The password is empty for the root
user when deploying a StarRocks cluster from fresh installation. This can be a
security concern. This document describes steps to change root password and still the operator can manage the cluster
correctly.
In the following examples, mysql_password
is taken as the password for the root user, it can be replaced with any
password chosen for the root.
A StarRocks cluster is deployed and up with empty root password by the operator.
Connect to StarRocks FE with a MySQL client and change the root user password.
mysql
-h <FE_IP/FE_SERVICE> -P 9030 -u root
# change root password to `mysql_password`
MySQL [(none)]> SET PASSWORD = PASSWORD('mysql_password');
There are two ways to deploy StarRocks cluster:
- Deploy StarRocks cluster with
StarRocksCluster
CR yaml. - Deploy StarRocks cluster with Helm chart.
Therefore, there are two ways to inject the MYSQL_PWD environment variable into StarRocks components.
-
Create a secret rootcredential with the key password to store the root password
kubectl create secret generic rootcredential --from-literal=password=mysql_password
-
Add the following snippets to
starRocksFeSpec/starRocksBeSpec/starRocksCnSpec
respectively if the corresponding components are deployed.# for starRocksFeSpec feEnvVars: - name: "MYSQL_PWD" valueFrom: secretKeyRef: name: rootcredential key: password # for starRocksBeSpec beEnvVars: - name: "MYSQL_PWD" valueFrom: secretKeyRef: name: rootcredential key: password # for starRocksCnSpec cnEnvVars: - name: "MYSQL_PWD" valueFrom: secretKeyRef: name: rootcredential key: password
-
Apply the crd yaml
kubectl apply -f <crd_yaml>
It will trigger a rolling restart of the cluster, wait until the cluster restart completed.
If you are using the kube-starrocks
Helm chart, add the following snippets to values.yaml
.
starrocks:
# create secrets if necessary.
secrets:
- name: rootcredential
data:
password: mysql_password
starrocksFESpec:
feEnvVars:
- name: "MYSQL_PWD"
valueFrom:
secretKeyRef:
name: rootcredential
key: password
starrocksBeSpec:
beEnvVars:
- name: "MYSQL_PWD"
valueFrom:
secretKeyRef:
name: rootcredential
key: password
starrocksCnSpec:
cnEnvVars:
- name: "MYSQL_PWD"
valueFrom:
secretKeyRef:
name: rootcredential
key: password
If you are using the starrocks
Helm chart, add the following snippets to values.yaml
.
# create secrets if necessary.
secrets:
- name: rootcredential
data:
password: mysql_password
starrocksFESpec:
feEnvVars:
- name: "MYSQL_PWD"
valueFrom:
secretKeyRef:
name: rootcredential
key: password
starrocksBeSpec:
beEnvVars:
- name: "MYSQL_PWD"
valueFrom:
secretKeyRef:
name: rootcredential
key: password
starrocksCnSpec:
cnEnvVars:
- name: "MYSQL_PWD"
valueFrom:
secretKeyRef:
name: rootcredential
key: password
Run the following command to upgrade the cluster.
helm upgrade <release_name> <chart_path> -f values.yaml
It will trigger a rolling restart of the cluster, wait until the cluster restart completed.
After the pods are restarted, run the following command to check the correctness of the password.
kubectl exec <podName> -- sh -c 'echo $MYSQL_PWD'