Bug#33308536 - Default auth backend for old metadata is not valid

Issue
=====
WL#13906 changed the default authentication backend for the http_auth_backend
to metadata_cache which is not supported in metadata 1.0.

Fix
===
If old metadata is used then config generated during the bootstrap is going
to set up a file based authentication for the http_auth_backend.

RB: 26955
Reviewed by: Jan Kneschke <[email protected]>

Author: Tomasz Stepniak

router/src/router/src/config_generator.cc

@@ -423,25 +423,25 @@ void ConfigGenerator::init(
 
   // throws std::runtime_error, std::logic_error,
   connect_to_metadata_server(u, bootstrap_socket, bootstrap_options);
-  auto schema_version = mysqlrouter::get_metadata_schema_version(mysql_.get());
+  schema_version_ = mysqlrouter::get_metadata_schema_version(mysql_.get());
 
-  if (schema_version == mysqlrouter::kUpgradeInProgressMetadataVersion) {
+  if (schema_version_ == mysqlrouter::kUpgradeInProgressMetadataVersion) {
     throw std::runtime_error(
         "Currently the cluster metadata update is in progress. Please rerun "
         "the bootstrap when it is finished.");
   }
 
   if (!metadata_schema_version_is_compatible(kRequiredBootstrapSchemaVersion,
-                                             schema_version)) {
+                                             schema_version_)) {
     throw std::runtime_error(mysqlrouter::string_format(
         "This version of MySQL Router is not compatible with the provided "
         "MySQL InnoDB cluster metadata. Expected metadata version %s, "
         "got %s",
         to_string(kRequiredBootstrapSchemaVersion).c_str(),
-        to_string(schema_version).c_str()));
+        to_string(schema_version_).c_str()));
   }
 
-  metadata_ = mysqlrouter::create_metadata(schema_version, mysql_.get(),
+  metadata_ = mysqlrouter::create_metadata(schema_version_, mysql_.get(),
                                            bootstrap_options);
 
   // at this point we know the cluster type so let's do additional verifications
@@ -2020,6 +2020,42 @@ static void save_initial_dynamic_state(
   mdc_dynamic_state.save(state_stream);
 }
 
+/**
+ * Add proper authentication backend section to the config based on the
+ * metadata version. If needed it creates an empty authentication password
+ * file used in the config.
+ *
+ * @param[in] datadir - path of a router data directory
+ * @param[in] auth_backend_name - authentication backend section name
+ * @param[in] schema_version - metadata schema version
+ *
+ * @return http_auth_backend config section string
+ */
+static std::string create_http_auth_backend_section(
+    const mysql_harness::Path &datadir,
+    const std::string_view auth_backend_name,
+    const mysqlrouter::MetadataSchemaVersion schema_version) {
+  if (metadata_schema_version_is_compatible(kNewMetadataVersion,
+                                            schema_version)) {
+    return mysql_harness::ConfigBuilder::build_section(
+        std::string{"http_auth_backend:"}.append(auth_backend_name),
+        {{"backend", "metadata_cache"}});
+  } else {
+    const auto auth_backend_passwd_file =
+        datadir.join("auth_backend_passwd_file").str();
+    const auto open_res = open_ofstream(auth_backend_passwd_file);
+    if (!open_res) {
+      log_warning("Cannot create file '%s': %s",
+                  auth_backend_passwd_file.c_str(),
+                  open_res.error().message().c_str());
+    }
+
+    return mysql_harness::ConfigBuilder::build_section(
+        std::string{"http_auth_backend:"}.append(auth_backend_name),
+        {{"backend", "file"}, {"filename", auth_backend_passwd_file}});
+  }
+}
+
 /*static*/ std::string ConfigGenerator::gen_metadata_cache_routing_section(
     bool is_classic, bool is_writable, const Options::Endpoint endpoint,
     const Options &options, const std::string &metadata_key) {
@@ -2203,9 +2239,8 @@ std::string ConfigGenerator::generate_config_for_rest(
   config << mysql_harness::ConfigBuilder::build_section("rest_api", {});
 
   config << "\n\n";
-  config << mysql_harness::ConfigBuilder::build_section(
-      "http_auth_backend:" + auth_backend_name,
-      {{"backend", "metadata_cache"}});
+  config << create_http_auth_backend_section(datadir_path, auth_backend_name,
+                                             schema_version_);
 
   config << "\n\n";
   config << mysql_harness::ConfigBuilder::build_section(

router/src/router/src/config_generator.h

@@ -36,6 +36,7 @@
 
 #include "auto_cleaner.h"
 #include "mysql/harness/filesystem.h"
+#include "mysqlrouter/cluster_metadata.h"
 #include "mysqlrouter/datatypes.h"
 #include "mysqlrouter/keyring_info.h"
 #include "mysqlrouter/mysql_session.h"
@@ -617,6 +618,8 @@ class ConfigGenerator {
   SysUserOperationsBase *sys_user_operations_;
 #endif
 
+  mysqlrouter::MetadataSchemaVersion schema_version_;
+
 #ifdef FRIEND_TEST
   FRIEND_TEST(::ConfigGeneratorTest, fetch_bootstrap_servers_one);
   FRIEND_TEST(::ConfigGeneratorTest, fetch_bootstrap_servers_three);

router/tests/component/test_bootstrap.cc

@@ -2024,6 +2024,52 @@ TEST_F(RouterBootstrapTest, BootstrapRouterDuplicateEntry) {
   EXPECT_FALSE(router.expect_output("Could not delete file .*", true, 0ms));
 }
 
+TEST_F(RouterBootstrapTest, CheckAuthBackendWhenOldMetadata) {
+  TempDirectory bootstrap_directory;
+  const auto server_port = port_pool_.get_next_available();
+  const auto http_port = port_pool_.get_next_available();
+  const std::string json_stmts =
+      get_data_dir().join("bootstrap_gr_v1.js").str();
+
+  // launch mock server that is our metadata server for the bootstrap
+  auto &server_mock = launch_mysql_server_mock(json_stmts, server_port,
+                                               EXIT_SUCCESS, false, http_port);
+
+  set_mock_bootstrap_data(http_port, "test", {{"localhost", server_port}},
+                          {1, 0, 0}, "cluster-specific-id");
+
+  const auto base_listening_port = port_pool_.get_next_available();
+  std::vector<std::string> bootsrtap_params{
+      "--bootstrap=127.0.0.1:" + std::to_string(server_port), "-d",
+      bootstrap_directory.name(),
+      "--conf-base-port=" + std::to_string(base_listening_port)};
+
+  // launch the router in bootstrap mode
+  auto &router = launch_router_for_bootstrap(bootsrtap_params, EXIT_SUCCESS,
+                                             /*disable rest*/ false);
+
+  // add login hook
+  router.register_response("Please enter MySQL password for root: ",
+                           kRootPassword + "\n"s);
+
+  check_exit_code(router, EXIT_SUCCESS);
+
+  const std::string conf_file =
+      bootstrap_directory.name() + "/mysqlrouter.conf";
+
+  // check if valid authentication backend option was added to the config file
+  auto conf_file_content = get_file_output(conf_file);
+  auto conf_lines = mysql_harness::split_string(conf_file_content, '\n');
+  const auto passwd_file = mysql_harness::Path{
+      bootstrap_directory.name() + "/data/auth_backend_passwd_file"};
+  EXPECT_THAT(conf_lines,
+              ::testing::IsSupersetOf(
+                  {::testing::ContainsRegex("backend=file"),
+                   ::testing::ContainsRegex(std::string{"filename=.*"} +
+                                            passwd_file.str())}));
+  ASSERT_TRUE(passwd_file.exists());
+}
+
 int main(int argc, char *argv[]) {
   init_windows_sockets();
   ProcessManager::set_origin(Path(argv[0]).dirname());

router/tests/helpers/router_component_test.h

@@ -167,8 +167,9 @@ class RouterComponentBootstrapTest : virtual public RouterComponentTest {
       const std::vector<std::tuple<ProcessWrapper &, unsigned int>> &T);
 
   ProcessWrapper &launch_router_for_bootstrap(
-      std::vector<std::string> params, int expected_exit_code = EXIT_SUCCESS) {
-    params.push_back("--disable-rest");
+      std::vector<std::string> params, int expected_exit_code = EXIT_SUCCESS,
+      const bool disable_rest = true) {
+    if (disable_rest) params.push_back("--disable-rest");
     return ProcessManager::launch_router(
         params, expected_exit_code, /*catch_stderr=*/true, /*with_sudo=*/false,
         /*wait_for_notify_ready=*/std::chrono::seconds(-1));