HandlerSocket’s Secret Authentication Mechanism
Matt Ward made a comment on another blog post of mine informing me that HandlerSocket does, in fact, support authentication (committed 20 November 2010 in 43545662ddc23faa90ab). He mentions that it’s only plaintext (you’ve got to start somewhere, I suppose) and that it is undocumented, which explains why nobody knew about it. The purpose of this post is to document the functionality until it’s officially done.
The two configuration variables used for authentication are:
handlersocket_plain_secret = SECRET_PASS
This handles the authentication for the read-only listener.
handlersocket_plain_secret_wr = SECRET_PASS
This handles the authentication for the write listener. Obviously SECRET_PASS should be replaced with your secret password. For the purposes of this blog post, I have put the following in my my.cnf:
# Authentication for the read-only listener on port 9998
handlersocket_plain_secret = hps
# Authentication for the write listener on port 9999
handlersocket_plain_secret_wr = hpsw
After a quick mysqld restart, let’s test this:
%> telnet localhost 9998
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
P 0 test t1 PRIMARY id,c1,c2
3 1 unauth
0 = 1 1
3 1 unauth
Now that a secret is specified in my.cnf, any attempts to open an index or read an index are denied with “3 1 unauth”.
A 1 hps
0 1
A return of “0 1” indicates a successful authentication attempt (this return code will look familiar because it is the same response as for a successful open_index).
P 0 test t1 PRIMARY id,c1,c2
0 1
0 = 1 1
0 3 1 1 one
Now that we are authenticated, we can proceed as normal. We are only required to authenticate once per session, not per command.
A 1 aoeu
3 1 unauth
P 0 test t1 PRIMARY id,c1,c2
3 1 unauth
^]
telnet> q
Connection closed.
If, however, we try to authenticate again in the same session with the wrong secret, the session becomes unauthenticated again.
It is entirely possible to choose to add authentication to only one of the listeners if, for example, you only want authentication for write operations.
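The telnet session above, replayed in code: this is an added example, not code from the original post or from the HandlerSocket project. It contains a small encoder/decoder for HandlerSocket's tab-separated line protocol (the escaping rule, bytes 0x00-0x0f sent as 0x01 followed by the byte plus 0x40, is the one from the protocol description) and a constructed in-memory stand-in for a listener started with handlersocket_plain_secret set. The listener class, the table row and the function names are my own, and the model only implements what the session exercises: open_index, a single-key "=" find, and the A command with its per-session authentication state.

```python
"""Added example (not from the original post or from HandlerSocket itself).

Replays the post's session against a constructed model of a listener whose
handlersocket_plain_secret is "hps": open_index/find before auth answer
"3 1 unauth", "A 1 hps" answers "0 1", later commands work, and a wrong "A"
in the same session drops it back to unauthenticated.
"""

TAB, NL = "\t", "\n"
UNAUTH = "3\t1\tunauth\n"


def encode_field(value):
    """Escape one field for the wire: bytes 0x00-0x0f become 0x01 + (byte + 0x40).
    None is SQL NULL, sent as a single 0x00 byte."""
    if value is None:
        return "\x00"
    return "".join("\x01" + chr(ord(c) + 0x40) if ord(c) <= 0x0F else c
                   for c in str(value))


def decode_field(raw):
    """Reverse of encode_field()."""
    if raw == "\x00":
        return None
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\x01" and i + 1 < len(raw):
            out.append(chr(ord(raw[i + 1]) - 0x40))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def encode_request(*fields):
    """Build one request line, e.g. encode_request("A", 1, "hps") == "A\\t1\\thps\\n"."""
    return TAB.join(encode_field(f) for f in fields) + NL


def parse_response(line):
    """Split a response line into (error_code, column_count, values)."""
    parts = [decode_field(p) for p in line.rstrip(NL).split(TAB)]
    return int(parts[0]), int(parts[1]), parts[2:]


class FakeSecretListener:
    """Constructed model of one connection to a listener with a plain secret set."""

    def __init__(self, secret, rows):
        self.secret = secret
        self.rows = rows        # constructed table: {primary key: tuple of column values}
        self.authed = False     # per-session state: authenticate once, not per command
        self.indexes = {}       # index id -> requested column names

    def handle(self, line):
        parts = [decode_field(p) for p in line.rstrip(NL).split(TAB)]
        cmd = parts[0]
        if cmd == "A":
            # "A <type> <secret>": type 1 is the plain secret. A failed attempt
            # leaves the session unauthenticated, as observed in the post.
            self.authed = len(parts) == 3 and parts[1] == "1" and parts[2] == self.secret
            return "0\t1\n" if self.authed else UNAUTH
        if not self.authed:
            return UNAUTH
        if cmd == "P":
            # open_index: "P <idx> <db> <table> <index> <col,col,...>"
            self.indexes[parts[1]] = parts[5].split(",")
            return "0\t1\n"
        # find: "<idx> <op> <nkeys> <key>"; the model supports "=" on one key only
        idx, op, key = cmd, parts[1], parts[3]
        if idx not in self.indexes or op != "=":
            raise ValueError("model only supports '=' on an opened index")
        cols = self.indexes[idx]
        row = self.rows.get(key)
        if row is None:
            return "0\t%d\n" % len(cols)   # no matching rows: column count, no values
        return TAB.join(["0", str(len(cols))] + [encode_field(v) for v in row]) + NL


def replay_session(listener):
    """Send the post's request sequence and return the parsed responses."""
    requests = [
        encode_request("P", 0, "test", "t1", "PRIMARY", "id,c1,c2"),  # before auth
        encode_request(0, "=", 1, 1),                                  # before auth
        encode_request("A", 1, "hps"),                                 # correct secret
        encode_request("P", 0, "test", "t1", "PRIMARY", "id,c1,c2"),
        encode_request(0, "=", 1, 1),
        encode_request("A", 1, "aoeu"),                                # wrong secret
        encode_request("P", 0, "test", "t1", "PRIMARY", "id,c1,c2"),  # refused again
    ]
    return [parse_response(listener.handle(r)) for r in requests]


if __name__ == "__main__":
    table = {"1": ("1", "1", "one")}   # constructed row matching the post's output
    for code, ncols, values in replay_session(FakeSecretListener("hps", table)):
        print(code, ncols, *values)
```

Nothing in this exchange protects the secret on the wire, so the listener ports should only be reachable from hosts that are trusted to hold it; the encoder is also where a real client must escape key values, since a tab or newline inside a value would otherwise be read as a field or line boundary.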
