[MDEV-639] LP:966254 - connection is refused while excuting "flush privileges" Created: 2012-08-09  Updated: 2023-04-27

Status: Confirmed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 5.1.67, 5.2.14, 5.3.12, 5.5.36, 10.0.10, 10.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Hickey Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 1
Labels: Launchpad

Attachments: XML File LPexportBug966254.xml     File LPexportBug966254_flush_priv.diff    

 Description   

In such scenario, we hit the infinite looping of 'flush privileges' events between master and
slave(it's also a master but read-only), which caused the app connections periodic error
of "host is not allowed to connect to this MySQL server".

As for the "flush privileges" passing between master and slave, back and forth, could refer to
https://bugs.launchpad.net/percona-server/+bug/940404

The root problems caused the connection issue is due to the logic defect which explained
as below:

For 'flush privileges', acl_reload()would be called, and then acl_load() is called. The
global variable allow_all_hosts will set to 0 under the lock, as well as the modification
for acl_check_hosts.

But when client connections to server, acl_check_hosts() will be called, which logic is
list below:

bool acl_check_host(const char *host, const char *ip)
 
1496 {
 
1497 if (allow_all_hosts)         
1498 return 0;
 
1499 VOID(pthread_mutex_lock(&acl_cache->lock));
 
1500
 
1501 if ((host && hash_search(&acl_check_hosts,(uchar*) host,strlen(host))) ||
 
1502 (ip && hash_search(&acl_check_hosts,(uchar*) ip, strlen(ip))))
 
1503 {

in line 1497,we find that allow_all_hosts is used without any lock, which caused
inconsistent between allow_all_hosts and acl_check_hosts.

So there is a race risk, and in some special case which like we hit, that might be a
problem.

How to repeat:
NoN

Suggested fix:
check allow_all_hosts under the lock, just like this:

VOID(pthread_mutex_lock(&acl_cache->lock));
 
if (allow_all_hosts){
 
   VOID(pthread_mutex_unlock(&acl_cache->lock));         	
   return 0;
 
}



 Comments   
Comment by Rasmus Johansson (Inactive) [ 2012-03-28 ]

Re: connection is refused while excuting "flush privileges"
this bug is very easy to repeat

1.create user xx1

root@(none) 05:10:33>grant all on . to xx1@'127.0.0.1' identified by '123';
Query OK, 0 rows affected (0.00 sec)

2. run sh:

$cat flush_pri.sh
#!/bin/sh

for i in

{1..100000}

; do
mysql -uroot -e 'flush privileges' &
mysql -uxx1 -p123 -h127.0.0.1 -P3320 -e "select user()"
done

3.
$sh flush_pri.sh | grep 'host'
ERROR 1130 (HY000): Host '127.0.0.1' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host '127.0.0.1' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host '127.0.0.1' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host '127.0.0.1' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host '127.0.0.1' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host '127.0.0.1' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host '127.0.0.1' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host '127.0.0.1' is not allowed to connect to this MySQL server
……
……
……

Comment by Rasmus Johansson (Inactive) [ 2012-03-28 ]

Re: connection is refused while excuting "flush privileges"
a simple patch for this bug.
based on Percona 5.5.18

Comment by Rasmus Johansson (Inactive) [ 2012-03-28 ]

a simple patch for this bug.
based on Percona 5.5.18

flush_priv.diff
LPexportBug966254_flush_priv.diff

Comment by Rasmus Johansson (Inactive) [ 2012-07-30 ]

Re: connection is refused while excuting "flush privileges"
http://bugs.mysql.com/bug.php?id=63178

this bug was fixed in MySQL 5.7.0

Noted in 5.7.0 changelog.

The server refused client connections while executing FLUSH
PRIVILEGES

Comment by Rasmus Johansson (Inactive) [ 2012-09-11 ]

Re: connection is refused while excuting "flush privileges"
./flush.sh | grep 'not allowed to '
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server
ERROR 1130 (HY000): Host 'localhost' is not allowed to connect to this MySQL server

Comment by Rasmus Johansson (Inactive) [ 2012-09-11 ]

Launchpad bug id: 966254

Comment by Elena Stepanova [ 2014-04-14 ]

I couldn't reproduce the actual problem with refused connections; but based on the code, if it is a bug, it still exists everywhere, so I'm setting the versions accordingly.

Comment by Elena Stepanova [ 2021-02-25 ]

It appears I was missing a step – void FLUSH PRIVILEGES don't seem to cause the effect, at least on modern versions; but if something has changed in the privileges, then the failure can be reproduced easily.
The test case below is for reproducing purposes only, it can't be put into the regression suite, as it never ends unless it fais!

--delimiter $
 
--send
 
  LOOP
 
    CREATE USER u;
 
    DROP USER u;
 
    FLUSH PRIVILEGES;
 
  END LOOP $
 
--delimiter ;
 
 
 
while (1)
 
{
 
  --connect (con1,127.0.0.1,root,,test,$MASTER_MYPORT)
 
  SELECT connection_id();
 
  --disconnect con1
 
}

10.2 577c970c

 
connection_id()
 
231
 
disconnect con1;
 
bug.t                                    [ fail ]
 
        Test ended at 2021-02-26 01:12:23
 
 
 
CURRENT_TEST: bug.t
 
mysqltest: At line 15: query 'connect  con1,127.0.0.1,root,,test,$MASTER_MYPORT' failed: 1130: Host 'localhost' is not allowed to connect to this MariaDB server

If socket is used instead of TCP, the failure doesn't happen (replace "127.0.0.1" with "localhost" in the test case to try).

I'm raising the priority as we have had a practical complaint which may have had the same cause, even although it hasn't been confirmed.

Please also note that starting from 10.4 the server logs a warning when it happens, and the warning is weird:

10.4 901bcde2

 
2021-02-26  1:51:59 5 [Warning] Aborted connection 5 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)

Generated at Thu Feb 08 06:30:14 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.