[MXS-3043] Database grants in user_accounts_file should add the database to the list of known databases Created: 2020-06-17  Updated: 2022-11-07  Resolved: 2022-11-07

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator, mariadbclient
Affects Version/s: 6.4.3, 22.08.2
Fix Version/s: 6.4.4, 22.08.3

Type: Bug Priority: Major
Reporter: Andrey Assignee: Esa Korhonen
Resolution: Fixed Votes: 0
Labels: None

Attachments: File db_names.diff    

Description

When using a "user_accounts_file" with database privileges granted to users, those databases are not added to the list of known databases. This means that if MaxScale does not know about the database (always the case when using "file_only_always" mode) and the user attempts to log in directly to it, MaxScale will reject the user. Change this so that any manual db-level grant causes the database name to be known to MaxScale.
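The following is an added illustration of the behaviour described above, written for this page and not taken from MaxScale's source or from the issue. It assumes the user_accounts_file layout with top-level "user" and "db" sections and the field names used below; the account and database values are constructed. The `db_grants_add_names` flag switches between the old behaviour (db-level grants contribute nothing to the known-database list) and the fixed one.

```python
import json

# Constructed user_accounts_file contents (layout and field names assumed;
# the password hash is an obvious placeholder, not a real account).
ACCOUNTS_JSON = """
{
  "user": [
    {"user": "app", "host": "%", "password": "*PLACEHOLDER_HASH", "global_priv": false}
  ],
  "db": [
    {"user": "app", "host": "%", "db": "orders"},
    {"user": "app", "host": "%", "db": "inventory"}
  ]
}
"""


def load_accounts(text):
    return json.loads(text)


def host_matches(pattern, host):
    # Minimal host matching: "%" matches any client host, otherwise exact.
    return pattern == "%" or pattern == host


def known_databases(accounts, db_grants_add_names):
    """Database names MaxScale treats as existing in file_only_always mode.

    Nothing is fetched from the backend in that mode, so before the fix the
    set is empty; after the fix every db-level grant adds its database name.
    """
    names = set()
    if db_grants_add_names:
        names.update(grant["db"] for grant in accounts.get("db", []))
    return names


def check_login(accounts, user, host, database, db_grants_add_names):
    """Simulate the authentication decision for a client naming a default database."""
    matches = [u for u in accounts["user"]
               if u["user"] == user and host_matches(u["host"], host)]
    if not matches:
        return "access denied"
    if database is None:
        return "ok"
    if database not in known_databases(accounts, db_grants_add_names):
        return f"Unknown database '{database}'"
    allowed = matches[0].get("global_priv", False) or any(
        g["user"] == user and host_matches(g["host"], host) and g["db"] == database
        for g in accounts.get("db", []))
    return "ok" if allowed else "access denied"
```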

Original description:

It happens that MaxScale can be deployed in a non-trusted location. This means providing access to mysql.user from there is unsafe. Instead, only one specific MySQL account should be used from there, and I'd like to pre-define it and prevent gathering other users from the MySQL cluster. How can it be done?



Comments
Comment by markus makela [ 2020-06-18 ]

One option is that we use the user and password configured for a service as the only allowed credentials.

Comment by Andrey [ 2020-06-19 ]

Yes, it works, but as a side effect, and it works badly. If the service account exists but has insufficient privileges, it depends on both MySQL servers in the cluster being available. Unless all of the MySQL servers are available, inject_service_user is true and this crutch works. As soon as all MySQL servers become available, inject_service_user becomes false and, because no users are loaded due to permissions, new connections to MaxScale are rejected.

Comment by markus makela [ 2021-10-25 ]

I think this is solved by the addition of the user_accounts_file feature to 6.2. Combining it with user_accounts_file_usage=file_only_always skips the loading of the users from the database and allows a set number of users to be used.

Comment by Andrey [ 2021-11-02 ]

According to the description, it looks like what I need. I'll update the issue as soon as 6.2 is released and I have checked how it works.

Comment by Andrey [ 2021-11-06 ]

I've built the new version from the branch and it's really working as expected! But with a small disadvantage: database names aren't loaded from user_accounts_file. If the client makes a connection to a specific database, it fails with the error Unknown database 'XXX'. As an option, I suggest that you consider a patch that allows using the database names listed in the db section of the user_accounts_file: db_names.diff

Another suggestion: the parameters user and password should not be mandatory if user_accounts_file_usage=file_only_always.

Comment by Esa Korhonen [ 2022-11-07 ]

Fixed, will be published in next versions.
