Bug #89959 | Replication fails when users are created using caching_sha2_password | ||
---|---|---|---|
Submitted: | 8 Mar 2018 10:59 | Modified: | 19 Nov 2018 6:29 |
Reporter: | Giuseppe Maxia (OCA) | Email Updates: | |
Status: | Not a Bug | Impact on me: | |
Category: | MySQL Server: Replication | Severity: | S2 (Serious) |
Version: | 8.0.4 | OS: | Any |
Assigned to: | CPU Architecture: | Any | |
Tags: | auth, replication |
[8 Mar 2018 10:59]
Giuseppe Maxia
[8 Mar 2018 12:52]
MySQL Verification Team
Hello Giuseppe, Thank you for the report and feedback. Observed reported issue but also noted that slave connected when I restarted slave. Thanks, Umesh
[8 Mar 2018 12:53]
MySQL Verification Team
test results
Attachment: 89959_8.0.4.results (application/octet-stream, text), 10.58 KiB.
[8 Mar 2018 13:02]
Giuseppe Maxia
Hi Umesh, Thanks for verifying the issue. In the meantime, I have seen that there is also another method to gain a correct connection, in addition to running a query using the regular client. We can add GET_MASTER_PUBLIC_KEY to the "CHANGE MASTER TO" statement, and the connection succeeds. The manual explains this option (https://dev.mysql.com/doc/refman/8.0/en/change-master-to.html) although it is not clear why the regular connection with another client solves the issue. I'd say that the bug I reported is probably a matter of RTFM (albeit the docs could tell more about the problem, and especially they could mention this issue when announcing the change of default authentication plugin.) However, if the problem can be solved by a connection from a different client, I think there is a different problem, which is the master is trusting a client that should not be trusted.
[8 Mar 2018 13:51]
Giuseppe Maxia
One more thing. The addition of GET_MASTER_PUBLIC_KEY=1 does not solve the issue for group replication, while the previous connection with a regular client does. So, for the time being, I'd like to keep this bug report active, until more testing can be performed.
[9 Mar 2018 6:05]
Harin Vadodaria
Hi Giuseppe, For group replication, in additional to options related to SSL following options are available for configuring RSA public key: 1. --group-replication-recovery-get-public-key 2. --group-replication-recovery-public-key-path Please see: https://dev.mysql.com/doc/refman/8.0/en/group-replication-options.html The reason why regular connection with other client solve the issue is explained here: https://dev.mysql.com/doc/refman/8.0/en/caching-sha2-pluggable-authentication.html#caching... Caching_sha2_password creates an in-memory cache after first successful authentication through secure channel for a given user account. This cache allows fast authentication based on sha256 scramble for subsequent connection. This cache may be cleared(fully or partially) as a part of user management operations.
[9 Mar 2018 8:30]
Rene' Cannao'
If I understand this correctly, does this mean that replication can only perform a "Full Authentication via RSA Key Exchange" and not a "Full Authentication via SSL/TLS" ?
[9 Mar 2018 9:20]
Harin Vadodaria
No, replication can perform full authentication using TLS too.
[16 May 2018 8:59]
MySQL Verification Team
Bug #90883 marked as duplicate of this one
[19 Nov 2018 6:29]
Sujatha Sivakumar
Please refer 'Important' note from documentation link: https://dev.mysql.com/doc/refman/8.0/en/change-master-to.html Important To connect to the replication master using a user account that authenticates with the caching_sha2_password plugin, you must either set up a secure connection as described in Section 17.3.9, “Setting Up Replication to Use Encrypted Connections”, or enable the unencrypted connection to support password exchange using an RSA key pair. The caching_sha2_password authentication plugin is the default for new users created from MySQL 8.0 (for details, see Section 6.5.1.3, “Caching SHA-2 Pluggable Authentication”). If the user account that you create or use for replication (as specified by the MASTER_USER option) uses this authentication plugin, and you are not using a secure connection, you must enable RSA key pair-based password exchange for a successful connection. The above content clearly states that a secure connection is must, for a replication slave user account, to connect to the replication master that authenticates with the caching_sha2_password plugin. In the absence of secure connection, the connection attempt will fail. In the reported bug scenario secure connection was not available hence replication slave failed to connect as expected. Hence closing this report as "Not a bug".
[12 Apr 2019 9:08]
MySQL Verification Team
Bug #94993 marked as duplicate of this one