SYSTEM Cited by 1 source

PlanetScale user query frontend

What it is

The user query frontend is the PlanetScale ingress service that sits between a customer's MySQL client connection and the underlying Vitess cluster. The Password Roles post describes it as "a service responsible for all user-facing functionality for PlanetScale databases".

Its authorization role is narrow and load-bearing:

1. Accept the customer's MySQL-protocol connection with whatever password they created in the PlanetScale dashboard.
2. Authenticate the password against the external credential store (fields: Display name, Role, password_sha1_hash, password_sha2_hash).
3. Look up the password's role (read-only, write-only, read/write, admin).
4. Rewrite the security principal on the connection to one of three synthetic usernames — planetscale-reader, planetscale-writer, or planetscale-admin — that the downstream Vitess table ACL recognises.
5. Forward the query to Vitess, which sees only a fixed principal and evaluates its invariant ACL file.

The frontend is how PlanetScale decouples per-tenant credential dynamism from per-pod ACL config static-ness: the ACL file on every vttablet stays identical, and all per-customer state lives in the credential DB behind the frontend.

Why it shows up on this wiki

The user query frontend is the ingress-service half of the external-credential-store-with-principal-rewrite pattern. It illustrates why managed-database platforms on top of systems with static-config authorization (like Vitess table ACL, but generalisable to any configuration-file-driven authz mechanism) need a stateful ingress layer — the alternative is either sacrificing the "credentials take effect immediately" guarantee or multiplying per-pod ACL state by customer cardinality.

Minimal-viable page: the frontend is named in the source but not deeply described. The post discloses its role in the authz path but leaves its deployment topology, VTGate relationship, connection-pooling model, session-principal caching behaviour, and revocation-propagation semantics unspecified. Future PlanetScale posts that describe any of those axes would extend this page.

Seen in

• sources/2026-04-21-planetscale-behind-the-scenes-how-we-built-password-roles — canonical disclosure of the frontend's authorization role: password authentication against the credential store, role lookup, and on-the-fly rewrite of the security principal to one of three synthetic Vitess usernames.

Related

• systems/planetscale — managed-database product the frontend fronts.
• systems/vitess — downstream substrate.
• systems/vitess-table-acl — the static-config authz mechanism whose principal surface the frontend rewrites into.
• systems/mysql — wire protocol the frontend terminates and re-originates.
• concepts/on-the-fly-security-principal-rewrite — the design primitive the frontend implements.
• concepts/external-credential-store — where the password, role, and hash state live.
• patterns/external-credential-store-with-principal-rewrite — canonicalised pattern the frontend is the ingress half of.