MySQL Forums
Forum List  »  Security

Re: MySQL workbench password rotation
Posted by: Georgi Kodinov
Date: April 08, 2020 09:50AM

How would that auto-update work exactly ? You will need to find all clients and update them somehow. Tricky !

How do you solve this for your OS logins (if you're using the same secrets manager) ?
Does the secrets manager you're using have e.g. a PAM module ?
If it does you can make mysql server authenticate its users against it directly (instead of against the password hashes you stored into mysql.user).
Read e.g. https://dev.mysql.com/doc/refman/8.0/en/pam-pluggable-authentication.html on how is this done.

If your secrets manager doesn't do this then how do you store the passwords from it into mysql.user ?
Are you executing some sort of automated set of SET PASSWORD sequences ?
If I was your user I would be seriously worried in this case since you'd know my password and can impersonate me at all times.

You maybe need to describe what are you doing exactly and then take some professional advice from e.g. https://www.mysql.com/support/.

I will talk here about the scenarios that I've seen working:

1. local mysqld authentication against secrets stored into mysql.user. Possibly with automatic password rotation and quality controls. Users have a separate password for mysql and it's their responsibility to set it, rotate it and store it in a safe place. MySQL has some tools to offer for that: forced password rotation, strength, time between reuses etc.
2. external authentication. All secrets are maintained in a trusted third party (e.g. an LDAP server or active directory). In this case mysql.user is not filled in with logins but instead with "roles" that define the sets of privileges. And all actual logins are authenticated against the trusted 3rd party. And the mapping between them and the "roles" in mysql.user is also maintained externally.
3. PKI authentication. Passwords are largely not used. Instead the server insists on having a valid and properly signed certificate. And the privileges in mysql are kind of based on the certificate kind and mapped to a set of mysql.user "roles". All access is managed into a PKI provider.

If your scenario is not one of these then you may want to give it some consideration and try to morph it into one of the above types IMHO.

Georgi "Joro" Kodinov
MySQL SrvGen team lead
Plovdiv, Bulgaria

Options: ReplyQuote


Subject
Views
Written By
Posted
292
February 16, 2020 10:28AM
Re: MySQL workbench password rotation
139
April 08, 2020 09:50AM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.