edgelesssys / edgelessdb

EdgelessDB is a MySQL-compatible database for confidential computing. It runs entirely inside a secure enclave and comes with advanced features for collaboration, recovery, and access control.
https://edgeless.systems/products/edgelessdb
GNU General Public License v2.0

Access Denied #118

Closed CoconuterTATA closed 1 year ago

thomasten commented 1 year ago

Hi,

Can you connect to EDB with the mysql command-line client and use the database without problems?

If yes, can you provide instructions on how I can reproduce the flink-connector problem?

thomasten commented 1 year ago

Ok. Can you connect from B to A with the mysql client like this?

mysql -h<a's ip addr> -P3307 -utest -p123

thomasten commented 1 year ago

Sorry for the confusion, I meant a's ip addr in the command. (I edited it just now.)

So if I see this correctly, the same connection from B to A doesn't work with either the flink connector or the mysql client? So this isn't an issue with the connector, but a more fundamental sql connection problem?

thomasten commented 1 year ago

Tried to reproduce this, but got a different error than you:

[Warning] Aborted connection 8 to db: 'unconnected' user: 'test' host: '<my ip>' (Got an error reading communication packets)

However, if you say

I started to connect A(edb) from server b like this: mysql -h<A's ip addr> -P3307 -utest -p123 the result is: ERROR 1045 (28000): Access denied for user 'test'@'b's ip addr' (using password: YES)

then this error is not related to flink, but happens with any mysql client, right?

thomasten commented 1 year ago

Sorry, I got no idea what could be wrong.

thomasten commented 1 year ago

Happy to hear that. Binlog is disabled for EDB because the default implementation is insecure with regard to the strong EDB attacker model. We would need to implement a stronger encryption for it, like we did for RocksDB.

thomasten commented 1 year ago

I can check whether it's possible to enable it with a few code changes. But please note that

Would that be of interest for you despite these limitations?

thomasten commented 1 year ago

I just noticed that when you run EDB with EDG_EDB_LOG_DIR=edblogs (see docs), it also activates the binlog. Can you try this first?

Nirusu commented 1 year ago

If you built and use EDB outside Docker, just prepend it to the command when you execute edb. For example:

EDG_EDB_LOG_DIR=edblogs ./edb

Nirusu commented 1 year ago

Not 100% sure right now but you should see a directory with the log files, including the binlog, on the host system.

thomasten commented 1 year ago

You should have multiple files in edblogs. data_LOG is the RocksDB log, which is not a binlog.

The binlog is mariadb-binary.000001. This is also what's shown to me when I execute show binlog events. I don't know why you get something different.

thomasten commented 1 year ago

I can confirm that I can't connect to EdgelessDB with the mysql client when using --tls-version=TLSv1.1. However, I also can't connect to MariaDB with TLS 1.1, whereas on @CoconuterTATA's machine this seemed to work. (It is also possible that @CoconuterTATA's setup of MariaDB doesn't enforce TLS and it just falls back to unencrypted.)

Bottom line is EdgelessDB probably doesn't support TLSv1.1. It may be possible to enable it (via source changes), but I don't know how and wouldn't recommend it.

I agree that flink cdc may have a bug. A short research shows that they have some custom TLS code for the binlog connection, so that may be the reason why it doesn't adhere to jdbc.properties.enabledTLSProtocols.
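
Added example, not part of the thread and not EdgelessDB or Flink code: a Python probe that performs the MySQL-protocol TLS upgrade against a server such as EDB and reports which TLS versions it accepts, which is the check behind the TLS 1.1 observation above. The function names are hypothetical, host and port come from the command line, and certificate verification is off because the probe only tests protocol versions.

```python
import socket, ssl, struct, sys
CLIENT_PROTOCOL_41, CLIENT_SSL, CLIENT_SECURE_CONNECTION = 0x0200, 0x0800, 0x8000

def parse_greeting(payload):
    """Return (server_version, capability_flags) from a protocol v10 greeting."""
    if payload[0] != 0x0A:
        raise ValueError("not a protocol v10 handshake")
    end = payload.index(b"\x00", 1)
    pos = end + 1 + 4 + 8 + 1  # skip connection id, auth data part 1, filler
    (low,) = struct.unpack_from("<H", payload, pos)
    (high,) = struct.unpack_from("<H", payload, pos + 5)  # after charset + status
    return payload[1:end].decode("ascii", "replace"), low | (high << 16)

def build_ssl_request():
    """SSLRequest packet: tells the server a TLS handshake follows (sequence id 1)."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB23x", caps, 1 << 24, 45)  # 45 = utf8mb4_general_ci
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def probe(host, port, version):
    """Try one TLS version; return the negotiated version or the failure reason."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # version probe only: no credentials are sent
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=5) as raw:
        header = recv_exact(raw, 4)
        _, caps = parse_greeting(recv_exact(raw, int.from_bytes(header[:3], "little")))
        if not caps & CLIENT_SSL:
            return "server does not offer TLS"
        raw.sendall(build_ssl_request())
        try:
            with ctx.wrap_socket(raw) as tls:
                return tls.version()
        except (ssl.SSLError, OSError) as exc:
            return f"rejected ({exc})"

if __name__ == "__main__":  # usage: python probe.py <host> <port>
    for v in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, "->", probe(sys.argv[1], int(sys.argv[2]), v))
```

A local OpenSSL policy that disables TLS 1.1 on the client also produces "rejected", so a failure for that version reflects client and server together.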

thomasten commented 1 year ago

By modifying the configuration code of debezium and setting the TLS version to TLSv1.2, I did not see an error when connecting

Thanks for verifying this!

Does EdgelessDB not support binlog encryption?

Never tried the builtin encryption of MariaDB because EdgelessDB uses a custom encryption within RocksDB for storage, which is more suitable for the strong attacker model of enclaves.

flink has to process the data after getting it, so the plaintext data will be exposed. However, I think this can be solved by putting flink cdc into SGX using occlum to prevent attackers from getting plaintext

Yes, I think that should work and can still be considered confidential.