MariaDB MaxScale / MXS-4213

Proxy Protocol: access denied without dynamic_node_detection=false


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.4.1
    • Fix Version/s: 22.08.0
    • Component/s: xpandmon
    • Labels:
      None

      Description

      Issue
      ====
      The default value of dynamic_node_detection is true.
      If we don't put dynamic_node_detection=false for the xpandmon monitor in
      the MaxScale config, then the login attempts using proxy fail.

      The backend issue appears to be that dynamically detected nodes have
      proxy_protocol off, so users are getting access denied.

      In the example below, karma075 is MaxScale and user1@clientIP, user2@clientIP
      are Xpand users.

      [root@vqc006a ~]#  mysql -A -h karma075 -u user1 -P 4008 -p
      Enter password:
      ERROR 1045 (28000): Access denied for user 'user1'@'10.2.14.177' (using password: YES)
      [root@vqc006a ~]#
      [root@vqc006a ~]#
      [root@vqc006a ~]#  mysql -A -h karma075 -u user2 -P 4008
      ERROR 1045 (28000): Access denied for user 'user2'@'10.2.14.177' (using password: NO)
      [root@vqc006a ~]#
      

      Expected Fix
      =========
      If our MaxScale understanding is right that one needs at least 1 bootstrap server
      configuration to be defined by the customer for the “dynamic_node_detection”
      feature to work, and if the customer defines "proxy_protocol=on" under the server
      definition (in the MaxScale config), then any dynamically detected nodes for that
      server should have proxy_protocol=on, and
      if the customer does not put "proxy_protocol=on", then the dynamically detected
      nodes for that server should have proxy_protocol=off.

      This way it's conditional, safer, and will not affect non-proxy environments.

      Detailed Analysis
      ============
      After checking traces from the MaxScale and Xpand sides, it was revealed that
      there is no "proxy" packet.

      When checked through the maxctrl command, we found that the dynamically detected
      servers, as shown below, have "proxy_protocol" set to off/false.

      [root@karma075 ~]# maxctrl show servers | grep -E 'Server|proxy_protocol'

      │ Server              │ Bootstrap1                                   │
      │                     │     "proxy_protocol": true,                  │
      │ Server              │ Bootstrap2                                   │
      │                     │     "proxy_protocol": true,                  │
      │ Server              │ Bootstrap3                                   │
      │                     │     "proxy_protocol": true,                  │
      │ Server              │ @@Clustrix:node-1                            │
      │                     │     "proxy_protocol": false,                 │
      │ Server              │ @@Clustrix:node-2                            │
      │                     │     "proxy_protocol": false,                 │
      │ Server              │ @@Clustrix:node-3                            │
      │                     │     "proxy_protocol": false,                 │
      

      Since these server entries are detected at runtime, there is no way the
      customer can manually change this parameter's value. We tried with maxctrl and
      it failed:

      [root@karma075 ~]# maxctrl alter server @@Clustrix:node-1 proxy_protocol true
      Error: Server at http://127.0.0.1:8989 responded with 400 Bad Request to `PATCH servers/@@Clustrix:node-1`
      {
          "errors": [
              {
                  "detail": "Cannot update server '@@Clustrix:node-1' to '[10.2.15.126]:3306', server 'Bootstrap1' exists there already."
              }
          ]
      }
      [root@karma075 ~]# 
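
One way to check for the condition described in this report, as an added example that is not part of the original issue or of MaxScale's own tooling: it reads `maxctrl show servers` rows and lists dynamically detected nodes whose proxy_protocol differs from the bootstrap servers. It assumes dynamic nodes carry the "@@" name prefix shown above; the function names and the DRIFT/UNDETERMINED output lines are made up for the example.

```sh
#!/bin/sh
# Added example (not MaxScale code): flag dynamically detected nodes whose
# proxy_protocol differs from the bootstrap servers they were discovered from.

# Constructed sample: the filtered `maxctrl show servers` rows from the report.
sample_output() {
cat <<'EOF'
│ Server              │ Bootstrap1                                   │
│                     │     "proxy_protocol": true,                  │
│ Server              │ Bootstrap2                                   │
│                     │     "proxy_protocol": true,                  │
│ Server              │ Bootstrap3                                   │
│                     │     "proxy_protocol": true,                  │
│ Server              │ @@Clustrix:node-1                            │
│                     │     "proxy_protocol": false,                 │
│ Server              │ @@Clustrix:node-2                            │
│                     │     "proxy_protocol": false,                 │
│ Server              │ @@Clustrix:node-3                            │
│                     │     "proxy_protocol": false,                 │
EOF
}

# Reads `maxctrl show servers` table rows on stdin and prints one DRIFT line per
# dynamic node that disagrees with the bootstrap setting (nothing when consistent).
# Assumptions: dynamic nodes are the ones named with an "@@" prefix, as in the
# report, and cells are separated by whitespace around the box-drawing bars.
proxy_protocol_drift() {
  awk '
    $2 == "Server" { name = $4; next }          # start of a new server block
    {
      for (i = 1; i < NF; i++) {
        if ($i != "\"proxy_protocol\":") continue
        val = $(i + 1); gsub(/,/, "", val)
        if (name ~ /^@@/) { order[++n] = name; dyn[name] = val }
        else if (!(val in boot)) { boot[val] = 1; kinds++; want = val }
      }
    }
    END {
      # Mixed or missing bootstrap values: there is no single setting to inherit.
      if (kinds != 1) { print "UNDETERMINED bootstrap proxy_protocol"; exit }
      for (j = 1; j <= n; j++)
        if (dyn[order[j]] != want)
          print "DRIFT " order[j] " proxy_protocol=" dyn[order[j]] " bootstrap=" want
    }'
}

sample_output | proxy_protocol_drift
```

Against a live instance the input would come from `maxctrl show servers | proxy_protocol_drift`; any DRIFT line means backends behind the same monitor disagree on whether a proxy header is sent.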
      

              People

              Assignee: markus makela
              Reporter: Christine Lieu (clieu)