feat: mysql and pg server support tls

[SSebo]

I hereby agree to the terms of the GreptimeDB CLA

What's changed and what's your intention?

add tls support for mysql and pg

Please explain IN DETAIL what the changes are in this PR and why they are needed:

• add a common TlsOption to save cert and key path, can also generate rustls::ServerConfig
• pass tls option to mysql setup logic, then feed ServerConfig to opensrv_mysql
• pass tls option to gp setup logic, then feed TlsAcceptor to pgwire

Checklist

• I have written the necessary rustdoc comments.
• I have added the necessary unit tests and integration tests.

Refer to a related PR or issue link (optional)

#515

[SSebo]

@sunng87 @MichaelScofield Lack of testing for now. Can I add integration test which use mysql-client to execute echo "SELECT * FROM foo" | mysql -h 127.0.0.1 --table --ssl-mode=REQUIRED for mysql, and something similar for pg?

[codecov]

Codecov Report

Merging #641 (7ee73b0) into develop (53ab19e) will increase coverage by 0.05%.
The diff coverage is 95.76%.

@@             Coverage Diff             @@
##           develop     #641      +/-   ##
===========================================
+ Coverage    86.32%   86.38%   +0.05%     
===========================================
  Files          406      407       +1     
  Lines        51351    51524     +173     
===========================================
+ Hits         44330    44508     +178     
+ Misses        7021     7016       -5     

Flag	Coverage Δ
rust	86.38% <95.76%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/datanode/src/server.rs	0.00% <0.00%> (ø)
src/frontend/src/server.rs	0.00% <0.00%> (ø)
src/servers/src/error.rs	55.26% <0.00%> (+28.23%)	⬆️
src/servers/src/lib.rs	100.00% <ø> (ø)
src/servers/src/postgres/auth_handler.rs	82.71% <93.75%> (+2.41%)	⬆️
src/servers/src/mysql/server.rs	95.34% <95.23%> (+0.80%)	⬆️
src/frontend/src/mysql.rs	100.00% <100.00%> (ø)
src/frontend/src/postgres.rs	100.00% <100.00%> (ø)
src/servers/src/postgres/server.rs	98.38% <100.00%> (+0.34%)	⬆️
src/servers/src/tls.rs	100.00% <100.00%> (ø)
... and 3 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[sunng87]

More on mysql and postgres ssl configuration:
https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
https://www.percona.com/blog/enabling-and-enforcing-ssl-tls-for-postgresql-connections/

[sunng87]

@SSebo Is ssl supported in those client libraries we are using for testing? Using mysql-client for testing will add more dependencies in our build and CI requirements, which is not preferred.

[SSebo]

@SSebo Is ssl supported in those client libraries we are using for testing? Using mysql-client for testing will add more dependencies in our build and CI requirements, which is not preferred.

for opensrv-mysql integration test, mysql-client is installed in github action ubuntun by default.
I'll try to find out if rust based client support ssl.

[SSebo]

@sunng87 I found there is no way to force pgwire to reject connect if TlsAcceptor is supplied but client want to connect normally. This is used for TlsMode::Require

sunng87/pgwire#22

[sunng87]

@SSebo perhaps we can reject the client by checking its ssl state in startup handler. When the client sends its Startup message to server, we can reply with error. I will check postgresql's behaviour to see if we really need to cut it during SslRequest.

[sunng87]

@SSebo I confirmed postgres enforces this check when handling Startup message. So we can do it in on_startup callback of pgwire's auth handler

This is how postgresql receives startup message and responds plain text connection when ssl is enforced.

Frame 24: 145 bytes on wire (1160 bits), 145 bytes captured (1160 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 59040, Dst Port: 5432, Seq: 1, Ack: 1, Len: 79
PostgreSQL
    Type: Startup message
    Length: 79
    Protocol major version: 3
    Protocol minor version: 0
    Parameter name: user
    Parameter value: sunng
    Parameter name: database
    Parameter value: testdb
    Parameter name: application_name
    Parameter value: psql
    Parameter name: client_encoding
    Parameter value: UTF8


Frame 26: 219 bytes on wire (1752 bits), 219 bytes captured (1752 bits) on interface lo, id 0
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
Transmission Control Protocol, Src Port: 5432, Dst Port: 59040, Seq: 1, Ack: 80, Len: 153
PostgreSQL
    Type: Error
    Length: 152
    Severity: FATAL
    Text: FATAL
    Code: 28000
    Message: no pg_hba.conf entry for host "127.0.0.1", user "sunng", database "testdb", no encryption
    File: auth.c
    Line: 545
    Routine: ClientAuthentication

[SSebo]

@sunng87 Since we should handle the plain client connect to secure required server as the real server, how about we put the logic in opensrv-mysql and pgwire. Every user who use opensrv-mysql and pgwire enable tls feature may need this. Currently I just drop the plain connection in secure required mysql which is not proper I think.

[sunng87]

@SSebo I realized that opensrv-mysql and pgwire may provide different level of abstraction. pgwire expose on_startup to developer to customize this behaviour, while opensrv-mysql does not expose this startup apis.

In real world, this ssl policy is a little complex,it involves tuple of host, user and database to decide if ssl is to be enforced. It's better to be implemented where these three entities are defined and provided.

So the problem is we need to customize mysql connection handshake (or startup) process. We have another issue #600 can be related to this as well.

But for now I think it's ok to simply drop the plain connection to move on. We can resolve that in future PR

[SSebo]

@sunng87 mysql and pg both covered by unit test.

[sunng87]

@SSebo Look almost good to me! Please check these two minor comments.

@MichaelScofield Please take a look as well. Thank you!

[killme2008]

What a good job! Thanks a lot. I have a few comments, PTAL.

[killme2008]

LGTM. Almost done, Good job.

[MichaelScofield]

LGTM, ping me if you resolve the remaining comments, and I'll merge this PR, thx!

[killme2008]

@SSebo There is also a code format issue, https://github.com/GreptimeTeam/greptimedb/actions/runs/3580016212/jobs/6021767404

[SSebo]

@SSebo There is also a code format issue, https://github.com/GreptimeTeam/greptimedb/actions/runs/3580016212/jobs/6021767404

got it.

[killme2008]

@SSebo Congrats on your first PR! Thanks a lot.

[sunng87]

Congratulations! Thanks for your effort! This is a big step for enabling greptimedb in shared environment.