The default parameters when setting up a database connection to MySQL do not allow the standard SSL options: --sl-ca, --ssl-cert, and --ssl-key which are as of MySQL Server 5.7. Is there a command line override or a way to do this?
There’s isn’t currently a way to do that, but perhaps chime in on a related issue at https://github.com/metabase/metabase/issues/1403
Is there not an easy way to do an power-user override of additional command line flags? Seems essential given how attack-ridden the Internet is.
I would love a solution to this.
I just managed to get this working and thought I'd share...
In addition to the usual username, password, host, and db, you also need 3 files accessible to metabase:
- A CA cert in PEM
- Your server certificate in PEM
- Your client key in DER (ideally read only permissions to the metabase user only)
From there, you can form your connection string like so:
postgres://<user>:<password>@<host>:<port>/<dbname>?ssl=true&sslmode=verify-ca&sslrootcert=<path to pem CA cert>&sslcert=<path to pem client cert>&sslkey=<path to DER client key>
All of this is passed to the Postgres JDBC connector with more details here: https://jdbc.postgresql.org/documentation/head/ssl-client.html
Hope that helps anyone else who might be trying to do this
@emil-binti Thank you for sharing. This topic is about SSL for the data source, which we are working on making a lot easier in version 0.40.
Your example is for the application database. This was only possible since 0.38.0.
By the way, you should not use user:pass@host
- it's deprecated, use this style instead:
postgres://<host>:<port>/<db>?user=<username>&password=<password>
For reference: https://www.metabase.com/docs/latest/operations-guide/configuring-application-database.html#upgrading-from-a-metabase-version-pre-038