[CONJ-1054] Threadsafety of CredentialPlugin in v3.x Created: 2023-02-14  Updated: 2023-10-25  Resolved: 2023-03-02

Status: Closed
Project: MariaDB Connector/J
Component/s: authentication
Affects Version/s: 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.1.0, 3.1.1, 3.1.2
Fix Version/s: 3.1.3

Type: Bug Priority: Major
Reporter: Mathieu Assignee: Diego Dupin
Resolution: Fixed Votes: 0
Labels: None


 Description   

Hey all. We have a custom CredentialPlugin linked to AWS SecretManager (for auto credential rotation). We have been using this plugin for a few months over multiple datasources (same app).

We recently switched from Spring Boot 2.6.x to 2.7.x, which upgraded the mariadb driver from 2.x to 3.x. From this upgrade we started seeing login failures, i.e. wrong username for the datasource. It was mostly working well, but there were some connection creations that were completely messed up with regard to users vs the actual datasource being connected to.

By looking at the code, it seems a single instance of a CredentialPlugin is used. The problem is that state is kept in that instance between the 'initialize' & 'get' calls. If 2 connection creations over 2 different threads happen at the same time, there will be a race condition, mix-matching the returned credentials.

We are wondering if there was a change in behavior in that regard from 2.x to 3.x. If not, we will look into other things that were upgraded in the stack. But even then, the way CredentialPlugin is implemented, it seems that it should ensure no 2 threads could call it at the same time.

Thanks!



 Comments   
Comment by Cyrille Mastchenko [ 2023-02-21 ]

I work with Mathieu.
Our application opens connections to multiple databases with different credentials (from 10 to 50 databases).
For each database we use HikariCP to manage a pool of connections, always opening new connections to allow the application to answer all its API calls.

Does the 'thread problem' we hit with the credential plugin also exist for all the other plugins loaded by the Java 'ServiceLoader.load' call?
Looking at the authentication plugin code (CachingSha2PasswordPlugin and NativePasswordPlugin, that we use with MySQL 5.7 and 8.0), each implementation has class variables

  private String authenticationData;
  private byte[] seed;

Since ServiceLoader.load creates only a singleton in the application, class variables can/will be overwritten between threads managing different connections, creating problems?

Comment by Diego Dupin [ 2023-03-01 ]

Yes, there is indeed a change that has introduced that kind of issue (the loader is static in 3.x, while it's loaded each time on 2.x).

This concerns only Credential plugins (not authentication plugins)

Comment by Mathieu [ 2023-03-01 ]

Thanks for confirming. Let me know if you would welcome a fix contribution (would be an Autodesk contribution).

Comment by Cyrille Mastchenko [ 2023-03-01 ]

Should the plugin be more of a 'factory' then? The initialize more of a 'static getInstance'?
I understand that this changes the way the plugin works and may break it for other 'plugin users'.
Will the plugin 'examples' in the driver GitHub also react badly in the same way?
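
The race described in this issue, and the 'factory' shape raised in the comments, as an added example (not code from the driver or from the reporters, and not necessarily the change shipped in 3.1.3). Plugin, SharedStatePlugin, FactoryPlugin and the datasource names are hypothetical stand-ins for a plugin that is initialized and then asked for credentials; the real CredentialPlugin interface is not used.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

public class CredentialRaceDemo {
    // Hypothetical stand-in for the plugin shape in the report: initialize(), then get().
    interface Plugin extends Supplier<String> { Plugin initialize(String datasource); }

    // Unsafe: the one shared instance keeps per-connection state between the two calls.
    static class SharedStatePlugin implements Plugin {
        private String datasource;
        public Plugin initialize(String ds) { this.datasource = ds; return this; }
        public String get() { return "user-for-" + datasource; }
    }

    // Safe: the shared instance holds no state; initialize() acts as a factory.
    static class FactoryPlugin implements Plugin {
        public Plugin initialize(String ds) {
            return new Plugin() {
                public Plugin initialize(String other) { return FactoryPlugin.this.initialize(other); }
                public String get() { return "user-for-" + ds; }
            };
        }
        public String get() { throw new IllegalStateException("call initialize() first"); }
    }

    // Simulates concurrent connection creation for two datasources against ONE plugin
    // instance and counts credentials that belong to the other datasource.
    static int mismatches(Plugin singleton, int rounds) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger wrong = new AtomicInteger();
        for (int i = 0; i < rounds; i++)
            for (String ds : new String[] {"orders", "billing"}) // constructed names
                pool.submit(() -> {
                    Plugin p = singleton.initialize(ds);
                    Thread.yield(); // widen the window between initialize() and get()
                    if (!p.get().equals("user-for-" + ds)) wrong.incrementAndGet();
                });
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        return wrong.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared state: " + mismatches(new SharedStatePlugin(), 20_000));
        System.out.println("factory:      " + mismatches(new FactoryPlugin(), 20_000));
    }
}
```

The first count varies from run to run and can be non-zero; the second is always 0 because each caller holds its own object.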
