|
I see that with MXS-1325, we have enabled connecting to backend server via SHA256 user. However it does not work for Xpand. It works fine if I alter user to have mysql_native_password. See below.
Setup:
Maxscale <- SSL -> Xpand(Sha256)
Single node Xpand server with SSL enabled and maxscale user with SHA256 password.
MaxScale 22.08.1 connecting to Xpand via SSL
Xpand User:
MySQL [(none)]> alter user maxscale@'karma075.colo.sproutsys.com' IDENTIFIED WITH sha256_password BY 'Sproutr0x#';
|
Query OK, 0 rows affected (0.05 sec)
|
Grants for Maxscale User:
MySQL [(none)]> show grants for maxscale@'karma075.colo.sproutsys.com';
|
+-----------------------------------------------------------------------------------------+
|
| Grants for maxscale@karma075.colo.sproutsys.com |
|
+-----------------------------------------------------------------------------------------+
|
| GRANT SHOW DATABASES ON *.* TO 'maxscale'@'karma075.colo.sproutsys.com' |
|
| GRANT SELECT ON `system`.`membership` TO 'maxscale'@'karma075.colo.sproutsys.com' |
|
| GRANT SELECT ON `system`.`nodeinfo` TO 'maxscale'@'karma075.colo.sproutsys.com' |
|
| GRANT SELECT ON `system`.`softfailed_nodes` TO 'maxscale'@'karma075.colo.sproutsys.com' |
|
| GRANT SELECT ON `system`.`users` TO 'maxscale'@'karma075.colo.sproutsys.com' |
|
| GRANT SELECT ON `system`.`user_acl` TO 'maxscale'@'karma075.colo.sproutsys.com' |
|
+-----------------------------------------------------------------------------------------+
|
6 rows in set (0.00 sec)
|
On Maxscale, I have following configuration for service:
[xpand1]
|
type=server
|
address=karma060.colo.sproutsys.com
|
port=3306
|
protocol=mariadbbackend
|
ssl=true
|
Maxscale Starts fine:
[root@karma075 ~]# maxctrl list servers
|
┌──────────────────────────┬─────────────────────────────┬──────┬─────────────┬─────────────────┬──────┐
|
│ Server │ Address │ Port │ Connections │ State │ GTID │
|
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┼─────────────────┼──────┤
|
│ xpand1 │ karma060.colo.sproutsys.com │ 3306 │ 0 │ Master, Running │ │
|
├──────────────────────────┼─────────────────────────────┼──────┼─────────────┼─────────────────┼──────┤
|
│ @@Backend-Monitor:node-1 │ 10.2.15.149 │ 3306 │ 0 │ Master, Running │ │
|
└──────────────────────────┴─────────────────────────────┴──────┴─────────────┴─────────────────┴──────┘
|
From logs:
2022-08-29 23:21:28 notice : [xpandmon] Backend-Monitor: Monitoring Xpand cluster state using node karma060.colo.sproutsys.com:3306.
|
2022-08-29 23:21:28 notice : Created server '@@Backend-Monitor:node-1' at 10.2.15.149:3306
|
2022-08-29 23:21:28 info : [xpandmon] Updated Xpand node in bookkeeping: 1, '10.2.15.149', 3306, 3581.
|
2022-08-29 23:21:28 notice : Using HS256 for JWT signatures
|
2022-08-29 23:21:28 warning: The MaxScale GUI is enabled but encryption for the REST API is not enabled, the GUI will not be enabled. Configure `admin_ssl_key` and `admin_ssl_cert` to enable HTTPS or add `admin_secure_gui=false` to allow use of the GUI without encryption.
|
2022-08-29 23:21:28 notice : Started REST API on [127.0.0.1]:8989
|
2022-08-29 23:21:28 warning: [xpandmon] Backend-Monitor: Health check round had not completed when next tick arrived.
|
2022-08-29 23:21:28 notice : Starting a total of 1 services...
|
2022-08-29 23:21:28 notice : (Read-Only-Listener); Listening for connections at [0.0.0.0]:3306
|
2022-08-29 23:21:28 warning: Service 'Read-Only-Service' has a listener but no servers
|
2022-08-29 23:21:28 notice : Service 'Read-Only-Service' started (1/1)
|
2022-08-29 23:21:29 error : Failed to query server '@@Backend-Monitor:node-1' for user account info. Connection to [10.2.15.149]:3306 failed. Error 1045: [38912] Access denied: for user 'maxscale'@'karma075.colo.sproutsys.com' (using password: YES)
|
2022-08-29 23:21:30 error : Failed to query server '@@Backend-Monitor:node-1' for user account info. Connection to [10.2.15.149]:3306 failed. Error 1045: [38912] Access denied: for user 'maxscale'@'karma075.colo.sproutsys.com' (using password: YES)
|
From Maxscale host, i can connect to this user via mariadb client:
[root@karma075 ~]# mariadb -h karma060 -u maxscale -p'Sproutr0x#' --ssl
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MySQL connection id is 3335169
|
Server version: 5.0.45-Xpand-mainline1-17846
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
MySQL [(none)]> \s
|
--------------
|
mariadb Ver 15.1 Distrib 10.6.8-4-MariaDB, for Linux (x86_64) using readline 5.1
|
|
Connection id: 3335169
|
Current database:
|
Current user: maxscale@10.2.12.212
|
SSL: Cipher in use is ECDHE-RSA-AES256-GCM-SHA384
|
Current pager: stdout
|
Using outfile: ''
|
Using delimiter: ;
|
Server: MySQL
|
Server version: 5.0.45-Xpand-mainline1-17846
|
Protocol version: 10
|
Connection: karma060 via TCP/IP
|
Server characterset: utf8
|
Db characterset: utf8
|
Client characterset: utf8
|
Conn. characterset: utf8
|
TCP port: 3306
|
Clustrix: 1 sec
|
|
|
--------------
|
When I alter user to have mysql_native_password, it starts to work fine - no errors.
MySQL [(none)]> alter user maxscale@'karma075.colo.sproutsys.com' IDENTIFIED WITH mysql_native_password BY 'Sproutr0x#';
|
Query OK, 0 rows affected (0.04 sec)
|
|
maxscale.cnf
maxscale.log