Feature request: read-only account

Bug #1995976 reported by Paul Goins
Affects: MySQL InnoDB Cluster Charm
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

It would be very useful to have the charm create an additional root-like account but with read-only access to all the databases.

Here's a concrete use case: for a particular customer we sometimes need to review the HA status of their OpenStack routers. Doing this via a bash loop and openstack/neutron CLI commands may take 5+ minutes, and that's for a single report across all 200-ish routers this customer has. Via a MySQL terminal, I can get the same information in less than 1 second.

We can of course use the "root" user for this, but there's the danger of autocommit=1, let alone simple copy/paste mishaps, which make this more dangerous than one would like. On the other hand, if we had some sort of "read-only root" account which can still access all the databases but not actually perform changes, that would make these types of direct queries much safer.

Felipe Reyes (freyes) wrote :

just an idea: maybe we should have an action to create temporary accounts on demand, so the exposure is time constrained, for example:

juju run-action mysql-innodb-cluster/leader create-temp-account duration=1h database=nova,cinder,neutron reason="HA routers audit script"

This would give you a user account with a random username and password that will be available for 1 hour and permissions to access nova, cinder and neutron databases.

Having a permanent read-only account makes me worried about how it could be shared across the organization, since "it's just a read-only account".

The downside of this approach is that we don't have a daemon running, so we may need to register a cronjob that takes care of revoking/deleting the temporary users created.
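The temporary-account idea above, sketched as added Python (hypothetical helper code, not part of the mysql-innodb-cluster charm): the account is SELECT-only on the databases named in the action, database names are validated before being interpolated into SQL, and the expiry is recorded so a cron-driven reaper can revoke leftovers.

```python
import re
import secrets
import time
from dataclasses import dataclass

# Database names arrive as an action parameter, so allow only plain identifiers
# before they are placed inside GRANT statements.
IDENT = re.compile(r"^[A-Za-z0-9_]+$")


@dataclass
class TempAccount:
    user: str
    password: str
    databases: list
    expires_at: int  # epoch seconds; kept in the charm's registry for the reaper
    reason: str


def plan_temp_account(databases, duration_hours, reason, now=None, host="%"):
    """Return (account, statements): a random SELECT-only user and the SQL creating it."""
    if not 0 < duration_hours <= 24:
        raise ValueError("duration must be between 0 and 24 hours")
    bad = [db for db in databases if not IDENT.fullmatch(db)]
    if bad or not databases:
        raise ValueError(f"refusing database list, rejected names: {bad!r}")
    now = int(time.time()) if now is None else now
    user = "tmp_" + secrets.token_hex(4)  # e.g. tmp_3f9a1c2e (constructed, random)
    password = secrets.token_urlsafe(24)  # URL-safe alphabet: never contains a quote
    account = TempAccount(user, password, list(databases), now + duration_hours * 3600, reason)
    statements = [f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '{password}';"]
    # SELECT only: with this account an autocommit=1 session or a pasted UPDATE cannot change data
    statements += [f"GRANT SELECT ON `{db}`.* TO '{user}'@'{host}';" for db in databases]
    return account, statements


def expired_revocations(accounts, now=None, host="%"):
    """SQL for the cron-driven reaper: drop every account whose lease has run out."""
    now = int(time.time()) if now is None else now
    return [f"DROP USER IF EXISTS '{a.user}'@'{host}';" for a in accounts if a.expires_at <= now]
```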

Changed in charm-mysql-innodb-cluster:
status: New → Triaged
importance: Undecided → Wishlist