[proxy] Refactor cplane API and add new console SCRAM auth API

Now the proxy binary accepts the `--auth-backend` CLI option, which determines
the auth scheme and cluster routing method. The following backends are currently
implemented:

* legacy
    old method: when the username ends with `@zenith` it uses md5 auth and dbname as
    the cluster name; otherwise, it sends a login link and waits for the console
    to call back
* console
    new SCRAM-based console API; uses SNI info to select the destination
    cluster
* postgres
    uses postgres to select auth secrets of existing roles. Useful for local
    testing.
* link
    sends a login link for all usernames.
Stas Kelvich
2022-04-30 00:58:57 +03:00
parent af0195b604
commit 0323bb5870
21 changed files with 722 additions and 578 deletions


@@ -73,7 +73,7 @@ pub async fn thread_main(
async fn handle_client(
config: &ProxyConfig,
cancel_map: &CancelMap,
stream: impl AsyncRead + AsyncWrite + Unpin,
stream: impl AsyncRead + AsyncWrite + Unpin + Send,
) -> anyhow::Result<()> {
// The `closed` counter will increase when this future is destroyed.
NUM_CONNECTIONS_ACCEPTED_COUNTER.inc();
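Review bot: the widened bound on `stream` (`+ Send`) in `handle_client` is not explained anywhere in the hunk; a one-line comment saying what now requires the handler's future to be `Send` (presumably the task being spawned from `thread_main`, or an await inside the new console auth path) would save the next reader from rediscovering it and would make clear that this bound has to stay in sync with the matching `impl<S: ... + Send> Client<S>` block.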
@@ -148,6 +148,8 @@ async fn handshake<S: AsyncRead + AsyncWrite + Unpin>(
.or_else(|e| stream.throw_error(e))
.await?;
// TODO: set creds.cluster here when SNI info is available
break Ok(Some((stream, creds)));
}
CancelRequest(cancel_key_data) => {
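Review bot: the new `// TODO: set creds.cluster here when SNI info is available` leaves `creds.cluster` unset at the point where the handshake returns `Ok(Some((stream, creds)))`, while the commit message says the console backend selects the destination cluster from SNI. The hunk should state where `creds.cluster` is populated in the meantime, or what the console backend does when it is still empty, so that no connection is routed with an unset cluster; if the SNI wiring is deferred, reference the tracking issue in the TODO rather than leaving a free-floating note.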
@@ -174,7 +176,7 @@ impl<S> Client<S> {
}
}
impl<S: AsyncRead + AsyncWrite + Unpin> Client<S> {
impl<S: AsyncRead + AsyncWrite + Unpin + Send> Client<S> {
/// Let the client authenticate and connect to the designated compute node.
async fn connect_to_db(
self,
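Review bot: the `AsyncRead + AsyncWrite + Unpin + Send` bound is now spelled out on both the free function `handle_client` and this `impl Client<S>` block, while `handshake` a few lines above keeps the bare `AsyncRead + AsyncWrite + Unpin` set; consider a small helper trait with a blanket impl (e.g. `trait ClientStream: AsyncRead + AsyncWrite + Unpin + Send {}`) so the bounds cannot drift apart, or add a short comment on `handshake` saying why it deliberately does not require `Send`.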