Can the replication account password in MySQL master-slave replication be encrypted?
After setting up MySQL master-slave replication, you will find that the replication account's password is stored in plaintext in the User_password column of the system table mysql.slave_master_info. In earlier MySQL versions the account password was stored in the master.info file. The following example shows this:
mysql> select * from mysql.slave_master_info\G
*************************** 1. row ***************************
Number_of_lines: 33
Master_log_name: mysql_binlog.000001
Master_log_pos: 1165
Host: 192.168.9.154
User_name: repl
User_password: ReL@wpL#123456
Port: 3306
Connect_retry: 60
Enabled_ssl: 0
Ssl_ca:
Ssl_capath:
Ssl_cert:
Ssl_cipher:
Ssl_key:
Ssl_verify_server_cert: 0
Heartbeat: 30
Bind:
Ignored_server_ids: 0
Uuid: da5deebc-9b54-11ef-b5d0-0050569739e5
Retry_count: 86400
Ssl_crl:
Ssl_crlpath:
Enabled_auto_position: 0
Channel_name:
Tls_version:
Public_key_path:
Get_public_key: 1
Network_namespace:
Master_compression_algorithm: uncompressed
Master_zstd_compression_level: 3
Tls_ciphersuites: NULL
Source_connection_auto_failover: 0
Gtid_only: 0
1 row in set (0.00 sec)
mysql>
So, when setting up master-slave replication, is there any way to encrypt this account password? After searching through the available material: at the time of writing, no MySQL version provides a way to encrypt it. In other words, there is currently no method at all for encrypting this account password. To be precise, the MySQL developers have not provided one; this security weakness has been left unaddressed.
The official document [How To Encrypt Replication Credentials In mysql.slave_master_info (Doc ID 2623399.1)] also gives a brief answer. As for how to mitigate the risks of storing the password in plaintext, the official recommendations are as follows:
"Ensure that the master info repository can be accessed only by the database administrator.
[...]
Use a restricted access mode to protect database backups that include log tables or log files containing passwords."
I strongly recommend that, when creating the replication account, you strictly restrict both the IP addresses from which it may connect and the privileges it holds. Do not grant it more privileges than it needs.
-- On the MySQL master/slave: create the account used for data synchronization
-- (create the same account on the slave as well, so that the roles can be switched easily)
create user repl@'192.168.xxx.xx%' identified by "xxxxxxx";
flush privileges;
-- REPLICATION SLAVE is a global privilege, so it is granted ON *.*
grant replication slave on *.* to 'repl'@'192.168.xxx.xx%';
flush privileges;
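As an added example (not code from the original post), the account setup above is extended with a TLS requirement and paired with a query that lists every account able to read the plaintext credential row; the 192.168.9.% source network and the password are placeholder assumptions.

```sql
-- Added example: hardened replication account plus a check of who can read
-- mysql.slave_master_info. Network, password and host values are placeholders.

-- 1. Replication account bound to a single source network, TLS required,
--    holding only REPLICATION SLAVE (a global privilege, hence ON *.*).
CREATE USER 'repl'@'192.168.9.%' IDENTIFIED BY '<replace-with-strong-password>' REQUIRE SSL;
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'192.168.9.%';

-- 2. Verify that nothing beyond that single privilege was granted.
SHOW GRANTS FOR 'repl'@'192.168.9.%';

-- 3. List every account that can SELECT the plaintext row: global SELECT,
--    SELECT on the mysql schema, or SELECT on the table itself.
--    (These views do not expand roles; check SHOW GRANTS ... USING for role holders.)
SELECT grantee, privilege_type, 'global' AS scope
  FROM information_schema.user_privileges
 WHERE privilege_type = 'SELECT'
UNION ALL
SELECT grantee, privilege_type, table_schema AS scope
  FROM information_schema.schema_privileges
 WHERE table_schema = 'mysql' AND privilege_type = 'SELECT'
UNION ALL
SELECT grantee, privilege_type, CONCAT(table_schema, '.', table_name) AS scope
  FROM information_schema.table_privileges
 WHERE table_schema = 'mysql' AND table_name = 'slave_master_info'
   AND privilege_type = 'SELECT';

-- 4. Confirm each replication channel actually uses TLS, so the password that
--    is stored in plaintext is at least not also sent in plaintext on the wire.
SELECT Channel_name, Host, User_name, Enabled_ssl, Ssl_verify_server_cert
  FROM mysql.slave_master_info;
```

Any grantee returned by step 3 other than the DBA accounts should have that access removed; the replication password must then be rotated, since it was readable by them.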