  1. MariaDB MaxScale
  2. MXS-4688

Xpand unable to authenticate native users with maxscale passthrough

Details

    Description

      With the authentication plugin set to clearpw_passthrough, LDAP users passed
      through by MaxScale are getting authenticated by Xpand, but native Xpand users
      are not able to authenticate.

      MaxScale listener config:
      ==================
      authenticator=pamauth
      authenticator_options=pam_backend_mapping=clearpw_passthrough

      client connection via maxscale
      ======================
      [root@mcrae ~]# mysql --ssl -h mcrae -P 3307 -u xpanduser1 -ppassword
      ERROR 1045 (HY000): [40960] Access denied: for user 'xpanduser1'@'10.2.12.190'
      (using password: NO)

      maxscale log:
      ==========
      2023-07-31 11:00:37 info : (3) [MariaDBProtocol] Client from '10.2.12.190' is in progress of connecting to service 'Read-Only-Service' with SSL.
      2023-07-31 11:00:37 info : (3) [MariaDBProtocol] Connection attributes: no attributes
      2023-07-31 11:00:37 info : (3) [readconnroute] (Read-Only-Service); New session for server xpand1. Connections : 1
      2023-07-31 11:00:37 info : (3) Started Read-Only-Service client session [3] for 'xpanduser1' from 10.2.12.190
      2023-07-31 11:00:37 info : (3) Connected to 'xpand1' with thread id 318466
      2023-07-31 11:00:37 error : (3) Authentication to 'xpand1' failed: 1045, #HY000: [40960] Access denied: for user 'xpanduser1'@'10.2.12.190' (using password: NO)
      2023-07-31 11:00:37 error : (3) (Read-Only-Service); Authentication to 'xpand1' failed: 1045, #HY000: [40960] Access denied: for user 'xpanduser1'@'10.2.12.190' (using password: NO) (xpand1)
      2023-07-31 11:00:37 info : (3) Stopped Read-Only-Service client session [3]
      2023-07-31 11:00:37 info : Read 7 user@host entries from 'xpand1' for service 'Read-Only-Service'. The data was identical to existing user data.

      Xpand log:
      =======
      2023-07-31 11:00:37.900626 UTC nid 2 oak012white.colo.sproutsys.com clxnode: INFO mysql/server/mysql_proto.c:180 auth_error(): Error authenticating Xpand user 'xpanduser1'@'10.2.12.190': Access denied: for user 'xpanduser1'@'10.2.12.190' (using password: NO)

      With the above authentication settings we should allow both ldap and
      native xpand users.
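
      The symptom in the logs above is a backend login rejected with error 1045 and "using password: NO". The following is an added example, not part of the original report or of MaxScale: a small parser that finds such sessions in a MaxScale log. The function name and the sessions 4 and 5 in the sample are constructed for illustration.

```python
import re

# Session 3 is copied from the MaxScale log in the description; sessions 4 and 5 are constructed.
SAMPLE_LOG = """\
2023-07-31 11:00:37 info : (3) Started Read-Only-Service client session [3] for 'xpanduser1' from 10.2.12.190
2023-07-31 11:00:37 info : (3) Connected to 'xpand1' with thread id 318466
2023-07-31 11:00:37 error : (3) Authentication to 'xpand1' failed: 1045, #HY000: [40960] Access denied: for user 'xpanduser1'@'10.2.12.190' (using password: NO)
2023-07-31 11:00:37 error : (3) (Read-Only-Service); Authentication to 'xpand1' failed: 1045, #HY000: [40960] Access denied: for user 'xpanduser1'@'10.2.12.190' (using password: NO) (xpand1)
2023-07-31 11:00:37 info : (3) Stopped Read-Only-Service client session [3]
2023-07-31 11:00:37 info : Read 7 user@host entries from 'xpand1' for service 'Read-Only-Service'. The data was identical to existing user data.
2023-07-31 11:02:10 info : (4) Started Read-Only-Service client session [4] for 'ldapuser1' from 10.2.12.190
2023-07-31 11:02:10 info : (4) Connected to 'xpand1' with thread id 318470
2023-07-31 11:02:15 info : (5) Started Read-Only-Service client session [5] for 'xpanduser2' from 10.2.12.191
2023-07-31 11:02:15 error : (5) Authentication to 'xpand1' failed: 1045, #HY000: [40960] Access denied: for user 'xpanduser2'@'10.2.12.191' (using password: YES)
"""

# Line layout: "<date> <time> <level> : (<session id>) <message>"
LINE = re.compile(r"^(\S+ \S+)\s+(\w+)\s*:\s+\((\d+)\)\s+(.*)$")
STARTED = re.compile(r"Started (\S+) client session \[\d+\] for '([^']*)' from (\S+)")
FAILED = re.compile(r"Authentication to '([^']+)' failed: 1045,.*\(using password: (YES|NO)\)")


def passwordless_backend_failures(log_text):
    """Return one record per (session, server) where the backend rejected the
    login with error 1045 and reported "using password: NO"."""
    sessions = {}   # session id -> who connected, taken from the "Started" line
    findings = {}   # (session id, server) -> record; the failure is logged twice
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a session id, e.g. user-account refreshes
        ts, level, sid, msg = m.groups()
        started = STARTED.search(msg)
        if started:
            service, user, client = started.groups()
            sessions[sid] = {"service": service, "user": user, "client": client}
            continue
        failed = FAILED.search(msg)
        if level == "error" and failed and failed.group(2) == "NO":
            record = {"time": ts, "session": sid, "server": failed.group(1)}
            record.update(sessions.get(sid, {}))
            findings.setdefault((sid, failed.group(1)), record)
    return list(findings.values())


if __name__ == "__main__":
    for finding in passwordless_backend_failures(SAMPLE_LOG):
        print(finding)
```

      Session 5 is rejected with "using password: YES" and is therefore not reported; only the session matching the symptom in this issue is returned.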

        Activity

          damansaini Daman Saini (Inactive) added a comment - - edited

          New build was provided by esa.korhonen

          A new test build is available: https://mdbe-ci-repo.mariadb.net/public/Maxscale/MXS-4506_0208/
          The new build uses standard authentication; you need to remove
          authenticator=pam from the listener
          and have the following setting:
          authenticator_options=passthrough=true

          Per QA (susil.behera), the fix is working now.
          With the above build and settings, both LDAP and Xpand users can now successfully pass through MaxScale to Xpand.
          Xpand build used was "Xpand-transylvania-18728"

          esa.korhonen Esa Korhonen added a comment -

          Fixed as part of MXS-4506

          damansaini Daman Saini (Inactive) added a comment -

          In the final build of 23.08.0, the listener parameter for LDAP passthrough is changed to

          authenticator_options=clear_pw_passthrough=true

          People

            esa.korhonen Esa Korhonen
            damansaini Daman Saini (Inactive)