实现命令行非明文密码连接TiDB的方法

在命令行中连接TiDB的过程中，为了保护密码不被明文获取，可以使用非明文密码连接。本文记录了几种非明文连接 TiDB 的方式。

方式一：命令行输入方式

[root@iZuf6d7xln13sovvijl68rZ ~]# mysql -uroot -P4000 -h10.0.0.86 ERROR 1045 (28000): Access denied for user root@10.0.0.83 (using password: NO) [root@iZuf6d7xln13sovvijl68rZ ~]# mysql -uroot -P4000 -h10.0.0.86 -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 691323 Server version: 5.7.25-TiDB-v6.1.0-alpha TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible Copyright (c) 2000, 2018, ***, MariaDB Corporation Ab and others. Type help; or \h for help. Type \c to clear the current input statement. MySQL [(none)]>

正常方式下需要通过 -p 输入密码的方式连接 TiDB。

方式二：环境变量方式

[root@iZuf6d7xln13sovvijl68rZ ~]# export MYSQL_PWD=passw0RD [root@iZuf6d7xln13sovvijl68rZ ~]# mysql -uroot -P4000 -h10.0.0.86 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 691477 Server version: 5.7.25-TiDB-v6.1.0-alpha TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible Copyright (c) 2000, 2018, ***, MariaDB Corporation Ab and others. Type help; or \h for help. Type \c to clear the current input statement. MySQL [(none)]>

通过设定 MYSQL_PWD 环境变量方式，可以直接在命令行连接时传入密码，不需要指定 -p 选项。

取消 MYSQL_PWD 环境变量设置的步骤如下:

[root@iZuf6d7xln13sovvijl68rZ ~]# export MYSQL_PWD= [root@iZuf6d7xln13sovvijl68rZ ~]# mysql -uroot -P4000 -h10.0.0.86 ERROR 1045 (28000): Access denied for user root@10.0.0.83 (using password: NO)

方式三：配置文件方式

在 /etc/my.cnf 配置下添加 [mysql] 对应的配置

[root@iZuf6d7xln13sovvijl68rZ ~]# head -n2 /etc/my.cnf [mysql] password=passw0RD [root@iZuf6d7xln13sovvijl68rZ ~]# mysql -uroot -P4000 -h10.0.0.86 Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 691787 Server version: 5.7.25-TiDB-v6.1.0-alpha TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible Copyright (c) 2000, 2018, ***, MariaDB Corporation Ab and others. Type help; or \h for help. Type \c to clear the current input statement. MySQL [(none)]>

取消设置只需要将 my.cnf 中的配置文件删除即可。

方式四：mysql_config_editor 方式

[root@iZuf6d7xln13sovvijl68rZ ~]# ./mysql_config_editor print --all [root@iZuf6d7xln13sovvijl68rZ ~]# ./mysql_config_editor set --login-path=test --user=root --host=10.0.0.83 --port=3000 --password Enter password: [root@iZuf6d7xln13sovvijl68rZ ~]# ./mysql_config_editor print --all [test] to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 753 Server version: 5.7.25-TiDB-v6.1.0-alpha TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible Copyright (c) 2000, 2022, *** and/or its affiliates. *** is a registered trademark of *** Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type help; or \h for help. Type \c to clear the current input statement. mysql> \q

取消设置按照如下步骤：

[root@iZuf6d7xln13sovvijl68rZ ~]# ./mysql_config_editor remove --login-path=test [root@iZuf6d7xln13sovvijl68rZ ~]# ./mysql_config_editor print --all [root@iZuf6d7xln13sovvijl68rZ ~]#

方式五：Socket 方式连接

Socket 方式只能本地连接

[root@iZuf6d7xln13sovvijl68rZ scripts]# cd /tidb-deploy/tidb-3000/scripts [root@iZuf6d7xln13sovvijl68rZ scripts]# cat run_tidb.sh #!/bin/bash set -e # WARNING: This file was auto-generated. Do not edit! # All your edit might be overwritten! DEPLOY_DIR=/tidb-deploy/tidb-3000 cd "${DEPLOY_DIR}" || exit 1 exec env GODEBUG=madvdontneed=1 bin/tidb-server \ -P 3000 \ --status="10080" \ --host="0.0.0.0" \ --advertise-address="10.0.0.83" \ --store="tikv" \ --initialize-insecure \ --path="10.0.1.185:2379,10.0.2.29:2379,10.0.0.88:2379" \ --log-slow-query="/tidb-deploy/tidb-3000/log/tidb_slow_query.log" \ --config=conf/tidb.toml \ --socket="/tidb-deploy/tidb-3000/tidb.sock" \ --log-file="/tidb-deploy/tidb-3000/log/tidb.log" 2>> "/tidb-deploy/tidb-3000/log/tidb_stderr.log" [root@iZuf6d7xln13sovvijl68rZ scripts]# tiup cluster e-insecure --path=10.0.1.185:2379,10.0.2.29:2379,10.0.0.88:2379 --log-slow-query=/tidb-deploy/tidb-3000/log/tidb_slow_query.log --config=conf/tidb.toml --socket=/tidb-deploy/tidb-3000/tidb.sock --log-file=/tidb-deploy/tidb-3000/log/tidb.log root 15292 12885 0 17:26 pts/9 00:00:00 grep --color=auto tidb-server [root@iZuf6d7xln13sovvijl68rZ scripts]# ll /tidb-deploy/tidb-3000/tidb.sock srwxr-xr-x 1 root root 0 5月 5 17:25 /tidb-deploy/tidb-3000/tidb.sock [root@iZuf6d7xln13sovvijl68rZ scripts]# mysql -uroot -hlocalhost -S /tidb-deploy/tidb-3000/tidb.sock Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 403 Server version: 5.7.25-TiDB-v6.1.0-alpha TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible Copyright (c) 2000, 2018, ***, MariaDB Corporation Ab and others. Type help; or \h for help. Type \c to clear the current input statement. MySQL [(none)]> show processlist; +------+------+-----------+------+---------+------+------------+------------------+ | Id | User | Host | db | Command | Time | State | Info | +------+------+-----------+------+---------+------+------------+------------------+ | 403 | root | localhost | NULL | Query | 0 | autocommit | show processlist | +------+------+-----------+------+---------+------+------------+------------------+ 1 row in set (0.00 sec)