Using Fall-Back Bridge Mode
This feature will allow the Tungsten Connector to fall back to bridge mode if a user cannot be successfully authenticated through user.map.
The connector is able to employ a special fall-back bridge mode which allows for a hybrid configuration of both Proxy and Bridge modes. By default, the bridge mode fallback feature is disabled.
When fallBackBridgeMode is set to either RW_STRICT or RO_RELAXED, the Connector will first check the user.map file
for an entry that matches the user name passed in the connection request. If a match is found in the user.map, the Connector will act in Proxy mode
so the conversation with the client will be handled locally, and a new connection will be opened from the connector to the database server based on the normal
Proxy mode routing rules. If the user name is not found in the user.map, then the connector will act in Bridge mode, and the connection will be
forwarded directly to the specified database server, either to the Primary (RW_STRICT) or to the Replica (RO_RELAXED) for handling with
no intercept, just a TCP-layer packet routing. There will be no query interpretation or analysis, and no auto-reconnect, just failover handling.
Available in 7.0.3 and later.
Support for Fall-Back Bridge Mode and MySQL 8 was introduced in v7.0.3.
For more information, see "Using Bridge Mode", and "User Authentication".
To enable Fall-Back Bridge Mode to use the Primary, include the following entries to the /etc/tungsten/tungsten.ini file prior to installation, or issuing
tpm update after installation:
property=fallBackBridgeMode=RW_STRICT
connector-bridge-mode=false
To enable Fall-Back Bridge Mode to use a replica (if available), include the following entries to the /etc/tungsten/tungsten.ini file prior to installation, or
issuing tpm update after installation:
property=fallBackBridgeMode=RO_RELAXED
connector-bridge-mode=false
Updating these values require a connector restart (via tpm update), if enabled after installation, for the changes to be recognized.
To be consistent, Bridge mode should be disabled when fallBackBridgeMode is enabled. The connector-bridge-mode option must be set to
false. A consistency check is performed when starting the connector.
Using Fall-Back SSL To Bridge Mode
SSL connections are by design unreadable until the handshake has been exchanged. Because of this, the MySQL user name in the request is not visible to the
Connector immediately, and therefore the Connector is unable to check against the user.map for fallBackBridgeMode.
Due to this situation, another feature was created to address SSL connections while the fallBackBridgeMode is enabled called
fallBackSSLToBridge. When fallBackSSLToBridge is set to true (default), then all SSL connections will
use Bridge mode, while non-SSL connections will use the fallBackBridgeMode setting (i.e. RW_STRICT which routes traffic to the Primary or
RO_RELAXED which routes to the Replicas). When fallBackSSLToBridge is set to false, then SSL connections will run in
non-Bridge mode - if the specified user doesn't exist in the user.map, an error will be raised.
The fallBackSSLToBridge setting is ONLY available when fallBackBridgeMode is enabled, and is ignored when
fallBackBridgeMode is set to false.
Since fallBackSSLToBridge is enabled by default when fallBackBridgeMode is enabled, you may turn it off with the following property:
property=fallBackSSLToBridge=false
Updating these values require a connector restart (via tpm update), if enabled after installation, for the changes to be recognized.