Closed prateeksahu closed 4 days ago
Subsequent use of RBAC rules as given in examples:
filter_chains:
- filters:
- name: envoy.filters.network.mysql_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.mysql_proxy.v3.MySQLProxy
stat_prefix: sql_proxy
- name: envoy.filters.network.rbac
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
stat_prefix: rbac
rules:
action: DENY
policies:
"product-viewer":
permissions:
- metadata:
filter: envoy.filters.network.mysql_proxy
path:
- key: users.mydatabase
value:
list_match:
one_of:
string_match:
exact: select
principals:
- any: true
- name: envoy.filters.network.tcp_proxy
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
stat_prefix: tcp_proxy
cluster: service_envoyproxy_io
does not block the queries as intended: Trace logs:
[2024-10-16 12:36:52.956][33976][trace][filter] [contrib/mysql_proxy/filters/network/source/mysql_decoder_impl.cc:169] mysql_proxy: decoding 37 bytes
[2024-10-16 12:36:52.956][33976][trace][filter] [contrib/mysql_proxy/filters/network/source/mysql_utils.cc:215] mysql_proxy: MYSQL-hdrseq 0, len 33
[2024-10-16 12:36:52.956][33976][trace][filter] [contrib/mysql_proxy/filters/network/source/mysql_decoder_impl.cc:182] mysql_proxy: seq 0, len 33
[2024-10-16 12:36:52.956][33976][trace][filter] [contrib/mysql_proxy/filters/network/source/mysql_decoder_impl.cc:15] mysql_proxy: parsing message, seq 0, len 33
[2024-10-16 12:36:52.956][33976][trace][filter] [contrib/mysql_proxy/filters/network/source/mysql_filter.cc:119] [Tags: "ConnectionId":"0"] mysql_proxy: query processed select * FROM mydatabase.users, result false, cmd type 3
[2024-10-16 12:36:52.956][33976][trace][filter] [contrib/mysql_proxy/filters/network/source/mysql_decoder_impl.cc:165] mysql_proxy: msg parsed, session in state 9
[2024-10-16 12:36:52.956][33976][trace][filter] [contrib/mysql_proxy/filters/network/source/mysql_decoder_impl.cc:212] mysql_proxy: 0 bytes remaining in buffer
[2024-10-16 12:36:52.956][33976][debug][rbac] [source/extensions/filters/network/rbac/rbac_filter.cc:90] checking connection: requestedServerName: , sourceIP: 127.0.0.1:46846, directRemoteIP: 127.0.0.1:46846,remoteIP: 127.0.0.1:46846, lo
calAddress: 127.0.0.1:10000, ssl: none, dynamicMetadata: filter_metadata {
key: "envoy.filters.network.mysql_proxy"
value {
}
}
[2024-10-16 12:36:52.956][33976][trace][filter] [source/common/tcp_proxy/tcp_proxy.cc:754] [Tags: "ConnectionId":"0"] downstream connection received 37 bytes, end_stream=false, has upstream true
[2024-10-16 12:36:52.956][33976][trace][connection] [source/common/network/connection_impl.cc:529] [Tags: "ConnectionId":"1"] writing 37 bytes, end_stream false
[2024-10-16 12:36:52.956][33976][trace][connection] [source/common/network/connection_impl.cc:614] [Tags: "ConnectionId":"1"] socket event: 2
I think that this because of the library which is used to parse SQL queries. The same problem has been observed in postgres filter. There is a proposal to use postgres library to parse SQL queries (it should also work for mysql), but requires some work and testing.
Thank you for the comment -- it saved me time since I was about to try my luck with postgres.
Are there any fixes apart from manual rebuild with the postgres library?
Also are you referring to include/sqlparser/SQLParser.h
library in SQLUtils?
Also, @cpakulski , looking at past few issues around this, it seems that simple statements should still be able to pass the filter. Can you explain if "select * from table;" is already too complex or if there might be some config issue for me here? If it is, please help me with a simple query that would work with the existing parser. I am doing some benchmarking and do not necessarily need to run complex queries.
Are there any fixes apart from manual rebuild with the postgres library? Also are you referring to include/sqlparser/SQLParser.h library in SQLUtils?
It is not a matter of simple manual rebuild. The potential parser must tokenize query and metadata must be extracted from that query. The potential new parser must be modified a bit to create Envoy-compatible metadata.
Can you explain if "select * from table;" is already too complex or if there might be some config issue for me here?
Simple queries work. I remember that long time ago I used RBAC and simple queries like select, update, insert and was able to create metadata and feed it to rbac filter.
Simple queries work. I remember that long time ago I used RBAC and simple queries like select, update, insert and was able to create metadata and feed it to rbac filter.
@cpakulski Thanks! In the above example I am trying simple select queries but was seeing parser errors still.
After a lot of attempts, I switched from using mysql
cli client to a python script to talk to the server and somehow those queries do get parsed fine. I think it might be that the mysql
client sends the query in a way that the current parser isn't able to parse it well.
However, the RBAC policy still doesnt work right: the emiited metadata is
[2024-10-17 17:36:25.302][164803][debug][rbac] [source/extensions/filters/network/rbac/rbac_filter.cc:90] checking connection: requestedServerName: , sourceIP: 127.0.0.1:43598, directRemoteIP: 127.0.0.1:43598,remoteIP: 127.0.0.1:43598,
localAddress: 127.0.0.1:10000, ssl: none, dynamicMetadata: filter_metadata {
key: "envoy.filters.network.mysql_proxy"
value {
fields {
key: "users.mydatabase"
value {
list_value {
values {
string_value: "select"
}
}
}
}
}
}
and my configured RBAC is:
- name: envoy.filters.network.rbac
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
stat_prefix: rbac
rules:
action: DENY
policies:
"product-viewer":
permissions:
- metadata:
filter: envoy.filters.network.mysql_proxy
path:
- key: users.mydatabase
value:
list_match:
one_of:
string_match:
exact: select
principals:
- any: true
Could you please help if I am configuring my RBAC incorrectly in any way?
nevermind, I realized I had not enforced the RBAC with enforcement_type: CONTINUOUS
tag.
Thanks for the discussion, closing this -- Feel free to open it if you'd like to use it as tracker for the better parser.
I think it might be that the mysql client sends the query in a way that the current parser isn't able to parse it well.
It is also possible that mysql client by default sends encrypted traffic and mysql filter is not able to decode it.
It is also possible that mysql client by default sends encrypted traffic and mysql filter is not able to decode it.
Yeah, I did turn off TLS/SSL on both server and client, but yes, it might be mangling the query somehow.
Title: SQLProxy filter query parsing returns a false even after seemingly correctly parsing a query
Description: A simple envoy with SQLProxy filter does return SQL responses properly but stats show that the Query parser parsed with errors. Subsequently, no dynamic metadata seem to populate for further filters.
The SQLProxy should parse the query properly and emit relevent dynamic metadata.
Repro steps: Using latest(1.32) contrib binary from : https://github.com/envoyproxy/envoy/releases/download/v1.32.0/envoy-contrib-1.32.0-linux-x86_64 simple mysql docker setup: mysql.yaml
sample db_init/init.sql script:
envoy config yaml (picked from https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/mysql_proxy_filter)
start sql server:
docker compose -f mysql.yaml up -d
run envoy proxy:./envoy-contrib-1.32.0-linux-x86_64 -c envoy.yaml --log-level trace
connect to sql using mysql client:mysql -h 127.0.0.1 -P 10000 -u root -prootpassword --ssl-mode=DISABLED -e "select * FROM mydatabase.users;"
Logs: Admin stats: mysql.sql_proxy.auth_switch_request: 2 mysql.sql_proxy.decoder_errors: 0 mysql.sql_proxy.login_attempts: 2 mysql.sql_proxy.login_failures: 0 mysql.sql_proxy.protocol_errors: 0 mysql.sql_proxy.queries_parse_error: 4 mysql.sql_proxy.queries_parsed: 0 mysql.sql_proxy.sessions: 2 mysql.sql_proxy.upgraded_to_ssl: 0
Trace logs: