diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl
index 19fa043669..487d8a4951 100755
--- a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl
+++ b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl
@@ -1,5 +1,6 @@
 import os, MySQLdb
 host = '{{ template "cluster.name" . }}-tidb'
+permit_host = {{ .Values.tidb.permitHost | default "%" | quote }}
 port = 4000
 password_dir = '/etc/tidb/password'
 conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5)
@@ -12,12 +13,14 @@ for file in os.listdir(password_dir):
     if user == 'root':
         conn.cursor().execute("set password for 'root'@'%%' = %s;", (password,))
     else:
-        conn.cursor().execute("create user %s@'%%' identified by %s;", (user, password,))
-conn.cursor().execute("flush privileges;")
-conn.commit()
+        conn.cursor().execute("create user %s@%s identified by %s;", (user, permit_host, password,))
 {{- if .Values.tidb.initSql }}
 with open('/data/init.sql', 'r') as sql:
     for line in sql.readlines():
         conn.cursor().execute(line)
 conn.commit()
 {{- end }}
+if permit_host != '%%':
+    conn.cursor().execute("update mysql.user set Host=%s where User='root';", (permit_host,))
+conn.cursor().execute("flush privileges;")
+conn.commit()
diff --git a/charts/tidb-cluster/templates/tidb-initializer-job.yaml b/charts/tidb-cluster/templates/tidb-initializer-job.yaml
index d419268cd5..66bac07927 100644
--- a/charts/tidb-cluster/templates/tidb-initializer-job.yaml
+++ b/charts/tidb-cluster/templates/tidb-initializer-job.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.tidb.passwordSecretName .Values.tidb.initSql }}
+{{- if or .Values.tidb.passwordSecretName .Values.tidb.permitHost .Values.tidb.initSql }}
 apiVersion: batch/v1
 kind: Job
 metadata:
diff --git a/charts/tidb-cluster/values.yaml b/charts/tidb-cluster/values.yaml
index 120d2730db..b8bb86f9f4 100644
--- a/charts/tidb-cluster/values.yaml
+++ b/charts/tidb-cluster/values.yaml
@@ -263,6 +263,9 @@ tidb:
   # kubectl create secret generic tidb-secret --from-literal=root= --namespace=
   # If unset, the root password will be empty and you can set it after connecting
   # passwordSecretName: tidb-secret
+  # permitHost is the host which will only be allowed to connect to the TiDB.
+  # If unset, defaults to '%' which means allow any host to connect to the TiDB.
+  # permitHost: 127.0.0.1
   # initSql is the SQL statements executed after the TiDB cluster is bootstrapped.
   # initSql: |-
   # create database app;
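Review bot: The guard `if permit_host != '%%':` compares against two percent characters, but `permit_host` is a plain Python string rendered by Helm's `quote` (presumably `"%"` when the value is unset), so the condition is true even in the default case and the `update mysql.user` statement always runs; the `%%` escape is only meaningful inside the format string handed to `execute`, not in a Python comparison. The check should read `if permit_host != '%':`. Once root's Host row has been rewritten, a later re-run of this initializer, which connects as root from the job pod, can only authenticate if the pod's address matches permit_host, so a comment above the update is worth adding, e.g. `# restricts root to permit_host; re-running this job afterwards requires connecting from that host`. The enclosing `for file in os.listdir(password_dir):` loop starts above the hunk.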