Fuel for OpenStack

The wsrep_sst_auth option is superfluous

Bug #1662522 reported by Gabor Orosz
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Confirmed
Medium
Fuel Sustaining
Fuel for OpenStack 10.x-updates

Bug Description

According to the Galera cluster documentation (http://galeracluster.com/documentation-webpages/mysqlwsrepoptions.html#wsrep-sst-auth) the wsrep-sst-auth parameter is used only for State Snapshot Transfers that utilizes logical state transfer method. Currently, there is only one logical state transfer method is available in Galera, which is the mysqldump one.
As Fuel deploys and configures the controllers to use the xtrabackup-v2 method for SST, therefore this wsrep-sst-auth option is superfluous and needs to be removed from the MySQL configuration file.

Revision history for this message
Oleksiy Molchanov (omolchanov) wrote :

Gabor, does it break anything? If not, I see no reason to remove it.

Changed in fuel:
status: New → Incomplete
Revision history for this message
Gabor Orosz (gabor.orosz) wrote :

Hi Oleksiy,

From security perspective it is a problem as the my.cnf is world readable at the moment. At least the file permissions need to be changed.

Revision history for this message
Gabor Orosz (gabor.orosz) wrote :

After doing some testing on this topic, I had to realize that on the donor side this credential is necessary for innobackupex to be able to create the backup. So, in my opinion the Galera documentation is a bit misleading in this aspect. However, due to the file permissions, this sensitive information is currently world readable on the controllers.

Oleksiy Molchanov (omolchanov)
Changed in fuel:
assignee: nobody → Fuel Sustaining (fuel-sustaining-team)
milestone: none → 10.x-updates
importance: Undecided → Medium
status: Incomplete → Confirmed
tags: added: area-library
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.