[MXS-2496] Service user with roles causes false warnings
Created: 2019-05-16  Updated: 2020-08-25  Resolved: 2019-05-28

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator
Affects Version/s: 2.3.6
Fix Version/s: 2.3.8

Type: Bug Priority: Minor
Reporter: Kyle Joiner (Inactive) Assignee: markus makela
Resolution: Fixed Votes: 0
Labels: None


 Description   

When using roles to assign privileges for the maxscale user for services, there are some privilege warnings that do not seem to affect operation:

2019-05-16 13:08:57 warning: [Galera-Service] User 'maxscale' is missing the SHOW DATABASES privilege. This means that MaxScale cannot see all databases and authentication can fail.
2019-05-16 13:08:57 warning: [Galera-Service] User 'maxscale' is missing the SHOW DATABASES privilege. This means that MaxScale cannot see all databases and authentication can fail

MariaDB [(none)]> SHOW GRANTS FOR 'maxscale'@'xxxxxxxxxx.com';
+---------------------------------------------------------------------------------------------------------------------------------+
| Grants for maxscale@xxxxxxxxxx.com |
+---------------------------------------------------------------------------------------------------------------------------------+
| GRANT maxscale_role TO 'maxscale'@'xxxxxxxxxx.com' |
| GRANT USAGE ON *.* TO 'maxscale'@'xxxxxxxxxx.com' IDENTIFIED BY PASSWORD '*xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' |
+---------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
MariaDB [(none)]> SHOW GRANTS FOR 'maxscale_role';
+---------------------------------------------------------------------------------------+
| Grants for maxscale_role |
+---------------------------------------------------------------------------------------+
| GRANT SHOW DATABASES, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'maxscale_role' |
| GRANT SELECT ON `mysql`.`roles_mapping` TO 'maxscale_role' |
| GRANT SELECT ON `mysql`.`tables_priv` TO 'maxscale_role' |
| GRANT SELECT ON `mysql`.`user` TO 'maxscale_role' |
| GRANT SELECT ON `mysql`.`db` TO 'maxscale_role' |
+---------------------------------------------------------------------------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]> SELECT user, host, default_role FROM mysql.user WHERE user = 'maxscale' AND host = 'xxxxxxxxxx.com';
+----------+---------------------------+---------------+
| user | host | default_role |
+----------+---------------------------+---------------+
| maxscale | xxxxxxxx.com | maxscale_role |
+----------+---------------------------+---------------+
1 row in set (0.00 sec)



 Comments   
Comment by markus makela [ 2019-05-17 ]

Looks like a false positive: the code looks for a specific grant for the user which would explain why it thinks the grant isn't there. Using SHOW GRANTS is a bit better as it'll show the "resolved" grants even with composite roles.
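
The false positive described in this issue, as an added example that is not MaxScale's code and not part of the original report: a check that reads only the account's own grant rows misses `SHOW DATABASES`, while one that follows `GRANT <role> TO ...` rows through nested roles finds it. The grantee keys, function names and sample rows are constructed for illustration (modelled on the output above); only global `ON *.*` privileges are considered, and the role is assumed to be the account's default role so that it is active at connect.

```python
import re

# Constructed sample input: SHOW GRANTS rows collected per grantee,
# modelled on the report above (password hash shortened).
GRANTS = {
    "maxscale": [
        "GRANT maxscale_role TO 'maxscale'@'xxxxxxxxxx.com'",
        "GRANT USAGE ON *.* TO 'maxscale'@'xxxxxxxxxx.com' IDENTIFIED BY PASSWORD '*xxxx'",
    ],
    "maxscale_role": [
        "GRANT SHOW DATABASES, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'maxscale_role'",
        "GRANT SELECT ON `mysql`.`user` TO 'maxscale_role'",
    ],
}

GLOBAL_RE = re.compile(r"^GRANT (?P<privs>.+?) ON \*\.\* TO ", re.I)
ROLE_RE = re.compile(r"^GRANT (?P<roles>.+?) TO ", re.I)

def direct_global_privs(rows):
    """Global (ON *.*) privileges named in one grantee's own rows."""
    privs = set()
    for row in rows:
        m = GLOBAL_RE.match(row)
        if m:
            privs |= {p.strip().upper() for p in m.group("privs").split(",")}
    return privs

def granted_roles(rows):
    """Roles granted to a grantee: GRANT rows that carry no ON clause."""
    roles = set()
    for row in rows:
        m = ROLE_RE.match(row)
        if m and " ON " not in row.upper():
            roles |= {r.strip(" '`\"") for r in m.group("roles").split(",")}
    return roles

def effective_global_privs(grantee, grants, seen=None):
    """Own global privileges plus those of every role reachable from the grantee."""
    seen = set() if seen is None else seen
    if grantee in seen:  # a role reached by two paths is resolved once
        return set()
    seen.add(grantee)
    rows = grants.get(grantee, [])
    privs = direct_global_privs(rows)
    for role in granted_roles(rows):
        privs |= effective_global_privs(role, grants, seen)
    return privs

def has_priv(privs, wanted):
    return wanted in privs or "ALL PRIVILEGES" in privs
```

With the sample rows, `direct_global_privs(GRANTS["maxscale"])` yields only `USAGE`, which is the condition that produced the warning, while `effective_global_privs("maxscale", GRANTS)` includes `SHOW DATABASES`.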
