MySQL DB managed accounts require wildcard access

Hello,

I am seeking clarification regarding the requirements for managed accounts in MySQL DB assets. Specifically, I am encountering an issue when attempting to reset the password for a MySQL account that is restricted to (Localhost) access.

When I initiate a password change for an account that only has (Localhost) access, I receive the following error message:

"Searching for unrestricted MySQL user account 'user'@'%' - Account Not Found"

This leads me to question whether managed accounts for MySQL DB assets require wildcard (%) access to function correctly. Does the password reset functionality depend on having an account with unrestricted access (i.e., 'user'@'%')?

Any insights, recommendations, or best practices regarding this would be greatly appreciated.

Thank you in advance for your assistance.

  • Hi,

    Safeguard supports restricted MySQL accounts as well as unrestricted accounts. By default, MySQL accounts can log in to the MySQL server from any source. An account can also be restricted to a specific host, or range of IP addresses.

    If the account name contains the character '@', the string following the '@' character describes the permitted source. The '%' character can be used as a wildcard. Examples:

    john : Permit John to log in from any host (default)

    John@%: Permit John to log in from any host

    John@10.1.%: Permit John to log in from any IP address in 10.1.xx

    To allow Safeguard to manage the account, a restriction must include the IP address of the Safeguard appliances since SPP performs a check password by logging in as the account and this can be a Check Password task from any SPP node in a cluster.

    Thanks!

  • Hi Tawfiq,

    The account already has permission to log in from the SPP host; it has John@SPP1.xx.com permission.

    However, when trying to change its password from PAM, I noticed in the log file that it searches for John@% instead, and gives a change password failure.

  • Some of the logs are missing in the screenshot ending with 353.png.

    Does it make a difference if using SPP IP address in the MySQL permissions instead of SPP hostnames?

    Also make sure the Connection Timeout in the Connection tab is increased from the default 20 seconds, in case it's timing out before it can verify further.

    Thanks!

  • Hello Tawfiq,

    I have tried with the IP instead and extended the timeout, but unfortunately it has no effect either.

    Logs:

    Queuing task.
    Starting task.
    Connecting with asset sa_com_majd_alqaser (172.26.2.42).
    Successfully enabled SSL for connection.
    Looking up user information for oneid_manager.
    Searching for unrestricted MySql user account 'oneid_manager'@'%'
    Account oneid_manager not found, or is suspended.
    Password for account oneid_manager has not been changed.
    Saving task results.
    Task completed with failure.

    2024-07-24T11:10:56+03:00 Information Platform framework version 7.5.0.2226
    2024-07-24T11:10:56+03:00 Information Initializing ChangePassword platform task 4086ab45-4994-11ef-985e-1a3b6ccd0151
    2024-07-24T11:10:56+03:00 Debug ############### Operation Parameters ################
    2024-07-24T11:10:56+03:00 Debug Timeout                        60
    2024-07-24T11:10:56+03:00 Debug AssetName                      sa_com_majd_alqaser
    2024-07-24T11:10:56+03:00 Debug Address                        172.26.2.42
    2024-07-24T11:10:56+03:00 Debug Port                           3306
    2024-07-24T11:10:56+03:00 Debug FuncUserName                   pam_service_account
    2024-07-24T11:10:56+03:00 Debug FuncPassword                   **secret**
    2024-07-24T11:10:56+03:00 Debug UseSsl                         False
    2024-07-24T11:10:56+03:00 Debug AccountUserName                oneid_manager
    2024-07-24T11:10:56+03:00 Debug NewPassword                    **secret**
    2024-07-24T11:10:56+03:00 Debug Connecting as DRIVER=MySQL ODBC 8.0 Unicode Driver;SERVER=172.26.2.42;PORT=3306;EncryptPassword=yes;Option=3;GET_SERVER_PUBLIC_KEY=1;Uid=pam_service_account;Pwd=***;
    2024-07-24T11:10:56+03:00 Debug Query description: SslInUseQuery
    2024-07-24T11:10:56+03:00 Debug query string:show session status like 'ssl_version'
    2024-07-24T11:10:56+03:00 Debug Query result: Executed
    2024-07-24T11:10:56+03:00 Debug Query description: MaxNameLenQuery
    2024-07-24T11:10:56+03:00 Debug query string:select character_maximum_length from information_schema.columns where table_schema = 'mysql' and table_name = 'user' and column_name = 'user'
    2024-07-24T11:10:56+03:00 Debug Query result: Executed
    2024-07-24T11:10:56+03:00 Error Retrieved max username len:32
    2024-07-24T11:10:56+03:00 Debug Query description: UserExistsQuery
    2024-07-24T11:10:56+03:00 Debug query string:select count(user) from mysql.user where user = ? and host = ?
    2024-07-24T11:10:56+03:00 Debug param0: (VarChar): oneid_manager  (len:32)
    2024-07-24T11:10:56+03:00 Debug param1: (VarChar): %  (len:0)
    2024-07-24T11:10:56+03:00 Debug Query result: Executed

    Account configured for localhost and PAM IP access as below:

    [Screenshot 2024-07-24 111724]

  • Thanks for the update.

    There should be more logs under this line that are missing from the reply above:
    ----

    2024-07-24T11:10:56+03:00 Debug Query result: Executed

    .........

    ----

    Does it work fine if you edit the permission to use 10.29.3.%?

    Are you using an SPP cluster where there are 3 nodes? Since you will need to allow access from any SPP node in the cluster because the Change Password could be done by any SPP node, you may have to use the IP range with a wildcard anyways, right?

    Thanks!
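As an added illustration of the host-restriction behaviour described in the first reply and the subnet-wildcard suggestion in the last one (example SQL, not from the thread or from Safeguard), the statements below reproduce the lookup shown in the log against a constructed account set. The account name oneid_manager and the SPP node addresses in 10.29.3.0/24 are taken from the thread; the specific node address 10.29.3.11 and the passwords are assumed placeholders.

```sql
-- Constructed starting point: the account exists only for localhost and a single
-- SPP node address (placeholder 10.29.3.11). Each user@host pair is a separate
-- MySQL account with its own password.
CREATE USER 'oneid_manager'@'localhost'  IDENTIFIED BY 'placeholder-initial';
CREATE USER 'oneid_manager'@'10.29.3.11' IDENTIFIED BY 'placeholder-initial';

-- The UserExistsQuery from the log, with the parameters it used (user and host='%').
-- For the set above this returns 0, which is the "Account not found" result.
SELECT COUNT(user) FROM mysql.user
 WHERE user = 'oneid_manager' AND host = '%';

-- Defender's check: list every host entry that actually exists for the account,
-- so you know which rows a password change would and would not touch.
SELECT user, host FROM mysql.user
 WHERE user = 'oneid_manager'
 ORDER BY host;

-- Cover all nodes of the SPP cluster with one subnet wildcard instead of opening
-- the account to every source with '%'. This is the restriction the last reply
-- proposes; it remains a separate account row from the two created above.
CREATE USER 'oneid_manager'@'10.29.3.%' IDENTIFIED BY 'placeholder-initial';

-- Rotating the password of one row leaves the others unchanged; rotate each row
-- that should share the new secret, or drop rows that are no longer needed.
ALTER USER 'oneid_manager'@'10.29.3.%'  IDENTIFIED BY 'placeholder-new';
ALTER USER 'oneid_manager'@'localhost'  IDENTIFIED BY 'placeholder-new';
DROP USER  'oneid_manager'@'10.29.3.11';

-- From a session opened by the managed account, CURRENT_USER() shows which
-- user@host row the server matched, which is what the check-password login sees.
SELECT CURRENT_USER();
```

Run the existence query with host = '10.29.3.%' to confirm the row the management tool needs is present before retrying the password change.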
