WL#12974: Frontend for MySQL Routers keyring
MySQL Router can store the passwords in a keyring at bootstrap.
The keyring is secured by either
- master key provided via stdin or
- master-key-file or
- an external key utility
Both the master-key-file and the external key utility use the absolute filename of the keyring file as the lookup key for retrieving the keyring-key.
- As Router Admin I want to add or change the password that's used by the router to update it after it has been expired on the server.
- As Router Admin I want to move router installation to a new location.
- As Router Admin I want to add new accounts to the keyring to unify accounts used by the router after bootstrap.
- As Router Admin I want to remove accounts from the keyring that aren't used anymore.
- list the accounts stored in the keyring
- remove accounts from the keyring
- change password of accounts in the keyring
- change the filename location in the master-keyring
All commands which accept --master-key-writer MUST fail if --master-key-file is also specified.
if decryption fails,
export MUST fail if keyring does not exist.
- empty usernames MUST fail.
- empty property-keys MUST fail.
if the keyring does not exist, init MUST create it.
init MUST create a master-key-file if it doesn't exist.
init MUST add the encrypted keyring-key to the master-key-file.
init MUST pass the keyring-key to the provided executable.
list MUST fail if master-key-file does not exist.
if only filename is provided, list MUST print the usernames stored in the keyring.
if filename and username are provided and username exists in the keyring, list MUST print the property names stored in the keyring for that username.
if filename and username are provided and username does not exist in the keyring,
if filename, username and property-key are provided and the property-key exists for the user in the keyring, get MUST print the value of the property that's stored in the keyring for that username.
if filename, username and property-key are provided and the property-key does not exist for the user in the keyring,
if filename, username and property-key are provided and the username does not exist in the keyring,
if filename is provided, export MUST print the decrypted content of the keyring as JSON to stdout.
if filename, username, property-key and value are provided, set MUST set the property and create username if it does not exist already in the keyring.
if filename, username and property-key are provided and username and property-key exist, delete MUST delete the property of that user from the keyring.
if filename, username and property-key are provided and username or property-key do not exist,
if filename and username are provided, but no property-key, and username exists in the keyring, delete MUST delete the user from the keyring.
if filename and username are provided, but no property-key, and username does not exist in the keyring,
if master-key-file is provided and exists, master-key-list MUST print the ids to stdout.
if master-key-file is provided and exists, and key-id is provided and exists, master-key-delete MUST delete the entry from the master-key-file.
if master-key-file is provided and exists, and key-id is provided and exists, and new-key-id is not empty, master-key-rename MUST rename the entry in the master-key-file.
keyring and master-key-file
The keyring is stored in data/keyring of the router datadir and contains:
- a 32-byte salt
- an encrypted dictionary of key-value pairs per username
The dictionary of the keyring is AES-256-CBC encrypted based on a key stored
- externally via --master-key-reader/--master-key-writer
- in a master-key-file
The master-key-file is a persisted array of encrypted keyring keys, where
enc_keyring_key = AES_256_CBC_enc(keyring_key, keyring_random, iv)
Get the usage help on stdout:
$ mysqlrouter_keyring --help
Get the version information on stdout:
$ mysqlrouter_keyring --version
All commands accept --master-key-writer instead of
Initialize keyring with master-key-file:
$ mysqlrouter_keyring init --master-key-file=mysqlrouter.key data/keyring
- creates keyring if it doesn't exist
- creates master-key-file if it doesn't exist
- adds the keyring's encrypted key to the master-key-file if it isn't already present there
List usernames stored in keyring to stdout.
$ mysqlrouter_keyring list --master-key-file=mysqlrouter.key data/keyring
List properties of a user stored in keyring to stdout.
$ mysqlrouter_keyring list --master-key-file=mysqlrouter.key data/keyring user
Get property of user from keyring and print to stdout.
$ mysqlrouter_keyring get --master-key-file=mysqlrouter.key data/keyring someuser key
Export the keyring as JSON to stdout.
$ mysqlrouter_keyring export --master-key-file=mysqlrouter.key data/keyring
Set a property in the keyring:
$ mysqlrouter_keyring set --master-key-file=mysqlrouter.key data/keyring user key value
If value is not provided, it will be read from stdin.
Delete a user from the keyring:
$ mysqlrouter_keyring delete --master-key-file=mysqlrouter.key data/keyring user
Delete a property of a user from the keyring:
$ mysqlrouter_keyring delete --master-key-file=mysqlrouter.key data/keyring user key
List keyring-ids from master-key-file to stdout:
$ mysqlrouter_keyring master-key-list --master-key-file=mysqlrouter.key
Delete master-key for "keyring" from master-key-file:
$ mysqlrouter_keyring master-key-delete --master-key-file=mysqlrouter.key data/keyring
Rename the keyring-id in a master-key-file:
$ mysqlrouter_keyring master-key-rename --master-key-file=mysqlrouter.key data/keyring other/data/keyring
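As an added illustration (not MySQL Router's own code), a Go model of the master-key-file described above and of what master-key-rename does to it after a datadir move: entries are keyed by the keyring's absolute filename, so a lookup at the new path fails until the entry is renamed. The in-memory structure, the 32-byte keyring_random and the example paths are assumptions, not the project's on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKeyFile is a constructed model of the spec's master-key-file (not Router's on-disk format): one enc_keyring_key per keyring, looked up by absolute filename.
type MasterKeyFile struct {
	master  []byte            // keyring_random: 32-byte key that wraps every keyring_key
	entries map[string][]byte // keyring path -> iv || enc_keyring_key
}
// cbc runs AES-256-CBC over whole blocks; keyring_key is assumed to be 32 bytes, so no padding is needed.
func cbc(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(in) == 0 || len(in)%aes.BlockSize != 0 { return nil, fmt.Errorf("input is not whole AES blocks") }
	mode := cipher.NewCBCEncrypter(block, iv)
	if decrypt { mode = cipher.NewCBCDecrypter(block, iv) }
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out, nil
}
// Add stores enc_keyring_key = AES_256_CBC_enc(keyring_key, keyring_random, iv) under the keyring path.
func (m *MasterKeyFile) Add(path string, keyringKey []byte) error {
	if m.entries == nil { m.entries = map[string][]byte{} }
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { return err }
	enc, err := cbc(m.master, iv, keyringKey, false)
	if err != nil { return err }
	m.entries[path] = append(iv, enc...)
	return nil
}
// Get unwraps the keyring_key stored for path; an unknown path (e.g. a moved datadir) fails.
func (m *MasterKeyFile) Get(path string) ([]byte, error) {
	e, ok := m.entries[path]
	if !ok { return nil, fmt.Errorf("no master-key entry for %q", path) }
	return cbc(m.master, e[:aes.BlockSize], e[aes.BlockSize:], true)
}
// Rename moves an entry to the keyring's new path, which is what master-key-rename does.
func (m *MasterKeyFile) Rename(oldPath, newPath string) error {
	e, ok := m.entries[oldPath]
	if !ok { return fmt.Errorf("no master-key entry for %q", oldPath) }
	if newPath == "" { return fmt.Errorf("new key-id must not be empty") }
	m.entries[newPath] = e
	delete(m.entries, oldPath)
	return nil
}
```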
- library that does all the keyring manipulation
- command-line wrapper executable that calls appropriate library functions