
User authentication fails on backend servers with a large number of grants


Details

    • Bug
    • Status: Closed (View Workflow)
    • Minor
    • Resolution: Incomplete
    • 2.1.13
    • N/A
    • Authenticator
    • None
    • Ubuntu, DEB packages from MariaDB.org

    Description

      While similar to MXS-306 (and possibly related to MXS-356), this doesn't seem to be the same bug. We had two different environments on which we're trying to use MaxScale for security purposes (by locking down access from some machines to specific users, via dbfwfilter).

      TCPdump shows the following query running from the MaxScale node to a MySQL backend:

      SELECT u.user, u.host, d.db, u.select_priv, u.password
      FROM mysql.user AS u 
      LEFT JOIN mysql.db AS d
      ON (u.user = d.user AND u.host = d.host) WHERE u.user NOT IN ('root')
      UNION
      SELECT u.user, u.host, t.db, u.select_priv, u.password
      FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t
      ON (u.user = t.user AND u.host = t.host) WHERE u.user NOT IN ('root');
      

      On server A, the query above returns 1620 rows and everything works fine. On server B, the same query (when run manually on the mysql CLI) returns 2485 rows.

      As I said before, for server A, it loads the authentication information just fine, but for backend server B, we get the following in the MaxScale logs:

      2018-02-08 14:38:46   notice : Started MaxScale log flusher.
      2018-02-08 14:38:49   error  : [MySQLAuth] Failed to load users: Lost connection to MySQL server during query
      2018-02-08 14:38:49   info   : [MySQLAuth] Added user: INSERT OR REPLACE INTO mysqlauth_users VALUES ('maxuser', '%', NULL, 1, 'A1328B81CED7AA9EFFAF8CC6DB1D0C540CDED1DA')
      2018-02-08 14:38:49   info   : [MySQLAuth] Added user: INSERT OR REPLACE INTO mysqlauth_users VALUES ('maxuser', 'localhost', NULL, 1, 'A1328B81CED7AA9EFFAF8CC6DB1D0C540CDED1DA')
      2018-02-08 14:38:49   notice : [MySQLAuth] [Firewall Service DEV] No users were loaded but 'inject_service_user' is enabled. Enabling service credentials for authentication until database users have been successfully loaded.
      

      This seems to be related to the internal, in-memory SQLite database (or the memory allocation allowed for it): it works 'fine' for relatively small/simple sets of credentials, but fails with larger sets.
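
Added example, not part of the original report or of MaxScale: a log check that flags the condition shown in the excerpt above, where MySQLAuth fails to load users and a service falls back to its service credentials. The function name, the finding fields and the sample log (constructed from the excerpt, with the hash replaced) are assumptions.

```python
import re

# Constructed sample modelled on the log excerpt in the report (hash replaced).
SAMPLE_LOG = """\
2018-02-08 14:38:46   notice : Started MaxScale log flusher.
2018-02-08 14:38:49   error  : [MySQLAuth] Failed to load users: Lost connection to MySQL server during query
2018-02-08 14:38:49   info   : [MySQLAuth] Added user: INSERT OR REPLACE INTO mysqlauth_users VALUES ('maxuser', '%', NULL, 1, '<redacted>')
2018-02-08 14:38:49   info   : [MySQLAuth] Added user: INSERT OR REPLACE INTO mysqlauth_users VALUES ('maxuser', 'localhost', NULL, 1, '<redacted>')
2018-02-08 14:38:49   notice : [MySQLAuth] [Firewall Service DEV] No users were loaded but 'inject_service_user' is enabled. Enabling service credentials for authentication until database users have been successfully loaded.
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s*:\s*(.*)$")
LOAD_FAIL = re.compile(r"\[MySQLAuth\] Failed to load users: (.+)")
ADDED = re.compile(r"\[MySQLAuth\] Added user: INSERT OR REPLACE INTO "
                   r"mysqlauth_users VALUES \('([^']*)', '([^']*)'")
FALLBACK = re.compile(r"\[MySQLAuth\] \[([^\]]+)\] No users were loaded but "
                      r"'inject_service_user' is enabled")


def find_auth_fallbacks(log_text):
    """Return one finding per service that fell back to service credentials."""
    findings, failure, injected = [], None, []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # skip lines that are not in the "timestamp level : msg" form
        ts, _level, msg = line.groups()
        if (m := LOAD_FAIL.search(msg)):
            # A user-load failure opens a window; accounts added after it are
            # assumed to be the injected service user, as in the excerpt.
            failure, injected = {"failed_at": ts, "reason": m.group(1)}, []
        elif failure and (m := ADDED.search(msg)):
            injected.append(m.groups())  # (user, host)
        elif (m := FALLBACK.search(msg)):
            findings.append({"service": m.group(1), "fallback_at": ts,
                             "reason": failure["reason"] if failure else None,
                             "accounts": injected})
            failure, injected = None, []
    return findings


if __name__ == "__main__":
    for finding in find_auth_fallbacks(SAMPLE_LOG):
        print(finding)
```

A finding means the service is authenticating only the listed accounts, so any dbfwfilter rules written for the backend's own users cannot take effect until the user load succeeds.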


            People

              Unassigned
              augustobott Augusto Bott