petoju / terraform-provider-mysql

Terraform MySQL provider – unofficial fork
https://registry.terraform.io/providers/petoju/mysql
Mozilla Public License 2.0

Provider ignores Authentication Plugin variable #75

Closed irtiza-baig-unmind closed 2 months ago

irtiza-baig-unmind commented 1 year ago

Hi there,

I am trying to use cleartext auth to log in to our MySQL database in AWS using IAM authentication, but it seems the provider does not allow cleartext authentication despite it being an acceptable input.

Terraform Version

Terraform v1.0.11 Provider version: 3.0.33

Affected Resource(s)


Terraform Configuration Files

provider "mysql" {
  endpoint              = jsondecode(data.aws_secretsmanager_secret_version.this.secret_string)["host"]
  username              = "REDACTED"
  authentication_plugin = "cleartext"
  tls                   = true
  # Tried both with password hardcoded or saved as MYSQL_PASSWORD. Same error
}

Debug Output

REDACTED

Expected Behavior

Provider creates the resources

Actual Behavior

2023-04-04T14:30:10.594+0100 [DEBUG] provider.terraform-provider-mysql_v3.0.33: [mysql] 2023/04/04 14:30:10 connector.go:95: could not use requested auth plugin 'mysql_native_password': this user requires mysql native password authentication.

Steps to Reproduce


  1. terraform apply

Important Factoids

Verified that the user does not need native password authentication. The single mysql.user row for this user (one column per line; columns with empty values are shown blank):

Host: %
User: REDACTED
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: Y
References_priv: N
Index_priv: N
Alter_priv: Y
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: AWSAuthenticationPlugin
authentication_string: RDS
password_expired: N
password_last_changed:
password_lifetime:
account_locked: N
Load_from_S3_priv: N
Select_into_S3_priv: N
Invoke_lambda_priv: N
Invoke_sagemaker_priv: N
Invoke_comprehend_priv: N

petoju commented 1 year ago

I redacted the gist URL - please remove the gist from your account as well, as it contained a password and other details.

Try selecting all user rows from mysql.user like this:

SELECT * FROM mysql.user WHERE user='REDACTED';

-> This should show whether there is another auth row.

Why? I believe this issue means the server returned that native password authentication has to be used. There could be more users with different hosts while you are looking at the incorrect one.

irtiza-baig-unmind commented 1 year ago

Hiya,

This produces the same thing as above. No other rows are returned.

Host: %
User: REDACTED
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: Y
References_priv: N
Index_priv: N
Alter_priv: Y
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin: AWSAuthenticationPlugin
authentication_string: RDS
password_expired: N
password_last_changed:
password_lifetime:
account_locked: N
Load_from_S3_priv: N
Select_into_S3_priv: N
Invoke_lambda_priv: N
Invoke_sagemaker_priv: N
Invoke_comprehend_priv: N

petoju commented 1 year ago

This comes from the Go MySQL library, which gets it from the packet, so I'm not completely convinced we can easily do anything about that.

Maybe try writing a small Go program using https://github.com/go-sql-driver/mysql that connects there. Once we have it, we would know what doesn't work and what works. Without that, it's difficult.

irtiza-baig-unmind commented 1 year ago

I wrote a quick go app and am getting some incredibly strange behaviour: https://gist.github.com/irtiza-baig-unmind/256328a07d25f955025ae6f37b1ab09c

As soon as I append: &allowNativePasswords=false to the constructed DSN string we see the same error we're getting in the provider.

petoju commented 1 year ago

@irtiza-baig-unmind if I understand correctly, this clearly shows you need native password authentication, not plaintext. Even in your terraform.

irtiza-baig-unmind commented 1 year ago

I do not agree, because when I run the provider with authentication_plugin=native, or without including it at all, I get the error:

Error: failed to connect to MySQL: could not connect to server: this user requires clear text authentication. If you still want to use it, please add 'allowCleartextPasswords=1' to your DSN

Running my go app with:

    // go-sql-driver/mysql config; the DSN is built with c.FormatDSN() and passed to sql.Open("mysql", ...)
    c := mysql.Config{
        User:                    "terraformci",
        Passwd:                  "TOKEN", // the IAM auth token is sent as the password
        Net:                     "tcp",
        Addr:                    "CONNECTION_URL:3306",
        TLSConfig:               "true", // same as tls=true in the DSN; needed because the token is sent in cleartext
        AllowCleartextPasswords: true,   // same as allowCleartextPasswords=true in the DSN
        AllowNativePasswords:    true,   // same as allowNativePasswords=true in the DSN (the DSN default)
    }

Works. This seems to match up with what this user was trying to say in this issue: https://github.com/hashicorp/terraform-provider-mysql/issues/89
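The two errors seen in this thread come from the same negotiation: the client must be willing to answer the plugin the server advertises in the handshake, and then the plugin the server switches to afterwards. The following is an added example, not code from this provider or from go-sql-driver/mysql, that models that gating offline with the standard library only. Its `Config` names mirror the two driver options discussed above; the `RDSIAMServer` behaviour (handshake advertises `mysql_native_password`, then an auth switch to `mysql_clear_password`) is an assumption made to be consistent with the reported log lines, and the refusal to send a cleartext password without TLS is a guard this model adds, not driver behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config mirrors the two go-sql-driver/mysql options discussed in the thread
// plus the tls setting. This is a model for illustration, not the driver.
type Config struct {
	AllowNativePasswords    bool
	AllowCleartextPasswords bool
	TLS                     bool
}

var (
	ErrNativePassword    = errors.New("this user requires mysql native password authentication")
	ErrCleartextPassword = errors.New("this user requires clear text authentication. If you still want to use it, please add 'allowCleartextPasswords=1' to your DSN")
	// Assumption: a guard added by this model. The real driver does not enforce it,
	// but an IAM token sent with mysql_clear_password is only safe over TLS.
	ErrCleartextNoTLS = errors.New("refusing to send a cleartext password over a non-TLS connection")
)

// authResponse reports whether this client is willing to answer the named plugin.
func (c Config) authResponse(plugin string) error {
	switch plugin {
	case "mysql_native_password":
		if !c.AllowNativePasswords {
			return ErrNativePassword
		}
	case "mysql_clear_password":
		if !c.AllowCleartextPasswords {
			return ErrCleartextPassword
		}
		if !c.TLS {
			return ErrCleartextNoTLS
		}
	default:
		return fmt.Errorf("unknown auth plugin %q", plugin)
	}
	return nil
}

// Server is the server side of the exchange: the plugin advertised in the
// initial handshake and the plugin it switches to afterwards ("" = no switch).
type Server struct {
	HandshakePlugin string
	SwitchTo        string
}

// Negotiate plays the exchange and returns the transcript, the plugin that
// finally authenticated, and the error a client would see.
func Negotiate(c Config, s Server) ([]string, string, error) {
	var transcript []string
	plugin := s.HandshakePlugin
	transcript = append(transcript, "S: handshake, default plugin "+plugin)
	if err := c.authResponse(plugin); err != nil {
		transcript = append(transcript, "C: could not use requested auth plugin '"+plugin+"': "+err.Error())
		// Fallback modelled on the driver log in the report: retry with native password.
		plugin = "mysql_native_password"
		if err := c.authResponse(plugin); err != nil {
			return transcript, "", err
		}
	}
	transcript = append(transcript, "C: handshake response for "+plugin)
	if s.SwitchTo != "" {
		transcript = append(transcript, "S: auth switch request -> "+s.SwitchTo)
		plugin = s.SwitchTo
		if err := c.authResponse(plugin); err != nil {
			return transcript, "", err
		}
		transcript = append(transcript, "C: auth switch response for "+plugin)
	}
	transcript = append(transcript, "S: OK")
	return transcript, plugin, nil
}

// RDSIAMServer is an assumption consistent with the errors in this thread:
// native password advertised first, then a switch to cleartext for the IAM token.
var RDSIAMServer = Server{HandshakePlugin: "mysql_native_password", SwitchTo: "mysql_clear_password"}

func main() {
	cases := []Config{
		{AllowNativePasswords: false, AllowCleartextPasswords: true, TLS: true}, // provider with authentication_plugin = "cleartext"
		{AllowNativePasswords: true, AllowCleartextPasswords: false, TLS: true}, // provider with "native" or the option omitted
		{AllowNativePasswords: true, AllowCleartextPasswords: true, TLS: true},  // the Go program that worked
	}
	for _, c := range cases {
		transcript, plugin, err := Negotiate(c, RDSIAMServer)
		fmt.Printf("%+v\n  %s\n  result: plugin=%q err=%v\n", c, strings.Join(transcript, "\n  "), plugin, err)
	}
}
```

Run with `go run`. The first case reproduces the `could not use requested auth plugin 'mysql_native_password'` line from the debug output, the second the `requires clear text authentication` error from the last comment, and only the third, with both flags enabled, finishes on `mysql_clear_password`.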