Managing a shared_mysql_farm_phpday2011

Managing a shared MySQL farm Thijs Feryn Evangelist +32 (0)9 218 79 06 thijs@combellgroup.com phpDay Friday May 13th 2011 Verona, Italy

About me I’m an evangelist at Combell

About me I’m a board member at PHPBenelux

I live in the wonderful city of Bruges MPBecker -‐ Bruges by Night hYp://www.ﬂickr.com/photos/galverson2/3715965933

Follow me on TwiYer: @ThijsFerynGive me feedback: hYp://joind.in/3003 Read my blog: hYp://blog.feryn.eu

Challenges

Challenges ✓Management across mulaple nodes ✓Aggregaang data from mulaple nodes ✓Name clashes ✓Quota management

Soluaons

Soluaons ✓Centralized provisioning database ✓GeYers on the provisioning database ✓Node mapper for user/db/privilege management ✓INFORMATION_SCHEMA for quota management ✓Preﬁxes to avoid name clashes

Provisioning plan

User Database✓Id ✓Id✓Preﬁx ✓Node✓Username ✓Preﬁx✓Password ✓Database✓Enabled ✓Quota✓DatabaseId ✓Enabled✓Write ✓Overquota✓CreateDate ✓CreateDate✓UpdateDate ✓UpdateDate

Mapping uses cases to SQL

MySQL authenacaaon & privilege system

✓Add user✓Delete user✓Reset user password✓Disable user✓Enable user

Add userINSERT INTO `user`(`prefix`,`username`,`password`,`createdate`)VALUES(‘test’,‘test_user’,‘mypass123’,NOW());

Delete userDELETE FROM ùser`WHERE username=‘test_user’;DELETE u.*, db.* FROM `mysql`.ùser` uLEFT JOIN `mysql`.`db` dbON(db.Ùser` = u.Ùser`)WHERE u.Ùser` = ‘test_user’;

Reset user passwordUPDATE ùser`SET `password` = ‘newpass123’WHERE ùsername` = ‘test_user’;UPDATE `mysql`.ùser`SET `Password` = PASSWORD(‘newpass123’)WHERE Ùser`= ‘test_user’;

Disable userUPDATE ùser`SET ènabled` = 0WHERE ùsername` = ‘test_user’;UPDATE `mysql`.ùser`SET `Host` = ‘localhost’WHERE Ùser`= ‘test_user’

Enable userUPDATE ùser`SET ènabled` = 1WHERE ùsername` = ‘test_user’;UPDATE `mysql`.ùser`SET `Host` = ‘%’WHERE Ùser`= ‘test_user’

✓Add database✓Delete database✓Set database quota✓Disable database✓Enable database

Add databaseINSERT INTO `database`(`node`,`prefix`,`database`,`quota`,`createdate`) VALUES(1,‘test’,‘test_db’,10,NOW());CREATE DATABASE test_db1;

Delete databaseDELETE FROM `database`WHERE `database` = ‘test_db’;

Delete database Are linked to this databaseSELECT u.usernameFROM `user` uWHERE u.databaseId = 123GROUP BY u.username; Find deletable users to delete from MySQL privileges system

Delete databaseDELETE u.*, db.*FROM ùser` uLEFT JOIN `db` dbON(db.Ùser` = u.Ùser`)WHERE u.Ùser` IN(test_user’); Delete these users from MySQL privileges system

Delete databaseDROP DATABASE test_db;

Set database quotaUPDATE `database`SET `quota` = 100WHERE `database` = ‘test_db’;

Disable databaseUPDATE `database` SET`enabled` = 0WHERE `database` = ‘test_db’;DELETE FROM `db`WHERE db = test_db’;

Enable databaseUPDATE `database` SET`enabled` = 1WHERE `database` = ‘test_db’;

Enable databaseSELECT u.username, u.writeFROM user uWHERE u.databaseId = 123 Find user mappings to re-‐enable

Enable databaseINSERT INTO `db`(Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Create_tmp_table_priv,Lock_tables_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Execute_priv)

Write Enable database permissionsVALUES(‘%’,‘test_db’,‘test_user’,Y,Y,Y,Y,Y,Y,N,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y); Read-‐ only permissionsVALUES(‘%’,‘test_db’,‘test_user’,Y,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N,Y);

✓Grant privilege✓Revoke privilege✓Enable database wriang✓Disable database wriang

Write Grant privilege permissionsUPDATE ùser`SET `databaseId`=123, `write`=1WHERE ùsername`= ‘test_user’; Read-‐ only permissionsUPDATE ùser`SET `databaseId`=123, `write`=0WHERE ùsername`= ‘test_user’;

Grant privilege Try adding user or catch duplicate user errorINSERT INTO `user`(Host,User,Password)VALUES(‘%’,‘test_user’,PASSWORD(‘password’));

Grant privilegeINSERT INTO `db`(Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Create_tmp_table_priv,Lock_tables_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Execute_priv)

Write Grant privilege permissionsVALUES(‘%’,‘test_db’,‘test_user’,Y,Y,Y,Y,Y,Y,N,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y); Read-‐ only permissionsVALUES(‘%’,‘test_db’,‘test_user’,Y,N,N,N,N,N,N,N,N,N,N,N,N,Y,N,N,Y);

Revoke privilegeUPDATE ùser`SET `databaseId`= NULL, `write`= NULLWHERE ùser`= ‘test_user’;DELETE u.*, db.* FROM ùser` u LEFT JOIN`db` db ON(db.Ùser` = u.Ùser`) WHEREu.Ùser` = ‘test_user’;

Enable database wriangUPDATE `user` SET `write`= 1WHERE `username` = ‘test_user’;

Enable database wriangUPDATE `db` SET`Select_priv` = Y,Ìnsert_priv` = Y,UPDATE ùser`Y,`Delete_priv` 1Ùpdate_priv` = SET `write`= = Y,WHERE ùsername` = ‘test_user’;`Create_priv` = Y,`Drop_priv` = Y,`Grant_priv` = N,`References_priv` = Y,Ìndex_priv` = Y,Àlter_priv` = Y,`Create_tmp_table_priv`=Y,`Lock_tables_priv` =Y,`Create_view_priv` = Y,`Show_view_priv` =Y,`Create_routine_priv` = Y,Àlter_routine_priv` = Y,Èxecute_priv` = YWHERE `db`= ‘test_db’ AND ùser` = ‘test_user’;

Disable database wriangUPDATE `user` SET `write`= 0WHERE `username` = ‘test_user’;

Disable database wriangUPDATE `db` SET`Select_priv` = Y,Ìnsert_priv` = N,UPDATE ùser`N,`Delete_priv` 1Ùpdate_priv` = SET `write`= = N,WHERE ùsername` = ‘test_user’;`Create_priv` = N,`Drop_priv` = N,`Grant_priv` = N,`References_priv` = N,Ìndex_priv` = N,Àlter_priv` = N,`Create_tmp_table_priv`=N,`Lock_tables_priv` =N,`Create_view_priv` = N,`Show_view_priv` =Y,`Create_routine_priv` = N,Àlter_routine_priv` = N,Èxecute_priv` = YWHERE `db`= ‘test_db’ AND ùser` = ‘test_user’;

Quota management

Quota management✓Limits in provisioning database✓Current usage stored in INFORMATION_SCHEMA✓Raao calculated via cron task✓Write permissions disabled while over quota

Quota managementSELECT `database`,`quota`FROM `database`SELECT TABLE_SCHEMA as `database`,ROUND(SUM(DATA_LENGTH + INDEX_LENGTH)/1048576,2) as `usage`FROM `information_schema`.`TABLES`GROUP BY TABLE_SCHEMA

Quota managementUPDATE `database`SET `overquota` = 1WHERE `database` = ‘test_db’;

Quota managementUPDATE `db` SET`Select_priv` = Y,Ìnsert_priv` = N,Ùpdate_priv` = N,`Delete_priv` = Y,`Create_priv` = N,`Drop_priv` = Y,`Grant_priv` = N,`References_priv` = N,Ìndex_priv` = N,Àlter_priv` = N,`Create_tmp_table_priv` =N,`Lock_tables_priv` = N,`Create_view_priv` = N,`Show_view_priv` =Y,`Create_routine_priv` = N,Àlter_routine_priv` = N,Èxecute_priv` =Y WHERE `db`= ‘test_database’

Quota managementUPDATE `database`SET `overquota` = 0WHERE `database` = ‘test_db’;

Quota managementUPDATE `db` SET`Select_priv` = Y,Ìnsert_priv` = Y,Ùpdate_priv` = Y,`Delete_priv` = Y,`Create_priv` = Y,`Drop_priv` = Y,`Grant_priv` = N,`References_priv` = Y,Ìndex_priv` = Y,Àlter_priv` = Y,`Create_tmp_table_priv`=Y,`Lock_tables_priv` = Y,`Create_view_priv` = Y,`Show_view_priv` =Y,`Create_routine_priv` = Y,Àlter_routine_priv` = Y,Èxecute_priv` =Y WHERE `db`= ‘test_db’

Single point of management

Single point of connecaon

Replicaaon & loadbalancing

Proxying strategies

Server proxy

Goal✓ Accept connecaon using the proxy✓Hook into the authenacaaon✓Match user to the provisioning DB✓Fetch node from provisioning✓Switch to the right node➡Eﬀecave proxying soluaon

Reality

Reality✓ Accept connecaon using the proxy✓Hook into the authenacaaon✓Match user to the provisioning DB✓Fetch node from provisioning✓Switch to the right node➡Eﬀecave proxying soluaon

RealityConnecaon switching only happens in the connect_server hook Auth info is only available starang from the read_auth hook

Bridge the gap Redirect to node based on client IP

Let’s see some code !

Coderequire(luarocks.require)require(md5)require(Memcached)require(luasql.mysql)local memcache = Memcached.Connect()-‐-‐-‐ configlocal mysqlhost = "localhost"local mysqluser = "myUser"local mysqlpassword = "MyPwDsesd"local mysqldatabase = "test"-‐-‐ debuglocal debug = true Dependencies & conﬁg

Codefunction error_result (msg) proxy.response = { type = proxy.MYSQLD_PACKET_ERR, errmsg = msg, errcode = 7777, sqlstate = X7777, } return proxy.PROXY_SEND_RESULTend Custom MySQL errors

function node_get(ip) local node = memcache:get(md5.sumhexa(ip))Code if not node == nil then return loadstring(return ..memcache:get(md5.sumhexa(ip)))() end node = sql_get(ip) if node == nil then return nil end memcache:set(md5.sumhexa(ip), node, 3600) return nodeend Get node from cache or database

function sql_get(ip) env = assert (luasql.mysql())Code con = assert (env:connect(mysqldatabase,mysqluser,mysqlpassword,mysqlhost)) cur = assert (con:execute(string.format("SELECT n.ìd` FROM àccesslist` a JOIN `node` n ON(n.id=a.node) WHERE a.ìp` = %s",ip))) row = cur:fetch ({}, "a") if cur:numrows() == 0 then return nil end cur:close() con:close() env:close() return row.idend Get node from provisioning database

Codefunction connect_server() selectedNode = node_get(proxy.connection.client.src.address) if selectedNode == nil then return error_result(string.format("No info found in the cluster for IP %s",proxy.connection.client.src.address)) end proxy.connection.backend_ndx = selectedNode end Retrieve and switch to node

Reality MySQL Proxy is not acavely supported

Client proxy

MySQL Naave Driver Plugins

MySQL Naave Driver Plugins✓ Accept connecaon using the proxy✓Hook into the authenacaaon✓Match user to the provisioning DB✓Fetch node from provisioning✓Switch to the right node✓Doesn’t work for remote connecaons➡Eﬀecave proxying soluaon

DNS & hostnames Hostname per account

What about PhpMyAdmin?

What about PhpMyAdmin?✓Use single signon auth module✓Use customized fallback auth module✓Detect linked database & node✓Switch to node

conﬁg.inc.php<?php$cfg[Servers][1][auth_type] = httpsoap;$cfg[Servers][1][host] = 1.2.3.4;$cfg[Servers][1][connect_type] = tcp;$cfg[Servers][1][compress] = false;$cfg[Servers][1][extension] = mysql;$cfg[Servers][1][AllowNoPassword] = false;$cfg[Servers][2][auth_type] = httpsoap;$cfg[Servers][2][host] = 1.2.3.5;$cfg[Servers][2][connect_type] = tcp;$cfg[Servers][2][compress] = false;$cfg[Servers][2][extension] = mysql;$cfg[Servers][2][AllowNoPassword] = false;$cfg[Servers][3][extension] = mysql;$cfg[Servers][3][auth_type] = signon;$cfg[Servers][3][SignonSession] = SSOSession;$cfg[Servers][3][SignonURL] = scripts/signon.php;$cfg[Servers][3][LogoutURL] = scripts/signon-logout.php;

scripts/signon.php<?phpif (isset($_REQUEST[user])) { try{ $soap = new SoapClient(http://my.soap-webservice.net/?WSDL); $user = $soap->user_getByUsername($_REQUEST[user]); if(!isset($_REQUEST[hash])){ die("No hash submitted"); } if(sha1($user->username.$user->password.azertyuiop) !== $_REQUEST[hash]){ die("Invalid hash"); } } catch (Exception $e){ die("No such user"); }...

scripts/signon.php session_set_cookie_params(0, /, , 0); $session_name = SSOSession; session_name($session_name); session_start(); $_SESSION[PMA_single_signon_user] = $user->username; $_SESSION[PMA_single_signon_password] = $user->password; $_SESSION[PMA_single_signon_host] = $user->node; $_SESSION[PMA_single_signon_port] = 3306; $id = session_id(); session_write_close(); header(Location: ../index.php?server=3);} else { header(Location: ../index.php?server=1); exit();}

scripts/signon-‐logout.php<?phpsession_set_cookie_params(0, /, , 0);$session_name = SSOSession;session_name($session_name);session_start();session_destroy();header(Location: ../index.php?server=1);

Customized fallback auth module✓Copy of ./libraries/auth/h4p.auth.lib.php✓Modify PMA_auth_set_user() funcaon✓Implement detecaon logic✓Communicates with provisioning service✓Retrieves database & node✓Switches to node

libraries/auth/hYpsoap.auth.lib.php<?phpfunction PMA_auth_set_user(){ global $cfg, $server; global $PHP_AUTH_USER, $PHP_AUTH_PW; try{ $soap = new SoapClient(http://my.soap-webservice.net/?WSDL); $user = $soap->user_getByUsername($PHP_AUTH_USER); $cfg[Server][host] = $user->node; } catch (Exception $e){ PMA_auth(); return true; }...

libraries/auth/hYpsoap.auth.lib.phpif ($cfg[Server][user] != $PHP_AUTH_USER) { $servers_cnt = count($cfg[Servers]); for ($i = 1; $i <= $servers_cnt; $i++) { if (isset($cfg[Servers][$i]) && ($cfg[Servers][$i][host] == $cfg[Server][host] && $cfg[Servers][$i][user] == $PHP_AUTH_USER)) { $server = $i; $cfg[Server] = $cfg[Servers][$i]; break; } } } $cfg[Server][user] = $PHP_AUTH_USER; $cfg[Server][password] = $PHP_AUTH_PW; return true;}

Managing a shared_mysql_farm_phpday2011

by Combell Group on May 13, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Managing a shared_mysql_farm_phpday2011 — Presentation Transcript