Comment 6 for bug 1505184

Krunal Bauskar (krunal-bauskar) wrote :

commit c0300e2564e8d03fee5c6e554918d8b98f67c16c
Merge: 4055140 b966fc0
Author: Krunal Bauskar <email address hidden>
Date: Thu Oct 22 15:05:42 2015 +0530

    Merge pull request #48 from kbauskar/5.6-pxc-460

    - PXC#460: wsrep_sst_auth don't work in Percona-XtraDB-Cluster-56-5.6…

commit b966fc0e200b0bd7ed32027c5ade7749f70dca51
Author: Krunal Bauskar <email address hidden>
Date: Thu Oct 22 14:56:29 2015 +0530

    - PXC#460: wsrep_sst_auth don't work in Percona-XtraDB-Cluster-56-5.6.25-25.12.1.el7

      Semantics:
      ---------

      * Generally end-user will create a separate user with needed privileges for
        performing DONOR action.
      * This user credentials are specified using wsrep_sst_auth.

      * Along with this user there could be other user(s) created on the server
        that sysadmin may use for normal or other operations
      * Credentials for these user(s) can be specified in same cluster/server
        cnf file as part of [client] section

      When cluster act as DONOR and if wsrep_sst_auth is provided then it should
      strictly use it for performing SST based action.

      What if end-user has same credentials for performing both SST action and
      normal admin work ?
      * Then end-user can simply specify these credentials as part of [client]
        section in cnf file and skip providing wsrep_sst_auth.

      Issue:
      -----

      MySQL client user/password parsing preference order is as follows:
      * command line (through --user/--password)
      * cnf file
      * MYSQL_PWD enviornment variable.

      Recent change tried passing sst user password through MYSQL_PWD
      (and user though --user command line param as before).

      On the system where-in admin had another user for performing non-SST actions,
      credentials for such user were present in cnf file under [client] section.

      Due to mysql client preference order, SST user name was used (as it was
      passed through command line) but password of other user (meant for non-SST)
      action was being used as it was passed through cnf file.

      Password passed through MYSQL_PWD was completely ignored causing
      user-name/password mismatch.

      Solution:
      ---------

      * If user has specified credentials for SST then pass them through command
        line so that they are used in priority.

      (There could be security concern on passing things through command line but
       when I tried passing user-name and password through command line to mysql
       client and then did ps I saw this
       ./bin/mysql --user=sstuser --password=x xxxxxxxx -S /tmp/n1.sock
      so seems like password is not shown)