This feature is ONLY available when using MySQL v8.0.14+. It works with any Tungsten version in Bridge mode with no additional configuration.
The use of dual passwords combined with Proxy Mode is only supported with Tungsten version 7.1.0+, by following the procedure outlined below.
Starting from MySQL 8.0.14, it is possible to configure user accounts to have two passwords. This allows for easy password rotation without downtime by allowing you to set a new password for the user whilst retaining the previous password, either indefinitely or for a period of time. For more information on this feature, see the MySQL documentation.
From version 7.1.0 of Tungsten Connector, it is possible to make use of this feature when using Proxy-based authentication. (If you are using Bridge mode, then this feature can be used with any Tungsten release.)
To make use of this feature, first of all you need to configure the account with the new password, using syntax along the lines of:
mysql> ALTER USER app_user@'%' IDENTIFIED BY 'second_pass' RETAIN CURRENT PASSWORD;
mysql> FLUSH PRIVILEGES;
Next, in the connector user.map file, add the additional password for the given user by adding an entry with the following syntax:
@dual <user>[@<host>] <second_pass>
Where <user> is the exact username that must have been defined earlier in the user.map as a regular entry. (See Section 7.6.1, “user.map File Format”.)
Note that an optional host can be specified next to the user, separated with an @ sign. In this case, the dual password must be defined (and can be different) for each user@host tuple.
No connector restart is needed; the user.map will be reloaded automatically after being updated.
If/when you then choose to discard the old password, first edit the user.map and update the original entry, replacing the old password with the new password:
<user> <second_pass> <service> <affinity>
Then issue the following statement in MySQL to discard the old password:
mysql> ALTER USER app_user@'%' DISCARD OLD PASSWORD;
You can then remove the @dual entry from the user.map when convenient.
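The check below is an added example, not part of Tungsten or its documentation: a small linter that reads user.map text and reports @dual entries that have no earlier regular entry for the user, and @dual entries that duplicate the primary password and can therefore be removed. It assumes that '#' starts a comment and that other '@' directives can be ignored; the function name and sample contents are constructed for illustration.

```python
# Added example: lint Tungsten Connector user.map text for @dual entries.
# Assumptions (not from the page): '#' starts a comment, and any other
# '@...' directive is skipped. SAMPLE is constructed data.

SAMPLE = """\
# constructed sample
app_user first_pass alpha
@dual app_user second_pass
@dual ghost_user some_pass
report_user new_pass alpha
@dual report_user new_pass
"""

def lint_user_map(text):
    """Return a list of (line_number, message) findings.

    Messages never include password values, so the output is safe to log.
    """
    primary = {}    # username -> password from its regular entry
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "@dual":
            # Expected form: @dual <user>[@<host>] <second_pass>
            if len(fields) != 3:
                findings.append((n, "malformed @dual entry"))
                continue
            user = fields[1].split("@", 1)[0]   # drop the optional @<host>
            if user not in primary:
                findings.append(
                    (n, f"@dual for '{user}' has no earlier regular entry"))
            elif primary[user] == fields[2]:
                findings.append(
                    (n, f"@dual for '{user}' matches the primary password; "
                        "entry can be removed"))
        elif fields[0].startswith("@"):
            continue                            # other directive, not checked
        elif len(fields) >= 2:
            primary[fields[0]] = fields[1]      # regular entry: user, password
    return findings

if __name__ == "__main__":
    for line_no, message in lint_user_map(SAMPLE):
        print(f"user.map:{line_no}: {message}")
```

Running it against a copy of user.map after each rotation step shows which @dual entries are still needed and which are left over from a completed rotation.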