The definition of Percona Advisors by ChatGPT is the following:
Percona Advisors can help organizations implement robust security measures to protect their databases and sensitive data.
It is partially true. The reason why we have Percona Advisors is to encode years of our database expertise and share it with the community, to automatically identify potential performance, configuration, and security issues, and let users resolve them before they become real incidents.
Percona Advisors is an open source framework, meaning you can create your own checks by following our documentation. Right now even if you create your own advisors, they will overwrite existing Percona checks. So it is only for debugging and testing purposes. We plan to extend the framework to enable innovation and contributions from the community. By default Percona Monitoring and Management (PMM) comes with basic advisor checks, whereas registered and paid tiers get much more. See more about it on our subscription page.
In this blog post, I will show how Percona Advisors work and demonstrate various checks in action.
Preparation
Percona Monitoring and Management (PMM)
Install PMM by following the documentation. I will deploy it on my Kubernetes cluster with the helm chart.
1 | helm install pmm --set service.type="LoadBalancer" percona/pmm |
Create your Percona Platform account
Navigate to https://portal.percona.com to create an account if you don’t have one already. By just creating an account you will get access to more advisors for free, whereas I myself on a paid tier enjoy the full power of sophisticated checks.
This is the number of checks that PMM has by default right after installation:
Once PMM is connected to the Platform, PMM downloads advisors automatically. With the paid subscription I get the following list:
Register PMM in the Platform
The process of registering PMM in the Platform is described in the documentation. In short:
- Fetch the token from https://portal.percona.com/profile
- Add this token in the PMM Settings -> Percona Platform section.
Action
Checks in action
I will deploy a MySQL cluster with Group Replication and monitor it with PMM. For the sake of simplicity and speed, I will use Percona Operator for MySQL (based on Percona Server for MySQL which is in tech preview).
As a result, I see the following checks firing up:
For example “Passwords don’t expire, as default_password_lifetime=0” checks alerts that the password expiration is not enabled:
Please consider imposing an expiry time for passwords by setting default_password_lifetime to a positive integer, indicating how many days can go by before the user has to renew their password; This will help prevent brute force attacks and risks of data leaks.
Embed checks in your CICD pipeline
With PMM API you can easily automate database compliance checks with your existing CICD pipelines.
Get all the services with failed checks:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | $ curl -k --request POST --url https://PMM_SERVER/v1/management/SecurityChecks/ListFailedServices --header 'accept: application/json' --header 'content-type: application/json' --header 'Authorization: Bearer eyJrIjoiZTZxZFdyWG9GYklKNEVBZ1kwRU9OUTZIdnA4bFdlNXIiLCJuIjoidHN0IiwiaWQiOjF9' { "result": [ { "service_name": "default-test-cluster-mysql-2", "service_id": "/service_id/0df4c5b6-ad15-4324-a70c-05fe3900b1d2", "warning_count": 6, "notice_count": 4 }, { "service_name": "default-test-cluster-mysql-1", "service_id": "/service_id/4f1ebbec-9383-41fd-9a32-60114e11b7aa", "warning_count": 6, "notice_count": 4 }, { "service_name": "default-test-cluster-mysql-0", "service_id": "/service_id/7e3cae47-3ee1-4488-883b-21b7450fb0d2", "error_count": 1, "warning_count": 6, "notice_count": 4 } ] } |
Now get all the failed checks for a specific service:
1 2 3 4 5 6 | curl -k --request POST --url https://PMM_SERVER/v1/management/SecurityChecks/FailedChecks --header 'accept: application/json' --header 'content-type: application/json' --header 'Authorization: Bearer eyJrIjoiZTZxZFdyWG9GYklKNEVBZ1kwRU9OUTZIdnA4bFdlNXIiLCJuIjoidHN0IiwiaWQiOjF9' --data '{"service_id":"/service_id/4f1ebbec-9383-41fd-9a32-60114e11b7aa"}' |
This is the example of a summary of one check:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | { "summary": "Passwords don't expire, as default_password_lifetime=0", "description": "Please consider imposing an expiry time for passwords by setting default_password_lifetime to a positive integer, indicating how many days can go by before the user having to renew their password; This will help prevent brute force attacks and risks of data leaks.", "severity": "SEVERITY_WARNING", "labels": { "agent_id": "/agent_id/e8528c89-8858-4591-800a-e5edde56df57", "agent_type": "qan-mysql-perfschema-agent", "alert_id": "/stt/a47e962529bc87c7ef98ba832e4d6ca20454ed65", "alertname": "mysql_configuration_variables6", "cluster": "test-cluster", "interval_group": "standard", "node_id": "/node_id/8abc903c-556d-47ca-85fe-8eec92cfbc66", "node_name": "default-test-cluster-mysql-1", "node_type": "container", "service_id": "/service_id/4f1ebbec-9383-41fd-9a32-60114e11b7aa", "service_name": "default-test-cluster-mysql-1", "service_type": "mysql", "severity": "warning", "stt_check": "1" }, "read_more_url": "https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_password_lifetime", "service_name": "default-test-cluster-mysql-1", "service_id": "/service_id/4f1ebbec-9383-41fd-9a32-60114e11b7aa", "check_name": "mysql_configuration_variables6", "alert_id": "/stt/a47e962529bc87c7ef98ba832e4d6ca20454ed65" }, |
Conclusion
Day-2 operations for databases are complex. Keeping your database secure and performant before it is too late can be achieved without human intervention. In this blog post, we showed how Percona Advisors can help with it.
