ccl/sqlproxyccl: frontend admitter #57849
78cd439 to be50759
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @andy-kimball, @darinpp, @imjching, and @spaskob)
pkg/ccl/sqlproxyccl/frontend_admitter.go, line 18 at r1 (raw file):
```
)

// FrontendAdmit is an example frontend admitter
```
I don't think this is a good description - it's more than "an example" - it's the default admitter. Beef up this comment with information about what this method does and when and why it would be used. I'd put a bit of example code on how to use it as a library caller.
pkg/ccl/sqlproxyccl/proxy.go, line 84 at r1 (raw file):
```
// is accepted. It can optionally negotiate SSL, provide admittance control or
// other types of frontend connection filtering.
FrontendAdmitter func(incoming net.Conn) (net.Conn, *pgproto3.StartupMessage, error)
```
NIT: move this above BackendDialer since it's called first, and so I'd want to read about it first.
Would also like to see
I think we are trying to reinvent the wheel, i.e. https://godoc.org/github.com/jackc/pgconn#ConnectConfig. We should use this API instead - it handles auth correctly (currently sqlproxy does not) and is going to support future changes to the protocol.
be50759 to 4700f66
I added several unit tests for the frontend admitter. I'll add tests for the backend dialer in another PR as I can combine with swapping it to use PG client that Spas found.
Reviewable status: complete! 0 of 0 LGTMs obtained (and 1 stale) (waiting on @andy-kimball, @imjching, and @spaskob)
pkg/ccl/sqlproxyccl/frontend_admitter.go, line 18 at r1 (raw file):
Previously, andy-kimball (Andy Kimball) wrote…
I don't think this is a good description - it's more than "an example" - it's the default admitter. Beef up this comment with information about what this method does and when and why it would be used. I'd put a bit of example code on how to use it as a library caller.
I expanded the comment.
pkg/ccl/sqlproxyccl/proxy.go, line 84 at r1 (raw file):
Previously, andy-kimball (Andy Kimball) wrote…
NIT: move this above BackendDialer since it's called first, and so I'd want to read about it first.
moved
This library implements a client - I'll try replacing the Backend Dialer code to use it. This PR is more like a server side PG code.
12a429e to a44cbf2
bors r+
Build failed:
bors r+
bors r-
Canceled.
This replaces `IncomingTLSConfig` with a function similar to `BackendDialer` that will be called to set up the frontend connection/pipeline of the proxy. It requires that all clients replace the calls like this one

```
server := sqlproxyccl.NewServer(
  sqlproxyccl.Options{
    IncomingTLSConfig: &tlsConfig,
  },
)
```

with the analogous code

```
server := sqlproxyccl.NewServer(
  sqlproxyccl.Options{
    FrontendAdmitter: func(
      incoming net.Conn,
    ) (net.Conn, *pgproto3.StartupMessage, error) {
      return sqlproxyccl.FrontendAdmit(
        incoming, &tlsConfig,
      )
    },
  },
)
```

While a bit more verbose, this makes it possible for the proxy library users to implement custom logic to admit or reject connections based on the client's IP address.

Release note: none
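An added example, not part of this PR or of the sqlproxyccl code: one way a library user could apply the IP-based admission the commit message describes, as a wrapper that runs before the TLS and startup handling. `admitFunc`, `withAllowList`, `fakeConn` and `tryPeer` are hypothetical names, the admitter signature is simplified by dropping `*pgproto3.StartupMessage`, and the 10.0.0.0/8 policy and peer addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// admitFunc is a simplified stand-in for the page's FrontendAdmitter; the
// *pgproto3.StartupMessage result is omitted to stay in the standard library.
type admitFunc func(incoming net.Conn) (net.Conn, error)

// withAllowList (hypothetical) calls next only for TCP peers inside an allowed prefix.
func withAllowList(allowed []netip.Prefix, next admitFunc) admitFunc {
	return func(incoming net.Conn) (net.Conn, error) {
		tcp, ok := incoming.RemoteAddr().(*net.TCPAddr)
		if !ok { // fail closed when the peer has no IP address to check
			incoming.Close()
			return nil, fmt.Errorf("rejected non-TCP peer %v", incoming.RemoteAddr())
		}
		// net.IP often holds IPv4 in 16-byte form; Unmap so it matches IPv4 prefixes.
		ip := tcp.AddrPort().Addr().Unmap()
		for _, p := range allowed {
			if p.Contains(ip) {
				return next(incoming)
			}
		}
		incoming.Close() // rejected before any TLS or startup handling
		return nil, fmt.Errorf("connection from %s rejected", ip)
	}
}

// fakeConn is a constructed test double that reports a fixed peer address.
type fakeConn struct{ net.Conn; peer net.Addr; closed bool }

func (c *fakeConn) RemoteAddr() net.Addr { return c.peer }
func (c *fakeConn) Close() error         { c.closed = true; return nil }

// tryPeer reports the outcome for peer under a constructed 10.0.0.0/8 policy.
func tryPeer(peer net.Addr) (admitted, closed bool) {
	allow := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}
	conn := &fakeConn{peer: peer}
	_, err := withAllowList(allow, func(c net.Conn) (net.Conn, error) { return c, nil })(conn)
	return err == nil, conn.closed
}

func main() {
	fmt.Println(tryPeer(&net.TCPAddr{IP: net.ParseIP("10.1.2.3"), Port: 40000}))
	fmt.Println(tryPeer(&net.TCPAddr{IP: net.ParseIP("192.0.2.7"), Port: 40000}))
}
```

Without the `Unmap` call, an IPv4 peer stored in 16-byte form would not match the IPv4 prefix and every such client would be rejected.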
a44cbf2 to 4bd6614
bors r+
Build succeeded:
cc: @cockroachdb/sqlproxy-prs