From bec33be672ae338fb1cf0fe418eac5d29a71ea58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Tue, 27 Nov 2018 09:02:00 +0200 Subject: [PATCH 1/4] Backport to 2.2: Simplify mxs1743_rconn_bitmask The test now uses maxctrl to count how many connections there are. This helps avoid creating new users on the database and works around the slave syncing problems. --- .../mxs1743_rconn_bitmask.cpp | 40 +++++-------------- 1 file changed, 10 insertions(+), 30 deletions(-) diff --git a/maxscale-system-test/mxs1743_rconn_bitmask.cpp b/maxscale-system-test/mxs1743_rconn_bitmask.cpp index 3aaefa042..13dee92df 100644 --- a/maxscale-system-test/mxs1743_rconn_bitmask.cpp +++ b/maxscale-system-test/mxs1743_rconn_bitmask.cpp @@ -39,53 +39,33 @@ int main(int argc, char** argv) test.tprintf("Checking that both the master and slave are used"); std::vector connections; - test.set_timeout(60); - test.repl->connect(); - execute_query_silent(test.repl->nodes[0], "DROP USER IF EXISTS 'mxs1743'@'%'"); - test.try_query(test.repl->nodes[0], "%s", "CREATE USER 'mxs1743'@'%' IDENTIFIED BY 'mxs1743'"); - test.try_query(test.repl->nodes[0], "%s", "GRANT ALL ON *.* TO 'mxs1743'@'%'"); - - test.tprintf("Syncing slaves"); - test.stop_timeout(); - test.repl->fix_replication(); - test.repl->sync_slaves(); - test.set_timeout(60); - test.tprintf("Opening new connections to verify readconnroute works"); for (int i = 0; i < 20; i++) { - // Open a connection and make sure it works test.set_timeout(20); - MYSQL* conn = open_conn(test.maxscales->readconn_master_port[0], test.maxscales->IP[0], - "mxs1743", "mxs1743", false); + MYSQL* conn = test.maxscales->open_readconn_master_connection(); test.try_query(conn, "SELECT 1"); connections.push_back(conn); test.stop_timeout(); } - // Give the connections a few seconds to establish - sleep(5); + int rc; + char* s1 = test.maxscales->ssh_node_output(0, "maxctrl --tsv list servers|grep server1|cut -f 4", true, &rc); + char* s2 = test.maxscales->ssh_node_output(0, "maxctrl --tsv list servers|grep server2|cut -f 4", true, &rc); - test.tprintf("Checking the number of connections"); - std::string query = "SELECT COUNT(*) AS connections FROM information_schema.processlist WHERE user = 'mxs1743'"; - char master_connections[1024]; - char slave_connections[1024]; - test.set_timeout(60); - find_field(test.repl->nodes[0], query.c_str(), "connections", master_connections); - find_field(test.repl->nodes[1], query.c_str(), "connections", slave_connections); - test.expect(strcmp(master_connections, slave_connections) == 0, + test.expect(strcmp(s1, s2) == 0, "Master and slave shoud have the same amount of connections: %s != %s", - master_connections, slave_connections); + s1, s2); - for (auto a: connections) + free(s1); + free(s2); + + for (auto a : connections) { mysql_close(a); } - execute_query_silent(test.repl->nodes[0], "DROP USER 'mxs1743'@'%'"); - test.repl->disconnect(); - return test.global_result; } From 9def07ab4ad485b4b47c3c2b03f2f288dd07bba5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Tue, 15 Jan 2019 18:24:14 +0200 Subject: [PATCH 2/4] Document connection_timeout behavior The fact that a warning is logged was not documented. --- Documentation/Getting-Started/Configuration-Guide.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md index 1ecc81c90..1a689214e 100644 --- a/Documentation/Getting-Started/Configuration-Guide.md +++ b/Documentation/Getting-Started/Configuration-Guide.md @@ -1096,6 +1096,12 @@ default. To enable them, define the timeout in seconds in the service's configuration section. A value of zero is interpreted as no timeout, the same as if the parameter is not defined. +**Warning:** If a connection is idle for longer than the configured connection +timeout, it will be forcefully disconnected and a warning will be logged in the +MaxScale log file. If you are performing long-running maintenance operations +(e.g. `ALTER TABLE`) either do them with a direct connection to the server or +set `connection_timeout` to zero before executing them. + Example: ``` From 1e1836354be5b55b69ada1b3c961a8ff14ce66c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Sat, 12 Jan 2019 04:55:35 +0200 Subject: [PATCH 3/4] MXS-2257: Extend password encryption tutorial Fixed the documentation on the arguments to maxkeys, which is a directory, and added a short paragraph about alternative key file locations. Also documented that keys are read from the directory where the `datadir` parameter points to. --- .../Getting-Started/Configuration-Guide.md | 3 +++ Documentation/Tutorials/Encrypting-Passwords.md | 17 ++++++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md index 1a689214e..2e57dec92 100644 --- a/Documentation/Getting-Started/Configuration-Guide.md +++ b/Documentation/Getting-Started/Configuration-Guide.md @@ -468,6 +468,9 @@ Set the directory where the data files used by MariaDB MaxScale are stored. Modules can write to this directory and for example the binlogrouter uses this folder as the default location for storing binary logs. +This is also the directory where the password encryption key is read from that +is generated by `maxkeys`. + ``` datadir=/home/user/maxscale_data/ ``` diff --git a/Documentation/Tutorials/Encrypting-Passwords.md b/Documentation/Tutorials/Encrypting-Passwords.md index ec587db4c..4ebc3a8f0 100644 --- a/Documentation/Tutorials/Encrypting-Passwords.md +++ b/Documentation/Tutorials/Encrypting-Passwords.md @@ -3,13 +3,16 @@ There are two options for representing the password, either plain text or encrypted passwords may be used. In order to use encrypted passwords a set of keys must be generated that will be used by the encryption and decryption -process. To generate the keys use the `maxkeys` command and pass the name of the -secrets file in which the keys are stored. +process. To generate the keys, use the `maxkeys` command. ``` -maxkeys /var/lib/maxscale/.secrets +maxkeys ``` +By default the key file will be generated in `/var/lib/maxscale`. If a different +directory is required, it can be given as the first argument to the program. For +more information, see `maxkeys --help`. + Once the keys have been created the `maxpasswd` command can be used to generate the encrypted password. @@ -21,6 +24,10 @@ maxpasswd plainpassword The username and password, either encrypted or plain text, are stored in the service section using the `user` and `password` parameters. +If a custom location was used for the key file, give it as the first argument to +`maxpasswd` and pass the password to be encrypted as the second argument. For +more information, see `maxkeys --help`. + Here is an example configuration that uses an encrypted password. ``` @@ -32,3 +39,7 @@ servers=dbserv1, dbserv2, dbserv3 user=maxscale password=96F99AA1315BDC3604B006F427DD9484 ``` + +If the key file is not in the default location, the +[`datadir`](../Getting-Started/Configuration-Guide.md#datadir) parameter must be +set to the directory that contains it. From 97c0c76321e713a6576a738f5ee616bdcda0144d Mon Sep 17 00:00:00 2001 From: Esa Korhonen Date: Wed, 23 Jan 2019 11:19:42 +0200 Subject: [PATCH 4/4] MXS-2267 Document requirements for an accepted PAM user The requirements are typical of MaxScale authenticators. Also, fixes the fallback PAM service. --- .../Authenticators/PAM-Authenticator.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/Documentation/Authenticators/PAM-Authenticator.md b/Documentation/Authenticators/PAM-Authenticator.md index 0b2a2748e..a909814ea 100644 --- a/Documentation/Authenticators/PAM-Authenticator.md +++ b/Documentation/Authenticators/PAM-Authenticator.md @@ -29,13 +29,15 @@ protocol=MariaDBBackend authenticator=PAMBackendAuth ``` -The client PAM authenticator will fetch user entries with `plugin='pam'` from -the `mysql.user` table. The entries should also have a PAM service name set in -the `authetication_string` column. The matching PAM service in the operating -system PAM config will be used for authenticating a user. If the -`authetication_string` for an entry is empty, a fallback service (e.g. `other`) -is used. If a username@host has multiple matching entries, they will all be -attempted until authentication succeeds or all fail. +The PAM authenticator fetches user entries with `plugin='pam'` from +the `mysql.user` table of a backend. The user accounts also need to have either +the global SELECT-privilege or a database or a table-level privilege. The PAM +service name of a user is read from the `authetication_string`-column. The +matching PAM service in the operating system PAM config is used for +authenticating the user. If the `authetication_string` for a user is empty, +the fallback service `mysql` is used. If a username@host-combination matches +multiple rows, they will all be attempted until authentication succeeds or all +services fail. PAM service configuration is out of the scope of this document, see [The Linux-PAM System Administrators' Guide