Only refresh users on failed authentication

When backend authentication failed due to errors other than wrong credentials, the users were unconditionally reloaded. This caused a spike of activity whenever authentication failed for other reasons. Also fixed the test that checks for this to look for the correct error message.
2017-12-01 06:01:18 +02:00
parent 96d9c47016
commit 0506669738
2 changed files with 11 additions and 13 deletions
--- a/maxscale-system-test/crash_out_of_files.cpp
+++ b/maxscale-system-test/crash_out_of_files.cpp
@ -44,7 +44,7 @@ int main(int argc, char *argv[])
    Test->repl->close_connections();
    Test->stop_timeout();

-    Test->check_log_err((char *) "refresh rate limit exceeded", false);
+    Test->check_log_err((char *) "Refresh rate limit exceeded", false);
    Test->check_maxscale_alive();
    int rval = Test->global_result;
    delete Test;
--- a/server/modules/protocol/MySQL/MySQLBackend/mysql_backend.c
+++ b/server/modules/protocol/MySQL/MySQLBackend/mysql_backend.c
@ -329,7 +329,7 @@ bool is_error_response(GWBUF *buffer)
 * @param dcb Backend DCB where authentication failed
 * @param buffer Buffer containing the response from the backend
 */
-void log_error_response(DCB *dcb, GWBUF *buffer)
+static void handle_error_response(DCB *dcb, GWBUF *buffer)
 {
    uint8_t *data = (uint8_t*)GWBUF_DATA(buffer);
    size_t len = MYSQL_GET_PAYLOAD_LEN(data);
@ -354,6 +354,13 @@ void log_error_response(DCB *dcb, GWBUF *buffer)

        server_set_status(dcb->server, SERVER_MAINT);
    }
+    else if (errcode == ER_ACCESS_DENIED_ERROR ||
+             errcode == ER_DBACCESS_DENIED_ERROR ||
+             errcode == ER_ACCESS_DENIED_NO_PASSWORD_ERROR)
+    {
+        // Authentication failed, reload users
+        service_refresh_users(dcb->service);
+    }
 }

 /**
@ -474,7 +481,7 @@ gw_read_backend_event(DCB *dcb)
            {
                /** The server responded with an error */
                proto->protocol_auth_state = MXS_AUTH_STATE_FAILED;
-                log_error_response(dcb, readbuf);
+                handle_error_response(dcb, readbuf);
            }

            if (proto->protocol_auth_state == MXS_AUTH_STATE_CONNECTED)
@ -541,15 +548,6 @@ gw_reply_on_error(DCB *dcb, mxs_auth_state_t state)
    MXS_SESSION *session = dcb->session;
    CHK_SESSION(session);

-    /* Only reload the users table if authentication failed and the
-     * client session is not stopping. It is possible that authentication
-     * fails because the client has closed the connection before all
-     * backends have done authentication. */
-    if (state == MXS_AUTH_STATE_FAILED && session->state != SESSION_STATE_STOPPING)
-    {
-        service_refresh_users(session->service);
-    }
-
    GWBUF* errbuf = mysql_create_custom_error(1, 0, "Authentication with backend "
                                              "failed. Session will be closed.");

@ -809,7 +807,7 @@ gw_read_and_write(DCB *dcb)
            {
                /** The COM_CHANGE USER failed, generate a fake hangup event to
                 * close the DCB and send an error to the client. */
-                log_error_response(dcb, reply);
+                handle_error_response(dcb, reply);
            }
            else
            {