Bug #107291 Access denied when connecting over socket
Submitted: 13 May 15:43 Modified: 24 Jun 7:04
Reporter: Michal Kralik Email Updates:
Status: Open Impact on me:
None 
Category:MySQL Router Severity:S2 (Serious)
Version:8.0.29 OS:CentOS (7)
Assigned to: CPU Architecture:x86
Tags: access denied, socket

[13 May 15:43] Michal Kralik 
Description:
A new user cannot connect over socket, but can connect over TCP.
After connecting via TCP, the socket connection starts working.
The socket connection for read-only mode does not work at all.

Restarting MySQL Router does not help.

MySQL 8.0.29
MySQL Router 8.0.29
CentOS 7 (3.10.0-1160.21.1.el7.x86_64)

MySQL running in InnoDB Cluster with 2 replicas

{
    "clusterName": "mysql1",
    "defaultReplicaSet": {
        "name": "default",
        "primary": "1.2.3.4:3320",
        "ssl": "REQUIRED",
        "status": "OK_NO_TOLERANCE",
        "statusText": "Cluster is NOT tolerant to any failures.",
        "topology": {
            "1.2.3.4:3320": {
                "address": "1.2.3.4:3320",
                "memberRole": "PRIMARY",
                "mode": "R/W",
                "readReplicas": {},
                "replicationLag": null,
                "role": "HA",
                "status": "ONLINE",
                "version": "8.0.29"
            },
            "5.6.7.8:3320": {
                "address": "5.6.7.8:3320",
                "memberRole": "SECONDARY",
                "mode": "R/O",
                "readReplicas": {},
                "replicationLag": null,
                "role": "HA",
                "status": "ONLINE",
                "version": "8.0.29"
            }
        },
        "topologyMode": "Single-Primary"
    },
    "groupInformationSourceMember": "1.2.3.4:3320"
}

MySQL Router config

[DEFAULT]

user=mysqlrouter
keyring_path=/var/lib/mysqlrouter/keyring
master_key_path=/etc/mysqlrouter/mysqlrouter.key
connect_timeout=5
read_timeout=30
dynamic_state=/var/lib/mysqlrouter/state.json
client_ssl_cert=/var/lib/mysqlrouter/router-cert.pem
client_ssl_key=/var/lib/mysqlrouter/router-key.pem
client_ssl_mode=PREFERRED
server_ssl_mode=AS_CLIENT
server_ssl_verify=DISABLED
unknown_config_option=error
max_total_connections=30000

[logger]
level=INFO

[metadata_cache:bootstrap]
cluster_type=gr
router_id=3
user=router1
metadata_cluster=mysql1
ttl=0.5
auth_cache_ttl=-1
auth_cache_refresh_interval=2
use_gr_notifications=0

[routing:bootstrap_rw]
bind_address=0.0.0.0
bind_port=6446
socket=/run/mysqlrouter/mysql.sock
destinations=metadata-cache://mysql1/?role=PRIMARY
routing_strategy=first-available
protocol=classic

[routing:bootstrap_ro]
bind_address=0.0.0.0
bind_port=6447
socket=/run/mysqlrouter/mysqlro.sock
destinations=metadata-cache://mysql1/?role=SECONDARY
routing_strategy=round-robin-with-fallback
protocol=classic

[routing:bootstrap_x_rw]
bind_address=0.0.0.0
bind_port=6448
socket=/run/mysqlrouter/mysqlx.sock
destinations=metadata-cache://mysql1/?role=PRIMARY
routing_strategy=first-available
protocol=x

[routing:bootstrap_x_ro]
bind_address=0.0.0.0
bind_port=6449
socket=/run/mysqlrouter/mysqlxro.sock
destinations=metadata-cache://mysql1/?role=SECONDARY
routing_strategy=round-robin-with-fallback
protocol=x

How to repeat:
1. Connect to MySQL Router on port 6446
2. Create a new user
CREATE USER IF NOT EXISTS 'connecttest'@'%' IDENTIFIED BY 'asdasdasd1';

3. Connect via socket (the password is correct)
# mysql -u connecttest -p -S /run/mysqlrouter/mysql.sock
Enter password:
ERROR 1045 (28000): Access denied for user 'connecttest'@'host' (using password: YES)

4. Connect via TCP
# mysql -u connecttest -p -h localhost -P 6446
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.

5. Connect via socket - at this point the connection starts working
# mysql -u connecttest -p -S /run/mysqlrouter/mysql.sock
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.

6. Connect via ro socket - this never works
# mysql -u connecttest -p -S /run/mysqlrouter/mysqlro.sock
Enter password:
ERROR 1045 (28000): Access denied for user 'connecttest'@'host' (using password: YES)
[20 May 13:42] MySQL Verification Team 
Hi Mr. Kralik,

Can you please give us the reasons why are you trying to connect our client CLI to the read-only socket of the router.  You have to use options that would change nothing at all, which is not how our CLI works by default.

Next, please check the privileges of that user that is attempting this connection ....

Last, but not least, describe to us how is router connected to the cluster and are all replicas configured for read and write operations.
[21 Jun 1:00] Bugs System 
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[24 Jun 7:04] Michal Kralik 
Sorry, for some reason I did not receive email notification for your follow up.

We use MySQL router to connect to an InnoDB Cluster.
We'd like to use a socket to connect to MySQL router instead of TCP connections.

The user has proper privileges since you can connect through TCP with the same user.

I don't understand your question regarding "connect our CLI to the read-only socket of router".
In the example I demonstrate connection with "mysql" cli to the router either via socket or TCP where the socket connection does not work but TCP does. I does not seem this is expected.

My understanding of the read-only socket of MySQL Router is that it connects you to a read-only replica of the InnoDB Cluster.

Router is connected to the cluster as described in the MySQL Router config I attached. It uses TCP connections. Let me know what debugging information you'd need here.

One replica is R/W and the other is R/O - as described in the output from MySQL replica config.