Feature request: read-only account
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MySQL InnoDB Cluster Charm | Triaged | Wishlist | Unassigned | |
Bug Description
It would be very useful to have the charm create an additional root-like account but with read-only access to all the databases.
Here's a concrete use case: for a particular customer we sometimes need to review the HA status of their OpenStack routers. Doing this via a bash loop and openstack/neutron CLI commands may take 5+ minutes, and that's for a single report across all 200-ish routers this customer has. Via a MySQL terminal, I can get the same information in less than 1 second.
We can of course use the "root" user for this, but there's the danger of autocommit=1, let alone simple copy/paste mishaps, which make this more dangerous than one would like. On the other hand, if we had some sort of "read-only root" account which can still access all the databases but not actually perform changes, that would make these types of direct queries much more safe.
Changed in charm-mysql-innodb-cluster:
status: New → Triaged
importance: Undecided → Wishlist
Just an idea: maybe we should have an action to create temporary accounts on demand, so the exposure is time constrained, for example:
juju run-action mysql-innodb-cluster/leader create-temp-account duration=1h database=nova,cinder,neutron reason="HA routers audit script"
This would give you a user account with a random username and password that will be available for 1 hour and permissions to access nova, cinder and neutron databases.
Having a permanent read-only account makes me worried about how it could be shared across the organization, since "it's just a read-only account".
The downside of this approach is that we don't have a daemon running, so we may need to register a cronjob that takes care of revoking/deleting the temporary users created.
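The following is an added example, not code from charm-mysql-innodb-cluster, of what a hypothetical `create-temp-account` action and its cron-driven cleanup could generate for the request above (a read-only account) and the proposal in this comment (a random, time-boxed one). The function names, the `tmp_` username prefix, the `duration`/`database`/`reason` parameters and the use of `CREATE USER ... COMMENT` (MySQL 8.0.14+) are assumptions. Granting only `SELECT, SHOW VIEW` per schema, rather than on `*.*`, also keeps the account out of the `mysql` schema, where `mysql.user` holds password hashes; with no write privilege, an accidental `UPDATE` fails with a permission error regardless of `autocommit`.

```python
"""Sketch of a time-boxed read-only MySQL account (added example, not charm code).

Names, the tmp_ prefix and the CREATE USER ... COMMENT clause (MySQL 8.0.14+)
are assumptions made for illustration.
"""
import re
import secrets
import string
from datetime import datetime, timedelta, timezone

# Database names are restricted to a conservative charset before being
# backtick-quoted, so an action parameter cannot smuggle extra SQL.
_IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Enough to inspect data; SHOW VIEW lets the user read view definitions.
# No INSERT/UPDATE/DELETE, and no grant on *.* (which would also expose the
# mysql schema, including the password hashes in mysql.user).
READ_ONLY_PRIVS = "SELECT, SHOW VIEW"

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_duration(spec):
    """Parse '1h', '30m', '2d' into a timedelta; reject anything else."""
    m = re.fullmatch(r"(\d+)([smhd])", spec.strip())
    if not m:
        raise ValueError(f"bad duration: {spec!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def quote_ident(name):
    """Backtick-quote a schema name after validating its charset."""
    if not _IDENT_RE.fullmatch(name):
        raise ValueError(f"refusing unsafe identifier: {name!r}")
    return f"`{name}`"


def quote_str(value):
    """Quote a MySQL string literal (backslash and single-quote escaping)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def make_temp_account(databases, duration="1h", reason="", host="%", now=None):
    """Return the account record plus the SQL that creates and grants it."""
    now = now or datetime.now(timezone.utc)
    expires = now + parse_duration(duration)
    user = "tmp_" + secrets.token_hex(4)            # random name, e.g. tmp_9f2a0c1e
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(32))
    account = f"{quote_str(user)}@{quote_str(host)}"
    comment = f"expires={expires.isoformat()} reason={reason}"
    sql = [f"CREATE USER {account} IDENTIFIED BY {quote_str(password)} "
           f"COMMENT {quote_str(comment)};"]
    for db in databases:                             # one grant per schema, never *.*
        sql.append(f"GRANT {READ_ONLY_PRIVS} ON {quote_ident(db)}.* TO {account};")
    return {"user": user, "host": host, "password": password,
            "expires": expires, "sql": sql}


def revoke_sql(record):
    """SQL the cleanup job runs once the account has expired."""
    account = f"{quote_str(record['user'])}@{quote_str(record['host'])}"
    return f"DROP USER IF EXISTS {account};"


def due_for_revocation(records, now=None):
    """Pick the records a periodic (cron) job should drop right now."""
    now = now or datetime.now(timezone.utc)
    return [r for r in records if r["expires"] <= now]


if __name__ == "__main__":
    rec = make_temp_account(["nova", "cinder", "neutron"], "1h",
                            reason="HA routers audit script")
    print("\n".join(rec["sql"]))
    print(revoke_sql(rec))
```

One caveat for the cleanup job: `DROP USER` does not terminate sessions that are already open, so a user who connected before expiry keeps working until they disconnect; the job should also `KILL` that account's connections (visible in `information_schema.PROCESSLIST`) when it drops the user.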