[MDEV-10112] mysql_secure_installation should use GRANT, REVOKE, etc for galera support - Jira

Details

Type: Task
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Fix Version/s: 10.4(EOL)
Component/s: Scripts & Clients
Labels:
- foundation

Description

Currently the mysql_secure_installation script execute DELETE and UPDATE and so forth. This is not compatible with Galera as these tables are MyISAM.

Please change them to use GRANT, REVOKE, etc...

Attachments

Issue Links

is part of

MDEV-26593 Replace mysql_secure_installation with a notice that it is useless

Open

Activity

Ascending order - Click to sort in descending order

Michaël de groot added a comment - 2017-05-29 20:48

Hi,

As this issue is open for a year now and still a big problem to all first-time Galera users, increasing priority.

As far as I know there is no work-around, except not uing mysql_secure_installation. Instead, you could use the corresponding GRANT statements.

Thanks,
Michaël

Michaël de groot added a comment - 2017-05-29 20:48 Hi, As this issue is open for a year now and still a big problem to all first-time Galera users, increasing priority. As far as I know there is no work-around, except not uing mysql_secure_installation. Instead, you could use the corresponding GRANT statements. Thanks, Michaël

George added a comment - 2017-11-27 19:38

Hi Michaël,
We have been able to run mysql_secure_installation in non-production with Galera - simply by running it on each Galera node (and we did not run this script on the first node in the cluster before adding more nodes, we did it after..) So far everything seems fine..but maybe not according to your comment in this JIRA ticket?

Based on what you are saying and what is presented here: https://mariadb.com/kb/en/library/mysql_secure_installation/
Is this not a recommended approach in production simply because someone may neglect to run it on all nodes (said first-time user incorrectly assuming mysql.user changes would not be transported to the other nodes), or is there some other issue? I'm a little confused since I would think it is preferable to run the types of commands in the script, as opposed to not using mysql_secure_installation e.g. do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test
_%'"

Thanks!

George added a comment - 2017-11-27 19:38 Hi Michaël, We have been able to run mysql_secure_installation in non-production with Galera - simply by running it on each Galera node (and we did not run this script on the first node in the cluster before adding more nodes, we did it after..) So far everything seems fine..but maybe not according to your comment in this JIRA ticket? Based on what you are saying and what is presented here: https://mariadb.com/kb/en/library/mysql_secure_installation/ Is this not a recommended approach in production simply because someone may neglect to run it on all nodes (said first-time user incorrectly assuming mysql.user changes would not be transported to the other nodes), or is there some other issue? I'm a little confused since I would think it is preferable to run the types of commands in the script, as opposed to not using mysql_secure_installation e.g. do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test _%'" Thanks!

Daniel Black added a comment - 2018-02-04 11:46

mysql_secure_installation.cc from mysql has most of thse fixed.

Otherwise/alternately we can do queries like:

set_root_password

SELECT CONCAT('ALTER USER IF EXISTS ',

                GROUP_CONCAT(

                    CONCAT('\'', User, '\'@\'', Host, '\'', ' IDENTIFIED BY '$esc_pass')

            ) INTO @str

            FROM mysql.user

            WHERE User='root'

        PREPARE stmt FROM @str;

        EXECUTE stmt;

        DROP PREPARE stmt;

remove_remote_root

        SELECT CONCAT('DROP USER IF EXISTS ',

                GROUP_CONCAT(

                    CONCAT('\'', User, '\'@\'', Host, '\'')

            ) INTO @str

            FROM mysql.user

            WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

        PREPARE stmt FROM @str;

        EXECUTE stmt;

        DROP PREPARE stmt;

Daniel Black added a comment - 2018-02-04 11:46 mysql_secure_installation.cc from mysql has most of thse fixed. Otherwise/alternately we can do queries like: set_root_password SELECT CONCAT( 'ALTER USER IF EXISTS ' , GROUP_CONCAT( CONCAT( '\'' , User , '\'@\'' , Host, '\'' , ' IDENTIFIED BY ' $esc_pass ') ) ) INTO @str FROM mysql.user WHERE User=' root' PREPARE stmt FROM @str; EXECUTE stmt; DROP PREPARE stmt; remove_remote_root SELECT CONCAT( 'DROP USER IF EXISTS ' , GROUP_CONCAT( CONCAT( '\'' , User , '\'@\'' , Host, '\'' ) ) ) INTO @str FROM mysql. user WHERE User = 'root' AND Host NOT IN ( 'localhost' , '127.0.0.1' , '::1' ); PREPARE stmt FROM @str; EXECUTE stmt; DROP PREPARE stmt;

Daniel Black added a comment - 2021-04-14 22:37 - edited

Suggested SQL fragments https://github.com/vitessio/vitess/pull/7318/files

Daniel Black added a comment - 2021-04-14 22:37 - edited Suggested SQL fragments https://github.com/vitessio/vitess/pull/7318/files

People

Assignee:: Anel Husakovic

Reporter:: Michaël de groot

Votes:: 8 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2016-05-24 14:17

Updated:: 2025-02-06 07:19

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server