Explains how to setup CA PAM to allow controlling a MySQL account's password.
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
For CA PAM to be able to control a MySQL account's password it is necessary to first setup a master account in MySQL and PAM accordingly.
An account name in MySQL consists of a username and the name of the client host from which the user must connect to the server.
MySQL account names have the format 'user_name'@'host_name'.
It is possible to use for the host_name the % wildcard character to set up an account that enables the user to connect from any host in an entire domain or only a subnet.
In case of a PAM Cluster (e.g. pam1.mulan04dom.ca.com and pam2.mulan04dom.ca.com) the master account needs to be able to login from any node of the cluster to the database.
Hence, it is necessary to create the master account in MySQL e.g. the following way:
CREATE USER 'pwd_admin'@'pam%.mulan04dom.ca.com' IDENTIFIED BY 'some_pass'; GRANT ALL PRIVILEGES ON *.* TO 'pwd_admin'@'pam%.mulan04dom.ca.com' WITH GRANT OPTION; FLUSH PRIVILEGES;
The master account can then be setup in PAM e.g.
The actual MySQL target account to control e.g. is 'monty' and is allowed to login from any host, i.e.
[mysql]> SELECT User, Host FROM mysql.user WHERE USER = 'monty'; +-------+------+ | User | Host | +-------+------+ | monty | % | +-------+------+
It needs to be setup in PAM accordingly:
Note, only when defining a master account ("Use the following account to change password") for a MySQL target account it is possible to specify the host_name Qualifier of this account.
To confirm all works correctly all accounts should appear in sync:
and the login to the MySQL database succeeds with the password retrieved from PAM:
# mysql --database=mysql -u 'monty' -h RH77.mulan04dom.ca.com -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 33088 Server version: 8.0.18-commercial MySQL Enterprise Server - Commercial Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql>