Does Percona Toolkit support SSL client authentication?

Hello,

I’m new to this forum and I’d like to ask a simple question.
I can’t find anything about it on Google…

Do you know if we can use Percona Toolkit with SSL authentication on the client side?

I have a MySQL server open to the internet with SSL-enabled users only.

On my SQL clients I have a certificate that authenticates them.
I can log in to the SQL server with a command like this (or a .cnf conf file):
mysql -u sentybox -h IP_HERE --ssl-ca=/certs/ca-cert.pem --ssl-cert=/certs/client-cert.pem --ssl-key=/certs/client-key.pem

It works very well with the mysql command-line client. But as soon as I try to use, for example, the pt-table-sync command, it fails.
(I tried to specify the conf file as a parameter, but this doesn’t work.)

Thanks for your help :slight_smile:

Regards

Gael

Sorry for the typo in the title…

I got to this post trying to make pt-show-grants work with Google Cloud Platform (GCP) CloudSQL. Leaving a trace of the fix here:

SSL_DSN=";mysql_ssl=1"
SSL_DSN="$SSL_DSN;mysql_ssl_client_key=$(pwd)/client-key.pem"
SSL_DSN="$SSL_DSN;mysql_ssl_client_cert=$(pwd)/client-cert.pem"
SSL_DSN="$SSL_DSN;mysql_ssl_ca_file=$(pwd)/server-ca.pem"
pt-show-grants -F "$(pwd)/.my.cnf" "$SSL_DSN"

Above, I posted how to make pt-show-grants work with Google Cloud Platform (GCP) CloudSQL with SSL enabled and forced on the CloudSQL side. It allows having the host connection details in the defaults-file, including username and password. However, it is more complicated with pt-online-schema-change.

I was not able to get pt-osc to work when reading a defaults-file. I think it has to do with the database (D) and table (t) needing to be specified in the DSN. My understanding is that pt-osc strips this before sending it to DBD::mysql, and this, combined with the tool trying to do the right thing, breaks things at the lower layer. But my Perl and DBD::mysql foo is not yet strong enough to fully understand the real cause and to provide a patch.

I am posting below how I was able to make pt-osc work with SSL; I hope this can help someone. I am not happy about it because not wanting to specify a password on the command line, and needing the tool to be used interactively, does not make automation possible, but it is the best I have found yet.

SSL_DSN=";mysql_ssl=1"
SSL_DSN="$SSL_DSN;mysql_ssl_client_key=$(pwd)/client-key.pem"
SSL_DSN="$SSL_DSN;mysql_ssl_client_cert=$(pwd)/client-cert.pem"
SSL_DSN="$SSL_DSN;mysql_ssl_ca_file=$(pwd)/server-ca.pem"
pt-online-schema-change [pt-osc-options] \
  "D=$db,t=$table,h=${host}${SSL_DSN}" -u "$user" --ask-pass

If you know of a better solution, please post it below, and thanks in advance for that.

And these are the versions of the tools that I am using:

$ pt-show-grants --version
pt-show-grants 3.0.11
$ pt-online-schema-change --version
pt-online-schema-change 3.0.11
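
Added example (not part of the posts above and not Percona's code): a shell helper that builds the same SSL DSN suffix, but first checks that the three PEM files are present and that the client private key is not accessible to group or other. The function name build_ssl_dsn and its checks are assumptions of this example; the mysql_ssl_* keys and file names are the ones used in the thread.

```shell
#!/bin/sh
# Hypothetical helper: build the DBD::mysql SSL DSN suffix from the thread,
# refusing to continue if the certificate material looks wrong.
#
# build_ssl_dsn DIR
#   stdout: ";mysql_ssl=1;mysql_ssl_client_key=DIR/client-key.pem;..."
#   return: 0 on success, 1 (message on stderr) on any failed check
build_ssl_dsn() {
    dir=${1:-$(pwd)}

    # ',' separates Percona Toolkit DSN parts and ';' separates DBD::mysql
    # DSN options, so a path containing either would be split apart.
    case $dir in
        *[\;,]*)
            echo "build_ssl_dsn: path contains ';' or ',': $dir" >&2
            return 1 ;;
    esac

    key="$dir/client-key.pem"
    cert="$dir/client-cert.pem"
    ca="$dir/server-ca.pem"

    # A missing or empty PEM file is rejected here, before any tool runs.
    for f in "$key" "$cert" "$ca"; do
        if [ ! -r "$f" ] || [ ! -s "$f" ]; then
            echo "build_ssl_dsn: missing, unreadable or empty: $f" >&2
            return 1
        fi
    done

    # Characters 5-10 of the ls mode string are the group/other bits;
    # the private key should be readable by its owner only.
    go_bits=$(ls -ldL -- "$key" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "build_ssl_dsn: $key is accessible to group/other (chmod 600)" >&2
        return 1
    fi

    printf ';mysql_ssl=1;mysql_ssl_client_key=%s;mysql_ssl_client_cert=%s;mysql_ssl_ca_file=%s\n' \
        "$key" "$cert" "$ca"
}

# Usage with the commands from the thread:
#   SSL_DSN=$(build_ssl_dsn "$(pwd)") || exit 1
#   pt-show-grants -F "$(pwd)/.my.cnf" "$SSL_DSN"
```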