▪️ Security

SSL

In many cases you might want to encrypt traffic between your client and the server. To do that, you can specify that the server should use the HTTPS protocol rather than HTTP.

To enable HTTPS, at least the following two directives must be set in the searchd section of the config, and at least one listener must be set to https:

  • ssl_cert certificate file
  • ssl_key certificate key file

In addition, you can specify the certificate authority’s certificate (aka root certificate) in:

  • ssl_ca certificate authority’s certificate file

Example with CA:

    ssl_ca = ca-cert.pem
    ssl_cert = server-cert.pem
    ssl_key = server-key.pem

Example without CA:

    ssl_cert = server-cert.pem
    ssl_key = server-key.pem

Generating SSL files

These steps will help you generate the SSL certificates with the openssl tool.

The server can use a Certificate Authority to verify the signature of certificates, but it can also work with just a private key and certificate (without the CA certificate).

Generate the CA key

    openssl genrsa 2048 > ca-key.pem

Generate the CA certificate from the CA key

Generate a self-signed CA (root) certificate from the private key (fill in at least “Common Name”):

    openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem

Server Certificate

The server uses the server certificate to secure communication with the client. Generate a certificate request and the server private key (fill in at least a “Common Name” different from the root certificate’s common name):

    openssl req -newkey rsa:2048 -days 365 -nodes -keyout server-key.pem -out server-req.pem
    openssl rsa -in server-key.pem -out server-key.pem
    openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

When done, you can verify that the key and certificate files were generated correctly:

    openssl verify -CAfile ca-cert.pem server-cert.pem

Secured connection behaviour

When your SSL config is valid, the following things are available:

  • You can connect to the multiprotocol port (when no listener type is specified) over HTTPS and run queries. Both the request and the response will be SSL encrypted.
  • You can connect to a dedicated https port with HTTP and run queries. The connection will be secured (an attempt to connect to this port via plain HTTP will be rejected with a 400 error code).
  • You can connect to the mysql port with a mysql client using a secured connection. The session will be secured. Note that the Linux mysql client tries to use SSL by default, so a usual connection to Manticore, when it has a valid SSL config, will most probably be secured. You can check this by running the SQL ‘status’ command after you connect.

When your SSL config is not valid for any reason, which the daemon detects from the fact that a secured connection can’t be established (apart from an invalid config there may be other reasons, such as being unable to load the appropriate SSL library at all), the following things will not work or will work in a non-secured way:

  • You can’t connect to the multiprotocol port with HTTPS. The connection will be dropped.
  • You can’t connect to a dedicated https port. HTTPS connections will be dropped.
  • A connection to the mysql port via a mysql client will not advertise the possibility of SSL. So if the client demands it, the connection will fail. If not, it will use a plain mysql or compressed connection.

Caution:

  • Binary API connections (such as connections from old clients, or inter-daemon master-agent communication) are not secured.
  • SSL for replication needs to be set up separately. However, since the SST stage of replication is done over a binary API connection, it is not secured either.
  • You can still use any external proxy (e.g. SSH tunnelling) to secure your connections.

Read-only mode

Read-only mode for a connection disables any table or global modifications. Queries such as create, drop, all kinds of alter, attach and optimize, as well as data modification queries such as insert, replace, delete, update and others, will all be rejected. Changing daemon-wide settings via SET GLOBAL is also not possible in this mode.

You can still perform all search operations, generate snippets and run CALL PQ queries. You can also modify local (connection-wide) settings.

You can check whether your current connection is read-only by executing the show variables like 'session_read_only' statement. A value of 1 means read-only, 0 means usual (not read-only).

Activation

Normally you define a separate listen directive in read-only mode by adding the suffix _readonly to it, but you can also do it interactively for the current connection by executing the SET ro=1 statement via SQL.

Deactivation

If you’re connected to a VIP socket, you can execute SET ro=0 (even if the socket you are connected to was defined read-only in the config, not interactively), and the connection will switch to usual (not read-only) mode with all modifications allowed.

For usual (non-VIP) connections, escaping read-only mode is only possible by reconnecting, if it was set read-only interactively, or by updating the configuration file and restarting the daemon.
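
An added example (not part of the Manticore documentation): a small Python audit that applies the rules from “Secured connection behaviour”, “Caution” and “Read-only mode” to a searchd section, listener by listener. The config is a constructed sample, and the protocol names (sphinx, mysql41, http, replication) and the _vip suffix spelling are assumed from Manticore’s listen syntax rather than taken from this page.

```python
import re
# Protocol names assumed from Manticore's listen syntax (not listed on the page).
PROTOCOLS = ("mysql41", "mysql", "https", "http", "sphinx", "replication")
# Constructed sample config; ports and file names are illustrative.
SAMPLE_CONF = """searchd {
    listen = 9312
    listen = 127.0.0.1:9306:mysql
    listen = 9307:mysql_readonly
    listen = 127.0.0.1:9320:mysql_vip
    listen = 9443:https
    listen = 9313:sphinx
    ssl_cert = server-cert.pem
    ssl_key = server-key.pem
}
"""

def parse_searchd(text):
    """Return (settings, listen values) from the searchd { ... } section."""
    block = re.search(r"searchd\s*\{(.*?)\}", text, re.S)
    settings, listens = {}, []
    for line in (block.group(1) if block else "").splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "listen":
            listens.append(value.strip())
        elif sep:
            settings[key.strip()] = value.strip()
    return settings, listens

def audit(text):
    """Classify each listener's transport security per the rules above."""
    settings, listens = parse_searchd(text)
    tls_ready = bool(settings.get("ssl_cert") and settings.get("ssl_key"))
    report = []
    for listen in listens:
        last = listen.rsplit(":", 1)[-1]
        proto = next((p for p in PROTOCOLS if last.startswith(p)), "")
        suffix = last[len(proto):] if proto or last.startswith("_") else ""
        if proto == "https":             # dedicated HTTPS port
            transport = "tls" if tls_ready else "dropped"
        elif proto.startswith("mysql"):  # client may negotiate SSL
            transport = "tls-optional" if tls_ready else "plaintext"
        elif proto == "":  # multiprotocol: HTTPS works, binary API stays plain
            transport = "mixed" if tls_ready else "plaintext"
        elif proto == "sphinx":          # binary API is never secured
            transport = "plaintext"
        else:                            # http, replication: not classified here
            transport = "unknown"
        report.append({"listen": listen, "transport": transport,
                       "readonly": "_readonly" in suffix, "vip": "_vip" in suffix})
    return report
```

The tls_ready flag only reflects that both directives are present in the config; the daemon can still fail to establish a secured connection at runtime, for example when the SSL library cannot be loaded.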