following behaviour will be applied: 1. On Dynomite startup, the server authenticates with the backend itself by calling the datastore agnostic function g_datastore_auth. 2. The corresponding Redis response will be handeled in g_is_authenticated. Dynomite will exit if authentification to the datatstore was not successful. 3. Each newly created client connection will require authentification. 4. Clients can authentificate itself by issue the AUTH command against dynomite. 5. Dynomite will check the password and simulate an AUTH response. 6. If AUTH was successful, the auth_required flag on the connection is reset and the client can process further commands through this connection.
9 participants
Hello,
According to this issue : #46
We have implemented AUTH command in Dynomite
Enjoy :)