Support PEM file to connect to MySQL DB with SSL certificate #1350

Open
mickey opened this issue Oct 23, 2015 · 10 comments

@mickey

commented Oct 23, 2015

With MySQL: https://dev.mysql.com/doc/refman/5.0/en/ssl-options.html#option_general_ssl-ca

This would allow us to connect directly to our RDS instance.

@camsaul camsaul changed the title Support PEM file to connect with ssl certificate Support PEM file to connect to MySQL DB with SSL certificate Nov 18, 2015

@nambrot

commented Dec 29, 2015

+1

@kevinmartin

commented Nov 4, 2016

+1

@jefffriesen

commented Feb 14, 2017

Has anyone else been able to get Metabase to connect to an RDS MySQL instance?

java.sql.SQLException: Access denied for user 'username'@'63-253-110-78.ip.mcleodusa.net' (using password: YES)

@jefffriesen

commented Feb 19, 2017

@mickey @nambrot @kevinmartin Have any of you been able to connect to your RDS instance from Metabase?

@holtkamp

commented Feb 23, 2017

The Metabase documentation suggests that it will try to use SSL. However, connections to the database seem to fail for users that have been configured to require SSL. Apparently Metabase does not use/consider the public key as issued by Amazon... So +1 on this!

Note
The way I circumvented this limitation is to create a dedicated user for 'read-only' operation that does not require SSL:

CREATE USER 'metabase_read_only'@'%' IDENTIFIED BY 'crazyPassword';
GRANT SELECT ON databaseName.* TO 'metabase_read_only'@'%';

@jefffriesen this is the way we connect to an AWS RDS MySQL instance (read-replica)

@nambrot

commented Feb 23, 2017

@jefffriesen unfortunately no

@jefffriesen

commented Feb 23, 2017

@holtkamp @nambrot Thank you for responding and for the tip. I asked people who know AWS better than I do to look at it, and they are investigating using a VPC. But I'll pass this on.
Thanks again

@franceindia

commented Apr 28, 2017

@holtkamp, your solution works and you're spot on about the issues you describe with requiring SSL vs. not requiring it.
That said, isn't it a slippery slope to not require SSL for a user? Especially since you can't force SSL from within Metabase. We have to trust that somehow behind the scenes, Metabase is using SSL to transfer data. While I know how to list all connections on the server with SHOW FULL PROCESSLIST, it doesn't show whether a connection is SSL or not. This means I can't verify whether things are happening over SSL.

The documentation says you can change the SSL setting in Metabase but I couldn't figure out where to do that (I may be missing something though):

You can always change this setting later if you prefer to connect without this layer of security, but we highly recommend keeping SSL turned on to keep your data secure.

Of lesser danger if properly managed, but still not ideal, allowing even one user to connect without SSL opens up the possibility of someone inadvertently setting up an unencrypted connection down the line.

I'd love to hear people's thoughts on my above concerns. Thus far, I have had no success setting up Metabase and an SSL RDS connection. I tried both Heroku and Elastic Beanstalk but unless I blindly trust Metabase to use SSL, I can't enforce it. Am I overthinking this?
I'll be sure to update this thread if I have a breakthrough.

@aardvark82

commented Feb 2, 2018

+1 I have a Google Cloud instance (managed MySQL 5.7.14) I wish to connect to. It is set up to only allow SSL connections.

  • I don't want to set up SSH tunneling. There is no tunnel to connect on the managed instance to and I don't have a server available on the subnet.
  • I don't want to set up a read-only, non-SSL user. DB IP is exposed and I need security.

@robokaso

commented Nov 2, 2018

I successfully connected to MariaDB 10.3 server that requires ssl by setting the "Additional JDBC connection string options" to useSSL=true&verifyServerCertificate=false
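
An added example, not part of the thread or of Metabase's code: a small audit of what a JDBC option string such as the one quoted above actually asks the driver to enforce, run against that string and against a stricter variant. It assumes MySQL Connector/J 5.1-style property names; audit_jdbc_tls, the posture labels and the truststore path are hypothetical.

```python
from urllib.parse import parse_qsl

# Option names are MySQL Connector/J 5.1-style properties (assumption: the
# driver behind Metabase's additional-options field accepts them).
# audit_jdbc_tls and the posture labels are hypothetical names.

def _flag(opts, name):
    """True/False for an explicitly set boolean option, None when unset."""
    value = opts.get(name)
    return None if value is None else value.strip().lower() == "true"


def audit_jdbc_tls(option_string):
    """Return (posture, findings) for a JDBC option string.

    Only explicit settings count, since driver defaults vary by version.
    """
    opts = dict(parse_qsl(option_string.lstrip("?&"), keep_blank_values=True))
    findings = []
    if _flag(opts, "useSSL") is not True:
        findings.append("useSSL not set to true: TLS depends on driver defaults")
        return "tls-not-requested", findings
    if _flag(opts, "requireSSL") is not True:
        findings.append("requireSSL not set to true: driver may continue "
                        "unencrypted if the server does not offer TLS")
    if _flag(opts, "verifyServerCertificate") is not True:
        findings.append("verifyServerCertificate not set to true: traffic is "
                        "encrypted but the server's identity is not checked")
        return "tls-unverified", findings
    if "trustCertificateKeyStoreUrl" not in opts:
        findings.append("no trustCertificateKeyStoreUrl: the server's CA must "
                        "already be in the JVM default truststore")
    return "tls-verified", findings


# Constructed inputs: the option string quoted in the thread, and a stricter
# variant whose truststore path is a placeholder.
FROM_THREAD = "useSSL=true&verifyServerCertificate=false"
STRICT = ("useSSL=true&requireSSL=true&verifyServerCertificate=true"
          "&trustCertificateKeyStoreUrl=file:/path/to/truststore.jks")

if __name__ == "__main__":
    for label, options in (("thread", FROM_THREAD), ("strict", STRICT)):
        posture, findings = audit_jdbc_tls(options)
        print(label, posture)
        for finding in findings:
            print("  -", finding)
```

With Connector/J 5.1 the truststore is a Java keystore, so a CA bundle distributed as a PEM file has to be imported into one before the stricter variant can be used.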
