[MXS-4248] Improve logging for enable_root_user not enabled instead of "Authentication failed for user Created: 2022-08-19  Updated: 2022-08-29  Resolved: 2022-08-29

Status: Closed
Project: MariaDB MaxScale
Component/s: N/A
Affects Version/s: None
Fix Version/s: N/A

Type: Task Priority: Major
Reporter: Claudio Nanni Assignee: markus makela
Resolution: Not a Bug Votes: 0
Labels: None

Sprint: MXS-SPRINT-165

 Description   

When a user is considered a fully privileges user (not sure how the matching is done) and enable_root_user is disabled, the error message returned is a plain:

warning: (9) [MariaDBProtocol] Authentication failed for user 'claudio'@[192.168.1.135] to service 'Read-Write-Service'. Originating listener: 'Read-Write-Listener'. MariaDB error: 'Access denied for user 'claudio'@'192.168.1.135' (using password: YES)'.

The user of course was perfectly able to login directly to the backends.

It took me some time to find out that 'claudio'@'%' had too many privileges and was considered as 'root' and so denied login.

I think it would be useful to log a more meaningful message like:

Fully privileges users are not allowed to login set enable_root_user=1 if needed.



 Comments   
Comment by markus makela [ 2022-08-29 ]

That's not how the parameter works:

    // If "root" user is being accepted when not allowed, block it now.
 
    if (res.type == UserEntryType::USER_ACCOUNT_OK && !sett.service.allow_root_user && user == "root")
 
    {
 
        res.type = UserEntryType::ROOT_ACCESS_DENIED;
 
        MXB_INFO("Client '%s'@'%s' blocked because '%s' is false.", userz, hostz, CN_ENABLE_ROOT_USER);
 
        return res;
 
    }

The enable_root_user affects only users whose literal name is root.

Generated at Thu Feb 08 04:27:16 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.