Skip to content

Bug Report: Unmanaged VTTablet config verification does not check credentials server for passwords #17476

New issue
New issue
Open
Open
Bug Report: Unmanaged VTTablet config verification does not check credentials server for passwords#17476
Labels
Component: Authn/zAuthentication / Authorization / CertificatesType: Bug
@taneja-tj

Description

@taneja-tj
taneja-tj
opened on Jan 8, 2025

Overview of the Issue

When trying to run a tablet in unmanaged mode, there is a bug in the config verification code where it doesn't check the credentials server for passwords and erroneously returns the following error -
invalid config: database app user password not specified

I am trying to deploy an unmanaged tablet to connect to an external DB while putting the passwords in a file and facing this issue, which stops the tablet from starting

I have identified the cause for this issue and created a working patch for the same
In go/vt/vttablet/tabletserver/tabletenv/config.go in the verifyUnmanagedTabletConfig function, we have the following snippet

if c.DB.App.Password == "" {
    return errors.New("database app user password not specified")
}

This DB field is pulled from the global DBConfig, which has the following UserConfigs here

App          UserConfig `json:"app,omitempty"`
Dba          UserConfig `json:"dba,omitempty"`
Filtered     UserConfig `json:"filtered,omitempty"`
Repl         UserConfig `json:"repl,omitempty"`
Appdebug     UserConfig `json:"appdebug,omitempty"`
Allprivs     UserConfig `json:"allprivs,omitempty"`

These configs are only populated using flags, registered here

This flow completely ignores the Credentials server which is hooked into the connection process inside the connector class by calling the withCredentials function, causing this issue

Reproduction Steps

Start VTTablet with the following flags -

vttablet  
    --unmanaged
    --db_app_user example_user
    --db_repl_user example_user
    ... (other user flags, but no passwords)
    --db-credentials-server file
    --db-credentials-file /path/to/file/secrets.json 
    <other necessary flags...>

Format the /path/to/file/secrets.json as expected by the creds server -

{
  "example_user": ["password-string-here"],
}

With these conditions, the tablet should pull passwords from the file and start up, but instead returns the error
invalid config: database app user password not specified

Binary Version

(VTTablet) v21.0.0 using go1.22.5 linux/amd64

Operating System and Environment details

OS Version     - Debian GNU/Linux 11 (bullseye)
Kernel version - Linux 6.1.53-1
Architecture   - x86_64

Log Fragments

W0108 12:54:36.112216   62468 log.go:39] Failed to read in config : Config File "vtconfig" Not Found in "[<local-path>]". This is optional, and can be ignored if you are not using config files. For a detailed explanation, see https://github.com/vitessio/vitess/blob/main/doc/viper/viper.md#config-files.
Error: invalid config: database app user password not specified

Metadata

Metadata

Assignees

No one assigned

    Labels

    Component: Authn/zAuthentication / Authorization / CertificatesType: Bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions