This document does not list the full set of required privileges.
When a user tries to connect with the privileges listed in the document, they will see the following error in the MaxScale error log:
2022-05-24 23:21:56 error : Failed to query server '@@Xpand:node-1' for user account info. Query 'SELECT * FROM system.users; SELECT u.username, u.host, a.dbname, a.privileges FROM system.user_acl AS a LEFT JOIN system.users AS u ON (u.user = a.role); SHOW DATABASES;' failed. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`users`.; transaction aborted.
If the SELECT privilege is granted on the `system`.`users` table, users still see the following error in the MaxScale error log:
2022-05-24 23:23:35 error : Failed to query server '@@Xpand:node-1' for user account info. Multiquery element 'SELECT u.username, u.host, a.dbname, a.privileges FROM system.user_acl AS a LEFT JOIN system.users AS u ON (u.user = a.role);' failed. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`user_acl`.; transaction aborted.
If the SELECT privilege is also granted on the `system`.`user_acl` table, then connections are successful.
However, there might be other permissions missing as the "maxscale" user still can't use customer databases due to the following error in the MaxScale error log:
2022-05-24 23:48:26 warning: (26) [MariaDBProtocol] Authentication failed for user 'horizonApp'@[10.70.120.51] to service 'Xpand-Service'. Originating listener: 'xpand_listener'. MariaDB error: 'Unknown database 'database_name''.
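As an added example (not part of the original report and not MaxScale tooling), this Python script collects the "is missing ... on" errors quoted above and renders one table-scoped GRANT per object, so the account receives only what the log shows it lacks. The sample log is constructed by abbreviating the lines in the report, and the MySQL-style GRANT syntax is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the log lines quoted in the report
# (failed query text omitted; the user_acl error is repeated on purpose).
SAMPLE_LOG = """\
2022-05-24 23:21:56 error : Failed to query server '@@Xpand:node-1' for user account info. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`users`.; transaction aborted.
2022-05-24 23:23:35 error : Failed to query server '@@Xpand:node-1' for user account info. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`user_acl`.; transaction aborted.
2022-05-24 23:23:40 error : Failed to query server '@@Xpand:node-1' for user account info. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`user_acl`.; transaction aborted.
2022-05-24 23:48:26 warning: (26) [MariaDBProtocol] Authentication failed for user 'horizonApp'@[10.70.120.51] to service 'Xpand-Service'. MariaDB error: 'Unknown database 'database_name''.
"""

# Matches only errors that name the account, the privilege and the object.
# Quotes and backticks are excluded from the captured names, so a log value
# cannot break out of the quoting in the generated statement.
MISSING = re.compile(
    r"Permission denied: User '(?P<user>[^']+)'@'(?P<host>[^']+)' "
    r"is missing (?P<priv>[A-Z][A-Z ]*?) on `(?P<db>[^`]+)`\.`(?P<tbl>[^`]+)`"
)


def missing_privileges(log_text):
    """Map (user, host, db, table) -> set of privileges the log reports missing."""
    found = defaultdict(set)
    for m in MISSING.finditer(log_text):
        found[(m["user"], m["host"], m["db"], m["tbl"])].add(m["priv"])
    return dict(found)


def grant_statements(log_text):
    """Render one GRANT per object, deduplicated (assumed MySQL-style syntax)."""
    stmts = []
    for (user, host, db, tbl), privs in sorted(missing_privileges(log_text).items()):
        plist = ", ".join(sorted(privs))
        stmts.append(f"GRANT {plist} ON `{db}`.`{tbl}` TO '{user}'@'{host}';")
    return stmts


if __name__ == "__main__":
    # Output is meant for review before anything is applied to the cluster.
    for stmt in grant_statements(SAMPLE_LOG):
        print(stmt)
```

The "Unknown database" warning names no privilege, so the script ignores it; that failure has to be diagnosed separately.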
Anne Strasser (Inactive)
added a comment - Another comment from Luke Smith via docs-talk Slack channel
So the next thing it wanted was show databases permission. Though I believe I see the issue, it seems this is just for the monitor user, not for an actual database proxy user (one that checks auth/grants/etc).
So maybe we are just missing that documentation or I was looking in the wrong place. Maybe just adding the fact that creating an "app_user/service_user" needs to also have X or link to X might be sufficient.
Thanks again for the help!
Johan Wikman
added a comment - I think this is a documentation problem.
The user used for the monitor and the user used for the service need a disjoint set of rights. However, since the tutorial uses the same user for both the monitor and the service, this may not be obvious.