Pass `--mysql_clientcert_auth_method` flag to Vitess
Tener opened this issue · 1 comments
Tener commented
`vitess-operator` does not pass `--mysql_clientcert_auth_method` flag to Vitess. As a result, no client certificate subject verification is performed for MySQL and any user can connect as any other user, independently of the certificate subject, so long as the certificate used for connection is valid.
Tener commented
Looks like I've misunderstood the meaning for this flag; in practice it seems like without choosing `clientcert` auth method using `--mysql_auth_server_impl=clientcert` the certificate subject is ignored. I think this is worth documenting, but nonetheless this issue is invalid.