[MDEV-10112] mysql_secure_installation should use GRANT, REVOKE, etc for galera support Created: 2016-05-24  Updated: 2023-04-27

Status: Open
Project: MariaDB Server
Component/s: Scripts & Clients
Fix Version/s: 10.4

Type: Task
Priority: Major
Reporter: Michaël de groot
Assignee: Anel Husakovic
Resolution: Unresolved
Votes: 8
Labels: None

Issue Links:
PartOf
is part of MDEV-26593 Replace mysql_secure_installation wit... Open

 Description   

Currently the mysql_secure_installation script executes DELETE and UPDATE and so forth. This is not compatible with Galera as these tables are MyISAM.

Please change them to use GRANT, REVOKE, etc...



 Comments   
Comment by Michaël de groot [ 2017-05-29 ]

Hi,

As this issue is open for a year now and still a big problem to all first-time Galera users, increasing priority.

As far as I know there is no work-around, except not using mysql_secure_installation. Instead, you could use the corresponding GRANT statements.

Thanks,
Michaël

Comment by George [ 2017-11-27 ]

Hi Michaël,
We have been able to run mysql_secure_installation in non-production with Galera - simply by running it on each Galera node (and we did not run this script on the first node in the cluster before adding more nodes, we did it after..) So far everything seems fine..but maybe not according to your comment in this JIRA ticket?

Based on what you are saying and what is presented here: https://mariadb.com/kb/en/library/mysql_secure_installation/
Is this not a recommended approach in production simply because someone may neglect to run it on all nodes (said first-time user incorrectly assuming mysql.user changes would not be transported to the other nodes), or is there some other issue? I'm a little confused since I would think it is preferable to run the types of commands in the script, as opposed to not using mysql_secure_installation e.g. do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"

Thanks!

Comment by Daniel Black [ 2018-02-04 ]

mysql_secure_installation.cc from mysql has most of these fixed.

Otherwise/alternately we can do queries like:

set_root_password

        -- $esc_pass is a shell variable substituted by the script before the SQL is sent
        SELECT CONCAT('ALTER USER IF EXISTS ',
                GROUP_CONCAT(
                    CONCAT('\'', User, '\'@\'', Host, '\'', ' IDENTIFIED BY \'$esc_pass\'')
                )
            ) INTO @str
            FROM mysql.user
            WHERE User='root';
        PREPARE stmt FROM @str;
        EXECUTE stmt;
        DROP PREPARE stmt;

remove_remote_root

        -- Build one DROP USER statement covering every non-local root account
        SELECT CONCAT('DROP USER IF EXISTS ',
                GROUP_CONCAT(
                    CONCAT('\'', User, '\'@\'', Host, '\'')
                )
            ) INTO @str
            FROM mysql.user
            WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
        PREPARE stmt FROM @str;
        EXECUTE stmt;
        DROP PREPARE stmt;
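
The same pattern applied to the script's anonymous-account cleanup (remove_anonymous_users, which issues DELETE FROM mysql.user WHERE User=''), with a check to run on every node afterwards. This is an added example, not code from the ticket's commenters or from MariaDB; it assumes a session that may read mysql.user and run DROP USER, and it swaps the hand-built quoting for QUOTE() and adds a guard for the case where no account matches.

```sql
-- Added example: anonymous-account removal as an account-management
-- statement instead of a DELETE against the MyISAM grant table.
-- Assumption: the session can read mysql.user and execute DROP USER.

-- QUOTE() escapes quotes and backslashes in User and Host, so an account
-- name containing a single quote cannot break out of the generated text.
-- When no account matches, GROUP_CONCAT returns NULL and PREPARE would
-- fail on a NULL statement; IFNULL substitutes the no-op "DO 0".
-- On servers with a small group_concat_max_len, a long account list can be
-- truncated mid-statement; raise it for the session if that is a concern.
SELECT IFNULL(
         CONCAT('DROP USER IF EXISTS ',
                GROUP_CONCAT(CONCAT(QUOTE(User), '@', QUOTE(Host)))),
         'DO 0')
  INTO @str
  FROM mysql.user
 WHERE User = '';
PREPARE stmt FROM @str;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;

-- Verification, to be run on each Galera node after the cleanup:
-- an empty result means no anonymous accounts and no remote root
-- accounts remain on that node.
SELECT User, Host
  FROM mysql.user
 WHERE User = ''
    OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));
```

A non-empty result on one node and an empty result on another indicates the cleanup was applied by direct table modification rather than by a replicated statement.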

Comment by Daniel Black [ 2021-04-14 ]

Suggested SQL fragments https://github.com/vitessio/vitess/pull/7318/files
