Knowledge Drop

Securing looker-db.yml


Userlevel 5

Last tested: Oct 1, 2019
 

When moving a previously self-hosted instance to a MySQL backend, users are instructed to create a looker-db.yml file that contains the MySQL database credentials: https://docs.looker.com/setup-and-management/on-prem-mgmt/migrating-to-mysql#create_a_database_credentials_file

Those who do not want the clear text password for this configuration in a file on disk may optionally set environment variables for "LOOKER_DB" to accomplish the same thing.

You can set the environment variable "LOOKER_DB" to contain a list of key/values for each line in the looker-db.yml file.
export LOOKER_DB="dialect=mysql&host=localhost&username=root&password=&database=looker&port=3306"

We'd also recommend that they limit use of the MySQL user account created to the IP address used by your Looker server

It is important to also consider that, given Looker's encryption scheme, all sensitive data in the database is encrypted at rest.  If someone were to steal the database credentials, and access the database, the most sensitive of data, such as passwords, analytics db credentials, query cache etc, are all stored encrypted or hashed.

 

This content is subject to limited support.                

 

 

 


0 replies

Be the first to reply!

Reply