[MXS-4213] Proxy Protocol : access denied Without dynamic_node_detection=false - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 6.4.1
Fix Version/s: 22.08.0
Component/s: xpandmon
Labels:
None

Description

Issue
====
Default value of dynamic_node_detection is true
If we don't put dynamic_node_detection=false for the xpandmon monitor in
MaxScale config then the login attempts using proxy fails.

Backend issue appears to be that dynamically detected nodes are having
proxy_protocol off so users are getting access denied.

Below example is where karma075 is MaxScale and user1@clientIP, user2@clientIP
are Xpand users.

[root@vqc006a ~]#  mysql -A -h karma075 -u user1 -P 4008 -p

Enter password:

ERROR 1045 (28000): Access denied for user 'user1'@'10.2.14.177' (using

password: YES)

[root@vqc006a ~]#

[root@vqc006a ~]#

[root@vqc006a ~]#  mysql -A -h karma075 -u user2 -P 4008

ERROR 1045 (28000): Access denied for user 'user2'@'10.2.14.177' (using

password: NO)

[root@vqc006a ~]#

Expected Fix
=========
If our MaxScale understanding is right that one need atleast 1 bootstrap server
configuration to be defined by customer for “dynamic_node_detection”
feature to work and If the customer define "proxy_protocol=on" under server definition (in MaxScale
config) then any dynamic detection for that server nodes should have
proxy_protocol=on and
if customer Do Not put "proxy_protocol=on" then dynamic detection for that
server nodes should have proxy_protocol=off.

This way its conditional, more safe and will not effect non proxy environments.

Detailed Analysis
============
After checking traces from Maxscale and Xpand sides, its revealed that there is
no "proxy" packet.

When checked through maxctrl cmd, found that dynamically detected servers as
shown below have "proxy_protocol" set to off/false .

[root@karma075 ~]# maxctrl show servers | grep 'Server|proxy_protocol'

│ Server              │ Bootstrap1                                   │

│                     │     "proxy_protocol": true,                  │

│ Server              │ Bootstrap2                                   │

│                     │     "proxy_protocol": true,                  │

│ Server              │ Bootstrap3                                   │

│                     │     "proxy_protocol": true,                  │

│ Server              │ @@Clustrix:node-1                            │

│                     │     "proxy_protocol": false,                 │

│ Server              │ @@Clustrix:node-2                            │

│                     │     "proxy_protocol": false,                 │

│ Server              │ @@Clustrix:node-3                            │

│                     │     "proxy_protocol": false,                 │

Since these server entries are detected at the runtime, there is no way
customer can manually change this parameter's value. We tried with maxctrl and
it failed

[root@karma075 ~]# maxctrl alter server @@Clustrix:node-1 proxy_protocol true

Error: Server at http://127.0.0.1:8989 responded with 400 Bad Request to `PATCH

servers/@@Clustrix:node-1`

    "errors": [

            "detail": "Cannot update server '@@Clustrix:node-1' to '[10.2.15.126]:3306', server 'Bootstrap1' exists there already."

[root@karma075 ~]#

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

xpand_trace.txt
53 kB
2022-07-20 23:24
maxscale_trace.txt
9 kB
2022-07-20 23:24

Issue Links

relates to

MXS-4219 Settings of bootstrap servers are not correctly propagated to dynamic servers

Closed

Activity

People

Assignee:: markus makela

Reporter:: Christine Lieu (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022-07-20 23:24

Updated:: 2022-07-27 22:11

Resolved:: 2022-07-25 12:21

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.