I have a farm of production MySQL servers that are currently protected by restricted passwords.
I would prefer to restrict access to these systems at the network level, but have to account for the fact that some members of the dev community require read-only access to debug application issues.
I know that I can do this by creating MySQL users that can authenticate at different levels from different IP subnets (e.g. 'user'@'10.0.0.8'), but I'd like to avoid having to refactor code to introduce new users into the application (which would require a considerable QA effort).
Ideally, I just want to break the network link between where the MySQL servers are (in a dedicated subnet) and where the developers are (in a dedicated subnet) and allow the application servers to continue to access the MySQL servers as before.
It would seem like some sort of TCP-based proxy with authentication would suit this purpose. That way, I could create user-specific accounts on the proxy that would create an audit trail and provide short-term, on-demand access to developers without having to tinker with the user database on the MySQL servers.
However, authentication options in software like HAProxy and MySQL Proxy appear quite limited.
Has anyone implemented something similar?