Upgrading MaxScale from 1.3 to 1.4

This document describes upgrading MaxScale from version 1.3 to 1.4.

For more detailed information about MaxScale 1.4, please refer to: MaxScale 1.4.3 release notes MaxScale 1.4.2 release notes MaxScale 1.4.1 release notes MaxScale 1.4.0 release notes

Installation

Before starting the upgrade, we strongly recommend you back up your current configuration file.

Service user permissions

The service users now also need SELECT privileges on mysql.tables_priv. This is required for the resolution of table level grants. To grant SELECT privileges for the service user, replace the user and hostname in the following example.

GRANT SELECT ON mysql.tables_priv TO 'username'@'maxscalehost';

Password encryption

MaxScale 1.4 upgrades the used password encryption algorithms to more secure ones. This requires that the password files are recreated with the maxkeys tool. For more information about how to do this, please read the installation guide: MariaDB MaxScale Installation Guide

SSL

The SSL configuration parameters are now a part of the listeners. If a service used the old style SSL configuration parameters, the values should be moved to the listener which is associated with that service.

Here is an example of an old style configuration.

[RW Split Router]
type=service
router=readwritesplit
servers=server1,server2,server3,server4
user=jdoe
passwd=BD26E4139A15280CA882264AA1551C70
ssl=required
ssl_cert=/home/user/certs/server-cert.pem
ssl_key=/home/user/certs/server-key.pem
ssl_ca_cert=/home/user/certs/ca.pem
ssl_version=TLSv12

[RW Split Listener]
type=listener
service=RW Split Router
protocol=MySQLClient
port=3306

And here is the new, 1.4 compatible configuration style.

[RW Split Router]
type=service
router=readwritesplit
servers=server1,server2,server3,server4
user=jdoe
passwd=BD26E4139A15280CA882264AA1551C70

[RW Split Listener]
type=listener
service=RW Split Router
protocol=MySQLClient
port=3306
ssl=required
ssl_cert=/home/user/certs/server-cert.pem
ssl_key=/home/user/certs/server-key.pem
ssl_ca_cert=/home/user/certs/ca.pem
ssl_version=TLSv12

Please also note that the enabled SSL mode is no longer supported due to the inherent security issues with allowing SSL and non-SSL connections on the same port. In addition to this, SSLv3 is no longer supported due to vulnerabilities found in it.