[MXS-3328] Persistent Connections on Maxscale 2.5 seem to break client authentication - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5.5
Fix Version/s: 2.5.6
Component/s: mariadbbackend, readwritesplit
Labels:
- galera
Environment:
Debian Buster 10.7

Sprint:
MXS-SPRINT-121

Description

I'm seeing weird authentication failures for clients with 2.5.5 and a 3-node mariadb 10.5.8 galera cluster as backend in a testing setup when persistent connections are enabled. This doesn't seem to happen with 2.4.x.

The issue manifests as follows. Soon after receiving connections, newer client connections start to fail. In the log the following is logged:

2020-12-08 09:04:01   error  : (79) Invalid authentication message from backend 'gal3.lab'. Error code: 1045, Msg : #28000: Access denied for user 'redmine'@'10.0.63.186' (using password: YES)

However there's no mysql client at 10.0.63.186 configured to use the username 'redmine'. This user is used in a client on another IP. Similarly, errors appear for that other user as well. In short, it seems that usernames and hosts are mixed up by maxscale when using persistent connections.

Here's the relevant configuration used for this test:

General:

[maxscale]

threads=auto

admin_host=127.0.0.1

admin_secure_gui=false

Servers:

[gal1]

type=server

address=gal1.lab

port=3306

persistpoolmax=300

persistmaxtime=3600s

proxy_protocol=on

ssl=true

ssl_verify_peer_certificate=true

ssl_verify_peer_host=true

ssl_ca_cert=/etc/maxscale/ssl/gal1.lab_chained_IR.crt

[gal2]

type=server

address=gal2.lab

port=3306

persistpoolmax=300

persistmaxtime=3600s

proxy_protocol=on

ssl=true

ssl_verify_peer_certificate=true

ssl_verify_peer_host=true

ssl_ca_cert=/etc/maxscale/ssl/gal2.lab_chained_IR.crt

[gal3]

type=server

address=gal3.lab

port=3306

persistpoolmax=300

persistmaxtime=3600s

proxy_protocol=on

ssl=true

ssl_verify_peer_certificate=true

ssl_verify_peer_host=true

ssl_ca_cert=/etc/maxscale/ssl/gal3.lab_chained_IR.crt

Monitors:

[Galera-Monitor]

type=monitor

module=galeramon

servers=gal1, gal2, gal3

user=maxscale-monitor

password=*************

monitor_interval=2000ms

available_when_donor=true

Routers:

[Read-Write-Service]

type=service

router=readwritesplit

servers=gal1, gal2, gal3

user=maxscale

password=****************

master_accept_reads=true

connection_keepalive=300s

master_reconnection=true

master_failure_mode=fail_on_write

max_sescmd_history=1500

prune_sescmd_history=true

session_track_trx_state=true

Listeners:

[Read-Write-Listener]

type=listener

service=Read-Write-Service

protocol=MariaDBClient

address=10.0.63.250

port=3306

Lastly, I was wondering whether ~~MXS-3275~~ is in anyway related to this?

I'm available for more testing if needed. Thank you.

Attachments

Activity

People

Assignee:: markus makela

Reporter:: George Diamantopoulos

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2020-12-08 15:02

Updated:: 2020-12-11 14:28

Resolved:: 2020-12-11 14:28

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.