pingcap / tiflow

This repo maintains DM (a data migration platform) and TiCDC (change data capture for TiDB)
Apache License 2.0

DM to read password from environment #11666

Open mzhang77 opened 1 month ago

mzhang77 commented 1 month ago

Is your feature request related to a problem?

Right now, DM requires storing the password in the config file:

```yaml
## ******** Downstream TiDB instance configuration **********
target-database:
  # Configuration of the downstream database instance.
  host: "n.n.n.n"
  port: 4000
  user: "root"
  password: "NElUoZylDevEjgPKvcJdF0Akdn2D"
  # If the password is not null, it is recommended to use a password encrypted with dmctl.
```

This is still unsafe.

Describe the feature you'd like

DM to read password from environment variable. For example:

```yaml
password: env("DM_PASSWORD")
```

When using it, the user needs to set the environment variable first:

```shell
export DM_PASSWORD=password
dmctl start-task ...
```

Describe alternatives you've considered

There are ways to work around this security breach, but it would be nice if DM could handle it.

Teachability, Documentation, Adoption, Migration Strategy

No response

lance6716 commented 1 month ago

A DM worker may replicate to different TiDB clusters with different passwords. And I'm not sure if environment variables are loaded at process start. If so, when we need to change the downstream password, we need to restart DM workers. 🤔

also cc @OliverS929
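A sketch of how the `env("NAME")` placeholder requested in this issue could be resolved, added here as an illustration and not taken from DM or tiflow. `ResolvePassword`, the `DM_PASSWORD_A`/`DM_PASSWORD_B` variable names and the target names are hypothetical; each downstream target names its own variable, and an unset or empty variable is an error instead of an empty password.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// envRef matches the placeholder syntax proposed in the issue: env("NAME").
var envRef = regexp.MustCompile(`^env\("([A-Za-z_][A-Za-z0-9_]*)"\)$`)

// ResolvePassword is a hypothetical helper (not a DM API). A value of the form
// env("NAME") is looked up through lookup; any other value is returned as a
// literal, so existing config files keep working. It fails closed: an unset or
// empty variable is an error, never a silent empty password.
func ResolvePassword(raw string, lookup func(string) (string, bool)) (string, error) {
	m := envRef.FindStringSubmatch(raw)
	if m == nil {
		return raw, nil
	}
	val, ok := lookup(m[1])
	if !ok || val == "" {
		// Report the variable name only; never echo a secret value.
		return "", fmt.Errorf("password variable %s is unset or empty", m[1])
	}
	return val, nil
}

func main() {
	// Constructed sample: two downstream targets, each with its own variable,
	// so one process can hold different passwords for different clusters.
	targets := map[string]string{
		"tidb-a": `env("DM_PASSWORD_A")`,
		"tidb-b": `env("DM_PASSWORD_B")`,
	}
	for name, raw := range targets {
		if _, err := ResolvePassword(raw, os.LookupEnv); err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: password resolved\n", name)
	}
}
```

`os.LookupEnv` reads the environment of the process that calls it, which is inherited at launch, so a value exported later in another shell is not seen until that process is restarted. On Linux the environment is also readable by the same user and root through `/proc/<pid>/environ`, so this removes the secret from the config file but not from the host.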