Bug #92115 wb_admin_meb_common.py _validate_user_access incorrectly intreprets mysqlbackup
Submitted: 22 Aug 2018 5:17 Modified: 17 Sep 2018 22:17
Reporter: Nate Marler Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Workbench: Administration Severity:S2 (Serious)
Version:8.0.12 Build 13312926 SE (64 bits) Comme OS:Windows
Assigned to: CPU Architecture:Any

[22 Aug 2018 5:17] Nate Marler 
Description:
Workbench's MySQL Enterprise Backup's prerequisites page uses wb_admin_meb_common.py:_validate_user_access for MEB account validation. From comments that appear in the file: the function attempts to work by analyzing the return text from a known-bogus mysqlbackup.exe command that it constructs and calls. The problem is that it incorrectly interprets an "access denied" warning as an error, and based on that, denies account validation. This makes it impossible to get past the MEB prerequisites page, and thus the S2 severity rating

How to repeat:
1. Open Workbench's MEB prerequisites page
2. Satisfy the prerequisites for Path to MEB Executable, and Backup Home Directory
3. Use the provided button to create a new Backup User account and see that it fails with "Access denied for backup account"
4. Confirm in log file that the failure is caused by the _validate_user_access function

Now, confirm the account is in fact valid:

5. Grant the new backup user the Schema Privilege to DROP in the "mysql" schema (I think this is another bug related to step 3 above that I will report next)
6. Reproduce the raw response by opening shell and manually running the command that the _validate_user_access function generated:

shell> mysqlbackup.exe --defaults-file=C:\MySQLBackupHome\.meb_tmp_config --no-history-logging backup

7. Now, remove the --no-history-logging option, and add the --backup-dir option (make sure that the directory it points to exists and is empty):

shell> mysqlbackup.exe --defaults-file=C:\MySQLBackupHome\.meb_tmp_config --backup-dir=C:\MySQLBackupHome\Backups backup

8. See that the backup will succeed, and see that the mysql.backup_progress and mysql.backup_history tables are created and populated - all which demonstrates that the backup user account is in fact valid for backups, and that the _validate_user_access function's interpretation of mysqlbackup's output is incorrect

Workaround:
(a) Step 5 above, grant the user DROP in the mysql schema
(b) Change line 1091 in wb_admin_meb_common.py:_validate_user_access to:

        ret_val = True #False

Suggested fix:
Rewrite _validate_user_access to properly interpret mysqlbackup's warnings as warnings, and not as errors
[22 Aug 2018 6:34] MySQL Verification Team 
Hello Nate Marler,

Thank you for the report and feedback!

regards,
Umesh
[12 Sep 2018 8:27] Miguel Tadeu Mota 
Posted by developer:
 
commit id: 5ef4886ff2706bb74d058cb8c2ec789f37130439

Updated the grants necessary to operate MEB.
[17 Sep 2018 22:17] Christine Cole 
Posted by developer:
 
Fixed as of the upcoming MySQL Workbench 8.0.13 release, and here's the changelog entry:

Insufficient privilege was granted during the attempt to create a new
MySQL Enterprise Backup user account. Although valid prerequisite backup
information was provided, the validation script returned the following
error message: Access denied for backup account.

Thank you for the bug report.
[7 Mar 2019 1:44] Rob Risetto 
Hi,

I'm getting the same error message using Workbench 8.0.15. 
Is there a bug fix coming for for 8.0.15?