[R-SIG-Finance] RFC: quantmod::getSymbols.MySQL

Paul Gilbert pgilbert902 at gmail.com
Wed Oct 29 20:30:39 CET 2014



On 10/29/2014 10:36 AM, Mark Knecht wrote:
> On Wed, Oct 29, 2014 at 6:38 AM, Zachary Deane-Mayer
> <zach.mayer at gmail.com> wrote:
>> Hi Mark,
>>
>> It'd be a little cumbersome, but couldn't you also source() an R script at
>> the start of your session that loads the parameters from .my.cnf and passes
>> them to options()?
>>
>> Alternatively, maybe getSymbols.MySQL could look for a cnf_file option, and
>> then if that is not present look for a username and password?
>>
>> -Zach
>
> Hi Zach & Josh,
>     Yes, I'm sure there's lots of ways to do this, and as an individual
> user just working by myself I'll be happy for anything that works.
>
>     That said, the nice security feature about the way it was done
> before was TTBOMK the R environment never saw the MySQL username &
> password. That was previously all done completely outside of R. R asks
> MySQL to get some data from a specific database. MySQL wasn't given a
> username and password so it automatically accesses .my.cnf which is
> secure. If it finds an entry with the right database name, then it
> gets username and password from that file, gets the data from the
> database and gives it back to R. If the username/password aren't there
> the user can pass them explicitly (as I'm doing with this recent
> change) or else he doesn't get access to that database.

Not being a user of the packages under discussion, other than RMySQL 
(and assuming it is RMySQL you are talking about underneath), I am a bit 
confused about why you think this has been broken by changes to 
defaults? If anything, it seems to depend on R not doing anything, and 
letting the driver handle it. I still use this approach in my own 
packages that use RMySQL. I think it is the default if 
host/user/password are not explicitly specified in another way. I also 
believe it is generally considered the most secure approach because 
sensitive information is not left sitting around in more viewable 
places. Am I missing something (as usual)?

Paul

>
>     But going beyond that model consider a C++/GTK application that
> links calls to R under the hood using the RInside package. (Something
> I'm just starting to play with now.) I'm in a GTK-based GUI, using C++
> code that runs R functions one of which is accessing MySQL to get
> price data. The results are loaded by R, indicators are calculated and
> I see them in my GTK GUI. Now, I send the compiled app to a friend.
> How would MySQL work in that case? Today he just puts an entry in
> .my.cnf on his machine and he's good to go. (NOTE: I'm not looking for
> an answer to this specific issue. In my specific case I may access
> MySQL from C and pass the data to R as it appears to be a lot faster.)
>
>     Anyway I don't think this is really a new feature. It's the
> standard MySQL security model. It used to work and was broken by the
> recent change to defaults. All that said I'll of course use whatever
> gets supported. I'm just pointing out the issue, not trying to create
> work for anyone.
>
> Cheers,
> Mark
>
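
The option-file approach discussed in this thread, as an added example that is not code from any poster, from quantmod or from RMySQL: it checks that the option file is private to its owner and that the requested group is present, then connects through RMySQL's `groups` and `default.file` arguments so that no username or password is passed from R. The function names, the `[prices]` group, the requirement that the named group itself holds `user` and `password`, and the sample file contents are assumptions made for illustration.

```r
# Added example; function names, the [prices] group and sample values are assumptions.
audit_option_file <- function(cnf, group) {
  if (!file.exists(cnf)) stop("option file not found: ", cnf)
  problems <- character(0)
  # On Unix, any group/other permission bit exposes the stored password.
  mode <- file.info(cnf)$mode
  if (.Platform$OS.type == "unix" && bitwAnd(as.integer(mode), 63L) != 0L) {
    problems <- c(problems, sprintf("mode %s grants access beyond the owner", format(mode)))
  }
  # Keep section and key names only; text after '=' is dropped immediately.
  lines <- trimws(sub("=.*$", "", readLines(cnf, warn = FALSE)))
  lines <- lines[nzchar(lines) & !grepl("^[#;]", lines)]
  is_header <- grepl("^\\[.*\\]$", lines)
  idx <- match(sprintf("[%s]", group), lines[is_header])
  if (is.na(idx)) {
    problems <- c(problems, sprintf("no [%s] section", group))
  } else {
    # Policy of this example: the named group must supply both settings itself.
    keys <- lines[cumsum(is_header) == idx & !is_header]
    absent <- setdiff(c("user", "password"), keys)
    if (length(absent) > 0) {
      problems <- c(problems, paste("group lacks:", paste(absent, collapse = ", ")))
    }
  }
  problems
}

connect_via_option_file <- function(dbname, group = dbname,
                                    cnf = path.expand("~/.my.cnf")) {
  problems <- audit_option_file(cnf, group)
  if (length(problems) > 0) stop(paste(problems, collapse = "; "))
  # No username/password arguments: the MySQL client library reads them from the file.
  DBI::dbConnect(RMySQL::MySQL(), dbname = dbname, groups = group, default.file = cnf)
}

# Constructed sample option file (made-up values), written to a temp directory.
cnf <- file.path(tempdir(), "sample.my.cnf")
writeLines(c("# constructed sample", "[client]", "host = localhost", "",
             "[prices]", "user = quant_ro", "password = not-a-real-password"), cnf)

Sys.chmod(cnf, "644", use_umask = FALSE)  # loosened on purpose for the permission check
print(audit_option_file(cnf, "prices"))
Sys.chmod(cnf, "600", use_umask = FALSE)  # owner-only, as a credential file should be
print(audit_option_file(cnf, "prices"))
print(audit_option_file(cnf, "futures"))  # a group the sample file does not define
```

`connect_via_option_file()` is defined but not called above because it needs a reachable MySQL server and the RMySQL package installed.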
