Is it possible to intercept and change login information within a lua script for mysql-proxy.
for example, if a user were to hit the proxy like this:
mysql -h localhost -P 4040 -u bob -D orders -p
i would want the connection not only redirected to a backend server, but also the username/database name changed, so that the above command was the equivalent of this:
mysql -h production.server -P 3306 -u bob_production -D bob_orders -p
I notice that it seems that I can only get auth information in the script after the auth has been passed, and even if I could get it before, i don't see a way to easily inject it.
Does anyone have an idea on how this would be possible within mysql-proxy, or with some other solution?
It is possible. In the share/docs directory of the installation bundle have a look at the tutorial script tutorial-scramble.lua which is an example that validates a hashed password from a remote client and substitutes the authentication credentials required by the server.
The function used in the tutorial example is: read_auth()
You might also want to monitor the authentication response from the server which can be done with read_auth_result().
Related
You can avoid re-entering mysql command line password by putting the queries into a file.
In my case, the later queries are not determined until after the first queries have finished.
This happens in a non-interactive script so running a mysql console is not an option.
Is there any notion of a session for mysql command line interactions? Or can I set it up to listen for commands on a local unix socket (the output is required to be returned)? Or something like that?
User #smcjones mentions using the .my.cnf file or mysql_config_editor. Those are good suggestions, I give my +1 vote to him.
Another solution is to put the credentials in any file of your choosing and then specify that file when you invoke MySQL tools:
mysql --defaults-extra-file=my_special.cnf ...other arguments...
And finally, just for completeness, you can use environment variables for some options, like host and password. But strangely, not the user. See http://dev.mysql.com/doc/refman/5.7/en/environment-variables.html
export MYSQL_HOST="mydbserver"
export MYSQL_PWD="Xyzzy"
mysql ...other arguments...
I don't really recommend using an environment variable for the password, since anyone who can run ps on your client host can see the environment variables for the mysql client process.
There are a few ways to handle this in MySQL.
Put password in hidden .my.cnf in the home directory of the user the script is running as.
[client]
user=USER
password=PASSWORD
Use mysql_config_editor
mysql_config_editor set --login-path=client --host=localhost
--user=localuser --password
When prompted to enter your password, enter it like you otherwise would.
IMO this is the worst option, but I'll add it for the sake of completeness.
You could always create a function wrapper for MySQL that appends your set password.
#! /bin/bash
local_mysql_do_file() {
mysql -u localuser -h localhost -pPASSWORD_NO_SPACE < $1
}
# usage
local_mysql_do_file file.sql
I would like to connect to mysql database without interaction for the password (I need for using it during a batch script). I'm using this script, but before start the connection I must insert the password.
mysql -u username#databasename -p "Password" -h hostnamedatabase -P 3344
I have tried this other approach but I have no success
mysql -u username#databasename -pPassword -h hostnamedatabase -P 3344
Is there a way to enter the password directly without typing it in?
New answer
OP is on command line on a remote server (using SSH). From there, mysql needs to be used password-less - so to speak - to create user on INSTANCE1 and INSTANCE2.
That's doable also. You'd use --defaults-group-suffix switch.
~/.my.cnf
Let's start with creating a file called .my.cnf in your home directory (aka ~/.my.cnf). Put this in it.
[client1]
user=INSTANCE1-USERNAME
password=INSTANCE1-PASSWORD
database=INSTANCE1-DATABASE (this could be mysql)
host=INSTANCE1-HOSTNAME-OR-IP
[client2]
user=INSTANCE2-USERNAME
password=INSTANCE2-PASSWORD
database=INSTANCE2-DATABASE (this could be mysql)
host=INSTANCE2-HOSTNAME-OR-IP
Save the file. Do chmod 600 ~/.my.cnf to ensure only your username and root/root-like user can see it.
Now, type this to get to first server:
mysql --defaults-group-suffix=1
Then, use this to get to the second server:
mysql --defaults-group-suffix=2
Explanation
Typically ~/.my.cnf will have the following block
[client]
user=USERNAME
password=PASSWORD
database=DATABASE (this could be mysql)
host=localhost (or whatever hostname/IP)
That allows you to just type mysql and log on. MySQL looks for credentials, host, port etc. in ~/.my.cnf. If it gets that info, it'll use it to log in to MySQL. Cool. Easy enough.
--defaults-group-suffix=2 tells MySQL to look into ~/.my.cnf but not read the [client] block but instead read the [client2] block for credentials/information.
Similarly --defaults-group-suffix=1 tells MySQL to look into ~/.my.cnf and read the [client1] block for credentials/information.
That way, you can have credentials for multiple servers or databases within a single server and log on to MySQL without having to prompt/provide credentials through command line.
You can use this tool with scripts as long as the ~/.my.cnf file is in the username that is running those scripts.
Documentation
https://dev.mysql.com/doc/refman/8.0/en/option-file-options.html
https://dev.mysql.com/doc/refman/8.0/en/option-files.html#option-file-syntax
Another method using --login-path
See https://dev.mysql.com/doc/refman/8.0/en/mysql-config-editor.html. It shows you can log on to mysql using --login-path switch. Since the above method will work well for you, I am just adding this as a reference.
Old answer
You can actually do that. Assuming you are on Linux, create a .my.cnf file under your home directory. Type this in it:
[client]
user=username
password=yourpass
Then, you can do mysql -h host -P 3344 -D databasename
See documentation here: https://dev.mysql.com/doc/refman/8.0/en/option-files.html
Also make sure that this file is adequately protected (do chmod 600 ~/.my.cnf).
After I went to phpMyAdmin to create new user.
Username: ken
Hostname: localhost
Password: 123456
Checked Global Privilege
When I start the MySQL console, it said that I need to enter the password. I pressed [ENTER] and it seem I have login to root. I haven't create password for root yet, Do I have to create a password for root? (I know it kinda dumb question, but I just want be crystal clear and simple answer)
Also, If I wanted to login to my newly created user, how do I do it?
I tried:
mysql> mysql -h localhost -u ken -p
->exit
Nothing happened.
The MySQL Console menu item in WAMPServer is setup to use the root account.
As the root account comes out of the box with no password set, then the correct thing to do is to just hit enter when the mysql processor asks for a password.
If you set a password on the MYSQL root account then when the MYSQL Console asks for a password you can use the newly created password.
If you want to login to MYSQL using a different user account, then it is simpler to use a command window and CD into the mysql folder and run the mysql.exe processor from there like
> cd \wamp\bin\mysql\mysql{version}\mysql
mysql -uken -p
I personally use a little batch file, that I store in a folder that is already on the windows PATH, never add a wamp folder to the windows PATH as this will mess you up when/if you ever install more than one version of MYSQL in your WAMPServer!
mysqlpath.bat
echo off
if %1.==. GOTO ERROR
PATH=%PATH%;c:\wamp\bin\mysql\mysql%1\bin
echo
echo -----------------------------------------------
mysql -V
echo -----------------------------------------------
echo
GOTO EndPHP
:ERROR
echo -----------------------------------------------
echo Parameter 1 should be something like 5.4.13 to use mysql5.4.13
echo -----------------------------------------------
:EndPHP
Then you run it like
>mysqlpath 5.7.10
and it sets that path up just for the duration of the command windows life.
First of all you have to logout of your current and then login with your new user:
For exiting just type:
> exit;
Then login with your new user:
$ mysql -u <username> -p
Keep in mind that:
By default mysql logic try with host localhost, otherwise if your server it's in another host just add the flag -h <your-hostname> at the end of your Shell request.
By default also, mysql try with port 3306, otherwise if your mysql's server port it's in another port just add --port=3333 at the end of your Shell request.
Keep in mind that if you aren't enable to run console interface of mysql you can use a Environment PATH for executing mysql otherwise you must edit your comand... changing mysql by the path to the wamp mysql bin location.
Let's supose you have mysql in this location: C:\wamp\bin\mysql\mysql5.7.19\bin, then, your comand will be:
D:\wamp2\bin\mysql\mysql5.7.19\bin\mysql.exe -u <username> -p
And that's it. If you have any issue please let me know, I will gladly help.
Resources:
How to manage MySQL databases and users from the command line
You can avoid re-entering mysql command line password by putting the queries into a file.
In my case, the later queries are not determined until after the first queries have finished.
This happens in a non-interactive script so running a mysql console is not an option.
Is there any notion of a session for mysql command line interactions? Or can I set it up to listen for commands on a local unix socket (the output is required to be returned)? Or something like that?
User #smcjones mentions using the .my.cnf file or mysql_config_editor. Those are good suggestions, I give my +1 vote to him.
Another solution is to put the credentials in any file of your choosing and then specify that file when you invoke MySQL tools:
mysql --defaults-extra-file=my_special.cnf ...other arguments...
And finally, just for completeness, you can use environment variables for some options, like host and password. But strangely, not the user. See http://dev.mysql.com/doc/refman/5.7/en/environment-variables.html
export MYSQL_HOST="mydbserver"
export MYSQL_PWD="Xyzzy"
mysql ...other arguments...
I don't really recommend using an environment variable for the password, since anyone who can run ps on your client host can see the environment variables for the mysql client process.
There are a few ways to handle this in MySQL.
Put password in hidden .my.cnf in the home directory of the user the script is running as.
[client]
user=USER
password=PASSWORD
Use mysql_config_editor
mysql_config_editor set --login-path=client --host=localhost
--user=localuser --password
When prompted to enter your password, enter it like you otherwise would.
IMO this is the worst option, but I'll add it for the sake of completeness.
You could always create a function wrapper for MySQL that appends your set password.
#! /bin/bash
local_mysql_do_file() {
mysql -u localuser -h localhost -pPASSWORD_NO_SPACE < $1
}
# usage
local_mysql_do_file file.sql
I've heard that directly inputting your password on the command line is a bad idea, because anyone could see the "secret" in
mysql -u root -psecret
by browsing history.
I have a password for my MySQL database stored in a text file with limited read permissions, and was wondering if it is safe to access it in the following way:
mysql -u root -p$(cat ~/.mysql_pass)
Browsing history, I see the command printed, not the literal value. So it seems like it's working the way I want it to.
I'm sure there are better ways of handling passwords, I would just like to know whether or not this one is leaving my password completely out in the open.
You've suggested using the following:
mysql -u root -p$(cat ~/.mysql_pass)
However, the subcommand will be expanded before mysql is executed and so even if this isn't available in the command history, it's entirely possible for someone to view the process list just after invocation and see your password.
I think a better approach is to use a mysql client options file and have the mysql command read the password from the options file.
Just type mysql -u root -p and you'll get a prompt to enter your password and it won't be stored in the history.