MySQL Forums

Re: Permission oddity/issue Mysql 8
Posted by: Jordan Brown
Date: July 12, 2023 06:51PM

@Harin:

Seems like you've at least been around here in these Forums for a while and may be working with MySQL/Oracle directly or have some relationship there, but if you're able to escalate the investigation and fix for this bug with the MySQL/Oracle folks, that would be great! Maybe at minimum comment in that bug report that I submitted (bug link sent in previous post).

Some more background on how this issue was found/came about:

This issue was originally found during our migration from AWS Aurora MySQL 2.x (MySQL 5.7.x) to AWS Aurora MySQL 3.x (MySQL 8.x). Amazon Aurora in 3.x (MySQL 8) moved their related AWS access grants that previously in Aurora MySQL 2.x were granted directly on the db user (where applicable) to DB roles, so those same permissions are now granted to db users via db roles. Immediately after we upgraded, since AWS Aurora uses db roles, this issue showed up, as we have several db users that needed access to other related AWS services like S3 through Aurora. Our existing permissions set directly on the db users (similar to what was posted here showing the bug) broke when a db role was added (it could be any arbitrary db role, even one without any additional permissions, but here it was the AWS db roles automatically applied to the db user post migration to give them the BAU access to the AWS services like S3 they already had access to). I'm sure the impact of this bug is larger due to Amazon Aurora's current use of db roles for their permissioning.

I have been working with AWS support in parallel. I also spun up a straight MySQL 8.x RDS db and was able to replicate this same issue on straight MySQL 8.x. That's when I posted this forum message, as it was a MySQL issue. AWS support said to submit the same thing myself as a bug report through MySQL/Oracle, and after you commented, I did the same since it's not expected behavior of MySQL 8 and should not be causing the issue. So far, the AWS Aurora MySQL internal team, understandably, has been unwilling to escalate / comment on the bug with their contacts in MySQL (which I'm sure they have and I'm sure could help from a grassroots campaign level). I am working the angle over there that they should want to, since their use of DB roles for related AWS access for Aurora causes greater chances of this issue showing up for their customers post migration to Aurora MySQL 3.x (MySQL 8.x). Let's see where it goes and if they're willing to help push!

But yeah, your help here would be appreciated, if you're able. It's either we wait as long as we can and hope this bug gets fixed soon, or what most likely will happen is we'll have to tweak our permission policy, as we'd really like to move to a more role-based strategy, but with this bug currently it will make that transition more difficult. So yeah, it would be great to get this fixed in a timely manner. We can hold off on our permission strategy changes for a bit as we have some short workarounds, but they're definitely not ideal.

Thanks for your time!
