Skip to content
logo
Percona Operator for MySQL
Application and system users
Initializing search
    percona/k8spxc-docs
    percona/k8spxc-docs
    • Welcome
      • System Requirements
      • Design and architecture
      • Comparison with other solutions
      • Install with Helm
      • Install with kubectl
      • Install on Minikube
      • Install on Google Kubernetes Engine (GKE)
      • Install on Amazon Elastic Kubernetes Service (AWS EKS)
      • Install on Microsoft Azure Kubernetes Service (AKS)
      • Install on OpenShift
      • Generic Kubernetes installation
      • Multi-cluster and multi-region deployment
      • Application and system users
        • Unprivileged users
        • System Users
          • YAML Object Format
          • Password Rotation Policies and Timing
          • Marking System Users In MySQL
        • Development Mode
      • Changing MySQL Options
      • Anti-affinity and tolerations
      • Labels and annotations
      • Local Storage support
      • Defining environment variables
      • Load Balancing with HAProxy
      • Load Balancing with ProxySQL
      • Transport Encryption (TLS/SSL)
      • Data at rest encryption
      • Telemetry
        • About backups
        • Configure storage for backups
        • Make scheduled backups
        • Make on-demand backup
        • Store operations logs for point-in-time recovery
        • Enable compression for backups
        • Restore from a previously saved backup
        • Copy backup to a local machine
        • Delete the unneeded backup
      • Upgrade Database and Operator
      • Horizontal and vertical scaling
      • Monitor with Percona Monitoring and Management (PMM)
      • Add sidecar containers
      • Restart or pause the cluster
      • Crash recovery
      • Initial troubleshooting
      • Exec into the container
      • Check the logs
      • Special debug images
      • How to install Percona XtraDB Cluster in multi-namespace (cluster-wide) mode
      • How to upgrade Percona XtraDB Cluster manually
      • How to use private registry
      • How to restore backup to a new Kubernetes-based environment
      • How to use backups and asynchronous replication to move an external database to Kubernetes
      • Monitor Kubernetes
      • Custom Resource options
      • Percona certified images
      • Versions compatibility
      • Operator API
      • Frequently Asked Questions
      • Old releases (documentation archive)
      • Copyright and licensing information
      • Trademark policy
      • Release notes index
      • Percona Operator for MySQL based on Percona XtraDB Cluster 1.13.0 (2023-07-11)
      • Percona Operator for MySQL based on Percona XtraDB Cluster 1.12.0 (2022-12-07)
      • Percona Operator for MySQL based on Percona XtraDB Cluster 1.11.0 (2022-06-03)
      • Percona Distribution for MySQL Operator 1.10.0 (2021-11-24)
      • Percona Distribution for MySQL Operator 1.9.0 (2021-08-09)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.8.0 (2021-05-26)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.7.0 (2021-02-02)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.6.0 (2020-09-09)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.5.0 (2020-07-21)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.4.0 (2020-04-29)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.3.0 (2020-01-06)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.2.0 (2019-09-20)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.1.0 (2019-07-15)
      • Percona Kubernetes Operator for Percona XtraDB Cluster 1.0.0 (2019-05-29)

    • Unprivileged users
    • System Users
      • YAML Object Format
      • Password Rotation Policies and Timing
      • Marking System Users In MySQL
    • Development Mode

    Users¶

    MySQL user accounts within the Cluster can be divided into two different groups:

    • application-level users: the unprivileged user accounts,
    • system-level users: the accounts needed to automate the cluster deployment and management tasks, such as Percona XtraDB Cluster Health checks or ProxySQL integration.

    As these two groups of user accounts serve different purposes, they are considered separately in the following sections.

    Unprivileged users¶

    There are no unprivileged (general purpose) user accounts created by default. If you need general purpose users, please run commands below:

    $ kubectl run -it --rm percona-client --image=percona:8.0 --restart=Never -- mysql -hcluster1-pxc -uroot -proot_password
mysql> GRANT ALL PRIVILEGES ON database1.* TO 'user1'@'%' IDENTIFIED BY 'password1';

    Note

    MySQL password here should not exceed 32 characters due to the replication-specific limit introduced in MySQL 5.7.5.

    Verify that the user was created successfully. If successful, the following command will let you successfully login to MySQL shell via ProxySQL:

    $ kubectl run -it --rm percona-client --image=percona:8.0 --restart=Never -- bash -il
percona-client:/$ mysql -h cluster1-proxysql -uuser1 -ppassword1
mysql> SELECT * FROM database1.table1 LIMIT 1;

    You may also try executing any simple SQL statement to ensure the permissions have been successfully granted.

    System Users¶

    To automate the deployment and management of the cluster components, the Operator requires system-level Percona XtraDB Cluster users.

    Credentials for these users are stored as a Kubernetes Secrets object. The Operator requires Kubernetes Secrets before Percona XtraDB Cluster is started. It will either use existing Secrets or create a new Secrets object with randomly generated passwords if it didn’t exist. The name of the required Secret (cluster1-secrets by default) should be set in the spec.secretsName option of the deploy/cr.yaml configuration file.

    The following table shows system users’ names and purposes.

    Warning

    These users should not be used to run an application.

    User Purpose Username Password Secret Key Description
    Admin root root Database administrative user, can be used by the application if needed
    ProxySQLAdmin proxyadmin proxyadmin ProxySQL administrative user, can be used to add general-purpose ProxySQL users
    Backup xtrabackup xtrabackup The user to run backups, granted all privileges for the point-in-time recovery needs
    Cluster Check clustercheck clustercheck User is deprecated in v1.12.0, unavailable in one of the next releases
    Monitoring monitor monitor User for internal monitoring purposes like liveness/readiness checks and PMM agent
    PMM Server Password should be set through the operator options pmmserver Password used to access PMM Server. Password-based authorization method is deprecated since the Operator 1.11.0. Use token-based authorization instead
    Operator Admin operator operator Database administrative user, should be used only by the Operator
    Replication replication replication Administrative user needed for cross-site Percona XtraDB Cluster

    YAML Object Format¶

    The default name of the Secrets object for these users is cluster1-secrets and can be set in the CR for your cluster in spec.secretName to something different. When you create the object yourself, it should match the following simple format:

    apiVersion: v1
kind: Secret
metadata:
  name: cluster1-secrets
type: Opaque
stringData:
  root: root_password
  xtrabackup: backup_password
  monitor: monitory
  clustercheck: clustercheckpassword
  proxyadmin: admin_password
  operator: operatoradmin
  replication: repl_password

    The example above matches what is shipped in deploy/secrets.yaml which contains default passwords. You should NOT use these in production, but they are present to assist in automated testing or simple use in a development environment.

    As you can see, because we use the stringData type when creating the Secrets object, all values for each key/value pair are stated in plain text format convenient from the user’s point of view. But the resulting Secrets object contains passwords stored as data - i.e., base64-encoded strings. If you want to update any field, you’ll need to encode the value into base64 format. To do this, you can run echo -n "password" | base64 --wrap=0 (or just echo -n "password" | base64 in case of Apple macOS) in your local shell to get valid values. For example, setting the Admin user’s password to new_password in the cluster1-secrets object can be done with the following command:

    $ kubectl patch secret/cluster1-secrets -p '{"data":{"root": "'$(echo -n new_password | base64 --wrap=0)'"}}'

    $ kubectl patch secret/cluster1-secrets -p '{"data":{"root": "'$(echo -n new_password | base64)'"}}'

    Password Rotation Policies and Timing¶

    When there is a change in user secrets, the Operator creates the necessary transaction to change passwords. This rotation happens almost instantly (the delay can be up to a few seconds), and it’s not needed to take any action beyond changing the password.

    Note

    Please don’t change secretName option in CR, make changes inside the secrets object itself.

    Starting from the Operator version 1.13.0 system users are created with the PASSWORD EXPIRE NEVER policy. Also, same policy is automatically applied to system users on existing clusters when the Operator is upgraded to 1.13.0.

    Marking System Users In MySQL¶

    Starting with MySQL 8.0.16, a new feature called Account Categories has been implemented, which allows us to mark our system users as such. See the official documentation on this feature for more details.

    Development Mode¶

    To make development and testing easier, deploy/secrets.yaml secrets file contains default passwords for Percona XtraDB Cluster system users.

    These development mode credentials from deploy/secrets.yaml are:

    Secret Key Secret Value
    root root_password
    xtrabackup backup_password
    monitor monitor
    clustercheck clustercheckpassword
    proxyadmin admin_password
    operator operatoradmin
    replication repl_password

    Warning

    Do not use the default Percona XtraDB Cluster user passwords in production!

    Contact Us

    For free technical help, visit the Percona Community Forum.

    To report bugs or submit feature requests, open a JIRA ticket.

    For paid support and managed or consulting services , contact Percona Sales.

    Last update: 2023-10-12
    Percona LLC and/or its affiliates, © 2009 - 2023
    Made with Material for MkDocs

    Cookie consent

    We use cookies to recognize your repeated visits and preferences, as well as to measure the effectiveness of our documentation and whether users find what they're searching for. With your consent, you're helping us to make our documentation better. Read more about Percona Cookie Policy.