73 lines
3.4 KiB
Plaintext
73 lines
3.4 KiB
Plaintext
HOWTO distribute user privileges in a MySQL Cluster.
|
|
|
|
This text is a short description how to distribute MySQL
|
|
privilege tables to all connected MySQL servers belonging to
|
|
a MySQL Cluster. This enables adding and removing users to
|
|
the system as well as defining grants for various privileges
|
|
in a more or less transparent manner. Flushing of grants
|
|
might be needed to make changes visible on already opened
|
|
connections.
|
|
|
|
The procedure is based on moving the privilege tables from local
|
|
storage (MyISAM) to distributed storage (ndbcluster). To
|
|
simplify the procedure a number of store procedures have been
|
|
defined to more or less automate the procedure.
|
|
The procedures can be created by running the script ndb_dist_priv.sql
|
|
(which you find in storage/ndb/tools/ or share/mysql/ depending
|
|
on your distribution of the mysql files) through "mysql"
|
|
Example:
|
|
"mysql <connect-options> --user root < storage/ndb/tool/ndb_dist_priv.sql"
|
|
|
|
IMPORTANT: Prior to performing the actual distribution it is recommended
|
|
to backup the current privilege tables, using for example mysqldump:
|
|
"mysqldump <connect-options> --user root mysql user db tables_priv columns_priv procs_priv"
|
|
|
|
The actual procedure can be initiated by running the stored procedure
|
|
mysql_cluster_move_privilege_tables once on any connected MySQL server:
|
|
"call mysql.mysql_cluster_move_privileges();"
|
|
|
|
NOTE: This procedure will create two sets of backups of the privilege tables
|
|
as well, one local and one distributed. These are used to revert the tables
|
|
if anything goes wrong during the distribution process.
|
|
|
|
To verify that the procedure was successful one can do the following query:
|
|
"select mysql.mysql_cluster_privileges_are_distributed();"
|
|
which should return 1 if procedure was successful.
|
|
|
|
NOTE: If a MySQL server is disconnected from the cluster while the privilege
|
|
tables are being moved the local privilege tables will need to be dropped and
|
|
refreshed when the MySQL server has reconnected:
|
|
use mysql;
|
|
select mysql_cluster_privileges_are_distributed();
|
|
0
|
|
drop table if exists user db tables_priv columns_priv procs_priv;
|
|
show tables;
|
|
select mysql_cluster_privileges_are_distributed();
|
|
1
|
|
|
|
In case cluster being restarted with resetting of all tables (--inital)
|
|
the privilege tables will be lost after the they have been moved. If no
|
|
MySQL server is available to revert the tables (either from the local backup
|
|
tables or from a mysqldump file). If a new MYSQL server needs to be connected
|
|
to the cluster to perform restoring the privilege tables it will need to be
|
|
started with the flag --skip-grant-tables. After the local tables have been
|
|
restored they can be distributed again by again calling:
|
|
"call mysql.mysql_cluster_move_privileges();"
|
|
After that the MySQL server should be restarted without the --skip-grant-tables
|
|
flag.
|
|
|
|
Once privilige tables have been stored in ndb they will be part of
|
|
ndb backups. However, if one want to restore these tables from a backup
|
|
one has to give an new option flag --restore-privilege-tables to ndb_restore.
|
|
|
|
Known limitations:
|
|
All changes to privilege tables are automatically distributed when the
|
|
privilege tables have been moved to ndb. However, since privilege data
|
|
is cached per connection, a remote change will not be vissible until one
|
|
do a:
|
|
"flush privileges;"
|
|
|
|
If for some reason want to revert distribution of privilege tables back
|
|
to local tables this has to be done on each mysqld by running:
|
|
"call mysql.mysql_cluster_restore_local_privileges();"
|