[MXS-3077] But after upgrading from Version 2.4 to 2.5, we are not able to connect with our RDS instance. Created: 2020-07-18  Updated: 2020-08-20  Resolved: 2020-08-20

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator
Affects Version/s: 2.5.0
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: sunni kumar
Assignee: Esa Korhonen
Resolution: Won't Fix
Votes: 0
Labels: None
Environment:

Ubuntu-16.04 LTS
Aurora MySQL RDS
maxscale 2.5.1


Sprint: MXS-SPRINT-111, MXS-SPRINT-112, MXS-SPRINT-113

 Description   

Currently, we are using Aurora MySQL RDS with MaxScale version 2.4, which works perfectly fine. But after upgrading from version 2.4 to 2.5, we are not able to connect to our RDS instance. I will share the configuration file and logs with you; kindly check and let me know what the issue is.

Aurora does not allow us to give permission to this table.

mysql> SELECT a.user, a.host, a.role FROM mysql.roles_mapping AS a;
ERROR 1142 (42000): SELECT command denied to user 'maxscale'@'%' for table 'roles_mapping'
mysql>.

NOTE: My Aurora MySQL credentials work fine when connecting traditionally.

mysql -u maxscale -h Aurora-DB-Sting -p

But trying to connect like this throws an error:

mysql -u maxscale -p -h127.0.0.1 -P4001
Enter password:
ERROR 1045 (28000): Access denied for user 'maxscale'@'127.0.0.1' (using password: YES)

cat /etc/maxscale.cnf

[maxscale]
threads=auto
 
[Aurora-Monitor-One]
type=monitor
module=auroramon
servers=node1
user=user=username
password=password
monitor_interval=2500
 
[Aurora-Monitor-Two]
type=monitor
module=auroramon
servers=node2
user=username
password=password
monitor_interval=2500
 
[MaxRows]
type=filter
module=maxrows
max_resultset_rows=10000
max_resultset_size=10485760
 
[DatabaseFirewall-whitelist]
type=filter
module=dbfwfilter
action=allow
rules=/etc/maxscale-rules.d/whitelist-rules.txt
log_no_match=true
 
[DatabaseFirewall-blacklist]
type=filter
module=dbfwfilter
action=block
rules=/etc/maxscale-rules.d/blacklist-rules.txt
 
[MyMasking]
type=filter
module=masking
warn_type_mismatch=always
large_payload=abort
rules=/etc/maxscale.modules.d/masking_PII.json
prevent_function_usage=false
 
[RWONE]
type=service
router=readconnroute
router_options=slave
servers=node1
user=username
password=password
connection_timeout=1000
filters= DatabaseFirewall-whitelist|DatabaseFirewall-blacklist|MaxRows|MyMasking
 
[RWTWO]
type=service
router=readconnroute
router_options=slave
servers=node2
user=username
password=password
connection_timeout=1000
filters= DatabaseFirewall-whitelist|DatabaseFirewall-blacklist|MaxRows|MyMasking
 
[RWONE-listener]
type=listener
service=RWONE
protocol=MySQLClient
address=0.0.0.0
port=4001
 
[RWTWO-listener]
type=listener
service=RWTWO
protocol=MySQLClient
address=0.0.0.0
port=4002
 
[node1]
type=server
address=RDS-AURORA-HOST
port=3306
protocol=MySQLBackend
persistpoolmax=50
persistmaxtime=3600
 
[node2]
type=server
address=RDS-AURORA-HOST
port=3306
protocol=MySQLBackend
persistpoolmax=50
persistmaxtime=3600

sudo tail -f /var/log/maxscale/maxscale.log

2020-07-17 19:05:01   warning: Protocol module 'mysqlclient' has been deprecated, use 'mariadbclient' instead.
2020-07-17 19:05:01   warning: (node2) persistmaxtime: Specifying durations without a suffix denoting the unit has been deprecated: 3600. Use the suffixes 'h' (hour), 'm' (minute) 's' (second) or 'ms' (milliseconds).
2020-07-17 19:05:01   warning: (node1) persistmaxtime: Specifying durations without a suffix denoting the unit has been deprecated: 3600. Use the suffixes 'h' (hour), 'm' (minute) 's' (second) or 'ms' (milliseconds).
2020-07-17 19:05:01   warning: The MaxScale GUI is enabled but encryption for the REST API is not enabled, the GUI will not be enabled. Configure `admin_ssl_key` and `admin_ssl_cert` to enable HTTPS or add `admin_secure_gui=false` to allow use of the GUI without encryption.
2020-07-17 19:05:01   notice : Started REST API on [127.0.0.1]:8989
2020-07-17 19:05:01   notice : Server 'node2' charset: latin1
2020-07-17 19:05:01   notice : Server 'node1' charset: latin1
2020-07-17 19:05:02   notice : Server 'node1' version: 5.6.10-log
2020-07-17 19:05:02   notice : Read 11 user@host entries from 'node1' for service 'RWONE'.
2020-07-17 19:05:02   notice : Server 'node2' version: 5.6.10-log
2020-07-17 19:05:02   notice : Read 13 user@host entries from 'node3' for service 'RWTWO'.
2020-07-17 19:05:04   notice : Starting a total of 2 services...
2020-07-17 19:05:04   notice : (RWTWO-listener) Listening for connections at [0.0.0.0]:4002
2020-07-17 19:05:04   notice : Service 'RWTWO' started (1/2)
2020-07-17 19:05:04   notice : (RWONE-listener) Listening for connections at [0.0.0.0]:4001
2020-07-17 19:05:04   notice : Service 'RWONE' started (2/2)
2020-07-17 19:05:23   warning: (1) [mariadbclient] Authentication failed for user 'maxscale'@[127.0.0.1] to service 'RWONE'. Originating listener: 'RWONE-listener'. MariaDB error: 'Access denied for user 'username'@'127.0.0.1' (using password: YES)'.
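
A small lint for the settings that stand out in the configuration and startup log above, as an added example that is not part of the original report or MaxScale's own tooling. The sample file is a constructed excerpt, `lint_maxscale_cnf` is a hypothetical helper, and Python's `configparser` is only assumed to approximate how MaxScale reads the file.

```python
import configparser
import re

# Constructed excerpt modelled on the maxscale.cnf in the report (placeholder values).
SAMPLE_CNF = """
[Aurora-Monitor-One]
type=monitor
module=auroramon
user=user=username
password=password

[RWONE-listener]
type=listener
service=RWONE
protocol=MySQLClient
address=0.0.0.0
port=4001

[node1]
type=server
address=RDS-AURORA-HOST
protocol=MySQLBackend
persistmaxtime=3600
"""

DURATION_KEYS = ("persistmaxtime",)  # the key the 2.5 log above warns about
DEPRECATED_PROTOCOLS = {"mysqlclient": "mariadbclient"}  # per the log warning


def lint_maxscale_cnf(text):
    """Return a sorted list of (section, key, finding) tuples."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        # A second '=' means the parsed account name is not the intended one.
        if "=" in sec.get("user", ""):
            findings.append((name, "user", "value contains '='"))
        proto = sec.get("protocol", "").lower()
        if proto in DEPRECATED_PROTOCOLS:
            findings.append((name, "protocol", "deprecated, use " + DEPRECATED_PROTOCOLS[proto]))
        for key in DURATION_KEYS:
            if re.fullmatch(r"\d+", sec.get(key, "")):
                findings.append((name, key, "duration has no unit suffix"))
        # A listener bound to 0.0.0.0 accepts clients on every interface.
        if sec.get("type") == "listener" and sec.get("address") == "0.0.0.0":
            findings.append((name, "address", "listens on all interfaces"))
    return sorted(findings)
```

Passwords are deliberately not checked for `=`, since a real password may legitimately contain one.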



 Comments   
Comment by Esa Korhonen [ 2020-07-20 ]

The user accounts seem to have been loaded normally:
2020-07-17 19:05:02 notice : Read 11 user@host entries from 'node1' for service 'RWONE'.

The roles_mapping table is not loaded on old server versions (there would be error messages in the log if it tried).
Enabling info log ("log_info=1") may help as it will print more detailed authentication errors.

Comment by Esa Korhonen [ 2020-08-20 ]

Closing for now due to inaction.
