Bug #49876 users coming via proxy don't have proper originating ip address
Submitted: 22 Dec 2009 12:28
Modified: 5 Jan 2010 17:15
Reporter: Bogdan Kecman
Status: Won't fix
Category: MySQL Proxy: Core
Severity: S4 (Feature request)
Version: 0.7
OS: Any
Assigned to:
CPU Architecture: Any

[22 Dec 2009 12:28] Bogdan Kecman
Description:
When connecting via mysql proxy (standalone or via enterprise monitor agent), the user does not carry on the source address it is coming from, hence if you have

dbuser@10.1.2.3 

user with some permissions, introducing the proxy into the mix will make mysql see this user as

dbuser@proxyIP

hence if you have a thousand users on the system you have to modify them all to compensate for this, and if you have a scenario like

dbuser@ip1 - read only privileges
dbuser@ip2 - read/write privileges

there is no way to implement it as both users will be seen from mysql as dbuser@proxyip

How to repeat:
connect to mysql server via proxy

Suggested fix:
let the proxy pass on the information about where the client originated from so that the mysql grant system can properly authorize the client (requires changes in both proxy and mysql server)
[22 Dec 2009 12:37] Kay Roepke
While I agree that this would be great, it's extremely unlikely to happen any time soon, if at all, because this feature would require changes to the mysql protocol, with all the compatibility concerns that brings with it.
[29 Dec 2009 7:15] Bogdan Kecman
Will something like this solve this feature request without changing the protocol?

function read_auth()
    local c = proxy.connection.client
    local s = proxy.connection.server
end

...
...

proxy.queries:append(1, 
  proto.to_response_packet({
    username = c.username .. "-" .. c.src.address,
    response = c.response,
    charset  = 8,
    database = c.default_db,
    max_packet_size = 1 * 1024 * 1024
  })
)
return proxy.PROXY_SEND_QUERY
[29 Dec 2009 10:23] Kay Roepke
Unfortunately it won't, because the server takes the originating IP address from the network socket itself (and is correct to do so).
No matter what we come up with on the proxy side, it always needs some kind of change in the server itself, whether it is a protocol addition to explicitly set the source address to use for authentication/authorization or a more flexible permission system.
Using MySQL Proxy needs mysql users configured for its originating address, there's no way around it.
[5 Jan 2010 17:15] Enterprise Tools JIRA Robot
Gary Whizin writes: 
can't fix this
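
The account setup that Kay Roepke's reply of 29 Dec 2009 10:23 calls for, written out as an added example that is not part of the original thread. Assumptions: 192.0.2.10 stands in for proxyIP, 10.1.2.4 for the second client address, appdb for the schema, and the dbuser_ro/dbuser_rw names and passwords are hypothetical placeholders.

```sql
-- Constructed sample values throughout: 192.0.2.10 = proxy address,
-- 10.1.2.3 / 10.1.2.4 = client addresses (ip1 / ip2), appdb = schema.

-- 1. The per-client accounts described in the report.
CREATE USER 'dbuser'@'10.1.2.3' IDENTIFIED BY '<password-1>';
CREATE USER 'dbuser'@'10.1.2.4' IDENTIFIED BY '<password-2>';
GRANT SELECT ON appdb.* TO 'dbuser'@'10.1.2.3';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'dbuser'@'10.1.2.4';

-- 2. Audit: accounts with a literal host that is not the proxy address.
--    A connection arriving through the proxy can never match these rows.
--    Hosts with % or _ wildcards are left out and need review by hand.
SELECT user, host
FROM mysql.user
WHERE host <> '192.0.2.10'
  AND INSTR(host, '%') = 0
  AND INSTR(host, '_') = 0
ORDER BY user, host;

-- 3. Through the proxy both clients arrive as dbuser@192.0.2.10, so one
--    account cannot carry two privilege sets. Assumption of this example:
--    separate by user name instead of by host, each with least privilege.
CREATE USER 'dbuser_ro'@'192.0.2.10' IDENTIFIED BY '<password-ro>';
CREATE USER 'dbuser_rw'@'192.0.2.10' IDENTIFIED BY '<password-rw>';
GRANT SELECT ON appdb.* TO 'dbuser_ro'@'192.0.2.10';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'dbuser_rw'@'192.0.2.10';

-- 4. Verify while connected through the proxy: USER() reports the name
--    given at login plus the host the server took from the socket,
--    CURRENT_USER() reports the account row that actually matched.
SELECT USER(), CURRENT_USER();
```

With this layout the read-only versus read/write distinction rests on the credential presented, not on the client's network address.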