MySQL user accounts within the Cluster can be divided into two different groups:
- application-level users: the unprivileged user accounts,
- system-level users: the accounts needed to automate the cluster deployment and management tasks, such as PXC Health checks or ProxySQL integration.
As these two groups of user accounts serve different purposes, they are considered separately in the following sections.
There are no unprivileged (general purpose) user accounts created by default. If you need general purpose users, run the commands below:
$ kubectl run -it --rm percona-client --image=percona:5.7 --restart=Never -- mysql -hcluster1-pxc -uroot -proot_password
mysql> GRANT ALL PRIVILEGES ON database1.* TO 'user1'@'%' IDENTIFIED BY 'password1';
The MySQL password here should not exceed 32 characters due to the replication-specific limit introduced in MySQL 5.7.5.
Verify that the user was created successfully. If it was, the following commands will let you log in to the MySQL shell via ProxySQL:
$ kubectl run -it --rm percona-client --image=percona:5.7 --restart=Never -- bash -il
percona-client:/$ mysql -h cluster1-proxysql -uuser1 -ppassword1
mysql> SELECT * FROM database1.table1 LIMIT 1;
You may also try executing any simple SQL statement to ensure the permissions have been successfully granted.
To automate the deployment and management of the cluster components, the Operator requires system-level PXC users.
Credentials for these users are stored as a Kubernetes Secrets object.
The Operator requires this Secrets object to be deployed before the PXC Cluster is started. The name of the required secrets (my-cluster-secrets by default) should be set in the spec.secretsName option of the deploy/cr.yaml configuration file.
The following table shows system users’ names and purposes.
These users should not be used to run an application.
| User Purpose | Username | Password Secret Key | Description |
|---|---|---|---|
| Admin | root | root | Database administrative user, can be used by the application if needed |
| ProxySQLAdmin | proxyadmin | proxyadmin | ProxySQL administrative user, can be used to add general-purpose ProxySQL users |
| Backup | xtrabackup | xtrabackup | User to run backups |
| Cluster Check | clustercheck | clustercheck | User for liveness checks and readiness checks |
| Monitoring | monitor | monitor | User for internal monitoring purposes and PMM agent |
| PMM Server Password | should be set through the operator options | pmmserver | Password used to access PMM Server |
| Operator Admin | operator | operator | Database administrative user, should be used only by the Operator |
The default name of the Secrets object for these users is my-cluster-secrets. It can be changed to something different in spec.secretsName in the CR for your cluster. When you create the object yourself, it should match the following simple format:
apiVersion: v1
kind: Secret
metadata:
  name: my-cluster-secrets
type: Opaque
data:
  root: cm9vdF9wYXNzd29yZA==
  xtrabackup: YmFja3VwX3Bhc3N3b3Jk
  monitor: bW9uaXRvcg==
  clustercheck: Y2x1c3RlcmNoZWNrcGFzc3dvcmQ=
  proxyadmin: YWRtaW5fcGFzc3dvcmQ=
  pmmserver: c3VwYXxefHBheno=
  operator: b3BlcmF0b3JhZG1pbg==
The example above matches what is shipped in deploy/secrets.yaml which contains default passwords. You should NOT use these in production, but they are present to assist in automated testing or simple use in a development environment.
As you can see, because we use the data type in the Secrets object, all values for each key/value pair must be encoded in base64. To do this you can run echo -n "password" | base64 in your local shell to get valid
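One way to produce and check the Secrets object described above, as an added example that is not part of the Percona documentation or the Operator's code. The function names are hypothetical, the keys and default values are copied from this page, and applying the 32-character password limit to system users is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not the Operator's own tooling): generate and audit the
# system-user Secrets manifest described on this page.

# Secret keys from the system users table above.
KEYS="root xtrabackup monitor clustercheck proxyadmin pmmserver operator"

# Base64 values of the development defaults, copied from the example manifest.
DEFAULTS="cm9vdF9wYXNzd29yZA== YmFja3VwX3Bhc3N3b3Jk bW9uaXRvcg==
Y2x1c3RlcmNoZWNrcGFzc3dvcmQ= YWRtaW5fcGFzc3dvcmQ= c3VwYXxefHBheno=
b3BlcmF0b3JhZG1pbg=="

# 24 random bytes encode to exactly 32 characters, the length limit this page
# gives for MySQL passwords (assumed here to apply to system users as well).
gen_password() {
  head -c 24 /dev/urandom | base64 | tr '+/' '-_' | tr -d '\n'
}

# Print a Secret manifest named $1 with a fresh random password for every key.
gen_secret_manifest() {
  local name key
  name="${1:-my-cluster-secrets}"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
  printf 'type: Opaque\ndata:\n'
  for key in $KEYS; do
    # Same encoding step as: echo -n "password" | base64
    printf '  %s: %s\n' "$key" "$(gen_password | base64 | tr -d '\n')"
  done
}

# Read a manifest on stdin; report keys that are missing or still carry a
# shipped default. Returns non-zero if anything was reported.
audit_secret_manifest() {
  local manifest key value d rc
  manifest="$(cat)"; rc=0
  for key in $KEYS; do
    value="$(printf '%s\n' "$manifest" | sed -n "s/^[[:space:]]*$key:[[:space:]]*//p")"
    if [ -z "$value" ]; then echo "MISSING $key"; rc=1; continue; fi
    for d in $DEFAULTS; do
      if [ "$value" = "$d" ]; then echo "DEFAULT $key"; rc=1; fi
    done
  done
  return "$rc"
}
```

Pipe the output of gen_secret_manifest to kubectl apply -f - to create the object, and run audit_secret_manifest over any manifest before it reaches a production cluster.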
When there is a change in user secrets, the Operator creates the necessary transaction to change passwords. This rotation happens almost instantly (the delay can be up to a few seconds), and no action is needed beyond changing the password.
Please don't change the secretsName option in the CR; make changes inside the Secrets object itself.
To make development and testing easier,
file contains default passwords for PXC system users.
These development mode credentials from
|Secret Key||Secret Value|
Do not use the default PXC user passwords in production!