Feature Request: Encrypting password of Monitor user #1353
Comments
Another option that may be more flexible is a user-supplied executable that can be run to retrieve monitor credentials. This allows the user to fetch secrets from their preferred secrets store without having to support each one explicitly in proxysql. In that scenario, we wouldn't store it on disk at all, and it would only sit in memory.
I'd expand this request to any passwords or credentials in the global_variables table. admin_credentials in particular
You can already do this; e.g.:
Where is the documentation for support of storing encrypted password(s) in the global_variables table for admin-credentials? Does this work for other admin credentials stored in this column? The documentation here:
@jdanilson Is this what you are looking for?
No. The ability to store the hash for users in the mysql_user table has existed for a while and we use it. My question deals with user passwords stored in the global_variables table (and by reference most are also coded in the cnf file). There is information about hashing the admin_admin_password but not the monitor and cluster users. I wish there was just a simple way to accomplish this, especially since the easy to use password() function is going away in mysql 8.x
Any update on this requirement?
Any updates on this issue? We are also looking for a solution.
@jdanilson do you have any updates on this issue?
Do you have any updates on this solution? My company has a similar policy.
There are a lot of people in this thread, so I think I can get some feedback. First of all, let me explain some details about passwords. When ProxySQL connects to a backend instead it is a client. Based on the above:
Question: how do you store passwords in the application?
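Added illustration, not part of the thread and not ProxySQL code: assuming the backend account uses `mysql_native_password`, this sketch shows why the side that connects as a client cannot work from the server-style stored hash alone. The function names and the sample password are constructed for the example.

```python
import hashlib
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> bytes:
    """What the server keeps for the account: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def client_token(password: str, nonce: bytes) -> bytes:
    """What the connecting side sends; computing it needs SHA1(password)."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(nonce + sha1(stage1)))


def server_verify(stored: bytes, nonce: bytes, token: bytes) -> bool:
    """The verifier recovers a candidate SHA1(password) and re-hashes it."""
    candidate_stage1 = xor(token, sha1(nonce + stored))
    return sha1(candidate_stage1) == stored


def token_from_stored_hash_only(stored: bytes, nonce: bytes) -> bytes:
    """A client holding only the stored hash can only feed it in as stage1."""
    return xor(stored, sha1(nonce + sha1(stored)))


def demo():
    password = "constructed-monitor-pw"  # constructed sample value
    nonce = os.urandom(20)               # server-chosen 20-byte scramble
    stored = stored_hash(password)
    with_password = server_verify(stored, nonce, client_token(password, nonce))
    with_hash_only = server_verify(
        stored, nonce, token_from_stored_hash_only(stored, nonce)
    )
    return with_password, with_hash_only


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False)`: the verifying side can hold only the double hash, while the connecting side needs the password or `SHA1(password)`.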
Thanks for your reply.
Rene. To answer your question about how applications authenticate. We begin with a mysql password which is given to the app operations team. They change this password; we do not then have the password. They encrypt the new password and store the encrypted value in the application's configuration file. The application calls a supplied api with a key and the encrypted password which returns the unencrypted password and proceeds to log in to mysql. The key is unique to the application and is stored securely but I do not know those details. All of this communication uses ssl. Passwords are changed every 90 days. I recognize your issue with these "client" passwords and suggest it might be a workaround to use an agreed-upon encryption method. I totally understand such a solution is security theatre and not necessarily a good solution but it would allow us to answer cyber that the password is encrypted thereby meeting their requirement. Once we answer in the affirmative Cyber typically does not dive into the details.
Hi friends, any update on this particular issue? Thanks
Look at this PR --> #4258
@thiborgesnvs Could you please provide a bit more details? I see that PR was merged, but still no changes for monitor_password.
Hello,
Would you please consider adding the following feature to ProxySQL?
The ability to store the password of the monitor user in an encrypted form (e.g. sha1(plaintext)) instead of plain text in the global_variables table.
Storing any password in a plain text form is considered a security bug in our company's policy.
Thank you