This feature will allow the Tungsten Connector to fall back to bridge mode if a user cannot be successfully authenticated through user.map.
The connector is able to employ a special fall-back bridge mode which allows for a hybrid configuration of both Proxy and Bridge modes. By default, the bridge mode fallback feature is disabled.
When fallBackBridgeMode is set to either RW_STRICT or RO_RELAXED, the Connector will first check the user.map file for an entry that matches the user name passed in the connection request. If a match is found in user.map, the Connector will act in Proxy mode, so the conversation with the client will be handled locally, and a new connection will be opened from the Connector to the database server based on the normal Proxy mode routing rules. If the user name is not found in user.map, the Connector will act in Bridge mode, and the connection will be forwarded directly to the specified database server, either the Primary (RW_STRICT) or the Replica (RO_RELAXED), with no interception, only TCP-layer packet routing. There will be no query interpretation or analysis, and no auto-reconnect, just failover handling.
For more information, see Section 7.5, “Using Bridge Mode”, and Section 7.6, “User Authentication”.
To enable Fall-Back Bridge Mode using the DB Primary:
The examples below show both the Staging and INI methods.
shell> tpm query staging
tungsten@db1:/opt/continuent/software/tungsten-clustering-7.1.4-10

shell> echo The staging USER is `tpm query staging| cut -d: -f1 | cut -d@ -f1`
The staging USER is tungsten

shell> echo The staging HOST is `tpm query staging| cut -d: -f1 | cut -d@ -f2`
The staging HOST is db1

shell> echo The staging DIRECTORY is `tpm query staging| cut -d: -f2`
The staging DIRECTORY is /opt/continuent/software/tungsten-clustering-7.1.4-10

shell> ssh {STAGING_USER}@{STAGING_HOST}
shell> cd {STAGING_DIRECTORY}

shell> ./tools/tpm configure alpha \
    --property=fallBackBridgeMode=RW_STRICT \
    --connector-bridge-mode=false
Run the tpm command to update the software with the Staging-based configuration:
shell> ./tools/tpm update
For information about making updates when using a Staging-method deployment, please see Section 10.3.7, “Configuration Changes from a Staging Directory”.
shell> vi /etc/tungsten/tungsten.ini
[alpha]
...
property=fallBackBridgeMode=RW_STRICT
connector-bridge-mode=false
Run the tpm command to update the software with the INI-based configuration:
shell> tpm query staging
tungsten@db1:/opt/continuent/software/tungsten-clustering-7.1.4-10

shell> echo The staging DIRECTORY is `tpm query staging| cut -d: -f2`
The staging DIRECTORY is /opt/continuent/software/tungsten-clustering-7.1.4-10

shell> cd {STAGING_DIRECTORY}
shell> ./tools/tpm update
For information about making updates when using an INI file, please see Section 10.4.4, “Configuration Changes with an INI file”.
To enable Fall-Back Bridge Mode using a DB Replica (if available):
shell> ./tools/tpm configure alpha \
--property=fallBackBridgeMode=RO_RELAXED \
--connector-bridge-mode=false
[alpha]
...
property=fallBackBridgeMode=RO_RELAXED
connector-bridge-mode=false
Updating these values requires a connector restart (via tpm update) for the changes to be recognized.
To be consistent, Bridge mode should be disabled when fallBackBridgeMode is enabled. The --connector-bridge-mode option to tpm must be set to false. A consistency check is performed when starting the connector.
SSL connections are by design unreadable until the handshake has been exchanged. Because of this, the MySQL user name in the request is not visible to the Connector immediately, and therefore the Connector is unable to check against user.map for fallBackBridgeMode.
To address SSL connections while fallBackBridgeMode is enabled, another feature was created, called fallBackSSLToBridge.
When fallBackSSLToBridge is set to true (default), then all SSL connections will use Bridge mode, while non-SSL connections will use the fallBackBridgeMode setting (i.e. RW_STRICT which routes traffic to the Primary or RO_RELAXED which routes to the Replicas). When fallBackSSLToBridge is set to false, then SSL connections will run in non-Bridge mode; if the specified user doesn't exist in user.map, an error will be raised.
The fallBackSSLToBridge setting is ONLY available when fallBackBridgeMode is enabled, and is ignored when fallBackBridgeMode is set to false.
Since fallBackSSLToBridge is enabled by default when fallBackBridgeMode is enabled, you may turn it off as follows:
shell> ./tools/tpm configure alpha \
--property=fallBackSSLToBridge=false
[alpha]
...
property=fallBackSSLToBridge=false
Updating these values requires a connector restart (via tpm update) for the changes to be recognized.
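
The routing rules above, modelled in Python as an added example (not Continuent code and not part of the original page): it parses the tungsten.ini form shown here, applies the documented consistency check, and lists which connection classes are forwarded in Bridge mode with no query interpretation. The function names, result labels and SAMPLE_INI contents are constructed for illustration.

```python
# Added example: a model of the documented fall-back rules, not the Connector's code.
FALLBACK_TARGET = {"RW_STRICT": "primary", "RO_RELAXED": "replica"}

# Constructed sample in the tungsten.ini form shown on this page.
SAMPLE_INI = """\
[alpha]
property=fallBackBridgeMode=RW_STRICT
property=fallBackSSLToBridge=false
connector-bridge-mode=false
"""

def parse_service(ini_text, service):
    """Collect options for one [service]; repeated property=k=v lines are flattened."""
    opts, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == service and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            if key.strip() == "property" and "=" in value:
                key, value = value.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def route(opts, ssl, user_in_map):
    """Return how one connection is handled under the documented fall-back rules."""
    mode = opts.get("fallBackBridgeMode", "false")
    if mode not in FALLBACK_TARGET:
        return "fallback-disabled"
    ssl_to_bridge = opts.get("fallBackSSLToBridge", "true").lower() == "true"
    if ssl:
        # The user name is unreadable before the handshake, so user.map cannot decide.
        if ssl_to_bridge:
            return "bridge"
        return "proxy" if user_in_map else "error"
    return "proxy" if user_in_map else "bridge:" + FALLBACK_TARGET[mode]

def audit(opts):
    """Consistency check plus the connection classes that get no query interpretation."""
    findings = []
    enabled = opts.get("fallBackBridgeMode", "false") in FALLBACK_TARGET
    if enabled and opts.get("connector-bridge-mode", "").lower() != "false":
        # A missing value is flagged too: the page requires an explicit false.
        findings.append("connector-bridge-mode must be false with fallBackBridgeMode")
    findings += [f"uninspected: ssl={s} user_in_map={k}"
                 for s in (False, True) for k in (False, True)
                 if route(opts, s, k).startswith("bridge")]
    return findings
```

Running audit(parse_service(text, "alpha")) against a real tungsten.ini shows at a glance whether SSL clients, unknown users, or both reach the database without passing through Proxy mode.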