Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

option to support empty password in cnf #686

Closed
hueyvle opened this issue Nov 29, 2022 · 5 comments · Fixed by #742
Closed

option to support empty password in cnf #686

hueyvle opened this issue Nov 29, 2022 · 5 comments · Fixed by #742

Comments

@hueyvle
Copy link

hueyvle commented Nov 29, 2022

Host operating system: output of uname -a

uname -a
Linux icmmaster 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

mysqld_exporter version: output of mysqld_exporter --version

node_exporter --version
node_exporter, version 1.1.2 (branch: HEAD, revision: b597c1244d7bef49e6f3359c87a56dd7707f6719)
build user: root@f07de8ca602a
build date: 20210305-09:29:10
go version: go1.15.8
platform: linux/amd64

MySQL server version

5.5.68-MariaDB

mysqld_exporter command line flags

mysqld_exporter --config.my-cnf /home/user/monitoring/conf/.mysql_exporter.cnf --collect.global_status --collect.info_schema.innodb_metrics --collect.auto_increment.columns --collect.info_schema.processlist --collect.binlog_size --collect.info_schema.tablestats --collect.global_variables --collect.info_schema.query_response_time --collect.info_schema.userstats --collect.info_schema.tables --collect.perf_schema.tablelocks --collect.perf_schema.file_events --collect.perf_schema.eventswaits --collect.perf_schema.indexiowaits --collect.perf_schema.tableiowaits --collect.slave_status --web.listen-address=0.0.0.0:9104

cat /home/user/monitoring/conf/.mysql_exporter.cnf
[client]
user=metricsexporter
password=

What did you do that produced an error?

  1. create user 'metricsexporter'@'%' with no password
  2. grant PROCESS, REPLICATION CLIENT, SELECT to user 'metricsexporter'@'%'
  3. I can log in with "mysql -u metricexporter --skip-password"

What did you expect to see?

mysqld_exporter to run with skip password option when password is set to null

What did you see instead?

Nov 28 21:56:45 myhost mysqld_exporter: level=info ts=2022-11-29T05:56:45.246Z caller=mysqld_exporter.go:284 msg="Error parsing my.cnf" file=/home/icmanage/monitoring/conf/.mysql_exporter.cnf err="password or ssl-key should be specified under [client] in /home/icmanage/monitoring/conf/.mysql_exporter.cnf"
@hueyvle
Copy link
Author

hueyvle commented Nov 29, 2022

I'm looking for an option to use mysqld_exporter with no password. (Yes I know the security risk, it is not under my control)

@johnnybubonic
Copy link

Recent versions of mysqld (Enterprise) and mariadb don't even require passwords for root; they use PAM authentication. By default.

https://dev.mysql.com/doc/refman/8.0/en/pam-pluggable-authentication.html
https://mariadb.com/kb/en/authentication-plugin-pam/

Please remove the hard requirement for a ~/.my.cnf. There is no reason to require it and can even present a security risk as it requires plaintext creds.

@strafer
Copy link

strafer commented Jun 15, 2023
edited
Loading

I have a different reason for the same need: I'm trying to set up a connection of mysqld_exporter version 0.15.0-rc.0 with authentication by certificate to the MySQL server 8.0.32.
In version 0.14.0 everything works fine: I specified the corresponding parameters ssl-* in the client section of the my.cnf file (without specifying password at all) and the exporter connects perfectly. But when switching to 0.15.0-rc.0 with the same configuration and the same MySQL server, the error no password specified in section or parent appears in the log and the connection to the server is not established.
Is it possible to return the old logic of behavior in the absence of a password or add an option to explicitly select certificate authentication?

@SuperQ
Copy link
Member

SuperQ commented Jun 15, 2023

@strafer Good catch, we should actually support no password. I think the no password check is a simple mistake in the changes to the config package.

SuperQ added a commit that referenced this issue Jun 15, 2023
@SuperQ
Allow empty passwords
0e0cef6 
Empty passwords are allowed for UNIX socket connections and when using
TLS auth.

Fixes: #686

Signed-off-by: SuperQ <superq@gmail.com>
@SuperQ SuperQ mentioned this issue Jun 15, 2023
Merged
SuperQ added a commit that referenced this issue Jun 15, 2023
@SuperQ
Allow empty passwords
27904bf 
Empty passwords are allowed for UNIX socket connections and when using
TLS auth.

Fixes: #686

Signed-off-by: SuperQ <superq@gmail.com>
SuperQ added a commit that referenced this issue Jun 15, 2023
@SuperQ
Allow empty passwords
d867de4 
Empty passwords are allowed for UNIX socket connections and when using
TLS auth.

Fixes: #686

Signed-off-by: SuperQ <superq@gmail.com>
@batbattur
Copy link

batbattur commented Feb 9, 2024
edited
Loading

Has this been fixed?

I am running into this error:

caller=tls_config.go:277 level=info msg="TLS is disabled." http2=false address=[::]:9104
caller=exporter.go:152 level=error msg="Error pinging mysqld" err="Error 1045 (28000): Access denied for user 'exporter'@'::1' (using password: NO)"

With the following setup:

/etc/mysqld_exporter.cnf:

[client]
host=localhost
user=exporter
password=

[Service]
Type=simple
Restart=alwaysExecStart=/usr/bin/exporters/mysqld_exporter --config.my-cnf="/etc/mysqld_exporter.cnf"

[Install]
WantedBy=multi-user.target

Edit: Fixed by setting host to 127.0.0.1 instead of localhost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow empty passwords prometheus/mysqld_exporter
5 participants
@SuperQ @johnnybubonic @strafer @batbattur @hueyvle