DOC: config: use CREATE USER for mysql-check
CREATE USER has been the standard way of creating users since
MySQL-5.0 (2005).
The current syntax of INSERT INTO mysql.user won't actually work
on MariaDB-10.4+.
Because haproxy doesn't use any resources the MySQL executable comment
syntax provides resource contraints to make it more palatable
to risk adverse users.
/*!50701 is a syntax recognised by MySQL and MariaDB 5.7.1+ when
resource contraints where added.
/*M!100201 is a MariaDB executable comment syntax recognised for MariaDB
for the 10.2.1 where the MAX_STATEMENT_TIME was added.
This patch may be backported as far as 2.0.
(cherry picked from commit d3e7dc498baeab3535fcaf48f8983138d35442f5)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 9dc310dc520fb5fbc9dbd9594f7cfaa1472372fe)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit a1d2bbc1cea4368f0349de996a1722985e762e1f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit a4edd252d45d8a96b8a594dd12d0d1f015f1f8f3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2d8032d..d8b246f 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7082,12 +7082,13 @@
one Client Authentication packet, and one QUIT packet, to correctly close
MySQL session. We then parse the MySQL Handshake Initialization packet and/or
Error packet. It is a basic but useful test which does not produce error nor
- aborted connect on the server. However, it requires adding an authorization
- in the MySQL table, like this :
+ aborted connect on the server. However, it requires an unlocked authorised
+ user without a password. To create a basic limited user in MySQL with
+ optional resource limits:
- USE mysql;
- INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
- FLUSH PRIVILEGES;
+ CREATE USER '<username>'@'<ip_of_haproxy|network_of_haproxy/netmask>'
+ /*!50701 WITH MAX_QUERIES_PER_HOUR 1 MAX_UPDATES_PER_HOUR 0 */
+ /*M!100201 MAX_STATEMENT_TIME 0.0001 */;
If you don't specify a username (it is deprecated and not recommended), the
check only consists in parsing the Mysql Handshake Initialization packet or