[#MXS-4681] Encrypted passwords are persisted in plaintext

[MXS-4681] Encrypted passwords are persisted in plaintext Created: 2023-07-25 Updated: 2024-01-04 Resolved: 2023-08-03
Status:	Closed
Project:	MariaDB MaxScale
Component/s:	Core
Affects Version/s:	2.5.26, 6.4.7, 22.08.6, 23.02.1
Fix Version/s:	2.5.28, 6.4.9, 22.08.8, 23.02.3

Type:

Bug

Priority:

Major

Reporter:

Massimo

Assignee:

markus makela

Resolution:

Fixed

Votes:

Labels:

None

Environment:

Centos 7

Description

adding a service in maxscale with dynamic change is necessary to add the user and password. Passing the Encrypted password to the command, end up to confirm the service has been created but the password on the /var/lib/maxscale/maxscale.cnf.d/Read-Service.cnf end up to show store as clear password.

maxctrl create service Read-Service readconnroute user=service_user password=2KVMANFl502A2398E42A8C670825770EED948CCBD764E1B67......
OK

cat Read-Service.cnf
[Read-Service]
router_options=slave
password=This_is_my_pwd_clear
router=readconnroute
type=service
user=service_user

So the encryption is already on. There are few things to clear and update on the documentation as well:

can i pass the encrypted pwd ?
can i pass the clear pwd?
how maxscale undestant if the pwd i am passing is the encrypted or not
for sure if the encrypted is on, the file should not store the clear password

Comments

Comment by markus makela [ 2023-08-03 ]

The passwords are now re-encrypted with the encryption key whenever they are persisted. This also causes the passwords to be stored in their encrypted form in the database for MaxScale 6.4 when configuration synchronization is used.

Generated at Thu Feb 08 04:30:23 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MXS-4681] Encrypted passwords are persisted in plaintext Created: 2023-07-25 Updated: 2024-01-04 Resolved: 2023-08-03