How to set up MySQL users with MaxScale
I'm setting up a 3-node (MariaDB 10.4) Galera cluster with 2 frontal servers.
Inside each of these frontal servers there is also a MaxScale 6 daemon.
[listener]
type=listener
service=readwritesplit
protocol=MariaDBClient
address=127.0.0.1
port=3306
All of these servers are inside the 10.1.0.0/24 network.
In MariaDB, I've created users like CREATE USER 'user'@'10.1.0.%' but these can't authenticate.
Authentication failed for user 'user'@[127.0.0.1] to service 'readwritesplit'. Originating listener: 'listener'. MariaDB error: 'Access denied for user 'user'@'127.0.0.1' (using password: YES)'.
So I did RENAME 'user'@'10.1.0.%' TO 'user'@'127.0.0.1'. Another authentication error.
maxscale[1109436]: Authentication to 'node1' failed: 1045, #28000: Access denied for user 'user'@'frontal1' (using password: YES)
I ended up doing RENAME 'user'@'10.1.0.%' TO 'user'@'%'. All fine here of course.
As long as all servers are on the 10.1.0.% network, why can't users 'user'@'10.1.0.%' authenticate?
If you want to access from the local host (i.e. 127.0.0.1), you either need two separate users ('user'@'127.0.0.1' and 'user'@'10.1.0.%') or a grant that covers them both ('user'@'%'). A more detailed description of this can be found in the MaxScale tutorial.
You can make authentication handling with MaxScale significantly simpler by using the proxy_protocol feature in MaxScale. This would allow you to define users only once with the exact IP address they come from and let the proxy-protocol-networks variable in MariaDB control which MaxScale instances are allowed to act as proxies.
The error 'user'@'127.0.0.1' means that the client was attempting to connect from the local host, i.e. by connecting to the loopback address. This isn't covered by the 10.1.0.% host, which explains why it failed.
Having converted the user to 'user'@'127.0.0.1', the local login between the client and MaxScale worked but then the backend server rejected the authentication as the MaxScale host no longer matches the grant's network (127.0.0.1).
Using the % host causes all addresses to match, which explains why it solved the problem.
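The two-hop check described in the answer above, as an added example that is not part of the original post: it models MariaDB's host wildcards (% and _) and replays each account set from the question, plus the two-account option, against both hops. The MaxScale address 10.1.0.11 is a constructed value, and the model matches on IP addresses only, so it ignores the resolved hostname 'frontal1' seen in the backend log.

```python
import re

def host_matches(pattern, host):
    """MariaDB-style account host match: % is any run of characters, _ is any single one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def login_path(account_hosts, client_addr, maxscale_addr):
    """Return (hop1_ok, hop2_ok) for one login through MaxScale.

    hop 1: MaxScale checks the client's address against the accounts.
    hop 2: the backend checks MaxScale's own address against the same accounts.
    """
    hop1 = any(host_matches(h, client_addr) for h in account_hosts)
    hop2 = any(host_matches(h, maxscale_addr) for h in account_hosts)
    return hop1, hop2

CLIENT_ADDR = "127.0.0.1"    # client reaches the listener on address=127.0.0.1
MAXSCALE_ADDR = "10.1.0.11"  # constructed address for frontal1 inside 10.1.0.0/24

# Host parts of the 'user' accounts tried in the question, plus the two-account option.
SCENARIOS = {
    "'user'@'10.1.0.%' only": ["10.1.0.%"],
    "'user'@'127.0.0.1' only": ["127.0.0.1"],
    "'user'@'%'": ["%"],
    "'user'@'127.0.0.1' and 'user'@'10.1.0.%'": ["127.0.0.1", "10.1.0.%"],
}

def report():
    return {name: login_path(hosts, CLIENT_ADDR, MAXSCALE_ADDR)
            for name, hosts in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (hop1, hop2) in report().items():
        print(f"{name:45} client->MaxScale: {'ok' if hop1 else 'denied':7} "
              f"MaxScale->backend: {'ok' if hop2 else 'denied'}")
```

The two narrow accounts pass both hops just as 'user'@'%' does, without matching addresses outside the loopback and the 10.1.0.0/24 network.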