[MDEV-31341] skip-name-resolve mode doesn't work with user@localhost Created: 2023-05-25  Updated: 2023-06-26  Resolved: 2023-06-26

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.11.3
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Sebastian Weiser Assignee: Sergei Golubchik
Resolution: Not a Bug Votes: 0
Labels: None
Environment: Windows



 Description   

The documentation for skip-name-resolve says:
> All host values in the GRANT tables must be IP addresses (or localhost).
(https://mariadb.com/kb/en/server-system-variables/#skip_name_resolve)
However, "localhost" doesn't work with said variable set to 1 (I've only tested it on Windows).

I have a user repl_status@localhost configured. This works fine with skip-name-resolve=0. With skip-name-resolve=1, I get one of the following warnings in the log file (depending on what IP version is used):
> [Warning] Access denied for user 'repl_status'@'::1' (using password: YES)
> [Warning] Access denied for user 'repl_status'@'127.0.0.1' (using password: YES)

Also note that the log file has warnings during startup for ignored entries like this:
> [Warning] 'user' entry 'root@c-2tcmqb3' ignored in --skip-name-resolve mode.
(Where c-2tcmqb3 is the host name.)
There is no such warning for @localhost.

Option 1: localhost isn't supposed to work: Then the documentation is wrong and the warning is missing.
Option 2: localhost is supposed to work: Well, it doesn't.

Side note: HeidiSQL has a dialog window for user accounts, in which it displays lines with host names in grey color when skip-name-resolve=1. It doesn't do that for localhost.



 Comments   
Comment by Sergei Golubchik [ 2023-06-20 ]

I'm not sure I understand what is the bug here. What doesn't work, exactly?
"localhost" is a hard-coded value meaning "local connection via unix socket or named pipe". If you connect using TCP/IP, you need skip_name_resolve=0 to resolve 127.0.0.1 or ::1.

Comment by Sebastian Weiser [ 2023-06-26 ]

The bug is that the implementation does not match the documentation (or at least the way I interpret the documentation). Whether that means that the documentation is wrong or the implementation is not for me to say.

I understand from the documentation: The special term "localhost" will still work with skip_name_resolve=1.
In reality, it doesn't.

For reference, this is what the doc says exactly:

> If set to 1 [...]. All host values in the GRANT tables must be IP addresses (or localhost).

I read: "localhost" is fine if skip_name_resolve=1.

Comment by Sergei Golubchik [ 2023-06-26 ]

Yes, "localhost" is fine. But it doesn't mean you can connect as 'repl_status'@'127.0.0.1'. Because 127.0.0.1 is not equal to localhost. It's an ip address that needs to be resolved to match localhost. And you have disabled name resolution.

If you connect as repl_status@localhost (via named pipes) you'll be able to connect if skip_name_resolve=1.
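
Added example (not part of the ticket and not MariaDB's code): a simplified Python model of the host matching described in the comments above, covering only the three kinds of Host value the thread mentions (localhost, IP literal, host name). Wildcard and netmask Host values are not modelled; the function names and the third sample account are assumptions.

```python
import ipaddress

def classify_host(host):
    """Classify a grant-table Host value as 'localhost', 'ip' or 'hostname'."""
    if host.lower() == "localhost":
        return "localhost"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "hostname"

def account_matches(host, transport, client_ip, skip_name_resolve):
    """Would an account with this Host value match the connection?

    transport is 'pipe' (named pipe / unix socket) or 'tcp'; client_ip is
    only used for TCP connections.
    """
    kind = classify_host(host)
    if transport == "pipe":
        # Local connections are always "localhost"; no resolution involved.
        return kind == "localhost"
    peer = ipaddress.ip_address(client_ip)
    if kind == "ip":
        return ipaddress.ip_address(host) == peer
    if skip_name_resolve:
        # The peer stays a bare IP address, so no name entry can match it.
        return False
    # With resolution on, only loopback -> localhost is modelled here;
    # other names would need a real DNS lookup.
    return kind == "localhost" and peer.is_loopback

def audit(accounts, skip_name_resolve=True):
    """List accounts whose reachability changes in skip-name-resolve mode."""
    findings = []
    if not skip_name_resolve:
        return findings
    for user, host in accounts:
        kind = classify_host(host)
        if kind == "hostname":
            findings.append((user, host, "ignored at startup"))
        elif kind == "localhost":
            findings.append((user, host, "pipe/socket only, add IP entries for TCP"))
    return findings

# First two accounts are from the ticket; the last is a constructed sample.
ACCOUNTS = [("repl_status", "localhost"), ("root", "c-2tcmqb3"),
            ("repl_status", "127.0.0.1")]

if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding)
```
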

Generated at Thu Feb 08 10:23:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.