Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-3328

Persistent Connections on Maxscale 2.5 seem to break client authentication

    XMLWordPrintable

    Details

    • Sprint:
      MXS-SPRINT-121

      Description

      I'm seeing weird authentication failures for clients with 2.5.5 and a 3-node mariadb 10.5.8 galera cluster as backend in a testing setup when persistent connections are enabled. This doesn't seem to happen with 2.4.x.

      The issue manifests as follows. Soon after receiving connections, newer client connections start to fail. In the log the following is logged:

      2020-12-08 09:04:01   error  : (79) Invalid authentication message from backend 'gal3.lab'. Error code: 1045, Msg : #28000: Access denied for user 'redmine'@'10.0.63.186' (using password: YES)
      

      However there's no mysql client at 10.0.63.186 configured to use the username 'redmine'. This user is used in a client on another IP. Similarly, errors appear for that other user as well. In short, it seems that usernames and hosts are mixed up by maxscale when using persistent connections.

      Here's the relevant configuration used for this test:

      General:

      [maxscale]
      threads=auto
      admin_host=127.0.0.1
      admin_secure_gui=false
      

      Servers:

      [gal1]
      type=server
      address=gal1.lab
      port=3306
      persistpoolmax=300
      persistmaxtime=3600s
      proxy_protocol=on
      ssl=true
      ssl_verify_peer_certificate=true
      ssl_verify_peer_host=true
      ssl_ca_cert=/etc/maxscale/ssl/gal1.lab_chained_IR.crt
       
      [gal2]
      type=server
      address=gal2.lab
      port=3306
      persistpoolmax=300
      persistmaxtime=3600s
      proxy_protocol=on
      ssl=true
      ssl_verify_peer_certificate=true
      ssl_verify_peer_host=true
      ssl_ca_cert=/etc/maxscale/ssl/gal2.lab_chained_IR.crt
       
      [gal3]
      type=server
      address=gal3.lab
      port=3306
      persistpoolmax=300
      persistmaxtime=3600s
      proxy_protocol=on
      ssl=true
      ssl_verify_peer_certificate=true
      ssl_verify_peer_host=true
      ssl_ca_cert=/etc/maxscale/ssl/gal3.lab_chained_IR.crt
      

      Monitors:

      [Galera-Monitor]
      type=monitor
      module=galeramon
      servers=gal1, gal2, gal3
      user=maxscale-monitor
      password=*************
      monitor_interval=2000ms
      available_when_donor=true
      

      Routers:

      [Read-Write-Service]
      type=service
      router=readwritesplit
      servers=gal1, gal2, gal3
      user=maxscale
      password=****************
      master_accept_reads=true
      connection_keepalive=300s
      master_reconnection=true
      master_failure_mode=fail_on_write
      max_sescmd_history=1500
      prune_sescmd_history=true
      session_track_trx_state=true
      

      Listeners:

      [Read-Write-Listener]
      type=listener
      service=Read-Write-Service
      protocol=MariaDBClient
      address=10.0.63.250
      port=3306
      

      Lastly, I was wondering whether MXS-3275 is in anyway related to this?

      I'm available for more testing if needed. Thank you.

        Attachments

          Activity

            People

            Assignee:
            markus makela markus makela
            Reporter:
            gedia George Diamantopoulos
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Git Integration