AWS IAM Database Authentication using Java connection pool


Question

I am looking for a Java database connection pool that allows me to use AWS IAM Database Authentication for my Aurora MySQL. The pool should be able to work with a Tomcat context.xml file.

I have looked at Tomcat DBCP, dbcp2, HikariCP and c3p0. But they all seem to assume the username and password are known at application startup and do not change in the lifetime of the application.

For IAM database authentication the credentials change every 15 minutes, so the pool needs to ask AWS IAM for new credentials whenever it creates new connections (the credentials could be cached for a few minutes).

Is this implemented in any Java connection pool? Or do you have an idea on how to get this to work?

Recommended answer

I've also had to face this problem using a Node.js Lambda and MySQL RDS. We were using a mysql connection pool, and so we implemented a solution that created a future date-time that we could check to see if connections were about to expire whenever a connection was requested from the pool. This date-time was 15 minutes minus some jitter after the connection pool was initialized.

So getting the connection pool (to get a connection) would look like:

const getPool = async (): Promise<DbConnectionPool> => {
  if (isRdsIamTokenCloseToExpiring()) {
    await poolHolder.lock.acquire();
    try {
      // Re-check after acquiring the lock: another caller may already have
      // rebuilt the pool while we were waiting.
      if (isRdsIamTokenCloseToExpiring()) {
        await closeConnectionsInPool();
        await initializeConnectionPool();
      }
    } finally {
      poolHolder.lock.release();
    }
  }
  if (!poolHolder.pool) {
    throw new Error('pool holder is null - this should never happen');
  } else {
    return poolHolder.pool;
  }
};

Because we had multiple concurrent async threads trying to get a connection, we had to introduce a semaphore to control the pool re-initialization. All in all, having to do this was more cumbersome than using a username & password, but it is more secure.

To answer Isen Ng's comment above (I don't have the rep to answer directly), connections whose RDS IAM token expires will stop working.
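
The pattern the answer describes (a refresh deadline of 15 minutes minus a margin and jitter, plus a lock so only one concurrent caller rebuilds the pool), as a self-contained added example that is not the answerer's code. `Mutex`, `createTokenPool`, `fetchToken`, `SAFETY_MARGIN_MS` and the in-memory `Pool` object are assumptions standing in for the real token signer and MySQL pool.

```typescript
// Added example: Mutex, createTokenPool, fetchToken and SAFETY_MARGIN_MS are assumed names.
const TOKEN_TTL_MS = 15 * 60 * 1000; // token lifetime stated in the question
const SAFETY_MARGIN_MS = 60 * 1000;  // assumed value: rebuild one minute early
type Pool = { token: string; closed: boolean };
class Mutex {
  private tail: Promise<void> = Promise.resolve();
  acquire(): Promise<() => void> { // resolves with release() once earlier holders are done
    let release: () => void = () => {};
    const ready = this.tail.then(() => release);
    this.tail = new Promise<void>((resolve) => { release = resolve; });
    return ready;
  }
}

// fetchToken stands in for the AWS SDK token signer; now() is an injectable clock (ms);
// jitter() returns milliseconds taken off the refresh deadline.
function createTokenPool(fetchToken: () => Promise<string>, now: () => number, jitter: () => number) {
  const lock = new Mutex();
  let pool: Pool | null = null;
  let refreshAt = 0, rebuilds = 0;
  const isTokenCloseToExpiring = () => pool === null || now() >= refreshAt;
  const getPool = async (): Promise<Pool> => {
    if (isTokenCloseToExpiring()) {
      const release = await lock.acquire();
      try {
        // Re-check under the lock: a concurrent caller may already have rebuilt the pool.
        if (isTokenCloseToExpiring()) {
          if (pool) pool.closed = true; // stands in for closing the pooled connections
          pool = { token: await fetchToken(), closed: false };
          refreshAt = now() + TOKEN_TTL_MS - SAFETY_MARGIN_MS - jitter();
          rebuilds++;
        }
      } finally { release(); }
    }
    if (!pool) throw new Error("pool was never initialised");
    return pool;
  };
  return { getPool, isTokenCloseToExpiring, rebuildCount: () => rebuilds };
}

// Constructed scenario: `callers` concurrent requests at t=0 and again at t=14.5 min.
async function simulate(callers: number) {
  let clock = 0, issued = 0;
  const tp = createTokenPool(async () => `token-${++issued}`, () => clock, () => 0);
  const burst = () => Promise.all(Array.from({ length: callers }, () => tp.getPool()));
  const first = (await burst()).map((p) => p.token);
  clock = 14.5 * 60 * 1000; // past the 14-minute refresh deadline (zero jitter here)
  const second = (await burst()).map((p) => p.token);
  return { rebuilds: tp.rebuildCount(), first, second };
}
```

With five concurrent callers per burst, the token is fetched once per burst rather than five times, because every waiter re-checks the deadline after it obtains the lock.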
