3. Password management is a pain
ssh host1.example.com
Password: XXX
$ mysql -u root -p
Password: XYZ
ssh host1.example.com
Password: ZZZ
$ mysql -u root -p
Password: ZYX
What if the sysadmin has 20 hosts to manage?
4. Automating passwords hurts even more
Example: Ansible scripts for cluster
# Galera replicates the mysql.user table, so every node needs the
# same debian-sys-maint credentials
- name: update debian-sys-maint user
  mysql_user:
    name: debian-sys-maint
    password: "{{ galera_debian_sys_maint_password }}"
    priv: "*.*:ALL,GRANT"
    append_privs: yes
    host: localhost
    state: present

# Write the same debian-sys-maint config to all nodes
- name: update debian.cnf
  template:
    src: debian.cnf.j2
    dest: /etc/mysql/debian.cnf
    mode: 0600
    owner: mysql
    group: root

- name: Create xtrabackup user and grant privileges
  mysql_user:
    name: xtrabackup
    password: "{{ galera_xtrabackup_password }}"
    priv: "*.*:RELOAD,LOCK TABLES,REPLICATION CLIENT,SUPER"
    append_privs: yes
    host: localhost
    state: present

- name: update mysql root password for all root accounts
  mysql_user:
    name: root
    host: "{{ item }}"
    priv: "*.*:ALL,GRANT"
    password: "{{ galera_root_password }}"
  with_items:
    - "{{ inventory_hostname }}"
    - 127.0.0.1
    - ::1
    - localhost
  ignore_errors: True
Failing to sync the password configuration makes the node fail completely.
5. The irony
ssh host1.example.com
Password: XXX
root$ mysql -u root -p
Password: XYZ
Mysqld: wrong password!
root$ service mysql stop
root$ scp -r /var/lib/mysql host2.example.com
root$ rm -rf
root$ echo "Revenge!" | wall
6. Goal: eliminate the root passwords
Yes, plural: on Debian/Ubuntu there are two password-protected accounts with full privileges, root and debian-sys-maint
MariaDB [mysql]> select host,user,plugin from user;
+-----------+------------------+--------+
| host | user | plugin |
+-----------+------------------+--------+
| localhost | root | |
| htpc | root | |
| 127.0.0.1 | root | |
| ::1 | root | |
| localhost | debian-sys-maint | |
+-----------+------------------+--------+
$ cat /etc/mysql/debian.cnf
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = debian-sys-maint
password = z3tm0eLnX6k2fnvb
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = debian-sys-maint
password = z3tm0eLnX6k2fnvb
socket = /var/run/mysqld/mysqld.sock
basedir = /usr
7. unix_socket to the rescue!
MariaDB [mysql]> install plugin unix_socket SONAME 'auth_socket';
MariaDB [mysql]> grant usage on *.* to 'root'@'localhost' identified via unix_socket;
MariaDB [mysql]> select host,user,plugin from user;
+-----------+------------------+-------------+
| host | user | plugin |
+-----------+------------------+-------------+
| localhost | root | unix_socket |
| htpc | root | |
| 127.0.0.1 | root | |
| ::1 | root | |
| localhost | debian-sys-maint | |
+-----------+------------------+-------------+
8. unix_socket in action
root$ mysql -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 38
Server version: 5.5.44-MariaDB-1ubuntu0.14.04.2
(Ubuntu)
user$ sudo mysql -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 29
Server version: 5.5.44-MariaDB-1ubuntu0.14.04.2
(Ubuntu)
MariaDB [(none)]>
9. unix_socket in action
root$ mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
root$ mysql -u root -psurelywrongpassword
Welcome to the MariaDB monitor. Commands end with ; or \g.
root$ mysql -u somebodyelse
ERROR 1045 (28000): Access denied for user
'somebodyelse'@'localhost' (using password: NO)
10. Caveat: logging in as root with a password from the local host (whatever name is used for it, since the server resolves 127.0.0.1 to 'localhost') will stop working
user$ mysql -u root -p
Enter password:
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
user$ mysql -u root -h 127.0.0.1 -p
Enter password:
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
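The behaviour on slides 7 to 10 all comes from one kernel feature: a UNIX domain socket lets the server ask who is on the other end (SO_PEERCRED), so the plugin compares the peer's uid with the user name the client claims and never looks at the password. The following added example, not code from the slides or from MariaDB, reproduces that mechanism in miniature so the four outcomes can be replayed without a database: the same OS user logs in with no password and with a wrong password, a claim of "somebodyelse" is refused, and a TCP connection is refused because it carries no peer credentials. The one-line wire format "USER <name> [PASSWORD <x>]", the function names and the temporary socket path are assumptions of this example, and it is Linux only.

```python
"""Peer-credential authentication over a UNIX domain socket.

Added example, not code from the slides or from MariaDB. It reproduces in
miniature what the unix_socket (auth_socket) plugin does: the server asks
the kernel who is on the other end of the socket (SO_PEERCRED), maps that
uid to a login name, and accepts only if it equals the name the client
claims. The one-line wire format "USER <name> [PASSWORD <x>]" is a
hypothetical stand-in for the MySQL handshake; Linux only.
"""
import os
import pwd
import socket
import struct
import tempfile
import threading

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid; (three 32-bit ints)
_UCRED = struct.Struct("3i")


def current_user():
    """Login name of the process running this script."""
    return pwd.getpwuid(os.getuid()).pw_name


def peer_username(conn):
    """Login name of the process at the other end of a UNIX socket, or None
    when the transport carries no peer credentials (a TCP connection reports
    pid 0 / uid -1, which is why 'mysql -h 127.0.0.1' cannot be socket-authenticated)."""
    try:
        pid, uid, _gid = _UCRED.unpack(
            conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size))
    except OSError:
        return None
    if pid == 0 or uid < 0:
        return None
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def authenticate(conn, claimed_user):
    """Decide like auth_socket: any supplied password is ignored; only the
    kernel-reported identity counts. Returns (accepted, reason)."""
    actual = peer_username(conn)
    if actual is None:
        return False, "no peer credentials on this transport"
    if actual != claimed_user:
        return False, "peer is %r, not %r" % (actual, claimed_user)
    return True, "ok"


def serve_one(listener):
    """Accept one client, read its claim, answer OK or DENIED."""
    conn, _ = listener.accept()
    with conn:
        words = conn.makefile("r").readline().split()
        claimed = words[1] if len(words) >= 2 and words[0] == "USER" else ""
        accepted, reason = authenticate(conn, claimed)
        conn.sendall(("OK\n" if accepted else "DENIED: " + reason + "\n").encode())


def try_login(address, user, password=None, family=socket.AF_UNIX):
    """Client side: connect, claim `user`, return the server's reply line."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.connect(address)
        msg = "USER " + user + (" PASSWORD " + password if password else "")
        s.sendall((msg + "\n").encode())
        return s.makefile("r").readline().rstrip("\n")


def run_demo():
    """Replay the slides' logins against a throwaway server. Returns a dict of
    scenario name -> reply so the outcomes can be checked programmatically."""
    me = current_user()
    sockdir = tempfile.mkdtemp()
    path = os.path.join(sockdir, "mysqld.sock")   # hypothetical socket path
    unix_l = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    unix_l.bind(path)
    unix_l.listen(3)
    tcp_l = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_l.bind(("127.0.0.1", 0))
    tcp_l.listen(1)
    scenarios = {
        "own name, no password": (unix_l, path, me, None, socket.AF_UNIX),
        "own name, wrong password": (unix_l, path, me, "surelywrongpassword", socket.AF_UNIX),
        "somebody else's name": (unix_l, path, "somebodyelse", None, socket.AF_UNIX),
        "own name over TCP": (tcp_l, tcp_l.getsockname(), me, "secret", socket.AF_INET),
    }
    results = {}
    for name, (listener, addr, user, pw, family) in scenarios.items():
        t = threading.Thread(target=serve_one, args=(listener,))
        t.start()
        results[name] = try_login(addr, user, pw, family)
        t.join()
    unix_l.close()
    tcp_l.close()
    os.unlink(path)
    os.rmdir(sockdir)
    return results


if __name__ == "__main__":
    for name, reply in run_demo().items():
        print("%-26s -> %s" % (name, reply))
```

Run as the user you want to test (for example under sudo) and the first two scenarios answer OK while the last two are DENIED. The password string is carried on the wire but never consulted, which is exactly why `-psurelywrongpassword` succeeds on slide 9, and the TCP case shows the slide 10 caveat from the server's side: there is no peer uid to compare, so nothing the client says can be verified.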
11. Great! When will this be by default?
● Now: New installs in Debian unstable
● Soon: New installs in Ubuntu 15.10
● Some day: official in all MariaDB releases
..but only new installs. We don't want to mess up password usage in normal version upgrades.
12. Credits and contributions
Development done
● by me (mariadb.org) and Daniel Black (openquery.com.au)
● in Debian (http://git.debian.org/?p=pkg-mysql/mariadb-10.0.git)
Contributions are welcome!