feat(mysql): support AWS RDS IAM authentication #404
Open
p4pupro wants to merge 7 commits into
…alation
Adds AWS RDS IAM database authentication for MySQL connections, with auto-escalation of SSL mode to VerifyCa when a CA bundle is configured.
Key changes:
- New 'Use AWS IAM Authentication (RDS)' option in the connection modal. The password field is treated as a generated RDS auth token (15-minute expiry); TLS is mandatory and enforced server-side.
- Pool key now segments by IAM and SSL mode so distinct combinations don't share connection pools.
- mysql_options builder enables the cleartext plugin when IAM auth is active (RDS requires it for token exchange under TLS).
- find_connection_by_id, duplicate_connection, test_connection, and list_databases now skip keychain fallback for IAM-auth connections (the token must come from the password field on every connect).
- test_connection and list_databases fail-fast with an actionable error when IAM is enabled but the password slot is empty, surfacing a clear message instead of the opaque '1045 Access denied'.
- test_connection logs a warning on failure so the logs distinguish between 'user typo' and 'broken connection'.
- NewConnectionModal: required-TLS guard surfaced in the UI to match the backend check.
- mcp/mod.rs: pass IAM flag through to the connection-options builder.
- 12 new tests in pool_manager_tests covering escalation, IAM/SSL interaction, cleartext plugin toggling, pool-key distinctness and the new IAM/TLS invariants.
- i18n: new strings translated across 8 locales (en, es, de, fr, it, ja, ru, zh).
The IAM auth, SSL auto-escalation, and cleartext plugin code is self-explanatory once the surrounding prose is removed. Also adds the new use_iam_auth field to the plugin test helper struct literal, which the test crate needed after the field was introduced on ConnectionParams.
The 183b754 chore commit added a second test_connection impl in drivers/mysql/mod.rs, but the file already had one routed through build_mysql_options (which honours pipes_as_concat, IAM, and the auto-fallback). Keep the more general one.
Contributor
Code Review Summary
Status: 1 Critical Issue | Recommendation: Address before merge
Files Reviewed (16 files)
Reviewed by nemotron-3-nano-30b-a3b:free · Input: 348.8K · Output: 5.1K · Cached: 187.3K
# Conflicts: # src-tauri/src/pool_manager.rs
Summary
Adds AWS RDS IAM database authentication for MySQL connections. The password
field is treated as a short-lived RDS auth token (e.g. from
aws rds generate-db-auth-token); TLS is mandatory and the connection opts into MySQL's
mysql_native_password cleartext plugin so the token can be exchanged under TLS.
Fixes the 1045 Access denied users currently get when wiring a generated RDS
auth token into a normal Tabularis connection.
What changed
- use_iam_auth flag on the MySQL connection modal. The password field is fed straight into MySqlConnectOptions on every connect; keychain lookups are skipped because the token must come from the form (15-minute expiry).
- enable_cleartext_plugin(true) is set on the pool builder when IAM auth is active. RDS requires it for token exchange under TLS.
- VerifyCa when a CA bundle is configured and the user picked Required or Preferred, so the IAM/TLS invariant holds without manual setup.
- iam:{} so an IAM-auth connection never shares a pool with a regular one.
- test_connection and list_databases fail fast with a clear error when IAM is enabled but the password is empty, and log a warning on failure so the logs distinguish "user typo" from "broken connection".
- mcp/mod.rs forwards the IAM flag into the connection-options builder.
UI
New "Use AWS IAM Authentication (RDS)" checkbox in the MySQL connection
modal. When enabled, the password placeholder switches to the RDS-token hint
and an inline message surfaces if SSL is off.
Tests
Twelve new unit tests in pool_manager_tests.rs covering:
cargo build --release, cargo test --lib (761 passing; the four askpass
failures are pre-existing on main), and pnpm tsc --noEmit all pass.
i18n
Added useIamAuth, useIamAuthHint, and useIamAuthTlsRequired across all
eight locales (en, es, de, fr, it, ja, ru, zh).
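The invariants listed in this description (fail fast on an empty token, TLS required for IAM, escalation to VerifyCa, an IAM-segmented pool key), modelled as an added example that is not taken from the Tabularis code. The Params struct, the function names and the key layout are hypothetical; rejecting Preferred without a CA bundle is an assumption of this example, made because Preferred can fall back to an unencrypted connection.

```rust
// Added illustration: names and key layout are hypothetical, not Tabularis code.
#[derive(Clone, Copy, Debug, PartialEq)]
enum SslMode { Disabled, Preferred, Required, VerifyCa }
#[derive(Clone, Copy)]
struct Params<'a> {
    host: &'a str,
    user: &'a str,
    password: &'a str, // carries the generated RDS auth token when use_iam_auth is set
    ssl_mode: SslMode,
    ca_bundle: Option<&'a str>,
    use_iam_auth: bool,
}

/// Required/Preferred escalate to VerifyCa once a CA bundle is configured.
fn effective_ssl_mode(p: &Params) -> SslMode {
    match (p.ssl_mode, p.ca_bundle) {
        (SslMode::Required | SslMode::Preferred, Some(_)) => SslMode::VerifyCa,
        (mode, _) => mode,
    }
}

/// Fail before any network I/O so the user sees a specific error, not 1045.
fn validate(p: &Params) -> Result<(), &'static str> {
    if !p.use_iam_auth { return Ok(()); }
    if p.password.trim().is_empty() {
        return Err("IAM auth is enabled but no RDS auth token was supplied");
    }
    // Assumption: Preferred may fall back to plaintext, so it is rejected here.
    match effective_ssl_mode(p) {
        SslMode::Required | SslMode::VerifyCa => Ok(()),
        _ => Err("IAM auth requires TLS (Required or VerifyCa)"),
    }
}

/// The cleartext plugin is enabled only for IAM connections that passed validation.
fn cleartext_plugin_enabled(p: &Params) -> bool {
    p.use_iam_auth && validate(p).is_ok()
}
/// The key segments pools by effective SSL mode and IAM flag; it never holds the token.
fn pool_key(p: &Params) -> String {
    format!("{}@{}|ssl:{:?}|iam:{}", p.user, p.host, effective_ssl_mode(p), p.use_iam_auth)
}

fn main() {
    // Constructed sample values.
    let p = Params { host: "db.example.internal", user: "app", password: "constructed-token",
        ssl_mode: SslMode::Preferred, ca_bundle: Some("ca.pem"), use_iam_auth: true };
    println!("{:?} {} {}", validate(&p), cleartext_plugin_enabled(&p), pool_key(&p));
}
```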