System users password management

[fishday53]

It would be great to add support for system users password management.

When system users passwords are compromised, it's be impossible to change them in an existing cluster.

I tried to deploy Secret with passwords for users:

• moco-admin
• moco-agent
• moco-backup
• moco-clone-donor
• moco-exporter
• moco-readonly
• moco-repl
• moco-writable
  And manually change their passwords in MySQL, but the operator rolled back my changes.

So, it seems, the only way to change system users passwords is to deploy a new cluster and move all data to it.

Maybe I'm wrong, and there's an easier way?

[mhkarimi1383]

Currently We don't have support for customized users

I would like to add this feature it that's OK

Will be great if we can provide a secret containing required information, Containing usernames and passwords and fallback to default if nothing provided

[shunki-fujita]

@fishday53 @mhkarimi1383
Thanks for the report and clear explanation!

As a potential solution, we’re considering an implementation where specific annotations on MySQLCluster trigger system-user password rotation:

When the rotation annotation is added, the operator updates the system users with RETAIN CURRENT PASSWORD (i.e., dual-password mode) and rolls dependent components to pick up the new secret.
When the discard annotation is added, the operator finalizes the change with DISCARD OLD PASSWORD to drop the previous password.

Does this direction make sense to you?

[fishday53]

@shunki-fujita Hi! It sounds great from my point of view.

[mhkarimi1383]

@shunki-fujita

Hi! looks good for now, But being able to customize users and supporting additional managed users will be awesome

[shunki-fujita]

@mhkarimi1383
Yes, I also think adding user management (such as creating users) would be valuable.
However, we haven’t worked on it yet.
#349

[shunki-fujita]

We are currently considering implementing this.
Since the logic is a bit complex, we expect that it will take some time to complete the implementation.