Lots of work has already been done on the parent task, and I'm splitting this off to properly track it.
The dbproxy image and service in PAWS splits authentication and records the user in SQL comments so that there is some kind of reasonable tracking of the shared account for the wikireplicas used by PAWS.
This has been done with mysql-proxy in lua so far, which is great, but it has some interesting limitations when trying to do routing based on schema/database. You can only change backend connection if you maintain an authenticated pool.
Figure it out in mysql-proxy or T253134: Find an alternative solution for the mysql-proxy in PAWS