
I have the gist of how to connect to a MySQL server, however my dilemma is using passwords. Here are some of the things I am looking at.

  1. Architecture will be 1 core service which as of right now will be set up as a digest authentication service. Note: In the future I will also have it set up for kerberos authentication.
  2. The service will have a schema it will need to be able to access in MySQL. Also the micro services will have their own schemas that they will also need to be able to access.
  3. The database will be localhost initially but will eventually be moved (in production) to a separate server altogether.

Given the requirements above, I cannot give the services users that are restricted to localhost and have no password associated with them (nor would I want that in the event the server was hacked). So how can I have access to the database without using any plain text passwords (I don't want it stored in the code)?

Maybe I am just not understanding something here that could make my life so much easier so again I look towards the wisdom of the many here. Thanks in advance!

Some things that I should maybe mention: I plan on using go-martini as my http router, I'd like to be able to set up OAuth Provider, I will need to manage user sessions and authentication (right now not as important as I'm trying to get the core part of the service setup)

Edit: To clarify some information;

  1. I do not have an AD, kerberos, or any other LDAP service to use and would be hard pressed to set them up at this time in a VM I use for development.
  2. The service should not be dependent on any of those items as SSO is a much later requirement in this project.
  3. Strictly speaking it will be deployed in environments where there are none of those available and this is non-negotiable.
  4. I also am specifically developing the services in Go and the clients in React.

Note: I do not need someone to correct MY question. I would appreciate it if you do not change the context of my question to suit the answer you wish to give me. That is not what StackOverflow is about, it is also quite rude to do that. Thank you.

Jonathan Hall
Maxs728
  • For the original localhost solution I'd propose using a [auth_socket authentication](https://dev.mysql.com/doc/refman/8.0/en/socket-pluggable-authentication.html) for your webserver user. Authentication without password based on the unix user matching the mysql user. I suggest you start with a risk assessment to ensure the cost/benefit is there. Also check what/how your go mysql implementation supports authentication plugins. The auth_socket requires no client authentication plugin support. – danblack Feb 14 '19 at 05:49
  • Ok so I can see how that would work. Actually I think I have used something similar to this with postgres. That would solve the connection for the service... Maybe would it work since the service is the proxy here that I require it to be on the same server with the db but the micro services could be remotely connected to the proxy? would that even work? – Maxs728 Feb 14 '19 at 06:02
  • auth_socket can't work remotely. Might need to look at kerberos for that. – danblack Feb 14 '19 at 06:19
  • I will have to think that through then.. I don't have a kerberos environment right now to do that with... That said I actually seem to be missing the plugin altogether? – Maxs728 Feb 14 '19 at 06:28
  • I ran this query `SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS order by PLUGIN_NAME ASC;` – Maxs728 Feb 14 '19 at 06:29
  • Possible duplicate of [What is the best way to keep passwords configurable, without having them too easily available to the casual human reader?](https://stackoverflow.com/questions/258299/what-is-the-best-way-to-keep-passwords-configurable-without-having-them-too-eas) – Jonathan Hall Feb 14 '19 at 06:52
  • @Flimzy, No not in the slightest is it a duplicate of that. Though they share a common thought.. I'm not wanting to store any passwords. Additionally I don't know who edited my topic but this is specific to GoLang and MySql which is not to be confused with MSSQL or SQL Server. Lastly I'm trying to achieve something that isn't permanently tied to being on the same server with the DB which I will for now go with the sock but that isn't the actual solution I need and this is for service to database not client to database. My digest table will handle client to database sessions. – Maxs728 Feb 15 '19 at 05:35

0 Answers
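
The auth_socket approach suggested in the comments, sketched as an added example that is not part of the original thread: it checks for the plugin, loads it if missing, and creates one socket-authenticated, schema-scoped account per service. The account names (`coresvc`, `billingsvc`) and schema names (`core_auth`, `billing`) are hypothetical, and as noted in the comments this only covers services running on the same host as the database.

```sql
-- Added example; all account and schema names are hypothetical.

-- 1. Check whether the plugin is loaded (the query from the comments, narrowed).
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME = 'auth_socket';

-- 2. If no row comes back, load it. Requires a Linux server build that
--    ships auth_socket.so in its plugin directory.
INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';

-- Weak setting, shown for contrast only: a passwordless localhost account
-- that any local process can use.
--   CREATE USER 'coresvc'@'localhost';

-- 3. Socket-authenticated account: the server compares the OS user on the
--    Unix socket with the MySQL user name, so only a process running as the
--    OS user "coresvc" can log in as 'coresvc'. No password exists to store.
CREATE USER 'coresvc'@'localhost' IDENTIFIED WITH auth_socket;

-- 4. Least privilege: the core service reaches only its own schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON core_auth.* TO 'coresvc'@'localhost';

-- 5. Same pattern for each microservice, each under its own OS user.
CREATE USER 'billingsvc'@'localhost' IDENTIFIED WITH auth_socket;
GRANT SELECT, INSERT, UPDATE, DELETE ON billing.* TO 'billingsvc'@'localhost';

-- 6. Verify the plugin assignment and the resulting grants.
SELECT user, host, plugin
FROM mysql.user
WHERE user IN ('coresvc', 'billingsvc');

SHOW GRANTS FOR 'coresvc'@'localhost';
SHOW GRANTS FOR 'billingsvc'@'localhost';
```

Assuming the Go services use the go-sql-driver/mysql driver, the DSN then carries no password, for example `coresvc@unix(/var/run/mysqld/mysqld.sock)/core_auth`, where the socket path is an assumption that depends on the server configuration.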