6.9.4. Using Fall-Back Bridge Mode
This feature will allow the Tungsten Connector to fall back to bridge mode if
a user cannot be successfully authenticated through
The connector is able to employ a special fall-back bridge mode which allows
for a hybrid configuration of both Proxy and Bridge modes. By default, the
bridge mode fallback feature is disabled.
When fallBackBridgeMode is set to either RW_STRICT or RO_RELAXED, the
Connector will first check the user.map file for an entry that matches the
user name passed in the connection request. If a match is found in the
user.map, the Connector will act in Proxy mode so the conversation with the
client will be handled locally, and a new connection will be opened from the
connector to the database server based on the normal Proxy mode routing
rules. If the user name is not found in user.map, then the connector will
act in Bridge mode, and the connection will be forwarded directly to the
specified database server, either to the master (RW_STRICT) or to the slave
(RO_RELAXED) for handling with no intercept, just a TCP-layer packet
routing. There will be no query interpretation or analysis, and no
auto-reconnect, just failover handling.
For more information, see Section 6.4, “Using Bridge Mode”, and
Section 6.5, “User Authentication”.
To enable Fall-Back Bridge Mode using the DB Master:
./tools/tpm configure alpha —property=fallBackBridgeMode=RW_STRICT --connector-bridge-mode=false
To enable Fall-Back Bridge Mode using a DB Slave (if available):
./tools/tpm configure alpha —property=fallBackBridgeMode=RO_RELAXED --connector-bridge-mode=false
Updating these values require a connector restart (via tpm update) for the
changes to be recognized.
To be consistent, Bridge mode should be disabled when fallBackBridgeMode
is enabled. The
option to tpm must be set to
false. A consistency check is
performed when starting the connector.
126.96.36.199. Using Fall-Back SSL To Bridge Mode
SSL connections are by design unreadable until the handshake has been
exchanged. Because of this, the MySQL user name in the request is not
visible to the Connector immediately, and therefore the Connector is
unable to check against user.map for
Due to this situation, another feature was created to address SSL
connections while the
is enabled called
fallBackSSLToBridge is set to
true (default), then all SSL
connections will use Bridge mode, while non-SSL connections will use the
fallBackBridgeMode setting (i.e. RW_STRICT which routes traffic to the
Master or RO_RELAXED which routes to the slaves). When
fallBackSSLToBridge is set to
false, then SSL connections will run
in non-Bridge mode - if the specified user doesn't exist in user.map, an
error will be raised.
fallBackSSLToBridge setting is ONLY
enabled, and is ignored when
fallBackBridgeMode is set to
fallBackSSLToBridge is enabled by
enabled, you may turn it off as follows:
./tools/tpm configure alpha —property=fallBackSSLToBridge=false
Updating these values require a connector restart (via tpm update) for
the changes to be recognized.