
[TLS] Use TiProxy with require issuer #464

@uringover

Bug Report

1. Minimal reproduce step (Required)

Get a TiDB cluster V6.5.1
CREATE USER that require issuer to connect
Get TiProxy latest
Get mysql client

Try to connect with user without SSL to TiProxy : OK
Try to connect with user_withSSL to TiProxy : NOK
Try to connect user_withSSL to TiDB:4000 : OK

MySQL [(none)]> show create user user_withSSL;
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for user_withSSL@%                                                                                                                                                                                                                                   |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'user_withSSL'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*pwd' REQUIRE ISSUER '/CN=MyCN' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

TiProxy configuration:

# workdir = "./work"
[proxy]
	graceful-close-conn-timeout = 15
	pd-addrs = "ip_pd1:2379,ip_pd2:2379,ip_pd3:2379"

[log]
	level = "debug"

[security]
	min-tls-version = "1.2" # specify minimum TLS version

ssl-verify-server-cert = true
	[security.cluster-tls]
	# access to other components like TiDB or PD, will use this
		ca = "/SSL/tidb-tiproxy_test/ca.crt"
		cert = "/SSL/tidb-tiproxy_test/tiproxy.crt"
		key = "/SSL/tidb-tiproxy_test/tiproxy.key"
	[security.sql-tls]
	# access to TiDB SQL(4000) port will use this
		ssl-verify-server-cert = true
		ca = "/SSL/tidb-tiproxy_test/ca.crt"
		cert = "/SSL/tidb-tiproxy_test/client.crt"
		key = "/SSL/tidb-tiproxy_test/client.key"

TiDB server config:

enable-telemetry = false
token-limit = 10000
[prepared-plan-cache]
enabled = true
[security]
auto-tls = true
cluster-ssl-ca = "/SSD/tls/ca.crt"
cluster-ssl-cert = "/SSD/tls/tidb.crt"
cluster-ssl-key = "/SSD/tls/tidb.pem"
ssl-ca = "/SSL/client/CA-cert.pem"
ssl-cert = "/SSL/client/Server-cert.pem"
ssl-key = "/SSL/client/Server-key.pem"
session-token-signing-cert="/SSL/tiproxy/tiproxy.crt"
session-token-signing-key="/SSL/tiproxy/tiproxy.key"
graceful-wait-before-shutdown=15
[tikv-client]
grpc-connection-count = 20

2. What did you expect to see? (Required)

When I try to connect with my user that requires issuer, I want to be connected successfully

3. What did you see instead (Required)

Connection is refused
Error from TiProxy logs:

[2024/01/31 16:41:20.564 +01:00] [DEBUG] [main.proxy.conn.be.authenticator] [backend/authenticator.go:198] [backend does not support capabilities from proxy] [connID=2] [client_addr=127.0.0.1:37772] [addr=0.0.0.0:6000] [common=CLIENT_LONG_PASSWORD|CLIENT_FOUND_ROWS|CLIENT_LONG_FLAG|CLIENT_CONNECT_WITH_DB|CLIENT_LOCAL_FILES|CLIENT_PROTOCOL_41|CLIENT_INTERACTIVE|CLIENT_TRANSACTIONS|CLIENT_SECURE_CONNECTION|CLIENT_MULTI_STATEMENTS|CLIENT_MULTI_RESULTS|CLIENT_PLUGIN_AUTH|CLIENT_CONNECT_ATTS|CLIENT_DEPRECATE_EOF] [proxy=CLIENT_COMPRESS|CLIENT_ODBC|CLIENT_RESERVED|CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA|CLIENT_ZSTD_COMPRESSION_ALGORITHM] [backend=CLIENT_SSL]

Error from TiDB logs:

[2024/01/31 16:44:07.202 +01:00] [ERROR] [privileges.go:540] ["global priv check ssl fail"] [authUser=user_withSSL [authHost=x.x.x.x]
[2024/01/31 16:44:07.202 +01:00] [WARN] [conn.go:687] ["open new session or authentication failure"] [conn=1303266525565682207] [error="[privilege:1045]Access denied for user 'user_withSSL'@'x.x.x.x' (using password: YES)"]
[2024/01/31 16:44:07.202 +01:00] [WARN] [server.go:644] ["Server.onConn handshake"] [conn=1303266525565682207] [error="[privilege:1045]Access denied for user 'user_withSSL'@'x.x.x.x' (using password: YES)"] ["remote addr"=x.x.x.x:43778]

4. What is your version? (Required)

TiProxy : 0.2.0
TiDB cluster : V6.5.1
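Added example (editorial, not code from the issue author, TiProxy or TiDB): the TiDB log line "global priv check ssl fail" is the REQUIRE ISSUER check rejecting the client certificate the backend received on its TLS handshake. The program below models that check with throw-away certificates built in memory: one client certificate issued by a CA named MyCN (matching the account's `REQUIRE ISSUER '/CN=MyCN'`), and one issued by a different, hypothetical "ClusterCA" standing in for the proxy's own `[security.sql-tls]` client certificate from the posted config. The `IssuerOnline` formatting (attribute order C, ST, L, O, OU, CN), the helper names, and the CA names are assumptions made for the illustration; only the required issuer string comes from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IssuerOnline renders an X.509 name in the "/C=.../CN=..." form that
// MySQL-compatible servers compare against REQUIRE ISSUER (the issue shows
// "/CN=MyCN"). Assumption: attribute order C, ST, L, O, OU, CN; this is an
// illustration of the comparison, not TiDB's own formatting routine.
func IssuerOnline(n pkix.Name) string {
	var b strings.Builder
	attrs := []struct {
		key  string
		vals []string
	}{{"C", n.Country}, {"ST", n.Province}, {"L", n.Locality}, {"O", n.Organization}, {"OU", n.OrganizationalUnit}}
	for _, a := range attrs {
		for _, v := range a.vals {
			b.WriteString("/" + a.key + "=" + v)
		}
	}
	if n.CommonName != "" {
		b.WriteString("/CN=" + n.CommonName)
	}
	return b.String()
}

// CheckRequireIssuer models the server-side check: the issuer DN of the client
// certificate actually received on the handshake must equal the REQUIRE ISSUER
// string exactly. No client certificate at all is also a failure.
func CheckRequireIssuer(cert *x509.Certificate, required string) bool {
	if cert == nil {
		return false
	}
	return IssuerOnline(cert.Issuer) == required
}

func check(err error) {
	if err != nil {
		panic(err) // test-data construction only; never reached on success
	}
}

// mint creates an in-memory certificate (constructed test data). With
// parent == nil it is a self-signed CA; otherwise a client-auth leaf signed by parent.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer := key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Outcome records what the backend decides for each certificate it might receive.
type Outcome struct {
	UserIssuer, ProxyIssuer string
	UserPasses, ProxyPasses bool
}

// Scenario: the end user's certificate is issued by MyCN, while the proxy's own
// backend client certificate is issued by a hypothetical "ClusterCA". Whichever
// one the backend receives on its TLS handshake decides the REQUIRE ISSUER result.
func Scenario() Outcome {
	const required = "/CN=MyCN" // from the CREATE USER statement in the issue
	userCA, userCAKey := mint("MyCN", nil, nil)
	userCert, _ := mint("user_withSSL", userCA, userCAKey)
	clusterCA, clusterCAKey := mint("ClusterCA", nil, nil)
	proxyCert, _ := mint("tiproxy", clusterCA, clusterCAKey)
	return Outcome{
		UserIssuer:  IssuerOnline(userCert.Issuer),
		ProxyIssuer: IssuerOnline(proxyCert.Issuer),
		UserPasses:  CheckRequireIssuer(userCert, required),
		ProxyPasses: CheckRequireIssuer(proxyCert, required),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("client cert issuer %q passes: %v\n", o.UserIssuer, o.UserPasses)
	fmt.Printf("proxy cert issuer  %q passes: %v\n", o.ProxyIssuer, o.ProxyPasses)
}
```

The point for diagnosis: the check is applied to whatever certificate terminates at TiDB. When a TLS-terminating proxy reconnects to port 4000 with its own client certificate, the issuer TiDB compares is that certificate's issuer, so a user-level `REQUIRE ISSUER` can only pass if the proxy forwards or reproduces the end user's certificate identity; inspecting the issuer of the certificate configured under `[security.sql-tls]` against the `REQUIRE ISSUER` string is the first thing to verify.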
