From 00a3d7eb56e078ace5f129a0ee1a955b639e0284 Mon Sep 17 00:00:00 2001
From: Markus Makela
Date: Fri, 28 Aug 2015 17:33:05 +0300
Subject: [PATCH 1/2] Made service permission checks less strict.

---
 server/core/dbusers.c | 18 ++++++++++--------
 server/core/service.c | 8 ++++----
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/server/core/dbusers.c b/server/core/dbusers.c
index f79193226..63055934f 100644
--- a/server/core/dbusers.c
+++ b/server/core/dbusers.c
@@ -2397,14 +2397,18 @@ bool check_service_permissions(SERVICE* service)
 if(mysql_real_connect(mysql,server->server->name,user,dpasswd,NULL,server->server->port,NULL,0) == NULL)
 {
 skygw_log_write(LE,"%s: Error: Failed to connect to server %s(%s:%d) when"
- " checking authentication user credentials and permissions.",
+ " checking authentication user credentials and permissions: %d %s",
 service->name,
 server->server->unique_name,
 server->server->name,
- server->server->port);
+ server->server->port,
+ mysql_errno(mysql),
+ mysql_error(mysql));
 mysql_close(mysql);
 free(dpasswd);
- return false;
+
+ /** We don't know enough about user permissions */
+ return true;
 }
 
 if(mysql_query(mysql,"SELECT user, host, password,Select_priv FROM mysql.user limit 1") != 0)
@@ -2414,6 +2418,7 @@ bool check_service_permissions(SERVICE* service)
 skygw_log_write(LE,"%s: Error: User '%s' is missing SELECT privileges"
 " on mysql.user table. MySQL error message: %s",
 service->name,user,mysql_error(mysql));
+ rval = false;
 }
 else
 {
@@ -2421,7 +2426,6 @@ bool check_service_permissions(SERVICE* service)
 " MySQL error message: %s",
 service->name,mysql_error(mysql));
 }
- rval = false;
 }
 else
 {
@@ -2432,9 +2436,8 @@ bool check_service_permissions(SERVICE* service)
 service->name,mysql_error(mysql));
 mysql_close(mysql);
 free(dpasswd);
- return false;
+ return true;
 }
- mysql_free_result(res);
 }
 
 if(mysql_query(mysql,"SELECT user, host, db FROM mysql.db limit 1") != 0)
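Review bot: The branch that logs "Failed to query from mysql.user table" no longer fails the check: with `rval = false;` moved into the privilege-denied branch (hunk -2414/-2421), any query failure other than the one selected by the `if` condition (which sits outside the hunk) leaves `rval` untouched while still being reported as an Error. The same applies to the mysql.db hunks at -2443 and -2457, where "Result retrieval failed" also stops failing the check. If that fail-open behaviour is intended, say so where a reader would expect the failure, e.g. `/* Not a privilege problem: the grants cannot be verified, so do not block the service. */` after the second log call, and consider logging those paths at warning rather than error level so the log matches the outcome. check_service_permissions starts and ends outside these hunks.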
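Review bot: The result handle `res` obtained on the success path of hunk -2432 is no longer released: removing `mysql_free_result(res);` after the inner `if` block leaves the result set unread and unfreed, and unless it is released further down (outside the hunk) the memory leaks and, if the result was fetched with mysql_use_result, the next `mysql_query` on this connection fails with a commands-out-of-sync error. Keep `mysql_free_result(res);` right after the `}` that closes the NULL-result branch. The early `return true;` here also repeats the `mysql_close`/`free(dpasswd)` cleanup of the connect-failure path; a single cleanup label reached via goto would make it harder for a future exit path to skip one of them.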
@@ -2443,13 +2446,13 @@ bool check_service_permissions(SERVICE* service)
 {
 skygw_log_write(LE,"%s: Error: User '%s' is missing SELECT privileges on mysql.db table. MySQL error message: %s",
 service->name,user,mysql_error(mysql));
+ rval = false;
 }
 else
 {
 skygw_log_write(LE,"%s: Error: Failed to query from mysql.db table. MySQL error message: %s",
 service->name,mysql_error(mysql));
 }
- rval = false;
 }
 else
 {
@@ -2457,7 +2460,6 @@ bool check_service_permissions(SERVICE* service)
 {
 skygw_log_write(LE,"%s: Error: Result retrieval failed when checking for permissions to the mysql.db table: %s",
 service->name,mysql_error(mysql));
- rval = false;
 }
 else
 {
diff --git a/server/core/service.c b/server/core/service.c
index a281db608..bc534f6b7 100644
--- a/server/core/service.c
+++ b/server/core/service.c
@@ -235,11 +235,11 @@ GWPROTOCOL *funcs;
 {
 LOGIF(LE, (skygw_log_write_flush(
 LOGFILE_ERROR,
- "Error : Unable to load users from %s:%d for "
- "service %s.",
+ "Error : Unable to load users for "
+ "service %s listening at %s:%d.",
+ service->name,
 (port->address == NULL ? "0.0.0.0" : port->address),
- port->port,
- service->name)));
+ port->port)));
 
 {
 /* Try loading authentication data from file cache */

From 45227c8875b6184f13796ac5cc5d0f0e025dd3a1 Mon Sep 17 00:00:00 2001
From: Markus Makela
Date: Fri, 28 Aug 2015 17:39:17 +0300
Subject: [PATCH 2/2] Changed service permission checks to fail when user doesn't have access rights.

---
 server/core/config.c | 2 +-
 server/core/dbusers.c | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/server/core/config.c b/server/core/config.c
index c0113d001..acf133a92 100644
--- a/server/core/config.c
+++ b/server/core/config.c
@@ -898,7 +898,7 @@ process_config_context(CONFIG_CONTEXT *context)
 s = strtok_r(NULL, ",", &lasts);
 }
 }
- else if (servers == NULL && !isInternalService(router))
+ else if (servers == NULL && !isInternalService(router) && strcmp(router,"binlogrouter"))
 {
 LOGIF(LE, (skygw_log_write_flush(
 LOGFILE_ERROR,
diff --git a/server/core/dbusers.c b/server/core/dbusers.c
index 63055934f..d28aecaeb 100644
--- a/server/core/dbusers.c
+++ b/server/core/dbusers.c
@@ -2396,19 +2396,21 @@ bool check_service_permissions(SERVICE* service)
 
 if(mysql_real_connect(mysql,server->server->name,user,dpasswd,NULL,server->server->port,NULL,0) == NULL)
 {
+ int my_errno = mysql_errno(mysql);
+
 skygw_log_write(LE,"%s: Error: Failed to connect to server %s(%s:%d) when"
 " checking authentication user credentials and permissions: %d %s",
 service->name,
 server->server->unique_name,
 server->server->name,
 server->server->port,
- mysql_errno(mysql),
+ my_errno,
 mysql_error(mysql));
 mysql_close(mysql);
 free(dpasswd);
 
 /** We don't know enough about user permissions */
- return true;
+ return my_errno != ER_ACCESS_DENIED_ERROR;
 }
 
 if(mysql_query(mysql,"SELECT user, host, password,Select_priv FROM mysql.user limit 1") != 0)
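Review bot: `strcmp(router,"binlogrouter")` is used as a bare truth value in the new condition, which reads as "router is binlogrouter" when it means the opposite; write it as `strcmp(router, "binlogrouter") != 0`. The exemption also duplicates what `isInternalService(router)` exists for: folding the binlog router into that predicate keeps the list of routers allowed to run without servers in one place instead of a literal in the condition. process_config_context starts and ends outside the hunk.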
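Review bot: Only ER_ACCESS_DENIED_ERROR now fails the check; every other connect failure, including the other authorization errors the server can return (ER_DBACCESS_DENIED_ERROR, ER_HOST_NOT_PRIVILEGED) and any network error, still returns true, so the permission check silently passes whenever it could not actually verify the grants. Decide whether those codes should also return false, and update the comment above the return, which no longer describes the whole branch: `/** Access denied means the credentials are wrong; any other failure leaves the grants unknown and we let the service start rather than block it. */`. `mysql_errno()` returns `unsigned int`, so `unsigned int my_errno` would match the API, and ER_ACCESS_DENIED_ERROR comes from mysqld_error.h, which I cannot see being included in this file. check_service_permissions starts and ends outside the hunk.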