MySQL_Session.cpp has a hard-coded check to only allow local connections for the "admin" user. I think this check should be removed for several reasons:
Absolutely, there are very good use cases for remote admin connections!
And in fact, since ProxySQL 1.4.1 the default admin-mysql_ifaces has changed from 127.0.0.1:6032 to 0.0.0.0:6032 , see #1103 .
Although, the change of default can create serious security threads, therefore the default admin user (admin) can only be used locally, not remotely.
The check is only performed if the admin user is named "admin", setting admin_credentials = "admin2:admin2" bypasses the check, which doesn't make much sense.
It makes a lot of sense to me. The idea is to prevent security issues: admin can only connect locally, any other user can connect remotely. This meant that you should configure a user for remote connections. If you don't configure a user for remote connection, a default installation needs to prevent security threats.
Further note: you can have multiple admin users:
admin-admin_credentials="admin:admin;userX:passX;admin2:pass2"
admin can only connect locally: the other users can connect remotely.
Fair enough, then I'd only suggest to document this behaviour.
This has been documented:
After the change in admin-admin_credentials, you have to do the following for the change to work remotely:
LOAD ADMIN VARIABLES TO RUNTIME;
I was looking for that info here:
https://github.com/sysown/proxysql/wiki/Global-variables
Most helpful comment
Absolutely, there are very good use cases for remote admin connections!
And in fact, since ProxySQL 1.4.1 the default
admin-mysql_ifaceshas changed from127.0.0.1:6032to0.0.0.0:6032, see #1103 .Although, the change of default can create serious security threads, therefore the default admin user (
admin) can only be used locally, not remotely.It makes a lot of sense to me. The idea is to prevent security issues:
admincan only connect locally, any other user can connect remotely. This meant that you should configure a user for remote connections. If you don't configure a user for remote connection, a default installation needs to prevent security threats.Further note: you can have multiple admin users:
admincan only connect locally: the other users can connect remotely.