Details
-
New Feature
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
Actually security of maxscale mariadb users is based on a non-encrypted file located on the maxscale server.
- maxkeys
it is generated by maxkeys, called .secrets and stored by default in /var/lib/maxscale ( but can be changed at creation time )
it would be greatr if we could give maxkeys some parameters so that the secret is directly send to a KMS which xwould be defined on the command line
somethiong along the lines of :
maxkeys --host= --port= --key= --cert= --ca=
on the stdout it should provide with necessary information to retrieve the created secret later on.
- maxxpasswd
To hash the password we have to call on the maxpasswd function. this would be great if we could feed it the info retrieved from maxkeys to allow it to encrypt the password using the KMS secret.
something along the lines oif :
maxpasswd --host= --port= --key= --cert= --ca= --token= PASSWORD_TO_HASH
it would still reply with the hash on the stdout.
- maxscale cnf file
in the [masxcale] section, we could add a a pârameter which is the pasword related secret token/id and add a switch telling maxscale to use the already defined key manager.
Attachments
Issue Links
- relates to
-
MXS-5090 ability to setup .secrets file location
-
- Open
-