Bug #105776 | Simplify or automate the GR recovery user management | ||
---|---|---|---|
Submitted: | 2 Dec 2021 16:12 | Modified: | 6 Mar 2022 19:30 |
Reporter: | Simon Mudd (OCA) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Group Replication | Severity: | S3 (Non-critical) |
Version: | 8.0.26 | OS: | Any |
Assigned to: | CPU Architecture: | Any | |
Tags: | cleanup, gr, group replication, lots of accounts, recovery user, use single account |
[2 Dec 2021 16:12]
Simon Mudd
[2 Dec 2021 16:29]
MySQL Verification Team
Hello Simon, Thank you for the reasonable feature request! regards, Umesh
[2 Dec 2021 16:39]
Simon Mudd
Related: if you disable the accounts (thinking they are not used) nothing obvious will happen until the group member has to recover, then it will fail. This could happen a long time later and would not be obvious until the recovery fails so can be problematic.
[2 Dec 2021 18:25]
Kenny Gryp
Changing this back to bug, this is not a feature request. The expected behavior is to have the mysql user removed when the member is removed from the cluster. We tried to repeat the problem and the users do get deleted in our tests. Can you share the exact steps taken to reproduce this?
[2 Dec 2021 18:30]
Kenny Gryp
In 8.0.17 we added functionality to track and clean up these internal users, read more on https://dev.mysql.com/doc/relnotes/mysql-shell/8.0/en/news-8-0-17.html
[3 Dec 2021 8:15]
Simon Mudd
ok, I then need to confirm procedures used with colleagues. I just saw the symptoms and if the current code should be handling things properly this may be an error at our end. I will check and come back to you.
[3 Dec 2021 12:40]
Eduardo Ortega
From the release notes: > In addition Cluster.removeInstance() no longer removes all recovery accounts on the > instance being removed. It now removes the recovery account of the instance being > removed on the primary and waits for the changes to be replicated before actually > removing the instance from the group I wonder whether the left-over accounts are from hosts that fail fully and therefore cannot be cleanly removed with `cluster.removeInstance()`? Or whether the accounts don't get deleted when removal is done as part of a `cluster.rescan()`?
[8 Dec 2021 17:33]
Miguel Araujo
>>> I wonder whether the left-over accounts are from hosts that fail fully and therefore cannot be cleanly removed with `cluster.removeInstance()`? Exactly, that's the only scenario on which the recovery account of that instance being removed is actually *not* dropped. That's seen when removing instances that are either unreachable or offline (GR stopped) and only by using the 'force' options the instance can be removed from the Cluster. In practice, only the Metadata is updated. The reason behind that is that we couldn't know which was the account to be dropped. However, since 8.0.17 the internal recovery accounts info is stored in the Metadata, and therefore, the account can be removed in such cases. Confirming this as a bug.
[9 Dec 2021 8:23]
Simon Mudd
Thanks for the update and clarifications.
[6 Mar 2022 19:30]
Margaret Fisher
Posted by developer: Changelog entry added for MySQL Shell 8.0.29: If an instance was added to an InnoDB Cluster using MySQL Clone, and Ctrl+C or the waitRecovery: 0 option was used to let recovery take place in the background, the recovery account from the donor instance was used instead of the recovery account created for the new instance. If the new instance was later removed with a Cluster.removeInstance command, the recovery account created for it was not dropped, since AdminAPI was only checking for the recovery account that was actually in use on the instance (the donor’s account). The account removal logic now considers the account created for the instance and cleans it up even if it was not used.