Bug #90618 [ERROR]Failed to authenticate connection
Submitted: 25 Apr 2018 4:11
Modified: 15 Nov 2019 10:27
Reporter: Young Ju You
Status: Closed
Category: MySQL Server: Connection Handling
Severity: S4 (Feature request)
Version: 5.7.22 Enterprise
OS: Red Hat (7.3)
Assigned to:
CPU Architecture: x86

[25 Apr 2018 4:11] Young Ju You
Description:
mysql-5.7.22 x86_64 Enterprise

mysql error log 

How to repeat:
mysql-5.7.22 x86_64 Enterprise

mysqld.log

[ERROR] Failed to authenticate connection
[ERROR] Failed to authenticate connection
[ERROR] Failed to authenticate connection
[ERROR] Failed to authenticate connection
[ERROR] Failed to authenticate connection
[ERROR] Failed to authenticate connection
[ERROR] Failed to authenticate connection
[25 Apr 2018 18:33] MySQL Verification Team
that error comes from the thread pool plugin
[25 Apr 2018 18:36] MySQL Verification Team
Repeatable for me,  in this example it causes error log to contain the message:

>mysql -uroot -p12345 -h192.168.1.107
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1130 (HY000): Host '192.168.1.107' is not allowed to connect to this MySQL server

The error was overly verbose previously,  see:
https://bugs.mysql.com/bug.php?id=86863

So the question is what should we do with this bug report?
o)  get rid of the error totally?
o)  change the error text to include less/more info?
[26 May 2018 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[28 Jun 2018 15:46] Jagat Jha
Any further progress/update on this bug? I am also having the same issue, it just fills the error log with the below message.

[ERROR] Failed to authenticate connection
[31 Jul 2018 16:38] MySQL Verification Team
For error messages to be useful, they should contain some kind of detail that the humans monitoring the system can act on. 

While I am not saying we need to post the username and password that the failed attempt used (that would violate basic security rules), the error message should generically say *why* this client failed to authenticate. Some possible reasons include:

* invalid packet
* wrong credentials
* net_read_timeout timed out
* net_write_timeout timed out
* client never attempted to send any credentials to authenticate
* the SSL libraries disagreed about how to encrypt the session

Don't force the humans to trace all possible connections and/or guess. Give them a clue which failure path led to this message and what was happening at the time (example: "net_read_timeout waiting for username/password" or "timed out waiting for LDAP plugin to authenticate"). 

Knowing which IP address the connection attempt came from would not reveal any secrets. That can also be part of the message.
[10 Sep 2018 13:24] Loren Sorensen
Is this bug being worked?  I should not have to disable or re-invent my error log watcher/alerting just to accommodate a bogus error message, or worse, disable the enterprise thread pool plugin to keep my error log from filling up with junk.  When can we expect a fix for this?

5.7.23 Enterprise
Ubuntu 18.04.1 LTS
[15 Nov 2019 10:19] MySQL Verification Team
this seems fixed in 5.7.26+ but I don't see it documented?
[15 Nov 2019 10:27] MySQL Verification Team
removed the error messages in 5.7.26 under the change history entry:

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html

The Aborted_connects status variable was not incremented for unsuccessful connection attempts, if connections were managed by the thread_pool plugin. (Bug #28490126)
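
For servers older than 5.7.26 that still write this line, a log watcher can alert on its rate instead of on every occurrence. The following is an added example, not part of the bug report or of MySQL's code; the timestamped sample lines are constructed (using the default UTC timestamp layout of the 5.7 error log), and the function name, window and threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# 5.7 error-log layout: <UTC timestamp> <thread id> [ERROR] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z\s+\d+\s+"
    r"\[ERROR\]\s+Failed to authenticate connection\s*$"
)
EPOCH = datetime(1970, 1, 1)

# Constructed sample input, not taken from the report.
SAMPLE_LOG = """\
2018-04-25T04:11:03.101010Z 0 [ERROR] Failed to authenticate connection
2018-04-25T04:11:04.202020Z 0 [ERROR] Failed to authenticate connection
2018-04-25T04:11:04.909090Z 0 [ERROR] Failed to authenticate connection
2018-04-25T04:11:30.303030Z 0 [ERROR] Failed to authenticate connection
2018-04-25T04:11:59.404040Z 0 [ERROR] Failed to authenticate connection
2018-04-25T04:12:10.505050Z 0 [Note] unrelated line (constructed)
2018-04-25T04:13:01.606060Z 0 [ERROR] Failed to authenticate connection
[ERROR] Failed to authenticate connection
""".splitlines()


def summarize(lines, window_s=60, threshold=5):
    """Collapse the context-free auth-failure lines into per-window counts.

    Returns (counts, alerts). counts maps each window start (datetime, UTC)
    to the number of failures in it; alerts is the sorted list of windows
    whose count reached the threshold. Lines that do not match, including
    ones without a timestamp, cannot be bucketed and are skipped.
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        secs = int((ts - EPOCH).total_seconds())
        counts[EPOCH + timedelta(seconds=secs - secs % window_s)] += 1
    alerts = sorted(w for w, n in counts.items() if n >= threshold)
    return dict(counts), alerts


if __name__ == "__main__":
    per_window, alerting = summarize(SAMPLE_LOG)
    for start in sorted(per_window):
        flag = "ALERT" if start in alerting else "ok"
        print(f"{start.isoformat()}Z failures={per_window[start]} {flag}")
```

From 5.7.26 on, where the message is gone, the same windowing can be applied to deltas of the Aborted_connects status variable.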