mirror of https://github.com/MariaDB/server.git synced 2025-08-08 11:22:35 +03:00

MDEV-31809 Automatic SST user account management

Implement automatic creation of temporary accounts for SST and pass
account credentials to SST script via socket as opposed to environment
variables. Delete the user after the SST script returns.

Respect wsrep_sst_auth set by the administrator in case some additional
privilege grants are needed for particular SST method.

mysqldump SST requires significant change to make use of the new
automatic user generation facility. For now just make it compatible
by ignoring automatically generated user and rely only on wsrep_sst_auth
setting on the joiner node to keep backward compatibility.

Adapt mysqldump SST to automatic SST user generation changes:
 - disable special treatment for mysqldump SST on donor
 - make mysqldump SST script compatible with the new SST script
   interface.

Differentiate user privileges for different SST methods:
 - grant minimum required privileges for clone and xtrabackup SST
   accounts
 - grant all privileges to custom SST accounts as it is not known what
   is needed.
 - disable SST account generation for rsync SST since it is not needed.

MTR tests:
 - add MTR tests for clone and xtrabackup SSTs without wsrep_sst_auth,
 - add MTR test for testing masking of wsrep_sst_auth.
 - don't attempt to restore original wsrep_sst_auth in MTR tests as it
   is always masked.

Signed-off-by: Julius Goryavsky <julius.goryavsky@mariadb.com>
Alexey Yurchenko
2023-07-26 22:34:56 +03:00
committed by Julius Goryavsky
parent 1aa1a7cf64
commit a1e5a284fc
18 changed files with 1348 additions and 287 deletions


@@ -404,11 +404,13 @@ process::process (const char* cmd, const char* type, char** env)
if (read_from_child)
{
setup_parent_pipe_end(READ, read_pipe, READ_END, "r");
assert(from());
}
if (write_to_child)
{
setup_parent_pipe_end(WRITE, write_pipe, WRITE_END, "w");
assert(to());
}
cleanup_fact:
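Review bot: assert(from()) and assert(to()), placed right after the two setup_parent_pipe_end() calls, only hold in debug builds; with NDEBUG defined they compile to nothing, so a stream that failed to open on either pipe end goes unnoticed in a release binary. If a missing stream is a real failure mode here, test it explicitly, record an error code and jump to the cleanup label that follows. If it is purely an invariant, a short comment stating which postcondition of setup_parent_pipe_end() is being asserted would help the next reader.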
@@ -532,6 +534,40 @@ thd::~thd ()
}
}
mysql::mysql() :
mysql_(mysql_init(NULL))
{
int err = 0;
if (mysql_real_connect_local(mysql_) == NULL) {
err = mysql_errno(mysql_);
WSREP_ERROR("mysql::mysql() mysql_real_connect() failed: %d (%s)",
err, mysql_error(mysql_));
}
}
mysql::~mysql()
{
mysql_close(mysql_);
}
int
mysql::disable_replication()
{
int err = execute("SET SESSION sql_log_bin = OFF;");
if (err) {
WSREP_ERROR("sst_user::user() disabling log_bin failed: %d (%s)",
err, errstr());
}
else {
err = execute("SET SESSION wsrep_on = OFF;");
if (err) {
WSREP_ERROR("sst_user::user() disabling wsrep replication failed: %d (%s)",
err, errstr());
}
}
return err;
}
} // namespace wsp
/* Returns INADDR_NONE, INADDR_ANY, INADDR_LOOPBACK or something else */
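Review bot: In mysql::mysql(), a failed mysql_real_connect_local() is only logged. The code is kept in the local err and then discarded, so callers receive an object they cannot tell is unconnected, and later calls such as disable_replication() would run on it. The result of mysql_init(NULL) is also passed to the connect call without a NULL check. Suggest keeping the error in a member (or exposing a way to query connection state) and checking mysql_ before connecting. Minor: the constructor's log text names mysql_real_connect() while the call is mysql_real_connect_local(), and both messages in mysql::disable_replication() carry the prefix sst_user::user(), which will point in the wrong direction when reading logs from a failed SST.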