As mentioned in Connection Volume Management, to allow for the need to perform administrative operations even when max_connections connections are already established on the interfaces used for ordinary connections, the MySQL server permits a single administrative connection to users who have the CONNECTION_ADMIN privilege (or the deprecated SUPER privilege).
Additionally, as of MySQL 8.0.14, the server permits dedicating a TCP/IP port for administrative connections, as described in the following sections.
The administrative connection interface has these characteristics:
The server enables the interface only if the admin_address system variable is set at startup to indicate the IP address for it. If admin_address is not set, the server maintains no administrative interface.
The admin_port system variable specifies the interface TCP/IP port number (default 33062).
There is no limit on the number of administrative connections, but connections are permitted only for users who have the SERVICE_CONNECTION_ADMIN privilege.
The create_admin_listener_thread system variable enables DBAs to choose at startup whether the administrative interface has its own separate thread. The default is OFF; that is, the manager thread for ordinary connections on the main interface also handles connections for the administrative interface.
These lines in the server my.cnf file enable the administrative interface on the loopback interface and configure it to use port number 33064 (that is, a port different from the default):

[mysqld]
admin_address=127.0.0.1
admin_port=33064
MySQL client programs connect to either the main or administrative interface by specifying appropriate connection parameters. If the server running on the local host is using the default TCP/IP port numbers of 3306 and 33062 for the main and administrative interfaces, these commands connect to those interfaces:

mysql --protocol=TCP --port=3306
mysql --protocol=TCP --port=33062
Prior to MySQL 8.0.21, the administrative interface supports encrypted connections using the connection-encryption configuration that applies to the main interface. As of MySQL 8.0.21, the administrative interface has its own configuration parameters for encrypted connections. These correspond to the main interface parameters but enable independent configuration of encrypted connections for the administrative interface:
The admin_tls_xxx and admin_ssl_xxx system variables are like the tls_xxx and ssl_xxx system variables, but they configure the TLS context for the administrative interface rather than the main interface.
The --admin-ssl option is like the --ssl option, but it enables or disables support for encrypted connections on the administrative interface rather than the main interface.
Because support for encrypted connections is enabled by default, it is normally unnecessary to specify --admin-ssl. As of MySQL 8.0.26, --admin-ssl is deprecated and subject to removal in a future MySQL version.
For general information about configuring connection-encryption support, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”, and Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”. That discussion is written for the main connection interface, but the parameter names are similar for the administrative connection interface. Use that discussion together with the following remarks, which provide information specific to the administrative interface.
TLS configuration for the administrative interface follows these rules:
If --admin-ssl is enabled (the default), the administrative interface supports encrypted connections. For connections on the interface, the applicable TLS context depends on whether any nondefault administrative TLS parameter is configured:
If all administrative TLS parameters have their default values, the administrative interface uses the same TLS context as the main interface.
If any administrative TLS parameter has a nondefault value, the administrative interface uses the TLS context defined by its own parameters. (This is the case if any admin_tls_xxx or admin_ssl_xxx system variable is set to a value different from its default.) If a valid TLS context cannot be created from those parameters, the administrative interface falls back to the main interface TLS context.
If --admin-ssl is disabled (for example, by specifying --admin-ssl=OFF), encrypted connections to the administrative interface are disabled. This is true even if administrative TLS parameters have nondefault values because disabling --admin-ssl takes precedence.
It is also possible to disable encrypted connections on the administrative interface without specifying --admin-ssl in negated form. Set the admin_tls_version system variable to the empty value to indicate that no TLS versions are supported. For example, these lines in the server my.cnf file disable encrypted connections on the administrative interface:

[mysqld]
admin_tls_version=''
Examples:
This configuration in the server my.cnf file enables the administrative interface, but does not set any of the TLS parameters specific to that interface:

[mysqld]
admin_address=127.0.0.1
As a result, the administrative interface supports encrypted connections (because encryption is supported by default when the administrative interface is enabled), and uses the main interface TLS context. When clients connect to the administrative interface, they should use the same certificate and key files as for ordinary connections on the main interface. For example (enter the command on a single line):

mysql --protocol=TCP --port=33062 --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
This server configuration enables the administrative interface and sets the TLS certificate and key file parameters specific to that interface:

[mysqld]
admin_address=127.0.0.1
admin_ssl_ca=admin-ca.pem
admin_ssl_cert=admin-server-cert.pem
admin_ssl_key=admin-server-key.pem
As a result, the administrative interface supports encrypted connections using its own TLS context. When clients connect to the administrative interface, they should use certificate and key files specific to that interface. For example (enter the command on a single line):

mysql --protocol=TCP --port=33062 --ssl-ca=admin-ca.pem --ssl-cert=admin-client-cert.pem --ssl-key=admin-client-key.pem
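
The rules above can be checked against a my.cnf file before the server is started. The following Python sketch is an added example, not part of the MySQL documentation or code base; the function names, the sample configuration, and the loopback check are constructed for illustration. It assumes that any admin_tls_xxx or admin_ssl_xxx variable present in the file has a nondefault value, and that --admin-ssl is negated as skip-admin-ssl or with a value of OFF, 0, or FALSE.

```python
# Added example: static check of my.cnf text against the rules on this page.
DEFAULT_ADMIN_PORT = 33062
OFF_VALUES = {"off", "0", "false"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: admin interface with its own TLS files, reachable off-host.
SAMPLE_CNF = """
[mysqld]
admin_address=192.0.2.10
admin-ssl-ca=admin-ca.pem
admin_ssl_cert=admin-server-cert.pem
admin_ssl_key=admin-server-key.pem
"""

def mysqld_options(cnf_text):
    """Return {name: value} for [mysqld]; dashes in names become underscores."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            name, _, value = line.partition("=")
            opts[name.strip().replace("-", "_").lower()] = value.strip().strip("'\"")
    return opts

def admin_interface_state(cnf_text):
    """Summarize the administrative interface this configuration asks for."""
    opts = mysqld_options(cnf_text)
    address = opts.get("admin_address")
    if not address:
        return {"enabled": False}      # no admin_address: no administrative interface
    own = [k for k in opts if k.startswith(("admin_tls_", "admin_ssl_"))]
    if "skip_admin_ssl" in opts or opts.get("admin_ssl", "on").lower() in OFF_VALUES:
        tls = "disabled"               # disabling --admin-ssl takes precedence
    elif opts.get("admin_tls_version") == "":
        tls = "disabled"               # empty value: no TLS versions supported
    elif own:
        tls = "own-context"            # server falls back to main context if invalid
    else:
        tls = "main-context"
    return {"enabled": True, "address": address, "tls": tls,
            "port": int(opts.get("admin_port", DEFAULT_ADMIN_PORT)),
            "loopback_only": address in LOOPBACK}

if __name__ == "__main__":
    print(admin_interface_state(SAMPLE_CNF))
```

A result of "own-context" only reflects what the file requests; whether the server can build a valid TLS context from those files is decided at startup, when it may fall back to the main interface context.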