tarantool / tarantool-python

Python client library for Tarantool
https://www.tarantool.io
BSD 2-Clause "Simplified" License

Release 0.9.0 #221

Closed DifferentialOrange closed 2 years ago

DifferentialOrange commented 2 years ago

Overview

This release features SSL support.

To use an encrypted connection with a Tarantool Enterprise Edition instance, pass the "ssl" transport parameter on connect:

import tarantool

con = tarantool.Connection(
    host, port,
    user=user,
    password=password,  # 'pass' is a Python keyword and cannot be used as a name
    transport="ssl")

To verify the server, set the client's trusted certificate authorities (CA) file with the ssl_ca_file parameter:

con = tarantool.Connection(
    host, port,
    user=user,
    password=password,
    transport="ssl",
    ssl_ca_file=client_ca_file)

If the server authenticates clients using certificates issued by a given CA, you must provide the private SSL key file with the ssl_key_file parameter and the SSL certificate file with the ssl_cert_file parameter. Otherwise, these parameters are optional.

con = tarantool.Connection(
    host, port,
    user=user,
    password=password,
    transport="ssl",
    ssl_key_file=client_key_file,
    ssl_cert_file=client_cert_file)

To set SSL ciphers, pass them with the ssl_ciphers parameter as a colon-separated (:) string:

con = tarantool.Connection(
    host, port,
    user=user,
    password=password,
    transport="ssl",
    ssl_ciphers=client_ssl_ciphers)

ConnectionPool and MeshConnection also support these parameters.

mesh = tarantool.MeshConnection(
    addrs=[{  # addrs is a list of address dicts, one per instance
        "host": host,
        "port": port,
        "transport": "ssl",
        "ssl_key_file": client_key_file,
        "ssl_cert_file": client_cert_file,
        "ssl_ca_file": client_ca_file,
        "ssl_ciphers": client_ssl_ciphers,
    }],
    user=user,
    password=password)
pool = tarantool.ConnectionPool(
    addrs=[{
        "host": host,
        "port": port,
        "transport": "ssl",
        "ssl_key_file": client_key_file,
        "ssl_cert_file": client_cert_file,
        "ssl_ca_file": client_ca_file,
        "ssl_ciphers": client_ssl_ciphers,
    }],
    user=user,
    password=password)

See the Tarantool Enterprise Edition manual for details.

Breaking changes

There are no breaking changes in the release.

New features

Testing
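
The four recipes above (encrypt, verify the server, present a client certificate, tune ciphers) are independent parameters, and the one that actually protects the password sent over the connection is ssl_ca_file: with transport="ssl" alone the client encrypts but does not authenticate the server. The helper below is an added example, not code from tarantool-python. It builds the keyword arguments for tarantool.Connection and refuses the unsafe or inconsistent combinations before any network call: no CA file unless the caller opts out explicitly, a key file without its certificate (or the reverse), and a cipher string that the local OpenSSL cannot parse (checked with the standard ssl module; the names SSLConfigError, ssl_connection_kwargs, describe_problem and connect are this example's own, and the host names and paths are constructed placeholders).

```python
"""Build and sanity-check SSL keyword arguments for tarantool.Connection.

Added example, not part of tarantool-python. It validates the parameter
combination before handing it to the client; the tarantool import is
deferred so that the checks run even where the package is not installed.
"""
import ssl


class SSLConfigError(ValueError):
    """Raised when the SSL parameter combination is unsafe or invalid."""


def _check_cipher_string(ciphers: str) -> None:
    # Reject an empty or malformed cipher list up front: a string that
    # selects no cipher otherwise fails only when the handshake is attempted.
    if not ciphers.strip():
        raise SSLConfigError("ssl_ciphers must not be empty")
    if any(not part for part in ciphers.split(":")):
        raise SSLConfigError("ssl_ciphers has an empty entry (doubled or trailing ':')")
    try:
        # Same OpenSSL cipher-list syntax Tarantool uses; the local library
        # is a reasonable syntax check even though the server has its own.
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(ciphers)
    except ssl.SSLError as exc:
        raise SSLConfigError(f"ssl_ciphers rejected by local OpenSSL: {exc}") from exc


def ssl_connection_kwargs(host, port, user, password, *, ca_file=None,
                          key_file=None, cert_file=None, ciphers=None,
                          require_server_verification=True):
    """Return kwargs for tarantool.Connection(**kwargs) with transport="ssl".

    With require_server_verification=True (the default) a missing
    ssl_ca_file is an error: without a CA file the client does not verify
    who it is talking to, so an on-path attacker can terminate TLS and
    collect the user password sent on the connection.
    """
    kwargs = {"host": host, "port": port, "user": user,
              "password": password, "transport": "ssl"}
    if ca_file is None and require_server_verification:
        raise SSLConfigError("ssl_ca_file is required to verify the server; "
                             "pass require_server_verification=False to opt out")
    if ca_file is not None:
        kwargs["ssl_ca_file"] = ca_file
    # Client authentication needs both halves of the key pair.
    if (key_file is None) != (cert_file is None):
        raise SSLConfigError("ssl_key_file and ssl_cert_file must be given together")
    if key_file is not None:
        kwargs["ssl_key_file"] = key_file
        kwargs["ssl_cert_file"] = cert_file
    if ciphers is not None:
        _check_cipher_string(ciphers)
        kwargs["ssl_ciphers"] = ciphers
    return kwargs


def describe_problem(**params):
    """Return the validation error text, or None when the parameters are acceptable."""
    try:
        ssl_connection_kwargs(**params)
    except SSLConfigError as exc:
        return str(exc)
    return None


def connect(**params):
    """Validate, then open the connection (tarantool is imported only here)."""
    import tarantool  # assumed installed only when actually connecting
    return tarantool.Connection(**ssl_connection_kwargs(**params))


if __name__ == "__main__":
    # Constructed sample values: the host and file paths are placeholders.
    print(ssl_connection_kwargs(
        "db.example.internal", 3301, "app", "s3cret",
        ca_file="/etc/tarantool/ca.pem",
        key_file="/etc/tarantool/client.key",
        cert_file="/etc/tarantool/client.crt",
        ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"))
    print(describe_problem(host="db.example.internal", port=3301,
                           user="app", password="s3cret"))
```

The opt-out flag is deliberate: a connection without server verification is sometimes wanted in a lab, but it should be a visible decision in the calling code rather than the silent default the bare transport="ssl" recipe gives you.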

Totktonada commented 2 years ago
  1. I would split encryption-related options into groups:
    • To use an encrypted connection...
    • To validate the server's certificate...
    • To provide a client certificate...
    • Also you can set a cipher list using...
  2. There are several more changes/actions we need to do at release: https://github.com/tarantool/tarantool-python/wiki/How-to-make-a-release.

DifferentialOrange commented 2 years ago

The package is available in test PyPI under the 0.8.4 tag.

Totktonada commented 2 years ago

Now the recipes go in this order:

  1. How to encrypt the traffic.
  2. How to pass a client certificate.
  3. How to validate the server's certificate.
  4. How to tune ciphers.

I would change the order of 2 and 3.

I would also reword the paragraph which describes how to authenticate on a server that expects a client certificate. The phrase 'server uses trusted certificate authorities (CA) file' is not equivalent to 'requires a client certificate' or 'authenticates clients using certificates issued by the given CA'. At least: 'trusted CA file' -- trusted by whom? 'Uses CA file' -- for what?

Those are minor comments, the PR is generally okay for me. Feel free to ignore.