The mysql_migrate_keyring utility migrates keys between one keyring component and another. It supports offline and online migrations.
Invoke mysql_migrate_keyring like this (enter the command on a single line):
mysql_migrate_keyring --component-dir=dir_name
--source-keyring=name
--destination-keyring=name
[other options]
For information about key migrations and instructions describing how to perform them using mysql_migrate_keyring and other methods, see Section 6.4.4.13, “Migrating Keys Between Keyring Keystores”.
mysql_migrate_keyring supports the following options, which can be specified on the command line or in the [mysql_migrate_keyring] group of an option file. For information about option files used by MySQL programs, see Section 4.2.2.2, “Using Option Files”.
Table 4.21 mysql_migrate_keyring Options
--component-dir | |
--defaults-extra-file | |
--defaults-file | |
--defaults-group-suffix | |
--destination-keyring | |
--destination-keyring-configuration-dir | |
--get-server-public-key | |
--help | |
--host | |
--login-path | Read login path options from .mylogin.cnf |
--no-defaults | |
--online-migration | |
--password | |
--port | |
--print-defaults | |
--server-public-key-path | |
--socket | |
--source-keyring | |
--source-keyring-configuration-dir | |
--ssl-ca | |
--ssl-capath | |
--ssl-cert | |
--ssl-cipher | |
--ssl-crl | |
--ssl-crlpath | |
--ssl-fips-mode | |
--ssl-key | |
--ssl-mode | |
--tls-ciphersuites | |
--tls-version | |
--user | |
--verbose | |
--version |
--help, -h
Display a help message and exit.
--component-dir=dir_name
The directory where keyring components are located. This is typically the value of the plugin_dir system variable for the local MySQL server.
--component-dir, --source-keyring, and --destination-keyring are mandatory for all keyring migration operations performed by mysql_migrate_keyring. In addition, the source and destination components must differ, and both components must be properly configured so that mysql_migrate_keyring can load and use them.
--defaults-extra-file=file_name
Read this option file after the global option file but (on Unix) before the user option file. If the file does not exist or is otherwise inaccessible, an error occurs. If file_name is not an absolute path name, it is interpreted relative to the current directory.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--defaults-file=file_name
Use only the given option file. If the file does not exist or is otherwise inaccessible, an error occurs. If file_name is not an absolute path name, it is interpreted relative to the current directory.
Exception: Even with --defaults-file, client programs read .mylogin.cnf.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--defaults-group-suffix=str
Read not only the usual option groups, but also groups with the usual names and a suffix of str. For example, mysql_migrate_keyring normally reads the [mysql_migrate_keyring] group. If this option is given as --defaults-group-suffix=_other, mysql_migrate_keyring also reads the [mysql_migrate_keyring_other] group.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--destination-keyring=name
The destination keyring component for key migration. The format and interpretation of the option value is the same as described for the --source-keyring option.
--component-dir, --source-keyring, and --destination-keyring are mandatory for all keyring migration operations performed by mysql_migrate_keyring. In addition, the source and destination components must differ, and both components must be properly configured so that mysql_migrate_keyring can load and use them.
--destination-keyring-configuration-dir=dir_name
This option applies only if the destination keyring component global configuration file contains "read_local_config": true, indicating that component configuration is contained in the local configuration file. The option value specifies the directory containing that local file.
--get-server-public-key
Request from the server the public key required for RSA key pair-based password exchange. This option applies to clients that authenticate with the caching_sha2_password authentication plugin. For that plugin, the server does not send the public key unless requested. This option is ignored for accounts that do not authenticate with that plugin. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.
If --server-public-key-path=file_name is given and specifies a valid public key file, it takes precedence over --get-server-public-key.
For information about the caching_sha2_password plugin, see Section 6.4.1.2, “Caching SHA-2 Pluggable Authentication”.
--host=host_name, -h host_name
The host location of the running server that is currently using one of the key migration keystores. Migration always occurs on the local host, so the option always specifies a value for connecting to a local server, such as localhost, 127.0.0.1, ::1, or the local host IP address or host name.
--login-path=name
Read options from the named login path in the .mylogin.cnf login path file. A “login path” is an option group containing options that specify which MySQL server to connect to and which account to authenticate as. To create or modify a login path file, use the mysql_config_editor utility. See Section 4.6.7, “mysql_config_editor — MySQL Configuration Utility”.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--no-defaults
Do not read any option files. If program startup fails due to reading unknown options from an option file, --no-defaults can be used to prevent them from being read.
The exception is that the .mylogin.cnf file is read in all cases, if it exists. This permits passwords to be specified in a safer way than on the command line even when --no-defaults is used. To create .mylogin.cnf, use the mysql_config_editor utility. See Section 4.6.7, “mysql_config_editor — MySQL Configuration Utility”.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--online-migration
This option is mandatory when a running server is using the keyring. It tells mysql_migrate_keyring to perform an online key migration. The option has these effects:
mysql_migrate_keyring connects to the server using any connection options specified; these options are otherwise ignored.
After mysql_migrate_keyring connects to the server, it tells the server to pause keyring operations. When key copying is complete, mysql_migrate_keyring tells the server it can resume keyring operations before disconnecting.
--password[=password], -p[password]
The password of the MySQL account used for connecting to the running server that is currently using one of the key migration keystores. The password value is optional. If not given, mysql_migrate_keyring prompts for one. If given, there must be no space between --password= or -p and the password following it. If no password option is specified, the default is to send no password.
Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. See Section 6.1.2.1, “End-User Guidelines for Password Security”.
To explicitly specify that there is no password and that mysql_migrate_keyring should not prompt for one, use the --skip-password option.
--port=port_num, -P port_num
For TCP/IP connections, the port number for connecting to the running server that is currently using one of the key migration keystores.
--print-defaults
Print the program name and all options that it gets from option files.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--server-public-key-path=file_name
The path name to a file in PEM format containing a client-side copy of the public key required by the server for RSA key pair-based password exchange. This option applies to clients that authenticate with the sha256_password or caching_sha2_password authentication plugin. This option is ignored for accounts that do not authenticate with one of those plugins. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.
If --server-public-key-path=file_name is given and specifies a valid public key file, it takes precedence over --get-server-public-key.
For sha256_password, this option applies only if MySQL was built using OpenSSL.
For information about the sha256_password and caching_sha2_password plugins, see Section 6.4.1.3, “SHA-256 Pluggable Authentication”, and Section 6.4.1.2, “Caching SHA-2 Pluggable Authentication”.
--socket=path, -S path
For Unix socket file or Windows named pipe connections, the socket file or named pipe for connecting to the running server that is currently using one of the key migration keystores.
On Windows, this option applies only if the server was started with the named_pipe system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by the named_pipe_full_access_group system variable.
--source-keyring=name
The source keyring component for key migration. This is the component library file name specified without any platform-specific extension such as .so or .dll. For example, to use the component for which the library file is component_keyring_file.so, specify the option as --source-keyring=component_keyring_file.
--component-dir, --source-keyring, and --destination-keyring are mandatory for all keyring migration operations performed by mysql_migrate_keyring. In addition, the source and destination components must differ, and both components must be properly configured so that mysql_migrate_keyring can load and use them.
--source-keyring-configuration-dir=dir_name
This option applies only if the source keyring component global configuration file contains "read_local_config": true, indicating that component configuration is contained in the local configuration file. The option value specifies the directory containing that local file.
--ssl*
Options that begin with --ssl specify whether to connect to the server using encryption and indicate where to find SSL keys and certificates. See Command Options for Encrypted Connections.
--ssl-fips-mode={OFF|ON|STRICT}
Controls whether to enable FIPS mode on the client side. The --ssl-fips-mode option differs from other --ssl-xxx options in that it is not used to establish encrypted connections, but rather to affect which cryptographic operations to permit. See Section 6.8, “FIPS Support”.
These --ssl-fips-mode values are permitted:
OFF: Disable FIPS mode.
ON: Enable FIPS mode.
STRICT: Enable “strict” FIPS mode.
If the OpenSSL FIPS Object Module is not available, the only permitted value for --ssl-fips-mode is OFF. In this case, setting --ssl-fips-mode to ON or STRICT causes the client to produce a warning at startup and to operate in non-FIPS mode.
--tls-ciphersuites=ciphersuite_list
The permissible ciphersuites for encrypted connections that use TLSv1.3. The value is a list of one or more colon-separated ciphersuite names. The ciphersuites that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.
--tls-version=protocol_list
The permissible TLS protocols for encrypted connections. The value is a list of one or more comma-separated protocol names. The protocols that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.
--user=user_name, -u user_name
The user name of the MySQL account used for connecting to the running server that is currently using one of the key migration keystores.
--verbose, -v
Verbose mode. Produce more output about what the program does.
--version, -V
Display version information and exit.
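The command-line rules stated above under --component-dir, --source-keyring, --host, --online-migration and --password can be checked before the utility is run. The shell function below is an added example, not part of the MySQL documentation; the name lint_migrate_args, the plugin directory and db.example.com are constructed for illustration, and only the long option forms plus -pVALUE are parsed.

```shell
# Added example: lint a mysql_migrate_keyring argument list against the rules
# stated on this page. Prints one line per problem; returns 1 if any was found.
lint_migrate_args() {
  local dir="" src="" dst="" host="" conn=0 online=0 bad=0 arg name
  for arg in "$@"; do
    case "$arg" in
      --component-dir=*)       dir=${arg#*=} ;;
      --source-keyring=*)      src=${arg#*=} ;;
      --destination-keyring=*) dst=${arg#*=} ;;
      --online-migration)      online=1 ;;
      --host=*)                host=${arg#*=}; conn=1 ;;
      --user=*|--port=*|--socket=*|--password|-p) conn=1 ;;
      --password=?*|-p?*)      conn=1; bad=1
        echo "password on the command line: use the prompt or an option file" ;;
    esac
  done
  if [ -z "$dir" ] || [ -z "$src" ] || [ -z "$dst" ]; then
    echo "--component-dir, --source-keyring, --destination-keyring are mandatory"
    bad=1
  fi
  if [ -n "$src" ] && [ "$src" = "$dst" ]; then
    echo "source and destination components must differ"; bad=1
  fi
  for name in "$src" "$dst"; do
    case "$name" in
      *.so|*.dll) echo "$name: omit the platform-specific extension"; bad=1 ;;
    esac
  done
  if [ "$online" -eq 0 ] && [ "$conn" -eq 1 ]; then
    echo "connection options are ignored without --online-migration"; bad=1
  fi
  # Other local IP addresses are not resolved here and are flagged for review.
  if [ "$online" -eq 1 ] && [ -n "$host" ]; then
    case "$host" in
      localhost|127.0.0.1|::1|"$(hostname 2>/dev/null)") ;;
      *) echo "--host=$host: migration always occurs on the local host"; bad=1 ;;
    esac
  fi
  return "$bad"
}

# Constructed sample: duplicate component with extension, remote host, password.
lint_migrate_args --component-dir=/usr/lib/mysql/plugin \
  --source-keyring=component_keyring_file.so \
  --destination-keyring=component_keyring_file.so \
  --online-migration --host=db.example.com --password=example || true
```

A bare --password (prompt) passes the check; credentials can also come from an option file or .mylogin.cnf, as described above.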