8.4 Changing Authentication Plugins in MySQL

The purpose of this operation is to replace the deprecated authentication plugin with caching_sha2_password.

dbtchplugin is an interactive script that changes the MySQL authentication plugin of users to caching_sha2_password. It must be run on the server where the authentication plugin change is required.

Note:

The dbtchplugin <23.4.2> script supports cnDBTier releases 23.4.x and beyond.

The dbtchplugin script performs the following steps:

  1. Collecting Site Information:

    In this phase, the dbtchplugin script gathers data about the site it is running on.

  2. Preprocessing:

    In this phase, if the root user's authentication plugin needs to be changed, dbtchplugin grants it the NDB_STORED_USER privilege. Additionally, it removes the unused healthchecker user if it exists.

  3. Listing users with deprecated plugin:

    In this phase, the script lists users using a deprecated authentication plugin. These are the users whose authentication plugin will be updated.

  4. Change plugin to caching_sha2_password:

    In this phase, the script updates the authentication plugin for the users listed in step 3.

  5. Post-processing:

    In this phase, the script revokes the NDB_STORED_USER privilege from root if it was granted in step 2. Then, it displays all MySQL users across all ndbapp instances.
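
The listing in step 3 and the user display in step 5 can be cross-checked independently of the script. The following is an added example, not part of dbtchplugin or the cnDBTier tooling: it audits rows of user, host and plugin and reports accounts still on a deprecated plugin. The function names, the sample accounts and the choice of mysql_native_password and sha256_password as the deprecated plugins are assumptions, since this page does not name them.

```shell
# Added example, not part of dbtchplugin. It audits rows of the form
# user<TAB>host<TAB>plugin, for example the output of:
#   mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"
# Assumption: the deprecated plugins are the two that MySQL 8.0 marks as such.
DEPRECATED_PLUGINS="mysql_native_password sha256_password"

# Print "user@host<TAB>plugin" for every account read from stdin that still
# uses a deprecated plugin. Malformed rows (fewer than 3 fields) are skipped.
list_deprecated_users() {
    awk -F '\t' -v dep="$DEPRECATED_PLUGINS" '
        BEGIN { n = split(dep, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
        NF >= 3 && ($3 in bad) { printf "%s@%s\t%s\n", $1, $2, $3 }
    '
}

# Print the number of accounts on stdin still using a deprecated plugin.
count_deprecated_users() {
    list_deprecated_users | awk 'END { print NR }'
}

# Succeed only when no account on stdin uses a deprecated plugin.
migration_complete() {
    [ "$(count_deprecated_users)" -eq 0 ]
}

# Constructed sample rows (account names are made up for illustration).
sample_before() {
    printf 'root\tlocalhost\tmysql_native_password\n'
    printf 'appuser\t%%\tmysql_native_password\n'
    printf 'repluser\t%%\tsha256_password\n'
    printf 'mysql.sys\tlocalhost\tcaching_sha2_password\n'
}
# The same rows as they should look once every account has been migrated.
sample_after() {
    sample_before | awk -F '\t' -v OFS='\t' '{ $3 = "caching_sha2_password"; print }'
}

if sample_before | migration_complete; then
    echo "before: clean"
else
    echo "before: $(sample_before | count_deprecated_users) account(s) to migrate"
    sample_before | list_deprecated_users
fi
sample_after | migration_complete && echo "after: no deprecated plugins remain"
```

Against a live instance, pipe the output of the mysql command from the first comment into migration_complete and treat a non-zero exit status as accounts that still need to be migrated.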

Prerequisites

Before running the dbtchplugin script, ensure the following prerequisites are met:
  • dbtchplugin requires Bash version 4.3.
  • The source_me file is packaged along with the dbtchplugin script. This file must be sourced into the current shell before running the script, as it sets the file path and variables required to run the dbtchplugin script. It must be sourced from the directory where it is located. In the following command syntax, "./" represents the relative path.
    source ./source_me
  • DBTIER_NAMESPACE must be set to the cndbtier namespace.

Installing dbtchplugin script

Source the source_me file which then performs the following actions:

  1. Adds the /bin along with the script to the local file path.
  2. Sets the cnDBTier namespace as DBTIER_NAMESPACE.
  3. Sets the environment variable DBTIER_LIB with the path for the directory containing the libraries required by the dbtchplugin script.

    # Source to set up the current bash shell before running dbtchplugin
    cd Artifacts/Scripts/tools
    source ./source_me

Table 8-2 dbtchplugin Script Options

Options                                         Descriptions
-h | --help                                     Displays the help message and exits.
-u | --usage                                    Displays the usage message and exits.
-v | --version                                  Displays the version of the dbtchplugin script.
--debug                                         Displays DEBUG log messages on standard error (stderr).
--no-colors                                     Displays the output in the default terminal font color instead of using dbtchplugin colors.
--use--regex                                    Forces the use of regular expressions instead of labels to find Kubernetes components such as pod names, deployments, sts, svc, and so on.
--use--ipv4                                     Ensures that dbtchplugin operates using IPv4 only.
--use--ipv6                                     Ensures that dbtchplugin operates using IPv6 only.
--skip-namespace-test                           Skips testing that the namespace in DBTIER_NAMESPACE exists in the current cluster.
--skip-tests                                    Skips sanity tests.
--tests-only                                    Runs only sanity tests.
--connect-timeout=<connect_timeout_in_seconds>  Displays the wait time (in seconds) before it tries to reconnect. This option is used by dbtchplugin when running curl, mysql, mysqladmin and ssh. Default value: 15 seconds
--list-users-only                               Lists only the users with a deprecated plugin, and then exits.

Examples to use dbtchplugin script

The following are example usages of the dbtchplugin script:
  • To print dbtchplugin version and exit, run the following command:
    dbtchplugin --version
  • To replace the deprecated authentication plugin with caching_sha2_password, run the following commands:
    . ./source_me
    dbtchplugin