a) The joiner doesn't need the sst auth in first place (since auth happens on donor).
b) The donor doesn't need to pass wsrep_sst_xtrabackup the user:password either. The wsrep_sst_common can directly parse the my.cnf file.
c) There already seems to be some masking present with sst_auth_real / wsrep_sst_auth but that doesn't seem to be working.
#b is the easiest fix for this, but also requires fixing in wsrep_sst.cc to not pass user:pass
a) The joiner doesn't need the sst auth in first place (since auth happens on donor).
b) The donor doesn't need to pass wsrep_sst_ xtrabackup the user:password either. The wsrep_sst_common can directly parse the my.cnf file.
c) There already seems to be some masking present with sst_auth_real / wsrep_sst_auth but that doesn't seem to be working.
#b is the easiest fix for this, but also requires fixing in wsrep_sst.cc to not pass user:pass