Skip to content

MySQL statsdb access

Archived (pre-2022)

Preserved for reference only -- likely outdated. View original | Last updated: March 2020

Prerequisites

For this root access to mysql is needed: ssh into the given mysql server and execute {{sudo mysql}}.

Production OWF MySQL access

Request:    “Master access”, “Production MySQL access”, “Read access to MySQL database”

Solution:    First off: We do not, under any circumstances, grant access to the master! Too much harm could be done to production, even with read-only queries.

So everybody asking for production database access will get an account on statsdb. Statsdb is the MySQL replica, used for lengthy read queries both by production jobs and individuals.

Because this means access to personal data of our users we want to keep track of who’s having access and create individual mysql users:

  1. Create encrypted database password
    First create a random string to be used as the password.
    Use MySQL shell to hash it (see below)
    The result ("*A583..." in the example) is what we are going to store in the databags
  2. Add/update a databag for the user in ChefThe databag needs to be under data_bags/users and have at least these fields:
    id (this will be they mysql username)
    "statsdb2" as part of the tags
    db_password with the MySQL hashed password taken from step 1
  3. Commit the changes to git
  4. Run chef-client on statsdb.prd-aws.fyber.com

Example for getting the MySQL password hash

mysql> select password('replacethiswithrandompwd');
+-------------------------------------------+
| password('replacethiswithrandompwd')      |
+-------------------------------------------+
| *A583DEA9338BFF2C2956B9953FC0AC799C9DCF28 |
+-------------------------------------------+
1 row in set (0.00 sec)

Example of a minimal user databag

{
  "id": "testuser",
  "comment": "Test User",
  "email": "test.user@fyber.com",
  "tags": [
    "statsdb2"
  ],
  "db_password": "*A583DEA9338BFF2C2956B9953FC0AC799C9DCF28"
}