
Re: SASL OTP and syncrepl



[Replying to both messages]

Emmanuel Dreyfus wrote:
> On Fri, Feb 19, 2010 at 07:53:09AM +0100, Emmanuel Dreyfus wrote:
> > A simple solution in the single master situation is to redirect any SASL
> > OTP bind to the master. As far as I understand, we have no way of
> > configuring this right now, we need to add some code, right?
>
> Perhaps slapo-rwm can do that? Is there a way of matching OTP
> binds?

I'm afraid slapo-rwm can't do anything like that, since it is not involved in SASL binds (not even in rewriting identities).

To go back to your initial statement, redirecting SASL OTP binds to the master may sound simple, but the question is: is it acceptable? I mean: isn't it defeating the purpose of using replicas in the first place?

Going a bit technical, we need to let SASL bind know that some mechs may need to behave differently. But redirecting SASL binds to the master means playing man-in-the-middle, we'd rather need to have distributed SASL binds. Not familiar enough with SASL's internals to debate. As far as I understand, auxprops is the intended method to implement distributed SASL info storage and thus (try to) support distributed SASL bind. However, this means that not only slap_auxprop_store() needs to:

	- understand it's acting on behalf of a shadow database

	- redirect writes to the master

but also

	- wait for replication to complete

before authentication can continue.

A totally different approach would be to have auxprop handling, including reads, redirected to the master. In this latter case, auxprop info (at least for specific SASL mechs) shouldn't be replicated at all.

p.