Bug #104621 MySQL 8.0.26: Access Denied during GRANT PROXY as root, when connected via TCP/I
Submitted: 13 Aug 2021 19:35 Modified: 17 Aug 2021 11:47
Reporter: Trevor Sullivan Email Updates:
Status: Can't repeat Impact on me:
Category:MySQL Server Severity:S3 (Non-critical)
Version:8.0.26 OS:Other (Official Docker image)
Assigned to: CPU Architecture:Any
Tags: authentication, proxy, Security, users

[13 Aug 2021 19:35] Trevor Sullivan
When I am logged into MySQL using a TCP/IP connection, I am unable to perform the GRANT PROXY command, even though I am logged in as root. However, if I connect to MySQL using the UNIX socket, I am able to successfully run the GRANT PROXY command.

NOTE: I am using the official MySQL container image on the Docker Hub, using Docker Desktop on Windows 10. See reproduction steps for specific details.

How to repeat:
First, spin up a MySQL 8.0.26 container and get an interactive Bash shell inside it.

docker run --name testmysqldeleteme --env MYSQL_ROOT_PASSWORD=123 --detach mysql:8.0.26
docker exec -it testmysqldeleteme bash


Then in the interactive Bash shell:

mysql --user root --password=123 --host

In the MySQL shell:

# Enable the check_proxy_users feature
SET GLOBAL check_proxy_users = 1;

# Enable proxy users for the mysql_native_password authentication plugin;
SET GLOBAL mysql_native_password_proxy_users = 1;

# Enable the no-login plugin for MySQL
# https://dev.mysql.com/doc/refman/8.0/en/no-login-pluggable-authentication.html
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

# Create two users
CREATE USER trevor IDENTIFIED WITH mysql_native_password BY 'Trevor123';
CREATE USER trevor_proxy IDENTIFIED WITH mysql_no_login;

# Grant proxy privileges
GRANT PROXY ON trevor_proxy TO trevor;


NOTE: At this point, you should receive:

ERROR 1698 (28000): Access denied for user 'root'@''

Suggested fix:
I don't have any fixes to suggest. I am not familiar with the MySQL code base.
[17 Aug 2021 11:47] MySQL Verification Team
Hi Mr. Sullivan,

Thank you for your bug report.

I have attempted to reproduce this behaviour on the plain MySQL server , but I did not succeed.

Hence, this is some problem with Docker configuration for MySQL, which is not our area of expertise.

Can't repeat.