MDEV-31809 Automatic SST user account management

Implement automatic creation of temporary accounts for SST and pass account credentials to SST script via socket as opposed to environment variables. Delete the user after the SST script returns, Respect wsrep_sst_auth set by the adminitrator in case some additional privilege grants are needed for particular SST method. mysqldump SST requires significant change to make use of the new automatic user generation facility. For now just make it compatible by ignoring automatically generated user and rely only on wsrep_sst_auth setting on the joiner node to keep backward compatibility. Adapt mysqldump SST to automatic SST user generation changes: - disable special treatment for mysqldump SST on donor - make mysqldump SST script compatible with the new SST script interface. Differentiate user privileges for different SST methods: - grant minimum required privileges for clone and xtrabackup SST accounts - grant all privileges to custom SST accounts as it is not known what is needed. - disable SST account generation for rsync SST since it is not needed. MTR tests: - add MTR tests for clone and xtrabackup SSTs without wsrep_sst_auth, - add MTR test for testing masking of wsrep_sst_auth. - don't attmept to restore original wsrep_sst_auth in MTR tests as it is always masked. Signed-off-by: Julius Goryavsky <julius.goryavsky@mariadb.com>
2026-05-03 13:45:34 +02:00 · 2023-07-26 22:34:56 +03:00 · 2023-07-26 22:34:56 +03:00 · a1e5a284fc
commit a1e5a284fc
parent 1aa1a7cf64
18 changed files with 1329 additions and 268 deletions
--- a/scripts/wsrep_sst_common.sh
+++ b/scripts/wsrep_sst_common.sh
@ -1057,19 +1057,55 @@ if ! wsrep_auth_not_set; then
    fi
 fi

-readonly WSREP_SST_OPT_USER
-readonly WSREP_SST_OPT_PSWD
-readonly WSREP_SST_OPT_AUTH
-
+WSREP_SST_OPT_REMOTE_USER=
+WSREP_SST_OPT_REMOTE_PSWD=
 if [ -n "$WSREP_SST_OPT_REMOTE_AUTH" ]; then
    # Split auth string at the last ':'
    readonly WSREP_SST_OPT_REMOTE_USER="${WSREP_SST_OPT_REMOTE_AUTH%%:*}"
    readonly WSREP_SST_OPT_REMOTE_PSWD="${WSREP_SST_OPT_REMOTE_AUTH#*:}"
-else
-    readonly WSREP_SST_OPT_REMOTE_USER=
-    readonly WSREP_SST_OPT_REMOTE_PSWD=
 fi

+# Reads incoming data from STDIN and sets the variables
+#
+# Globals:
+#   WSREP_SST_OPT_USER (sets this variable)
+#   WSREP_SST_OPT_PSWD (sets this variable)
+#
+# Parameters:
+#   None
+#
+read_variables_from_stdin()
+{
+    while read line; do
+        key=${line%%=*}
+        value=${line#*=}
+        case "$key" in
+            'sst_user')
+                WSREP_SST_OPT_USER="$value"
+                ;;
+            'sst_password')
+                WSREP_SST_OPT_PSWD="$value"
+                ;;
+            'sst_remote_user')
+                WSREP_SST_OPT_REMOTE_USER="$value"
+                ;;
+            'sst_remote_password')
+                WSREP_SST_OPT_REMOTE_PSWD="$value"
+                ;;
+            *)
+                wsrep_log_warning "Unrecognized input: $line"
+        esac
+    done
+    return 0
+}
+
+[ "$WSREP_SST_OPT_ROLE" = "donor" ] && read_variables_from_stdin || :
+
+readonly WSREP_SST_OPT_USER
+readonly WSREP_SST_OPT_PSWD
+readonly WSREP_SST_OPT_AUTH
+readonly WSREP_SST_OPT_REMOTE_USER
+readonly WSREP_SST_OPT_REMOTE_PSWD
 readonly WSREP_SST_OPT_REMOTE_AUTH

 if [ -n "$WSREP_SST_OPT_DATA" ]; then