MariaDB Xpand System User Accounts

Overview

MariaDB Xpand relies on several system user accounts which are automatically created during the installation process.

Default OS Users

MariaDB Xpand creates the following OS user accounts by default during the installation process. Passwordless SSH should be configured between Xpand nodes for these accounts:

| OS User | Description |
|---------|-------------|
| xpand | Xpand process owner |
| xpandm | Used for administrative tasks, such as running the clx command |

Default Database Users

MariaDB Xpand creates the following database user accounts by default during the installation process:

| Database User | Description |
|---------------|-------------|
| root@127.0.0.1 | Intended for database administration. |
| xpand@localhost | Used by the xpand OS user account to manage the MariaDB Xpand processes. |
| xpandm@localhost | Used by the xpandm OS user account for administrative tasks, such as running the clx command. |

Custom Management User

Xpand requires a management user for certain tasks, such as running the clx command. The xpandm user account is the default management user. However, you can also create a custom management user.

To create a custom management user:

  1. Create the OS user account with the custom name.

  2. Create a database user account for the custom management user (see below).

  3. Configure SSH for the custom management user.

Create a Database User

If you want to use a custom management user, you need to create a database user account for it. The database user should have sufficient privileges to connect to Xpand via a Unix domain socket.

This action is performed on one Xpand node.

To create a database user account if your custom management user is named xpand_dba:

  1. Connect to Xpand:

    $ mysql --user=root --password
    
  2. Create the xpand_dba database user account:

    CREATE USER xpand_dba@localhost
       IDENTIFIED BY 'xpand_user_passwd';
    

    Passwords should meet your organization's password policies.

  3. Grant the xpand_dba database user account the proper privileges:

    GRANT ALL ON *.*
       TO xpand_dba@localhost;
    

SSH Configuration

Xpand depends on the xpand and xpandm user accounts.

Passwordless SSH should be configured between Xpand nodes for these accounts. Xpand can configure passwordless SSH with automation if the nodes are configured to allow password authentication for SSH. Otherwise, passwordless SSH may need to be configured on each node manually.

To determine which instructions to use, follow the procedure below.

This action is performed on each Xpand node.

  1. On each node, confirm that password authentication is enabled for SSH:

    $ sudo grep -i -E "^PasswordAuthentication" /etc/ssh/sshd_config
    
  2. If the result is "yes" on all nodes, use Automatic Setup:

    PasswordAuthentication yes
    
  3. If the result is "no" on any node, use Manual Setup:

    PasswordAuthentication no
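
The grep above prints nothing when the directive is commented out or indented, even though OpenSSH allows password authentication when the keyword is unset. The following added example (not part of the Xpand documentation) reads the global section of an sshd_config-format file the way sshd resolves it: the first occurrence wins and an unset keyword means yes. The function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the PasswordAuthentication value that applies in the
# global section of an sshd_config-format file.
# Usage: effective_password_auth FILE   -> prints "yes" or "no"
effective_password_auth() {
    awk '
        # Skip blank lines and comment lines.
        /^[ \t]*(#|$)/ { next }
        # Stop at the first Match block: later lines are conditional.
        tolower($1) == "match" { exit }
        # Keywords are case-insensitive and the first occurrence wins.
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit
        }
        # Keyword never set globally: the OpenSSH default is yes.
        END { if (!found) print "yes" }
    ' "$1"
}

# Constructed sample: the directive is commented out globally and only set
# inside a Match block, so the grep from step 1 would print nothing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
echo "global PasswordAuthentication: $(effective_password_auth "$sample")"
rm -f "$sample"
```

On a live node, `sudo sshd -T` prints the effective configuration, including files pulled in by Include, which this parser does not follow.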
    

Automatic Setup

All Xpand nodes should have the same password for the same user account, but the passwords should differ for each separate user account.

This action is performed on each Xpand node.

  1. Set the password for the xpand system user account:

    $ sudo passwd xpand
    
  2. Set the password for the xpandm system user account:

    $ sudo passwd xpandm
    

After per-node steps are completed, this action is performed on one Xpand node.

  1. Configure public keys for the xpand system user account:

    $ sudo clx pubkeyinstall -l xpand
    

    The command will prompt for the xpand user account password, and will then connect to each Xpand node to configure passwordless SSH.

  2. Configure public keys for the xpandm system user account:

    $ sudo clx pubkeyinstall -l xpandm
    

    The command will prompt for the xpandm user account password, and will then connect to each Xpand node to configure passwordless SSH.

Manual Setup

To keep these instructions compact, the sample SSH public key strings are shortened with [ ... ]. Follow these instructions once as the xpandm user, and a second time as the xpand user.

Each step of this action is performed on each Xpand node before moving to the next step.

  1. On each Xpand node, create an SSH key pair:

    $ ssh-keygen -t rsa
    
  2. On each Xpand node, copy the public key from ~/.ssh/id_rsa.pub:

    $ cat ~/.ssh/id_rsa.pub
    ssh-rsa AAAAB3NzaC[ ... ]Vk81q0FxYQm5 xpandm@xpand-node1
    
  3. On each Xpand node, add all of the public keys to ~/.ssh/authorized_keys:

    ssh-rsa AAAAB3NzaC[ ... ]Vk81q0FxYQm5 xpandm@xpand-node1
    ssh-rsa AAAAB3NzaC[ ... ]tqUkwyatF3nH xpandm@xpand-node2
    ssh-rsa AAAAB3NzaC[ ... ]PPI9ifXqjg8/ xpandm@xpand-node3
    

    This should include the public key for the current Xpand node and all other Xpand nodes.

  4. On each Xpand node, ensure proper file permissions of ~/.ssh/authorized_keys:

    $ chmod 0600 ~/.ssh/authorized_keys
    
  5. On each Xpand node, test passwordless SSH access to each other Xpand node:

    $ ssh 192.0.2.2
    

    Substitute the IP address of each other Xpand node.
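
Before testing SSH in step 5, steps 3 and 4 can be checked on each node with a script. The following added example (not part of the Xpand documentation) verifies that an authorized_keys file has mode 0600 and contains exactly one key for each node. It assumes key lines without leading options, so that the comment (user@host, as in the samples above) is the third field; the function name and key bodies are constructed.

```shell
#!/bin/sh
# Added example: check an authorized_keys file against steps 3 and 4.
# Usage: check_authorized_keys FILE USER NODE...
# Returns 0 when FILE has mode 0600 and holds exactly one key whose comment
# is USER@NODE for every NODE; prints each problem and returns 1 otherwise.
check_authorized_keys() {
    file=$1; user=$2; shift 2
    rc=0
    # Compare the permission string instead of relying on a stat variant.
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "mode is $mode, expected -rw------- (0600)"; rc=1
    fi
    for node in "$@"; do
        # Assumption: no key options, so the comment is the third field.
        n=$(awk -v c="$user@$node" '$3 == c { n++ } END { print n + 0 }' "$file")
        if [ "$n" -ne 1 ]; then
            echo "$n keys for $user@$node, expected 1"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: keys for two of the three nodes, placeholder key bodies.
dir=$(mktemp -d)
cat > "$dir/authorized_keys" <<'EOF'
ssh-rsa AAAAconstructed1 xpandm@xpand-node1
ssh-rsa AAAAconstructed2 xpandm@xpand-node2
EOF
chmod 0600 "$dir/authorized_keys"
check_authorized_keys "$dir/authorized_keys" xpandm \
    xpand-node1 xpand-node2 xpand-node3 || echo "authorized_keys is incomplete"
rm -rf "$dir"
```

The key comment is free text, so this is a completeness check on the file, not proof of which host holds the private key.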