
Protective convenience
Recent versions of MySQL have an added security feature, the --login-path option. This feature stores your username and password in an encrypted file, and you refer clients to this file instead of typing plain text passwords on the console or putting them in scripts. This makes it harder for an attacker to snoop passwords, and it is also more convenient for you as the user, since there is less password typing involved.
In this blog I’ll show you how to use this feature with MCM.
2 scenarios
As a user there are two scenarios where one would typically use the --login-path feature. Between
- the mysql client and mysqld
- the mcm client and mcmd
To get going quickly, I’ll bootstrap a cluster using the --bootstrap option for mcmd.
    $ ./mcm1.4.6/bin/mcmd --bootstrap
    MySQL Cluster Manager 1.4.6 (64bit) started
    Connect to MySQL Cluster Manager by running "/foo/mcm1.4.6/bin/mcm" -a thinkpad:1862
    Configuring default cluster 'mycluster'...
    Setting default_storage_engine to ndbcluster...
    Starting default cluster 'mycluster' version '5.7.22-ndb-7.6.6-cluster-commercial-advanced'...
    Cluster 'mycluster' started successfully
            ndb_mgmd        thinkpad:1186
            ndbmtd          thinkpad
            ndbmtd          thinkpad
            mysqld          thinkpad:3306
            mysqld          thinkpad:3307
            ndbapi          *
    Connect to the database by running "/foo/cluster/bin/mysql" -h 127.0.0.1 -P 3306 -u root
Our test cluster is up and running in about 30 seconds – with 2 mysqlds, 2 data nodes, an ndb_mgmd, and an ndbapi slot ready to go.
mysql_config_editor
The tool used to create the encrypted file on disk is called mysql_config_editor. It places your logins in a single file in your home directory by default. On Linux this file is ~/.mylogin.cnf. Each defined login is associated with a logical name chosen by the user. In a MySQL Cluster context an example logical name could be “mysqld50” for a mysqld with cluster nodeid 50, but you are free to choose as you please.
In addition, you can set the $MYSQL_TEST_LOGIN_FILE environment variable to specify an alternative file for mysql_config_editor to use.
More details are available in the --login-path documentation, should you want them.
Let’s decide we want to use one .mylogin.conf file per cluster in our MCM setup. By default MCM places all cluster-specific data in a subfolder hierarchy under its mcm_data/clusters folder. Since our testing cluster is all on a single host, we can place our alternate .mylogin.conf here. In a real-world setup you would likely be better off placing the alternate login file somewhere in your home directory, or another globally reachable or mounted location. The cluster-specific subfolder hierarchy under mcm_data is local to each machine, and isn’t distributed to other hosts across the MCM site. Any file created here will not be available on another host. Since this is a single-host cluster, we disregard this and carry on specifying the alternate login file:
    $ cd /foo
    $ export MYSQL_TEST_LOGIN_FILE=/foo/mcm_data/clusters/mycluster/.mylogin.conf
mysql client to mysqld
Next, we define the login paths for our 2 mysqlds on ports 3306 and 3307. Let’s name them “mysqld50” and “mysqld51” respectively:
    $ ./cluster/bin/mysql_config_editor set --login-path=mysqld50 --host=thinkpad --port=3306 --user=mcmd --password
    Enter password:
    $ ./cluster/bin/mysql_config_editor set --login-path=mysqld51 --host=thinkpad --port=3307 --user=mcmd --password
    Enter password:
Using the print --all options we may inspect the generated file:
    $ ./cluster/bin/mysql_config_editor print --all
    [mysqld50]
    user = mcmd
    password = *****
    host = thinkpad
    port = 3306
    [mysqld51]
    user = mcmd
    password = *****
    host = thinkpad
    port = 3307
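Because this walkthrough places the login file under mcm_data rather than in a home directory, it is worth confirming that only the owning account can read or replace it. The following is an added example, not part of the original post or of MySQL/MCM; check_login_file is a hypothetical helper that reads MYSQL_TEST_LOGIN_FILE by default, so the same check works for any alternate login file.

```shell
#!/bin/sh
# Added example: audit a login-path file before pointing clients at it.
# check_login_file is a hypothetical helper, not a MySQL or MCM tool.
# Usage: check_login_file [path]   (default: $MYSQL_TEST_LOGIN_FILE)

check_login_file() {
    local f="${1:-${MYSQL_TEST_LOGIN_FILE:-$HOME/.mylogin.cnf}}"
    local dir
    local mode
    local rc=0

    # A symlink could silently redirect clients to someone else's file.
    if [ -L "$f" ]; then
        echo "FAIL: $f is a symlink" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is missing or not a regular file" >&2
        return 1
    fi
    # The file must belong to the account that runs the clients.
    if [ ! -O "$f" ]; then
        echo "FAIL: $f is not owned by $(id -un)" >&2
        rc=1
    fi
    # ls -ld prints e.g. "-rw-------"; the last six characters are the
    # group and other permission bits, which must all be unset.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case "$mode" in
        ????------) ;;
        *) echo "FAIL: $f has mode $mode; expected -rw-------" >&2; rc=1 ;;
    esac
    # A directory writable by group or others lets them swap the file.
    dir=$(dirname -- "$f")
    mode=$(ls -ld -- "$dir" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?)
            echo "FAIL: $dir is group/world writable ($mode)" >&2; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f"
    fi
    return "$rc"
}
```

Run it in the same shell where MYSQL_TEST_LOGIN_FILE is exported; a non-zero return means the file or its directory should be tightened before clients use it.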
We can now refer to these login paths when we connect to the mysqlds:
    $ ./cluster/bin/mysql --login-path=mysqld51
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 9
    Server version: 5.7.22-ndb-7.6.6-cluster-commercial-advanced MySQL Cluster Server - Advanced Edition (Commercial)

    Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> show variables like "port";
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | port          | 3307  |
    +---------------+-------+
    1 row in set (0.00 sec)

    mysql> show variables like "ndb_nodeid";
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | ndb_nodeid    | 51    |
    +---------------+-------+
    1 row in set (0.00 sec)
As expected, login path “mysqld51” connected us to mysqld 51 running on port 3307. That’s sorted, then!
mcm client to mcmd
Now, let’s repeat for the mcm client connections to mcmd in a different shell. We’ll want to keep the mcmd login around even if we should delete the cluster, so we place the login file directly under mcm_data instead:
    $ export MYSQL_TEST_LOGIN_FILE=/foo/mcm_data/.mcmdlogin.cnf
    $ ./cluster/bin/mysql_config_editor set --login-path=mcm --host=thinkpad --port=1862 --password
    Enter password:
Again, using print --all to verify:
    $ ./cluster/bin/mysql_config_editor print --all
    [mcm]
    password = *****
    host = thinkpad
    port = 1862
We can now use --login-path to connect to mcmd with the mcm client as well:
    $ ./mcm1.4.6/bin/mcm --login-path=mcm
    MySQL Cluster Manager client started.
    This wrapper will spawn the mysql client to connect to mcmd

    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 1
    Server version: 1.4.6 MySQL Cluster Manager

    Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mcm> version;
    +-------------------------------------+
    | Version                             |
    +-------------------------------------+
    | MySQL Cluster Manager 1.4.6 (64bit) |
    +-------------------------------------+
    1 row in set (0.00 sec)

    mcm>
And we’re all set, using --login-path with MCM.