[MDEV-31809] Automatic SST user account management Created: 2023-07-31  Updated: 2024-02-06

Status: In Review
Project: MariaDB Server
Component/s: Galera SST
Fix Version/s: 11.5

Type: New Feature Priority: Critical
Reporter: Alexey Assignee: Julius Goryavsky
Resolution: Unresolved Votes: 0
Labels: galera

Issue Links:
Duplicate
duplicates MDEV-16009 mariabackup SST requires clear text p... Open
Relates
relates to MDEV-16009 mariabackup SST requires clear text p... Open
relates to MDEV-19949 [Enhancement] mariabackup option of '... Open
relates to MDEV-20757 wsrep_ss_auth password encryption Open
relates to MDEV-25321 mariabackup failed if password is pas... Closed

 Description   

Most advanced SST methods happen to require a dedicated database user
account with certain privileges to access the server during the SST
process on the donor node. Previously that user account had to be
created manually before any SST could take place and its authentication
credentials had to be manually entered into the configuration file and
stored there in clear text indefinitely - to be accessed by the SST
script when needed.

A much less error-prone and more secure approach is to automatically
create such a user account just for the SST and delete it afterwards. The
account credentials can be passed directly to the SST script. Besides better
security and simpler node configuration, this also solves the problem of
SST user privilege evolution: the required privileges may change with
a new server release, and automatic account generation will always
create the user with the right privileges.
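
The account lifecycle described above, as an added sketch that is not MariaDB's implementation and not part of the original issue. The privilege list, the `execute_sql` callback (a stand-in for a server connection), the stdin hand-off and the child command are all assumptions made for illustration.

```python
import secrets
import subprocess
import sys

# Assumption: privileges for a mariabackup-style SST on a recent MariaDB release.
# The real set depends on the server version, which is the point the issue makes.
SST_PRIVILEGES = "RELOAD, PROCESS, LOCK TABLES, BINLOG MONITOR"


def run_sst_with_temp_account(execute_sql, sst_command):
    """Create a one-off SST account, run the SST command, always drop the account.

    execute_sql: callable taking one SQL string (hypothetical connection stand-in).
    sst_command: argv list of the SST script (hypothetical; any executable works).
    Returns the exit code of the SST command.
    """
    user = "sst_" + secrets.token_hex(8)    # hex only, safe inside SQL quotes
    password = secrets.token_urlsafe(32)    # [A-Za-z0-9_-] only, no quote characters
    account = f"'{user}'@'localhost'"
    execute_sql(f"CREATE USER {account} IDENTIFIED BY '{password}'")
    try:
        execute_sql(f"GRANT {SST_PRIVILEGES} ON *.* TO {account}")
        # Credentials reach the child on stdin, not argv or a config file, so they
        # are neither visible in the process list nor stored on disk.
        proc = subprocess.run(sst_command, input=f"{user}\n{password}\n",
                              text=True, check=False)
        return proc.returncode
    finally:
        # Runs after success, SST failure and exceptions alike, so the account
        # never outlives the transfer.
        execute_sql(f"DROP USER IF EXISTS {account}")


if __name__ == "__main__":
    statements = []
    # Constructed stand-in for an SST script: reads user and password from stdin.
    child = [sys.executable, "-c",
             "import sys; u = sys.stdin.readline().strip(); "
             "p = sys.stdin.readline().strip(); sys.exit(0 if u and p else 3)"]
    code = run_sst_with_temp_account(statements.append, child)
    print("SST exit code:", code)
    for stmt in statements:
        print(stmt.split(" IDENTIFIED BY ")[0])   # do not echo the password
```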

