How to setup MySQL users with Maxscale

I'm setting up a 3-node (MariaDB 10.4) Galera cluster with 2 frontal servers.

Inside each of these frontal servers there is also a Maxscale 6 daemon.

[listener]
type=listener
service=readwritesplit
protocol=MariaDBClient
address=127.0.0.1
port=3306

All of these servers are inside the 10.1.0.0/24 network.

At MariaDB, I've created users like CREATE USER 'user'@'10.1.0.%' but these can't authenticate.

Authentication failed for user 'user'@[127.0.0.1] to service 'readwritesplit'. Originating listener: 'listener'. MariaDB error: 'Access denied for user 'user'@'127.0.0.1' (using password: YES)'.

So I've RENAME 'user'@'10.1.0.%' TO 'user'@'127.0.0.1'. Another authentication error.

maxscale[1109436]: Authentication to 'node1' failed: 1045, #28000: Access denied for user 'user'@'frontal1' (using password: YES)

I ended up with RENAME 'user'@'10.1.0.%' TO 'user'@'%'. All fine here of course.

As long as all servers are on the 10.1.0.% network, why can't users 'user'@'10.1.0.%' authenticate?

If you want to access from the local host (i.e. 127.0.0.1), you either need two separate users ('user'@'127.0.0.1' and 'user'@'10.1.0.%') or a grant that covers them both ('user'@'%'). A more detailed description of this can be found in the MaxScale tutorial.

You can make authentication handling with MaxScale significantly simpler by using the proxy_protocol feature in MaxScale. This would allow you to define users only once with the exact IP address they come from and let the proxy-protocol-networks variable in MariaDB control which MaxScale instances are allowed to act as proxies.


The error 'user'@'127.0.0.1' means that the client was attempting to connect from the local host, i.e. by connecting to the loopback address. This isn't covered by the 10.1.0.% host which explains why it failed.

Having converted the user to 'user'@'127.0.0.1', the local login between the client and MaxScale worked but then the backend server rejected the authentication as the MaxScale host no longer matches the grant's network (127.0.0.1).

Using the % host causes all addresses to match which explains why it solved the problem.
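
The two-hop check described in the answer above, as an added example that is not part of the original question or answer. It is a simplified model, not MaxScale or MariaDB code: the function names are hypothetical, 10.1.0.11 is an assumed address for the frontal1 host, and hosts are compared by IP only.

```python
import re

def host_matches(pattern: str, host: str) -> bool:
    """Match an account host pattern ('%' = any run of chars, '_' = one char)."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def check_login(account_hosts, client_ip, maxscale_ip, proxy_protocol=False):
    """Return which hop rejects the login, or 'ok'.

    Hop 1: MaxScale checks the client's address against the account hosts.
    Hop 2: the backend checks the address it sees, which is MaxScale's own
           address, or the original client address with proxy protocol.
    """
    if not any(host_matches(h, client_ip) for h in account_hosts):
        return "rejected by MaxScale"
    backend_sees = client_ip if proxy_protocol else maxscale_ip
    if not any(host_matches(h, backend_sees) for h in account_hosts):
        return "rejected by backend"
    return "ok"

# Constructed addresses: the client reaches the listener over loopback,
# and MaxScale reaches the Galera nodes from frontal1 (assumed 10.1.0.11).
CLIENT, FRONTAL1 = "127.0.0.1", "10.1.0.11"

def scenarios():
    """Replay the account definitions tried in the question and answer."""
    return {
        "10.1.0.% only": check_login(["10.1.0.%"], CLIENT, FRONTAL1),
        "127.0.0.1 only": check_login(["127.0.0.1"], CLIENT, FRONTAL1),
        "% only": check_login(["%"], CLIENT, FRONTAL1),
        "two accounts": check_login(["127.0.0.1", "10.1.0.%"], CLIENT, FRONTAL1),
        "127.0.0.1 + proxy protocol": check_login(
            ["127.0.0.1"], CLIENT, FRONTAL1, proxy_protocol=True),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} -> {result}")
```

The two narrow accounts pass both hops without widening the grant to every address, which is the first option the answer gives.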
