Updating Database User Passwords
Rotating user passwords is a common procedure that all businesses follow on a regular basis. This should be no different when Tungsten Clustering is in use however the process needs to be handled with care to ensure uninterrupted operations.
The procedure below provides the basic steps required to change the database user account associated with Tungsten. This would be the user that is configured by
the replication-user option that is used by the Tungsten processes.
The first step is to place the cluster into MAINTENANCE mode:
shell> cctrlcctrl> set policy maintenanceIf you are running a Composite Active/Passive, Composite Active/Active or a Composite Dynamic Active/Active topology, then you should place all clusters into MAINTENANCE at this step, by issuing the command at the top-level composite cluster, for example:
shell> cctrlcctrl> use globalcctrl> set policy maintenanceOn the primary node, connect to mysql as the root user and issue the password change (This example assumes the DB user is called
tungsten):shell> mysql -u root -pmysql> select @@hostname; <-- Execute this to check and ensure you are connected to the primarymysql> set password for tungsten@'%' = password('new_pass');mysql> flush privilegesOn all remaining nodes, connect to mysql as the root user and issue the following:
shell> mysql -u root -pmysql> flush privilegesAt this point, tungsten services will now show as offline, however because we are in MAINTENANCE, applications will still be connected.
To bring process online with the new password, we now need to update the
/etc/tungsten/tungsten.iniand update the password accordingly for thereplication-userentry. After updating this on every host, issue the following, also on every host:shell> tpm updateReturn the cluster to AUTOMATIC mode:
shell> cctrlcctrl> set policy automaticIf you are running a Composite Active/Passive, Composite Active/Active or a Composite Dynamic Active/Active topology, and you have completed the above update on all nodes in all clusters, then you can place all clusters back into AUTOMATIC at this step, by issuing the command at the top-level composite cluster, for example:
shell> cctrlcctrl> use globalcctrl> set policy automatic
Using MySQL 8.0.14+?
If you are running version 8.0.14 or later of MySQL, you may want to consider making use of a new MySQL feature that allows user accounts to have dual passwords. Doing so would eliminate the offline state of Tungsten components in the above example. This process would look like the following:
The first step is to place the cluster into MAINTENANCE mode:
shell> cctrlcctrl> set policy maintenanceIf you are running a Composite Active/Passive, Composite Active/Active or a Composite Dynamic Active/Active topology, then you should place all clusters into MAINTENANCE at this step, by issuing the command at the top-level composite cluster, for example:
shell> cctrlcctrl> use globalcctrl> set policy maintenanceOn the primary node, connect to mysql as the root user and issue the DDL below (This example assumes the DB user is called
tungsten):shell> mysql -u root -pmysql> select @@hostname; <-- Execute this to check and ensure you are connected to the primarymysql> ALTER USER tungsten@'%' IDENTIFIED BY 'second_pass' RETAIN CURRENT PASSWORD;mysql> flush privilegesOn all remaining nodes, connect to mysql as the root user and issue the following:
shell> mysql -u root -pmysql> flush privilegesWe now need to update the
/etc/tungsten/tungsten.iniand update the password accordingly for thereplication-userentry. After updating this on every host, issue the following, also on every host:shell> tpm updateReturn the cluster to AUTOMATIC mode:
shell> cctrlcctrl> set policy automaticIf you are running a Composite Active/Passive, Composite Active/Active or a Composite Dynamic Active/Active topology, and you have completed the above update on all nodes in all clusters, then you can place all clusters back into AUTOMATIC at this step, by issuing the command at the top-level composite cluster, for example:
shell> cctrlcctrl> use globalcctrl> set policy automaticWhen all systems that utilise the account have been updated to use the new password, issue the following on the primary node:
shell> mysql -u root -pmysql> select @@hostname; <-- Execute this to check and ensure you are connected to the primarymysql> ALTER USER tungsten@'%' DISCARD OLD PASSWORD;mysql> flush privileges
Updating passwords for Connectors and Applications
It is not possible to update application user passwords without incurring downtime, the same applies if you are updating the user associated with the
application-user option that the connectors use.
To change these user accounts the process would be as follows:
On the primary node, connect to mysql as the root user and issue the password change
shell> mysql -u root -pmysql> select @@hostname; <-- Execute this to check and ensure you are connected to the primarymysql> set password for app_user@'%' = password('new_pass');mysql> flush privilegesOn all remaining nodes, connect to mysql as the root user and issue the following:
shell> mysql -u root -pmysql> flush privilegesAt this point, applications and/or connectors will be offline.
To bring connectors online with the new password, we need to update the
/etc/tungsten/tungsten.iniand update the password accordingly for theapplication-userentry. After updating this on every connector host, issue the following, also on every connector host:shell> tpm updateIf you are using Proxy mode, you will also need to update the password for application users within the
user.mapfile.After updating the file, the connector will automatically detect a change and reload.
As with the main Tungsten account, if you are running MySQL 8.0.14+ you can also make the process simpler with minimal to zero downtime by utilising the DUAL password feature. For application and connector users, this process is explained in "Dual-Passwords and MySQL 8"