6.9.4. Using Fall-Back Bridge Mode

This feature will allow the Tungsten Connector to fall back to bridge mode if a user cannot be successfully authenticated through user.map.

The connector is able to employ a special fall-back bridge mode which allows for a hybrid configuration of both Proxy and Bridge modes. By default, the bridge mode fallback feature is disabled.

When fallBackBridgeMode is set to either RW_STRICT or RO_RELAXED, the Connector will first check the user.map file for an entry that matches the user name passed in the connection request. If a match is found in the user.map, the Connector will act in Proxy mode so the conversation with the client will be handled locally, and a new connection will be opened from the connector to the database server based on the normal Proxy mode routing rules. If the user name is not found in user.map, then the connector will act in Bridge mode, and the connection will be forwarded directly to the specified database server, either to the master (RW_STRICT) or to the slave (RO_RELAXED) for handling with no intercept, just a TCP-layer packet routing. There will be no query interpretation or analysis, and no auto-reconnect, just failover handling.

For more information, see Section 6.4, “Using Bridge Mode”, and Section 6.5, “User Authentication”.

To enable Fall-Back Bridge Mode using the DB Master:

shell> ./tools/tpm configure alpha —property=fallBackBridgeMode=RW_STRICT --connector-bridge-mode=false
shell> ./tools/tpm update

To enable Fall-Back Bridge Mode using a DB Slave (if available):

shell> ./tools/tpm configure alpha —property=fallBackBridgeMode=RO_RELAXED --connector-bridge-mode=false
shell> ./tools/tpm update

Warning

Updating these values require a connector restart (via tpm update) for the changes to be recognized.

Important

To be consistent, Bridge mode should be disabled when fallBackBridgeMode is enabled. The --connector-bridge-mode option to tpm must be set to false. A consistency check is performed when starting the connector.

6.9.4.1. Using Fall-Back SSL To Bridge Mode

SSL connections are by design unreadable until the handshake has been exchanged. Because of this, the MySQL user name in the request is not visible to the Connector immediately, and therefore the Connector is unable to check against user.map for fallBackBridgeMode.

Due to this situation, another feature was created to address SSL connections while the fallBackBridgeMode is enabled called fallBackSSLToBridge. When fallBackSSLToBridge is set to true (default), then all SSL connections will use Bridge mode, while non-SSL connections will use the fallBackBridgeMode setting (i.e. RW_STRICT which routes traffic to the Master or RO_RELAXED which routes to the slaves). When fallBackSSLToBridge is set to false, then SSL connections will run in non-Bridge mode - if the specified user doesn't exist in user.map, an error will be raised.

Important

The fallBackSSLToBridge setting is ONLY available when fallBackBridgeMode is enabled, and is ignored when fallBackBridgeMode is set to false.

Since fallBackSSLToBridge is enabled by default when fallBackBridgeMode is enabled, you may turn it off as follows:

shell> ./tools/tpm configure alpha —property=fallBackSSLToBridge=false
shell> ./tools/tpm update

Warning

Updating these values require a connector restart (via tpm update) for the changes to be recognized.