During some test of pmm tool, we find a strange behaviour from security point of view.
The pmm-mysql-metrics-42002.service file exposes the username and password
credentials in plain text to non-privileged users via the DATA_SOURCE_NAME
Environment variable.WIth a non-privileged user:
systemctl cat pmm-mysql-metrics-42002<br>...<br>Environment="DATA_SOURCE_NAME=<b>PERCONA_USER</b>:<b>CLEAR_PASSWORD</b>@unix(/var/run/mysqld/mysqld.sock)/?parseTime=true&time_zone='%%2b00%%3a00'&loc=UTC"<br>Restart=always<br>...<br>
The password is in clear text for all users. This user asks SUPER privileges to works.
Other strange behaviour appear when we activate mysql metric to PMM
pmm-admin add mysql --user USER --password PASSWORD
It’s not possible to use prompt to hide the password. Password is appearing in bash history.
Is it possible to use a mysql user with Linux authentication (auth_socket) ?
This will solve our password problems.
Thank you for your help,