Improve MySQL Galera password handling - use dedicated not root credentials
Prod related PROD-23926 (PROD:23926)
Change-Id: I1c09b54e22ac274336597fff6582a5b997f13ea4
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index 38c23c4..e66c3ae 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -8,6 +8,8 @@
galera_server_bind_address: ${_param:cluster_local_address}
galera_server_bind_port: 3306
galera_server_admin_user: root
+ galera_server_sst_user: sstuser
+ galera_server_sst_password: ${_param:galera_server_admin_password}
galera_max_connections: 20000
galera_innodb_buffer_pool_size: 3138M
galera_innodb_read_io_threads: 0
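Review bot: The new `galera_server_sst_password` defaults to `${_param:galera_server_admin_password}`, so unless a deployment overrides it the SST account shares root's secret and the credentials are dedicated in name only. Wherever the state-transfer tooling reads the SST password (the consuming template is not visible in this diff), a disclosure there would still reveal the root password. Consider leaving the parameter without a default so each deployment must supply its own secret, or at least add a comment such as `# override per deployment; this fallback keeps the root and SST secrets identical`. The same default is added in master/container.yml, master/single.yml and slave/cluster.yml, and the enclosing parameter mapping starts above this hunk.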
@@ -27,6 +29,9 @@
admin:
user: ${_param:galera_server_admin_user}
password: ${_param:galera_server_admin_password}
+ sst:
+ user: ${_param:galera_server_sst_user}
+ password: ${_param:galera_server_sst_password}
members:
- host: ${_param:cluster_node01_address}
port: 4567
@@ -51,3 +56,12 @@
host: '%'
- name: haproxy
host: ${_param:cluster_local_address}
+ - name: ${_param:galera_server_sst_user}
+ password: ${_param:galera_server_sst_password}
+ host: localhost
+ database: '*.*'
+ grants:
+ - PROCESS
+ - RELOAD
+ - LOCK TABLES
+ - REPLICATION CLIENT
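Review bot: The grant list for the SST account has no comment explaining why exactly these four privileges are needed, which makes it easy for a later edit to widen it. A line such as `# minimum privileges for the SST user; do not add write or admin grants` above the `- name:` entry would record the intent. Restricting the account to `host: localhost` is a useful constraint and is worth stating in the same comment. The identical entry is repeated in the other three files of this commit.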
diff --git a/metadata/service/master/container.yml b/metadata/service/master/container.yml
index f4957a6..9711b48 100644
--- a/metadata/service/master/container.yml
+++ b/metadata/service/master/container.yml
@@ -3,6 +3,8 @@
galera_server_cluster_name: galeracluster
galera_server_bind_port: 3306
galera_server_admin_user: root
+ galera_server_sst_user: sstuser
+ galera_server_sst_password: ${_param:galera_server_admin_password}
galera_max_connections: 20000
galera_innodb_buffer_pool_size: 3138M
galera_innodb_read_io_threads: 8
@@ -29,6 +31,9 @@
admin:
user: ${_param:galera_server_admin_user}
password: ${_param:galera_server_admin_password}
+ sst:
+ user: ${_param:galera_server_sst_user}
+ password: ${_param:galera_server_sst_password}
members:
- host: ${_param:mysql_service_host01}
port: 4567
@@ -51,3 +56,12 @@
host: localhost
- name: haproxy
host: '%'
+ - name: ${_param:galera_server_sst_user}
+ password: ${_param:galera_server_sst_password}
+ host: localhost
+ database: '*.*'
+ grants:
+ - PROCESS
+ - RELOAD
+ - LOCK TABLES
+ - REPLICATION CLIENT
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 7ac04d9..fc5ca23 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -8,6 +8,8 @@
galera_server_bind_address: ${_param:single_address}
galera_server_bind_port: 3306
galera_server_admin_user: root
+ galera_server_sst_user: sstuser
+ galera_server_sst_password: ${_param:galera_server_admin_password}
galera_max_connections: 20000
galera_innodb_buffer_pool_size: 3138M
galera_error_log_enabled: true
@@ -27,6 +29,9 @@
admin:
user: ${_param:galera_server_admin_user}
password: ${_param:galera_server_admin_password}
+ sst:
+ user: ${_param:galera_server_sst_user}
+ password: ${_param:galera_server_sst_password}
members:
- host: ${_param:single_address}
port: 4567
@@ -47,3 +52,12 @@
host: '%'
- name: haproxy
host: ${_param:single_address}
+ - name: ${_param:galera_server_sst_user}
+ password: ${_param:galera_server_sst_password}
+ host: localhost
+ database: '*.*'
+ grants:
+ - PROCESS
+ - RELOAD
+ - LOCK TABLES
+ - REPLICATION CLIENT
diff --git a/metadata/service/slave/cluster.yml b/metadata/service/slave/cluster.yml
index 92ee133..a4c7133 100644
--- a/metadata/service/slave/cluster.yml
+++ b/metadata/service/slave/cluster.yml
@@ -8,6 +8,8 @@
galera_server_bind_address: ${_param:cluster_local_address}
galera_server_bind_port: 3306
galera_server_admin_user: root
+ galera_server_sst_user: sstuser
+ galera_server_sst_password: ${_param:galera_server_admin_password}
galera_max_connections: 20000
galera_innodb_buffer_pool_size: 3138M
galera_innodb_read_io_threads: 0
@@ -27,6 +29,9 @@
admin:
user: ${_param:galera_server_admin_user}
password: ${_param:galera_server_admin_password}
+ sst_user:
+ user: ${_param:galera_server_sst_user}
+ password: ${_param:galera_server_sst_password}
members:
- host: ${_param:cluster_node01_address}
port: 4567
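Review bot: The credentials block is keyed `sst_user:` here, while the three master files in this commit use `sst:` at the same position. If the formula template looks up `sst.user` and `sst.password` (the consumer is not visible in this diff), slave nodes would render without the dedicated SST credentials, and what they fall back to depends on that template. Rename the key to `sst:` so all four metadata files agree. The enclosing mapping starts above this hunk.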
@@ -51,3 +56,12 @@
host: '%'
- name: haproxy
host: ${_param:cluster_local_address}
+ - name: ${_param:galera_server_sst_user}
+ password: ${_param:galera_server_sst_password}
+ host: localhost
+ database: '*.*'
+ grants:
+ - PROCESS
+ - RELOAD
+ - LOCK TABLES
+ - REPLICATION CLIENT