[MDEV-28667] Avoid clear text password in master.info
Created: 2022-05-25
Updated: 2023-07-11

Status: Open
Project: MariaDB Server
Component/s: None
Fix Version/s: None

Type: Task
Priority: Major
Reporter: Muhammad Irfan
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None


 Description   

This is a request to avoid the clear text replication user password in the master.info file.
I did notice that pretty much the same request already exists: MDEV-10055.
It could be a replication user with other authentication, pam_unix or LDAP or something, so that the password is not needed.



 Comments   
Comment by Daniel Black [ 2022-05-26 ]

A different authentication mechanism for the user still requires the password in clear text. Any token stored as required by the master's authentication plugin of the replica user is effectively a clear text password as it provides the basis of the authentication. If a password isn't needed, nothing is stored, but how is that better?

MDEV-15547 could have provided a PAM based IP mechanism, as weak as it is, but the protocol of the pam plugin got changed.

Without storing a password, it would need to be re-provided before a START REPLICA could occur. Could encrypt the master.info with the encryption key management plugin as a feature request, or better yet, install as table (MDEV-21753) and then you've got the encryption option.

Comment by Sergei Golubchik [ 2023-01-27 ]

Encrypting the whole file using the key management plugin — that's a reasonable idea.
Maybe it's what users will be happy with.
