Reset root password on Galera Cluster (Percona or MariaDB)

Reset MySQL root password for Galera Cluster ( Percona Xtradb / MariaDB )

We have known methods to reset MySQL root password but in this post we’ll see how that works for a Galera Cluster; may it be Percona XtraDB Cluster or MariaDB Galera cluster.

Basically a Galera Cluster is bunch of MySQL nodes working together in synchronous replication. The user credential is common to all (Ideally of-course)! Let’s see how straight  forward it is to reset password on a Percona Xtradb Cluster lab.

To reset the root password on a standard MySQL instance you may choose either of init-file or skip-grant-tables way.

1) init-file:

Add init-file to mysql configuration file:
vi /etc/my.cnf
init-file=/tmp/init.sql

Create an init-file:
vi /tmp/init.sql
SET PASSWORD FOR 'kedar'@'localhost' = PASSWORD('do-not-forget-passwords');

Restart mysqld: 
service mysqld restart

2) skip-grant-tables

Add skip-grant-tables to my.cnf under [mysqld] section
vi /etc/my.cnf
skip-grant-tables

Restart mysqld: 
service mysqld restart

Execute update SQL:
mysql> update mysql.user set password=password('unforgetful-password') where user='kedar' and host='localhost';
(You cannot issue commands to GRANT-tables)

Remove skip-grant-tables from my.cnf

Restart mysqld:
service mysqld restart

## /etc/init.d/mysqld restart --skip-grant-tables (use this if you don't like to edit my.cnf)

I would not say these are the only methods to recover a lost root (or equivalent) password as people have been doing crazy things since ages.

For a single MySQL instance this would be the end of the quest and you’d have the new password. What about our cluster which is not one node!

If I say “we will have to perform this exercise on all the cluster nodes – restart all the nodes.”

You’d scream: “Why – o – why?”

I slang RTFineM: “The user changes are not replicated across the cluster as they’re poor little non-transactional MyISAM tables. Galera would replicate only InnoDB and XtraDB storage engines.
(http://galeracluster.com/documentation-webpages/userchanges.html)

So ofcourse MyISAM table modifications (DMLs) will not replicate, which we did through init-file. Galera Cluster does replicate the DDLs and that’s how the privilege system is sustained!

You’d say: With above password reset steps, we have already gained access to one of the node on Galera cluster and we know a fact that “Galera Cluster does replicate the DDLs.” Does that light a bulb here!?

You can reset password on one of the cluster node and once it rejoin the cluster, reissue the DDL to change the password! That should replicate, shouldn’t it? We don’t need to restart all the cluster nodes!

I am like ¯\_(ツ)_/¯ let’s see…

[root@PXC-02 ~]# cat /tmp/init.sql
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('reset-password-node');
[root@PXC-02 ~]# service mysqld restart
Shutting down MySQL (Percona XtraDB Cluster)..... SUCCESS!
Starting MySQL (Percona XtraDB Cluster).... SUCCESS!
[root@PXC-02 ~]# read -s pw
[root@PXC-02 ~]# mysql -ukedar -p$pw
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.5.34-25.9-log Percona XtraDB Cluster (GPL) 5.5.34-25.9, Revision 607, wsrep_25.9.r3928

Copyright (c) 2009-2013 Percona LLC and/or its affiliates
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

(kedar@localhost) [(none)]>SET PASSWORD FOR 'kedar'@'localhost' = PASSWORD('this-one-replicates');
Query OK, 0 rows affected (0.04 sec)


... on other node ...


[root@PXC-03 ~]# mysql -ukedar -p$pw
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.5.34-25.9-log Percona XtraDB Cluster (GPL) 5.5.34-25.9, Revision 607, wsrep_25.9.r3928

Copyright (c) 2009-2013 Percona LLC and/or its affiliates
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

(kedar@localhost) [(none)]>

oh wow… thanks to you TIL that we do not need to restart all the nodes on Galera Cluster to reset root password.

Conclusion

To reset password on Galera Cluster you need to reset it on one of the cluster node and reissue the DDL/GRANT command to get it replicated to all nodes.

1 comment
Leave a Reply

Your email address will not be published. Required fields are marked *