The following text has been added:
Some authentication plugins do not require a password. For example, the unix_socket and gssapi authentication plugins do not require a password. If you are using a user account that does not require a password in order to log in, then you can just leave the password component of wsrep_sst_auth empty. For example:
[mariadb]
...
wsrep_sst_auth = mariabackup:
https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#authentication
https://mariadb.com/kb/en/library/mariabackup-sst-method/#authentication-and-privileges
https://mariadb.com/kb/en/library/xtrabackup-v2-sst-method/#authentication-and-privileges
The following section about unix_socket authentication has also been added to the mariabackup and xtrabackup-v2 SST pages:
It is possible to use the unix_socket authentication plugin for the user account that performs SSTs. This would provide the benefit of not needing to configure a plain-text password in wsrep_sst_auth.
The user account would have to have the same name as the operating system user account that is running the mysqld process. On many systems, this is the user account configured as the user option, and it tends to default to mysql.
For example, if the unix_socket authentication plugin is already installed, then you could execute the following to create the user account:
CREATE USER 'mysql'@'localhost' IDENTIFIED VIA unix_socket;
GRANT RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'mysql'@'localhost';
And then to configure wsrep_sst_auth, you could set the following in a server option group in an option file prior to starting up a node:
[mariadb]
...
wsrep_sst_auth = mysql:
https://mariadb.com/kb/en/library/mariabackup-sst-method/#passwordless-authentication-unix-socket
https://mariadb.com/kb/en/library/xtrabackup-v2-sst-method/#passwordless-authentication-unix-socket
And the following section about gssapi authentication has also been added to the mariabackup and xtrabackup-v2 SST pages:
It is possible to use the gssapi authentication plugin for the user account that performs SSTs. This would provide the benefit of not needing to configure a plain-text password in wsrep_sst_auth.
The following steps would need to be done beforehand:
- You need a KDC running MIT Kerberos or Microsoft Active Directory.
- You will need to create a keytab file for the MariaDB server.
- You will need to install the package containing the gssapi authentication plugin.
- You will need to install the plugin in MariaDB, so that the gssapi authentication plugin is available to use.
- You will need to configure the plugin.
- You will need to create a user account that authenticates with the gssapi authentication plugin, so that the user account can be used for SSTs. This user account will need to correspond with a user account that exists on the backend KDC.
For example, you could execute the following to create the user account in MariaDB:
CREATE USER 'mariabackup'@'localhost' IDENTIFIED VIA gssapi;
GRANT RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'mariabackup'@'localhost';
And then to configure wsrep_sst_auth, you could set the following in a server option group in an option file prior to starting up a node:
[mariadb]
...
wsrep_sst_auth = mariabackup:
https://mariadb.com/kb/en/library/mariabackup-sst-method/#passwordless-authentication-gssapi
https://mariadb.com/kb/en/library/xtrabackup-v2-sst-method/#passwordless-authentication-gssapi
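An added example, not part of the comments above or of MariaDB's own tooling: a small audit that reads option-file text and reports which wsrep_sst_auth settings still carry a password and which use the empty-password form described above. The function name audit_sst_auth and the sample file contents are constructed for illustration; the parser is a simplification that handles dash/underscore spelling, the loose- prefix, quoted values and # comments, and does not follow !include directives.

```python
import re

# Constructed sample option file (not from the page). The password value is
# made up; the second entry uses the passwordless form shown above.
SAMPLE = """\
[mariadb]
wsrep_sst_method = mariabackup
wsrep_sst_auth = mariabackup:S3cret   # constructed value
[mysqld]
wsrep-sst-auth=mysql:
"""

def audit_sst_auth(text):
    """Return (group, user, has_password) for each wsrep_sst_auth setting.

    The password itself is never returned, so the result is safe to log.
    """
    findings, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue  # blank line, comment, or !include directive
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            group = header.group(1).strip().lower()
            continue
        name, _, value = line.partition("=")
        # Option names accept '-' and '_' interchangeably, plus a loose- prefix.
        name = name.strip().lower().replace("-", "_")
        if name.startswith("loose_"):
            name = name[len("loose_"):]
        if name != "wsrep_sst_auth":
            continue
        value = value.strip()
        quoted = re.match(r"""(['"])(.*?)\1""", value)
        if quoted:
            value = quoted.group(2)
        else:
            value = value.split("#", 1)[0].strip()  # drop trailing comment
        user, _, password = value.partition(":")
        findings.append((group, user, bool(password)))
    return findings

if __name__ == "__main__":
    for group, user, has_password in audit_sst_auth(SAMPLE):
        state = "plain-text password present" if has_password else "passwordless"
        print(f"[{group}] wsrep_sst_auth user={user}: {state}")
```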
mariabackup uses the C client. C clients transparently load authentication plugins when required (when the user identifies with an auth plugin). We have a plugin that supports Kerberos (auth_gssapi - server side, auth_gssapi_client - client side).
What SST scripts do, I've no good idea really.