Page MenuHomePhabricator
Create Task
Maniphest T105046

By default, have /usr/local/bin/sql use a read-only account when connecting to mysql
Closed, ResolvedPublic
Actions

Description

To avoid accidental destruction of a DB, having the sql script by default use a read-only account on the master server for the db cluster. Passing a --write flag (or something like that) will use the normal wikiadmin account, which can make updates. But make the user intentionally indicate they want to make changes.

Also, it would be nice to add a flag which allows (defaults?) using a slave, for casual lookups that won't be affected by slave lag.

Details

SubjectRepoBranchLines +/-
sql command: use slave server unless '--write' provided as an option before DBoperations/puppetproduction+14 -6
Customize query in gerrit

Related Objects

Event Timeline

csteipp created this task.Jul 7 2015, 5:04 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: Security-Other.
csteipp added subscribers: csteipp, JAnstee_WMF.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 7 2015, 5:04 PM
Krinkle added a project: Deployments.Jul 7 2015, 5:08 PM
Krinkle set Security to None.
Krenair subscribed.Jul 7 2015, 5:09 PM
jcrespo subscribed.EditedJul 7 2015, 5:16 PM

This is particular harmful in the case of sqldump, where with the current defaults it will block all writes (--lock-tables) on the master for its full duration. It should be sent *always* to a slave (as mysqldump is a read-only operation) and using the --single-transaction option of mysqldump.

Sending the queries by default to a slave *may* work because as all slaves are in read_only mode, writes would automatically fail and return an error to the user. However, we should tell all users before changing it (does any script rely on sql to be executed automatically?). A "--master" or "--write" could always be forced even for reads on the master.

As an operator/DBA, I can tell you that more than most of the outages are human caused!

Krenair claimed this task.Jul 7 2015, 5:17 PM
gerritbot subscribed.Jul 7 2015, 6:22 PM

Change 223365 had a related patch set uploaded (by Alex Monk):
sql command: use slave server unless '--write' provided as an option

https://gerrit.wikimedia.org/r/223365

gerritbot added a project: Patch-For-Review.Jul 7 2015, 6:22 PM
thcipriani moved this task from To Triage to In-progress on the Deployments board.Jul 13 2015, 6:20 PM
thcipriani triaged this task as Medium priority.Aug 12 2015, 4:23 PM
thcipriani moved this task from In-progress to Externally Blocked on the Deployments board.
gerritbot added a comment.Aug 20 2015, 4:01 PM

Change 223365 merged by Yuvipanda:
sql command: use slave server unless '--write' provided as an option before DB

https://gerrit.wikimedia.org/r/223365

yuvipanda mentioned this in rOPUP0f48051066b2: sql command: use slave server unless '--write' provided as an option before DB.Aug 20 2015, 4:02 PM
Krenair closed this task as Resolved.Aug 20 2015, 4:33 PM
Krenair mentioned this in T110115: Possible to run writes (e.g. UPDATE) on Beta Cluster replica.Aug 24 2015, 10:25 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL