[MXS-1619] Maxscale v2.2 user authentication issue Created: 2018-01-19  Updated: 2021-06-21  Resolved: 2018-06-12

Status: Closed
Project: MariaDB MaxScale
Component/s: N/A
Affects Version/s: None
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Chandranana Assignee: Unassigned
Resolution: Cannot Reproduce Votes: 0
Labels: None

Attachments: Text File MaxScale_log.txt    

 Description   

We are facing issues in user authentication in client server communication via Maxscale on s390x.

  • Connection via Maxscale with the user with password - Authentication fails : Access is denied.
  • Connection via Maxscale with the user with no password set - Connection is successful.

More details as below,we have a container with IPs as follows:
MaxScale 172.17.0.4
Master 172.17.0.8
Client 172.17.0.10
Slave 172.17.0.9

User With Password:

On Master server below are the users with their privileges:

MariaDB [(none)]> SELECT User, Host, Password FROM mysql.user;
--------------------- ----------------------------------------

User Host Password
-------------------------------------------------------------
root localhost  
repl 172.17.0.9 *A424E797037BF97C19A2E88CF7891C5C2038C039
maxuser 172.17.0.4 *5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0
maxuser 172.17.0.10 *5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0

-------------------------------------------------------------
4 rows in set (0.00 sec)

MariaDB [(none)]> show grants for 'maxuser'@'172.17.0.4';
--------------------------------------------------------------------------------------------------------------------------

Grants for maxuser@172.17.0.4

--------------------------------------------------------------------------------------------------------------------------

GRANT ALL PRIVILEGES ON . TO 'maxuser'@'172.17.0.4' IDENTIFIED BY PASSWORD '*5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0'

--------------------------------------------------------------------------------------------------------------------------
1 row in set (0.00 sec)

MariaDB [(none)]> show grants for 'maxuser'@'172.17.0.10';
---------------------------------------------------------------------------------------------------------------------------

Grants for maxuser@172.17.0.10

---------------------------------------------------------------------------------------------------------------------------

GRANT ALL PRIVILEGES ON . TO 'maxuser'@'172.17.0.10' IDENTIFIED BY PASSWORD '*5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0'

---------------------------------------------------------------------------------------------------------------------------
1 row in set (0.00 sec)

When we try to connect from client to mariadb master via maxscale we get the below error in red:

_ mysql -h 172.17.0.4 -u maxuser -p -P 4008 _

ERROR 1045 (28000): Access denied for user 'maxuser'@'172.17.0.10' (using password: YES)

Maxscale configuration is as below:
Maxscale.cnf

[maxscale]
threads=auto
log_info=true

[server1]
type=server
address=172.17.0.8
port=3306
protocol=MariaDBBackend

[server2]
type=server
address=172.17.0.9
port=3306
protocol=MariaDBBackend

[MariaDB-Monitor]
type=monitor
module=mariadbmon
servers=server1,server2
user=maxuser
passwd=maxpwd
monitor_interval=2000

[Read-Only-Service]
type=service
router=readconnroute
servers=server1,server2
user=maxuser
passwd=maxpwd
router_options=slave

[Read-Write-Service]
type=service
router=readwritesplit
servers=server1,server2
user=maxuser
passwd=maxpwd

[MaxAdmin-Service]
type=service
router=cli

[Read-Only-Listener]
type=listener
service=Read-Only-Service
protocol=MariaDBClient
port=4008
address=0.0.0.0

[Read-Write-Listener]
type=listener
service=Read-Write-Service
protocol=MariaDBClient
port=4006
address=0.0.0.0

[MaxAdmin-Listener]
type=listener
service=MaxAdmin-Service
protocol=maxscaled
socket=default
===================================================================================================================

User Without Password:
On master now we remove the password for the users with following command :
SET password for 'maxuser'@'172.17.0.4' = PASSWORD('') ;
SET password for 'maxuser'@'172.17.0.10' = PASSWORD('') ;

Users & privileges are as below:

MariaDB [(none)]> SELECT User, Host, Password FROM mysql.user;
-------------------------------------------------------------

User Host Password

-------------------------------------------------------------

root localhost  
repl 172.17.0.9 *A424E797037BF97C19A2E88CF7891C5C2038C039
maxuser 172.17.0.4  
maxuser 172.17.0.10  

-------------------------------------------------------------
4 rows in set (0.00 sec)

MariaDB [(none)]> show grants for 'maxuser'@'172.17.0.10';
--------------------------------------------------------

Grants for maxuser@172.17.0.10

--------------------------------------------------------

GRANT ALL PRIVILEGES ON . TO 'maxuser'@'172.17.0.10'

--------------------------------------------------------
1 row in set (0.00 sec)

MariaDB [(none)]> show grants for 'maxuser'@'172.17.0.4';
-------------------------------------------------------

Grants for maxuser@172.17.0.4

-------------------------------------------------------

GRANT ALL PRIVILEGES ON . TO 'maxuser'@'172.17.0.4'

-------------------------------------------------------
1 row in set (0.00 sec)

When we try to connect to master from client via maxscale without password being set, the connection is successful.

mysql -h 172.17.0.4 -u maxuser -p -P 4008
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 10.0.0 2.2.1-maxscale

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

======================================================================
To double check on the grants of users we tried following commands :
From Maxscale:
mysql -h 172.17.0.8 -u maxuser -p -e "show grants"
From Client:
mysql -h 172.17.0.8 -u maxuser -p -e "show grants"

All permissions are granted for these users.

Maxscale.log doesn't show any errors for authentication except error : Failed to read journal file: Expected 671088640 bytes, read 40 bytes. PFA the maxscale log.

Please refer to https://groups.google.com/forum/#!topic/maxscale/X19k13cHBfA for further communication on this.

Please let us know if there are any pointers on this, what could be missing to get this work.

 Comments   
Comment by Chandranana [ 2018-01-22 ]

Any update on this? Please let us know if any, as it will speed up our Maxscale testing.

Comment by Chandranana [ 2018-01-29 ]

Team,
Could you please provide your comments on this? Is there anything that we are missing?

Comment by dapeng huang [ 2018-01-29 ]

Are you sure your password is correct?
Does select password('###your_password##') equal to '*5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0'

Comment by Chandranana [ 2018-01-29 ]

The password that we enter is "maxpwd" for maxuser
In the table it is listed as : SELECT User, Host, Password FROM mysql.user;
--------------------------------------------------------------

User Host Password

--------------------------------------------------------------

root localhost  
repl 172.17.0.9 *A424E797037BF97C19A2E88CF7891C5C2038C039
maxuser 172.17.0.4 *5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0
maxuser 172.17.0.10 *5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0

--------------------------------------------------------------

4 rows in set (0.00 sec)

Password seems to be correct:
select password('maxpwd');
-------------------------------------------

password('maxpwd')

-------------------------------------------

*5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0

-------------------------------------------
1 row in set (0.00 sec)

Comment by Johan Wikman [ 2018-01-30 ]

If you do not see the same behaviour on an x86 platform, then I would guess (a pure guess) that this is somehow related to the fact that Linux on s390x is big-endian while Linux on x86 is little-endian.

Comment by ZhenweiYang [ 2020-10-27 ]

HI All,
I am confusing by the same issue.

My maxscale version is 2.5.5,
when I login with the correct password by DBeaver 7.2.2 (mysql jdbc 5.1.48 ), I got the same error: Access denied for user xxx

I checked log and found that the password is changing every time when I login.

And every thing is ok when use maxscale 2.4.1.

How I can fix this issue ?

[root@db_1111_middle_02-210-37 maxscale]# maxscale -V
MaxScale 2.5.5 - 91c3b76195d0057ddbe572bbb8d17f6ac6b09d5e
CMake flags: -DBUILD_TESTS=N -DBUILD_MMMON=Y -DBUILD_CDC=Y -DBUILD_GUI=Y -DPACKAGE=Y -DDISTRIB_SUFFIX=rhel.7

2020-10-27 16:45:15 info : (2) (find_user): Found matching user 'sysbench'@'10.0.0.108' for client 'sysbench'@'10.0.0.108' with sufficient privileges.
2020-10-27 16:45:15 warning: (2) [mariadbclient] (send_authetication_error): Authentication failed for user 'sysbench'@[10.0.0.108] to service 'EC-Read-Write-Service'. Originating listener: 'EC-Read-Write-Listener'. MariaDB error: 'Access denied for user 'sysbench'@'10.0.0.108' (using password: YES)'. Authenticator error: 'Client gave wrong password. Got hash D3F74539A8551F9E63802480A1CED6F100145437, expected B9049AE9D8054CF88C12F5DEAD8609EED695CF45'.
2020-10-27 16:45:15 info : (session_free): Stopped EC-Read-Write-Service client session [2]
2020-10-27 16:45:15 info : (update_users): Read 31 user@host entries from 'EC-server1' for service 'EC-Read-Write-Service'. The data was identical to existing user data.
2020-10-27 16:45:21 info : (3) (find_user): Found matching user 'sysbench'@'10.0.0.108' for client 'sysbench'@'10.0.0.108' with sufficient privileges.
2020-10-27 16:45:21 warning: (3) [mariadbclient] (send_authetication_error): Authentication failed for user 'sysbench'@[10.0.0.108] to service 'EC-Read-Write-Service'. Originating listener: 'EC-Read-Write-Listener'. MariaDB error: 'Access denied for user 'sysbench'@'10.0.0.108' (using password: YES)'. Authenticator error: 'Client gave wrong password. Got hash 477016F41A29F2EB2597BEABD5C9CB0278ACCA4B, expected B9049AE9D8054CF88C12F5DEAD8609EED695CF45'.

Comment by Karl Klepper [ 2021-06-21 ]

Same issue here, CentOS 8.

Tried both with MariaDB 10.3 and 10.5 and Maxscale 2.4 and 2.5. with docker volumes to make maxuser permanent.

MariaDB [(none)]> SELECT user, host, password FROM mysql.user ORDER BY 1;
-----------------------------------------------------------

user host password

-----------------------------------------------------------

maxuser % *6D77128EAE2D6A2B3132D6A486D2C36F1406B161
root localhost  
root %  

-----------------------------------------------------------
3 rows in set (0.009 sec)

master_1 | 2021-06-21 12:08:15 22 [Warning] Access denied for user 'maxuser'@'192.168.0.5' (using password: YES)

Same for slaves, of course. This is really unpleasant. What happens here?

~# id=$(docker ps -a | grep "_maxscale" | grep -v "xited" | awk '

{print $1}

') && docker exec -it $id maxscale -V
MaxScale 2.4.17 - a8bfbbe254095d931aed351871fee72ce9ea645c
CMake flags: -DBUILD_TESTS=N -DBUILD_MMMON=Y -DBUILD_CDC=Y -DBUILD_GUI=Y -DPACKAGE=Y -DDISTRIB_SUFFIX=rhel.8

Comment by Karl Klepper [ 2021-06-21 ]

Sorry forgot to list the rights, given by a tutorial:

GRANT SELECT ON mysql.user TO 'maxuser'@'%';
GRANT SELECT ON mysql.db TO 'maxuser'@'%';
GRANT SELECT ON mysql.tables_priv TO 'maxuser'@'%';
GRANT SELECT ON mysql.roles_mapping TO 'maxuser'@'%';
GRANT SHOW DATABASES ON . TO 'maxuser'@'%';

Comment by Karl Klepper [ 2021-06-21 ]

Another fact: I use docker. Here is my compose file

version: '2'
services:
master:
image: mariadb
environment:
MYSQL_ALLOW_EMPTY_PASSWORD: 'Y'
volumes:

  • ./sql/master:/docker-entrypoint-initdb.d
  • maxmaster:/var/lib/mysql
    command: mysqld --log-bin=mariadb-bin --binlog-format=ROW --server-id=3000 --log-slave-updates
    ports:
  • "4001:3306"

slave1:
image: mariadb
depends_on:

  • master
    environment:
    MYSQL_ALLOW_EMPTY_PASSWORD: 'Y'
    volumes:
  • ./sql/slave:/docker-entrypoint-initdb.d
  • maxslave1:/var/lib/mysql
    command: mysqld --log-bin=mariadb-bin --binlog-format=ROW --server-id=3001 --log-slave-updates
    ports:
  • "4002:3306"

slave2:
image: mariadb
depends_on:

  • master
    environment:
    MYSQL_ALLOW_EMPTY_PASSWORD: 'Y'
    volumes:
  • ./sql/slave:/docker-entrypoint-initdb.d
  • maxslave2:/var/lib/mysql
    command: mysqld --log-bin=mariadb-bin --binlog-format=ROW --server-id=3002 --log-slave-updates
    ports:
  • "4003:3306"

maxscale:
image: mariadb/maxscale
depends_on:

  • master
  • slave1
  • slave2
    volumes:
  • ./maxscale.cnf.d:/etc/maxscale.cnf.d
    ports:
  • "4006:4006" # readwrite port
  • "4008:4008" # readonly port
  • "8989:8989" # REST API port

volumes:
maxmaster:
maxslave1:
maxslave2:

Generated at Thu Feb 08 04:08:09 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.