Use hosts IP address as user group instead of a guessed wildcard. #190
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The wildcard approach has the issue, that it allows monitor connections to the MySQL nodes from a too big IP range. Having the first pxc nodes IP something like 10.1.2.3, proxysql-admin would create the monitor user with the host range of 10.%. This would contain the complete 10.0.0.0/8 network which most likely contain other systems that are not supposed to be allowed to connect to MySQL, even if we are just talking about the monitor user. Another issue with the current solution pops up, when the IP address of the pxc node does not share the same first octet with the ProxySQL IP. Example: ProxySQL IP: 172.18.1.1 PXC IP: 10.0.0.1 Then the ProxySQL-Admin script will anyways create the monitor user as monitor@10.%, resulting in ProxySQL not being able to connect. In this commit, we use ifconfig to get the actual IP of the ProxySQL node and will therefore only allow the ProxySQL node to connect as monitor user. Co-authored-by: Isobel <[email protected]>
|
|
|
Hi @kennt-percona any updates on this PR? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The wildcard approach has the issue, that it allows monitor connections
to the MySQL nodes from a too big IP range. Having the first pxc nodes
IP something like 10.1.2.3, proxysql-admin would create the monitor user
with the host range of 10.%. This would contain the complete 10.0.0.0/8
network which most likely contain other systems that are not supposed to
be allowed to connect to MySQL, even if we are just talking about the
monitor user.
Another issue with the current solution pops up, when the IP address of
the pxc node does not share the same first octet with the ProxySQL IP.
Example:
ProxySQL IP: 172.18.1.1
PXC IP: 10.0.0.1
Then the ProxySQL-Admin script will anyways create the monitor user as
monitor@10.%, resulting in ProxySQL not being able to connect.
In this commit, we use ifconfig to get the actual IP of the ProxySQL
node and will therefore only allow the ProxySQL node to connect as
monitor user.
Co-authored-by: Isobel [email protected]