6.10.2 Configuring the MySQL Router User

When MySQL Router connects to a Cluster, ClusterSet, or ReplicaSet, it requires a user account that has the correct privileges. From MySQL Router version 8.0.19 this internal user can be specified using the --account option. In previous versions, MySQL Router created internal accounts at each bootstrap of the cluster, which could result in many accounts building up over time. From MySQL Shell version 8.0.20, you can use AdminAPI to set up the user account required for MySQL Router.

Use the setupRouterAccount(user, [options]) operation to create a MySQL user account or upgrade an existing account so that it can be used by MySQL Router to operate on an InnoDB Cluster or InnoDB ReplicaSet. This is the recommended method of configuring MySQL Router with InnoDB Cluster and InnoDB ReplicaSet.

To add a new MySQL Router account named myRouter1 to the InnoDB Cluster referenced by the variable testCluster, issue:

mysqlsh> testCluster.setupRouterAccount('myRouter1')

In this case, no domain is specified and so the account is created with the wildcard (%) character, which ensures that the created user can connect from any domain. To limit the account to only be able to connect from the example.com domain in JavaScript, issue:

mysql-js> testCluster.setupRouterAccount('myRouter1@example.com')

Or using Python:

mysql-py> testCluster.setup_router_account('myRouter1@example.com')

The operation prompts for a password, and then sets up the MySQL Router user with the correct privileges. If the InnoDB Cluster or InnoDB ReplicaSet has multiple instances, the created MySQL Router user is propagated to all of the instances.

When you already have a MySQL Router user configured, for example if you are using a version prior to 8.0.20, you can use the setupRouterAccount() operation to reconfigure the existing user. In this case, pass in the update option set to true. For example, to reconfigure the myOldRouter user, issue the following in JavaScript:

mysql-js> testCluster.setupRouterAccount('myOldRouter', {'update':1})

Or using Python:

mysql-py> testCluster.setup_router_account('myOldRouter', {'update':1})

You can also update the MySQL Router user's password with the dictionary options {password: "newPassword", update: 1} . The following JavaScript example updates the password of the MySQL Router user, myRouter1 to newPassword1#:

mysql-js> testCluster.setupRouterAccount('myRouter1', {password: "newPassword1#",'update':1})

Or using Python:

mysql-py> testCluster.setup_router_account('myRouter1', {password: "newPassword1#", 'update':1})

As of MySQL Shell 8.0.33, SSL certificates are supported. The following options were added to setupRouterAccount():

  • requireCertIssuer: Optional SSL certificate issuer for the account.

  • requireCertSubject: Optional SSL certificate subject for the account.

  • passwordExpiration: numberOfDays | Never | Default: Password expiration setting for the account.

    • numberOfDays: The number of days before the password expires.

    • Never: The password never expires.

    • Default: The system default is used.