  1. MariaDB MaxScale
  2. MXS-4146

Xpand MaxScale Tutorial in KB doesn't work

Details

    • MXS-SPRINT-159

    Description

      This was originally reported in the docs-talk slack channel by Luke Smith.

      Luke reported a problem with this KB documentation page about using MaxScale with Xpand, which is generated from this page in GitHub.

      This document does not list the full set of required privileges.

      When a user tries to connect with the privileges listed in the document, they will see the following error in the MaxScale error log:

      2022-05-24 23:21:56   error  : Failed to query server '@@Xpand:node-1' for user account info. Query 'SELECT * FROM system.users; SELECT u.username, u.host, a.dbname, a.privileges FROM system.user_acl AS a LEFT JOIN system.users AS u ON (u.user = a.role); SHOW DATABASES;' failed. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`users`.; transaction aborted.
      

      If the SELECT privilege is granted on the `system`.`users` table, users still see the following error in the MaxScale error log:

      2022-05-24 23:23:35   error  : Failed to query server '@@Xpand:node-1' for user account info. Multiquery element 'SELECT u.username, u.host, a.dbname, a.privileges FROM system.user_acl AS a LEFT JOIN system.users AS u ON (u.user = a.role);' failed. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`user_acl`.; transaction aborted.
      

      If the SELECT privilege is also granted on the `system`.`user_acl` table, then connections are successful.

      However, there might be other permissions missing as the "maxscale" user still can't use customer databases due to the following error in the MaxScale error log:

      2022-05-24 23:48:26   warning: (26) [MariaDBProtocol] Authentication failed for user 'horizonApp'@[10.70.120.51] to service 'Xpand-Service'. Originating listener: 'xpand_listener'. MariaDB error: 'Unknown database 'database_name''.
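
The errors quoted above name each missing privilege one at a time. As an added example (not part of the original report and not MaxScale project code), the script below collects every "Permission denied ... is missing" entry from a MaxScale error log and renders one table-scoped GRANT per finding, so the service user gets only what the log shows it needs. The function names, the shortened sample lines and the MySQL-style GRANT syntax are assumptions of this example.

```python
import re

# Constructed sample: the two "Permission denied" lines quoted in this issue,
# shortened to the part the parser needs, plus one unrelated warning.
SAMPLE_LOG = """\
2022-05-24 23:21:56   error  : Failed to query server '@@Xpand:node-1' for user account info. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`users`.; transaction aborted.
2022-05-24 23:23:35   error  : Failed to query server '@@Xpand:node-1' for user account info. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`user_acl`.; transaction aborted.
2022-05-24 23:48:26   warning: (26) [MariaDBProtocol] Authentication failed for user 'horizonApp'@[10.70.120.51] to service 'Xpand-Service'.
"""

DENIED = re.compile(
    r"Permission denied: User '(?P<user>[^']+)'@'(?P<host>[^']+)' is missing "
    r"(?P<priv>[A-Z ]+?) on `(?P<db>[^`]+)`\.`(?P<table>[^`]+)`"
)
SAFE_IDENT = re.compile(r"[A-Za-z0-9_]+")       # schema and table names
SAFE_ACCOUNT = re.compile(r"[A-Za-z0-9_.%-]+")  # user name and host pattern


def missing_privileges(log_text):
    """Return de-duplicated (user, host, priv, db, table) tuples in log order."""
    seen, found = set(), []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        item = (m["user"], m["host"], m["priv"], m["db"], m["table"])
        if item not in seen:
            seen.add(item)
            found.append(item)
    return found


def grant_statements(items):
    """Render one table-scoped GRANT per item (MySQL-style syntax, assumed)."""
    out = []
    for user, host, priv, db, table in items:
        # Log text is untrusted input: refuse anything that could break quoting.
        if not (SAFE_IDENT.fullmatch(db) and SAFE_IDENT.fullmatch(table)
                and SAFE_ACCOUNT.fullmatch(user) and SAFE_ACCOUNT.fullmatch(host)):
            raise ValueError(f"unsafe identifier in log: {user}@{host} {db}.{table}")
        out.append(f"GRANT {priv} ON `{db}`.`{table}` TO '{user}'@'{host}';")
    return out


if __name__ == "__main__":
    print("\n".join(grant_statements(missing_privileges(SAMPLE_LOG))))
```

Review the generated statements before applying them; the log only reveals a missing privilege after the previous one has been granted, so the scan has to be repeated until the log is clean.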
      


        Activity

          AnneStrasser Anne Strasser (Inactive) added a comment -

          Another comment from Luke Smith via docs-talk slack channel:

          So the next thing it wanted was show databases permission. Though I believe I see the issue, it seems this is just for the monitor user, not for an actual database proxy user (one that checks auth/grants/etc).
          So maybe we are just missing that documentation or I was looking in the wrong place. Maybe just adding the fact that creating an "app_user/service_user" needs to also have X or link to X might be sufficient.
          Thanks again for the help!

          johan.wikman Johan Wikman added a comment -

          I think this is a documentation problem.

          The user used for the monitor and the user used for the service need a disjoint set of rights. However, since the tutorial uses the same user for both the monitor and the service, this may not be obvious.

          markus makela markus makela added a comment -

          Changed this to a Task since it's not a bug and doesn't belong in the release notes.


          People

            johan.wikman Johan Wikman
            AnneStrasser Anne Strasser (Inactive)