Skip to content

SYSTEM Cited by 1 source

PlanetScale user query frontend

What it is

The user query frontend is the PlanetScale ingress service that sits between a customer's MySQL client connection and the underlying Vitess cluster. The Password Roles post describes it as "a service responsible for all user-facing functionality for PlanetScale databases".

Its authorization role is narrow and load-bearing:

  1. Accept the customer's MySQL-protocol connection with whatever password they created in the PlanetScale dashboard.
  2. Authenticate the password against the external credential store (fields: Display name, Role, password_sha1_hash, password_sha2_hash).
  3. Look up the password's role (read-only, write-only, read/write, admin).
  4. Rewrite the security principal on the connection to one of three synthetic usernames — planetscale-reader, planetscale-writer, or planetscale-admin — that the downstream Vitess table ACL recognises.
  5. Forward the query to Vitess, which sees only a fixed principal and evaluates its invariant ACL file.

The frontend is how PlanetScale decouples per-tenant credential dynamism from per-pod ACL config static-ness: the ACL file on every vttablet stays identical, and all per-customer state lives in the credential DB behind the frontend.

Why it shows up on this wiki

The user query frontend is the ingress-service half of the external-credential-store-with-principal-rewrite pattern. It illustrates why managed-database platforms on top of systems with static-config authorization (like Vitess table ACL, but generalisable to any configuration-file-driven authz mechanism) need a stateful ingress layer — the alternative is either sacrificing the "credentials take effect immediately" guarantee or multiplying per-pod ACL state by customer cardinality.

Minimal-viable page: the frontend is named in the source but not deeply described. The post discloses its role in the authz path but leaves its deployment topology, VTGate relationship, connection-pooling model, session-principal caching behaviour, and revocation-propagation semantics unspecified. Future PlanetScale posts that describe any of those axes would extend this page.

Seen in

Last updated · 319 distilled / 1,201 read