Does Percona Toolkit support SSL client authentication ?

superjcvd
Hello,

I'm new to this forum and I'd like to ask a simple question.
I can't find anything about it on Google...

Do you know if we can use Percona Toolkit with SSL authentication on the client side?


I have a MySQL server open to the internet with SSL-enabled users only.

On my SQL clients I have a certificate that authenticates them.
I can log in to the SQL server with a command like this (or a .cnf conf file):
mysql -u sentybox -h IP_HERE --ssl-ca=/certs/ca-cert.pem --ssl-cert=/certs/client-cert.pem --ssl-key=/certs/client-key.pem

It works very well with the mysql client command line. But as soon as I try to use, for example, the pt-table-sync command, this fails.
(I tried to specify the conf file as a parameter but this doesn't work.)

Thanks for your help :)

Regards

Gael

Comments

  • superjcvd
    Sorry for the typo in the title...
  • jfg956
    I got to this post trying to make pt-show-grants work with Google Cloud Platform (GCP) CloudSQL. Leaving a trace of the fix here:

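    # SSL options appended to the DSN and passed through to DBD::mysql
    SSL_DSN=";mysql_ssl=1"
    SSL_DSN="$SSL_DSN;mysql_ssl_client_key=$(pwd)/client-key.pem"
    SSL_DSN="$SSL_DSN;mysql_ssl_client_cert=$(pwd)/client-cert.pem"
    SSL_DSN="$SSL_DSN;mysql_ssl_ca_file=$(pwd)/server-ca.pem"
    # Quoted so that a working directory containing spaces is not split
    pt-show-grants -F "$(pwd)/.my.cnf" "$SSL_DSN"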
  • jfg956
    Above, I posted how to make pt-show-grants work with Google Cloud Platform (GCP) CloudSQL with SSL enabled and forced on the CloudSQL side. It allows having the host connection details in the defaults-file, including username and password. However, it is more complicated with pt-online-schema-change.

    I was not able to have pt-osc work with reading a defaults-file. I think it has to do with the database (D) and table (t) needing to be specified in the DSN. My understanding is that pt-osc strips this before sending it to DBD::mysql, and this, combined with the tool trying to do the right thing, breaks things at the lower layer. But my Perl and DBD::mysql foo is not yet strong enough for fully understanding the real cause and to provide a patch.

    I am posting below how I was able to make pt-osc work with SSL; I hope this can help someone. I am not happy about it because not wanting to specify a password on the command line and needing the tool to be used interactively do not make automation possible, but it is the best I have found yet.

    # Same SSL options as above, appended to the h= part of the DSN
    SSL_DSN=";mysql_ssl=1"
    SSL_DSN="$SSL_DSN;mysql_ssl_client_key=$(pwd)/client-key.pem"
    SSL_DSN="$SSL_DSN;mysql_ssl_client_cert=$(pwd)/client-cert.pem"
    SSL_DSN="$SSL_DSN;mysql_ssl_ca_file=$(pwd)/server-ca.pem"
    pt-online-schema-change [pt-osc-options] \
    "D=$db,t=$table,h=${host}${SSL_DSN}" -u "$user" --ask-pass

    If you know of a better solution, please post it below, and thanks in advance for that.

    And these are the versions of the tools that I am using:

    $ pt-show-grants --version
    pt-show-grants 3.0.11
    $ pt-online-schema-change --version
    pt-online-schema-change 3.0.11
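
The `SSL_DSN` suffix from the comments above can be built by a small function that first checks the certificate files. This is an added example, not part of the original posts or of Percona Toolkit: `build_ssl_dsn` is a hypothetical helper, the file names are those used in the thread, and the check that the client key is closed to group and others is an added precaution.

```bash
#!/usr/bin/env bash
# Added example: build the ";mysql_ssl=1;..." suffix used in the thread,
# refusing to do so when the certificate files look wrong.
# build_ssl_dsn is a hypothetical helper name.

build_ssl_dsn() {
    local dir key cert ca f mode
    # Resolve to an absolute path, as the posts do with $(pwd).
    dir=$(cd -- "${1:-.}" 2>/dev/null && pwd) || {
        echo "certificate directory not found: ${1:-.}" >&2; return 1; }
    key="$dir/client-key.pem"
    cert="$dir/client-cert.pem"
    ca="$dir/server-ca.pem"

    # ';' separates DBD::mysql options and ',' separates Percona Toolkit
    # DSN parts, so a path containing either (or whitespace) would be cut short.
    case "$dir" in
        *\;*|*,*|*[[:space:]]*)
            echo "unsafe character in path: $dir" >&2; return 1 ;;
    esac

    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # Characters 5-10 of the ls mode string are the group/other bits;
    # the private key must grant nothing to either.
    mode=$(ls -ld -- "$key" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "client key is accessible to group/others: $key" >&2; return 1; }

    printf ';mysql_ssl=1;mysql_ssl_client_key=%s;mysql_ssl_client_cert=%s;mysql_ssl_ca_file=%s\n' \
        "$key" "$cert" "$ca"
}

# Usage, mirroring the pt-show-grants call from the thread:
#   SSL_DSN=$(build_ssl_dsn /path/to/certs) && \
#       pt-show-grants -F "$HOME/.my.cnf" "$SSL_DSN"
```

Because the function returns non-zero on any failed check, chaining with `&&` as in the usage comment keeps the tool from running with an incomplete DSN.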

MySQL, InnoDB, MariaDB and MongoDB are trademarks of their respective owners.
Copyright ©2005 - 2020 Percona LLC. All rights reserved.