
Password in clear text in pmm-mysql-metrics-42002.service file

Hello,
During some tests of the PMM tool, we found strange behaviour from a security point of view.

The pmm-mysql-metrics-42002.service file exposes the username and password credentials in plain text to non-privileged users via the DATA_SOURCE_NAME Environment variable.
With a non-privileged user:
systemctl cat pmm-mysql-metrics-42002
...
Environment="DATA_SOURCE_NAME=PERCONA_USER:CLEAR_PASSWORD@unix(/var/run/mysqld/mysqld.sock)/?parseTime=true&time_zone='%%2b00%%3a00'&loc=UTC"
Restart=always
...
The password is in clear text for all users. This user needs SUPER privileges to work.


Another strange behaviour appears when we activate MySQL metrics in PMM:
pmm-admin add mysql --user USER --password PASSWORD
It's not possible to use a prompt to hide the password. The password appears in the bash history.

Is it possible to use a MySQL user with Linux authentication (auth_socket)?
This will solve our password problems.
Thank you for your help,
Regards,
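
The exposure described in this question can be checked for on any host. The following is an added example, not part of the original thread and not Percona code: a POSIX shell function that lists unit files whose Environment= lines embed a user:password@ DSN, without ever printing the secret. The function name audit_units and its output format are assumptions, and it expects a stat that supports -c and a sed that supports -E.

```shell
#!/bin/sh
# Added example: find systemd units that embed DSN credentials in Environment=.

# Matches Environment="NAME=user:password@..." and captures NAME only.
DSN_RE='^[[:space:]]*Environment="?([A-Za-z_][A-Za-z0-9_]*)=[^:@"[:space:]]+:[^@"[:space:]]+@.*$'

# audit_units DIR
# Prints one line per finding: <unit file> <octal mode> <variable name> <exposure>
# The credential itself is never written to the output.
audit_units() {
  for unit in "$1"/*.service; do
    [ -f "$unit" ] || continue
    mode=$(stat -c '%a' "$unit")
    # The last octal digit holds the "other" bits; 4-7 means other-readable.
    case $mode in
      *[4567]) exposure=world-readable ;;
      *)       exposure=restricted-file ;;
    esac
    # A restricted file mode is still reported: systemd exposes Environment=
    # values to unprivileged clients over D-Bus (systemctl show), so the unit
    # file's permissions do not protect the value.
    sed -nE "s/$DSN_RE/\1/p" "$unit" | while read -r var; do
      printf '%s %s %s %s\n' "$unit" "$mode" "$var" "$exposure"
    done
  done
}

# Scan the directory given as the first argument, or the default unit directory.
audit_units "${1:-/etc/systemd/system}"
```

A DSN that uses socket authentication without a password (user@unix(...)) is not reported, because it contains no user:password pair.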

Answers

  • alexey.palazhchenko, PMM Tech Lead, Percona Staff (Contributor)
    It is possible to use a UNIX socket with the --socket flag, and a MySQL client configuration file with the --defaults-file flag. The latter one can contain the password and be protected. pmm-admin add mysql can also use the my_print_defaults tool for using an encrypted password.
  • aurelfer (Poster)
    It is possible to use a UNIX socket with the --socket flag, and a MySQL client configuration file with the --defaults-file flag. The latter one can contain the password and be protected. pmm-admin add mysql can also use the my_print_defaults tool for using an encrypted password.

    Hello,
    Thanks for the answer, but I didn't find an example in the documentation or on the web of using the my_print_defaults tool with pmm-admin add mysql.
    Do you use it like:
    pmm-admin add mysql --user USER --password `my_print_defaults LOGIN_PATH_NAME -s | grep password | cut -d "=" -f 2`
    or is there a simple way?
    Thanks in advance



Copyright ©2005 - 2020 Percona LLC. All rights reserved.