Don't require a username or password when using a socket #233

Closed
joshuaspence

A username and password aren't required when connecting to MySQL via a Unix socket.

@roman-vynar
Contributor

It's not about using a socket or not; it's all about security.
A username and password may not be required for either a socket or a TCP connection.
When not using any credentials, anonymous login (empty username/password on MySQL) is assumed, which is a bad idea from a security point of view.

@joshuaspence
Author

Right, it is true that it technically applies to username/password login as well. But when you are using the auth_socket plugin, there is no need for a password because MySQL uses the username of the user connecting to the socket for authentication.

@drzraf

drzraf commented Aug 17, 2018

This still matters. auth_socket / unix_socket is now the default for Debian+MariaDB.
With this auth plugin, the way to set up the connection is:

  1. CREATE USER IF NOT EXISTS 'prometheus'@'localhost' IDENTIFIED VIA unix_socket;
  2. GRANT PROCESS, REPLICATION CLIENT, SELECT ON *.* TO 'prometheus'@'localhost';

Then the command to run the exporter could look like:

  3. sudo -u prometheus -E DATA_SOURCE_NAME="prometheus:nopassword@unix(/run/mysqld/mysqld.sock)/" /usr/bin/prometheus-mysqld-exporter
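An added example, not part of the thread or of the exporter's code: a pre-flight DSN check that separates the two cases discussed above, rejecting anonymous login while allowing an empty password on a Unix socket. The function name `checkDSN` and the simplified DSN parsing are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// checkDSN is a hypothetical pre-flight check, not part of mysqld_exporter.
// It understands only the user[:password]@protocol(address)/ form used in
// this thread and takes the last '@' as the end of the credentials.
func checkDSN(dsn string) error {
	at := strings.LastIndex(dsn, "@")
	if at < 0 {
		return errors.New("no credentials: anonymous login would be assumed")
	}
	user, password, _ := strings.Cut(dsn[:at], ":")
	rest := dsn[at+1:]
	open := strings.Index(rest, "(")
	if open < 0 {
		return errors.New("expected protocol(address) after '@'")
	}
	proto := rest[:open]
	if user == "" {
		return errors.New("empty username: anonymous login")
	}
	// An empty password is accepted only on a Unix socket, where auth_socket /
	// unix_socket maps the connecting OS user to the MySQL account. The DSN
	// cannot prove the account uses that plugin; that is checked on the server.
	if password == "" && proto != "unix" {
		return fmt.Errorf("empty password over %q", proto)
	}
	return nil
}

func main() {
	// Constructed sample DSNs; the first is the one quoted in the thread.
	for _, dsn := range []string{
		"prometheus:nopassword@unix(/run/mysqld/mysqld.sock)/",
		"prometheus@unix(/run/mysqld/mysqld.sock)/",
		"@unix(/run/mysqld/mysqld.sock)/",
		"prometheus@tcp(127.0.0.1:3306)/",
	} {
		fmt.Printf("%-54s -> %v\n", dsn, checkDSN(dsn))
	}
}
```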

@SuperQ
Member

SuperQ commented Aug 17, 2018

@drzraf Thanks for the hint. I think we should add that to the README.

I've been thinking about changing the way this exporter handles connection/auth config. Because we're moving towards an "ENV is unsafe" line of thinking, I am considering dropping support for the ENV completely and going to using the my.cnf style only.
