[MXS-4146] Xpand MaxScale Tutorial in KB doesn't work Created: 2022-05-24  Updated: 2022-07-11  Resolved: 2022-06-07

Status: Closed
Project: MariaDB MaxScale
Component/s: Documentation
Affects Version/s: None
Fix Version/s: 2.5.21, 6.4.1, 22.08.0

Type: Task Priority: Major
Reporter: Anne Strasser (Inactive) Assignee: Johan Wikman
Resolution: Fixed Votes: 0
Labels: None

Sprint: MXS-SPRINT-159

 Description   

This was originally reported in the docs-talk slack channel by Luke Smith.

Luke reported a problem with this KB documentation page about using MaxScale with Xpand, which is generated from this page in GitHub.

This document does not list the full set of required privileges.

When a user tries to connect with the privileges listed in the document, they will see the following error in the Maxscale error log:

2022-05-24 23:21:56   error  : Failed to query server '@@Xpand:node-1' for user account info. Query 'SELECT * FROM system.users; SELECT u.username, u.host, a.dbname, a.privileges FROM system.user_acl AS a LEFT JOIN system.users AS u ON (u.user = a.role); SHOW DATABASES;' failed. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`users`.; transaction aborted.

If the SELECT privilege is granted on the `system`.`users` table, users still see the following error in the Maxscale error log:

2022-05-24 23:23:35   error  : Failed to query server '@@Xpand:node-1' for user account info. Multiquery element 'SELECT u.username, u.host, a.dbname, a.privileges FROM system.user_acl AS a LEFT JOIN system.users AS u ON (u.user = a.role);' failed. Error 1045: [11281] Permission denied: User 'maxscale'@'10.70.120.%' is missing SELECT on `system`.`user_acl`.; transaction aborted.

If the SELECT privilege is also granted on the `system`.`user_acl` table, then connections are successful.

However, there might be other permissions missing as the "maxscale" user still can't use customer databases due to the following error in the MaxScale error log:

2022-05-24 23:48:26   warning: (26) [MariaDBProtocol] Authentication failed for user 'horizonApp'@[10.70.120.51] to service 'Xpand-Service'. Originating listener: 'xpand_listener'. MariaDB error: 'Unknown database 'database_name''.



 Comments   
Comment by Anne Strasser (Inactive) [ 2022-05-25 ]

Another comment from Luke Smith via docs-talk slack channel

So the next thing it wanted was show databases permission. Though I believe I see the issue, it seems this is just for the monitor user, not for an actual database proxy user(one that checks auth/grants/etc).
So maybe we are just missing that documentation or I was looking in the wrong place. Maybe just adding that fact that creating an "app_user/service_user" needs to also have X or link to X might be sufficient.
Thanks again for the help!

Comment by Johan Wikman [ 2022-06-06 ]

I think this is a documentation problem.

The user used for the monitor and the user used for the service need a disjoint set of rights. However, since the tutorial uses the same user for both the monitor and the service, this may not be obvious.

Comment by markus makela [ 2022-07-11 ]

Changed this to a Task since it's not a bug and doesn't belong in the release notes.

Generated at Thu Feb 08 04:26:32 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.