Bug #89404 inconsistent support of CIDR or subnet notation
Submitted: 25 Jan 2018 11:51 Modified: 26 Jan 2018 4:20
Reporter: Geert Vanderkelen
Status: Verified
Category: MySQL Server: Group Replication Severity: S4 (Feature request)
Version: 8.0.4 OS: Any
Assigned to: CPU Architecture: Any
Tags: authentication, group_replication

[25 Jan 2018 11:51] Geert Vanderkelen
Description:
For users, it is possible to provide a subnet, for example, 'geert'@'192.168.14.0/255.255.255.0'. This is a great help for restricting access. See https://dev.mysql.com/doc/refman/8.0/en/account-names.html

For Group Replication, we can whitelist hosts, and now also networks with 8.0.4, restricting who (what?) can join the group. And this notation supports CIDR.

Problem is: MySQL user accounting does not support CIDR; group replication whitelisting does. It would be OK if group replication whitelisting supports network masks like user accounts, but sadly not.

In a world of scripting, we now need to define two network variables: one to create the users, the other for whitelisting group replication members. This is an okay workaround, but being a bit more consistent would be preferred (reducing errors etc.).

How to repeat:

[mysqld]
# works OK with /24
group_replication_ip_whitelist = "localhost,192.168.56.0/255.255.255.0"

2018-01-25T11:22:38.438521Z 15 [ERROR] [MY-011254] Plugin group_replication reported: '[GCS] Invalid IP or subnet mask in the whitelist: 192.168.56.0/255.255.255.0'

When using CIDR in users:

mysql> CREATE USER 'geert'@'192.168.56.0/24';
Query OK

$ mysql -ugeert -hmysqld1 
ERROR 1045 (28000): Access denied for user 'geert'@'192.168.56.1' (using password: NO)

mysql> CREATE USER 'geert'@'192.168.56.0/255.255.255.0';
Query OK

$ mysql -ugeert -hmysqld1 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 38...

Suggested fix:
Add support for CIDR for user accounts OR/AND support network masks in group replication.
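
A sketch of the single-variable workaround for provisioning scripts, added here as an example; it is not part of the original report and not MySQL code. It takes one IPv4 network in either notation and emits the netmask form for CREATE USER and the CIDR form for group_replication_ip_whitelist, the forms the report shows each side accepting on 8.0.4. The function names, the user name and the sample network are assumptions.

```python
import ipaddress


def notations(network: str) -> dict:
    """Return both spellings of one IPv4 network.

    Accepts "a.b.c.d/prefixlen" or "a.b.c.d/netmask". strict=True rejects
    input with host bits set (e.g. 192.168.56.1/24), and ipaddress rejects
    non-contiguous masks (e.g. 255.0.255.0); both raise ValueError, so a
    typo stops the script instead of producing a rule that never matches.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    return {
        "cidr": net.with_prefixlen,   # form the whitelist accepted in the report
        "netmask": net.with_netmask,  # form the account host accepted in the report
    }


def render(user: str, network: str, extra_hosts=("localhost",)) -> dict:
    """Build the CREATE USER statement and the my.cnf line from one network."""
    if not user or any(c in user for c in "'\"\\`"):
        raise ValueError("user name contains characters this sketch does not quote")
    n = notations(network)
    whitelist = ",".join([*extra_hosts, n["cidr"]])
    return {
        "create_user": f"CREATE USER '{user}'@'{n['netmask']}';",
        "my_cnf": f'group_replication_ip_whitelist = "{whitelist}"',
    }


if __name__ == "__main__":
    # Constructed sample input: the network from the report, given once.
    for line in render("geert", "192.168.56.0/24").values():
        print(line)
```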
[26 Jan 2018 4:20] MySQL Verification Team
Hey Geert,

I agree with you 100% so I verified it but I dropped the severity to S4 (feature request) as I can't agree it's an S3 bug. Valid point in any way, thanks for reporting it.

all best
Bogdan
[21 Jun 2021 20:27] MySQL Verification Team
https://bugs.mysql.com/bug.php?id=104081 marked as duplicate of this one.
[23 Jun 2021 19:40] Romolo de Almeida Alves
At the first occurrence, bug #89404, the last message update was "26 Jan 2018", more than one year ago, 21 MySQL updates later... and this security option (critical in my understanding) remains a request.

Reading the documentation, it appears that THIS IS NOT A NEW FEATURE. The documentation says that subnet notation may be used in place of CIDR. But it doesn't work like that.

So, PLEASE, anyone with access to the online documentation, UPDATE AND IMPROVE THE MYSQL DOCUMENTATION with these details, so other people don't lose "their precious time" debugging this question; and most important of all, consider this when engineering a new environment project.

I'm really disappointed about this.

Many regards,
Romolo.