
Password with '&' or '?' char makes connection to MySQL fail

Open KuzinAndrey opened this issue 2 years ago • 6 comments

Host operating system: output of uname -a

[root@localhost ~]# uname -a
Linux localhost.localdomain 4.18.0-425.13.1.el8_7.x86_64 #1 SMP Tue Feb 21 19:25:54 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

mysqld_exporter version: output of mysqld_exporter --version

[root@localhost ~]# /usr/local/bin/mysqld_exporter --version
mysqld_exporter, version 0.15.0 (branch: HEAD, revision: 6ca2a42f97f3403c7788ff4f374430aa267a6b6b)
  build user:       root@c4fca471a5b1
  build date:       20230624-04:09:04
  go version:       go1.20.5
  platform:         linux/amd64
  tags:             netgo

MySQL server version

[root@localhost ~]# mysql -e "select version()"
+---------------------+
| version()           |
+---------------------+
| 10.10.5-MariaDB-log |
+---------------------+

mysqld_exporter command line flags

[root@localhost ~]# cat /etc/systemd/system/mysqld_exporter.service | grep Exec
ExecStart=/usr/local/bin/mysqld_exporter --web.listen-address=:9104 --config.my-cnf=/etc/mysqld_exporter.conf

What did you do that produced an error?

Generate password in ansible role:

- name: "Generate password for exporter user"
  ansible.builtin.set_fact:
    exporter_password: "{{ lookup('ansible.builtin.password', '/dev/null', length=25, chars=['ascii_letters','digits','.,:-+_^@#;&?()[]<>']) }}"
  run_once: true
  no_log: true
  delegate_to: localhost

After running curl http://localhost:9104/metrics, I get errors in journalctl like:

2023-08-15T11:43:411Z caller=exporter.go:152 level=error msg="Error pinging mysqld" err="Error 1044 (42000): Access denied for user 'mysqld_exporter'@'localhost' to database '&lock_wait_timeout=2'"

I manually changed the password to "qwerty123456" and the exporter works fine. I tried manually changing the password to "123456&qwerty?" and got the same error.

Something is going wrong here, I think (found by searching for 'lock_wait_timeout' and the variable name 'timeoutParam'): https://github.com/prometheus/mysqld_exporter/blob/c0b5cc3797e09c3af7cbbcbcc9d36d657556505b/collector/exporter.go#L106

KuzinAndrey avatar Aug 15 '23 12:08 KuzinAndrey
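
The error in the report above can be reproduced in isolation; this is an added example, not the exporter's own code. It assumes the parameter is appended by checking for "?" anywhere in the DSN and that the DSN follows the `user:password@protocol(address)/dbname?params` layout; `appendNaive`, `appendAware` and `dbName` are hypothetical helpers and the DSNs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Parameter string taken from the error message in the report.
const lockParam = "lock_wait_timeout=2"

// appendNaive models the assumed failure mode: it chooses between "?" and "&"
// by looking for "?" anywhere in the DSN, including inside the password.
func appendNaive(dsn, param string) string {
	if strings.Contains(dsn, "?") {
		return dsn + "&" + param
	}
	return dsn + "?" + param
}

// appendAware only looks for "?" after the last "/", which is where the
// dbname?params part of the DSN begins.
func appendAware(dsn, param string) string {
	tail := dsn[strings.LastIndex(dsn, "/")+1:]
	if strings.Contains(tail, "?") {
		return dsn + "&" + param
	}
	return dsn + "?" + param
}

// dbName returns what a parser of that layout takes as the database name:
// the text after the last "/" up to the first "?".
func dbName(dsn string) string {
	tail := dsn[strings.LastIndex(dsn, "/")+1:]
	name, _, _ := strings.Cut(tail, "?")
	return name
}

func main() {
	// Constructed sample DSNs using the two passwords from the report.
	for _, pw := range []string{"qwerty123456", "123456&qwerty?"} {
		dsn := "mysqld_exporter:" + pw + "@tcp(localhost:3306)/"
		fmt.Printf("password %q\n  naive db=%q\n  aware db=%q\n", pw,
			dbName(appendNaive(dsn, lockParam)), dbName(appendAware(dsn, lockParam)))
	}
}
```

With the second password the naive variant yields the database name `&lock_wait_timeout=2`, the same string the server rejects in the logged error.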

Just got this, I was confused. Thank lord you filed this yesterday. This saved a lot of time :)

Pegasust avatar Aug 16 '23 20:08 Pegasust

There was a '#' in my password, so I wrapped the password with '`' and that solved the problem. I hope this is useful to you. @KuzinAndrey

Yuanr006 avatar Sep 22 '23 11:09 Yuanr006

There are more characters that are problematic in general, not only ?&. Also, quoting the password will not help in all cases (quoting with neither of these will help: '"). Most probably problematic are @!: and probably more.

Considering what mysql/mariadb generates for passwords in general (docker image based generation), there is a high probability that it will clash with the characters here. Source: https://github.com/MariaDB/mariadb-docker/blob/master/11.4/docker-entrypoint.sh#L363

We should stop trying to interpret the PW string or search for any characters - any passwords

EugenMayer avatar Mar 06 '24 14:03 EugenMayer

There is no problem with characters only (and yes, ! is not working, even with quoting), but you can't use a long password either. It's annoying when you want to use a strong password.

rudlaps avatar Mar 07 '24 12:03 rudlaps

Password strength is mostly determined by length. Security guidelines (e.g. NIST 800-63) recommend length over complexity.

SuperQ avatar Mar 07 '24 13:03 SuperQ

Yes, but still, using special chars in the password shouldn't prohibit using this exporter. Is there a way to escape it for the exporter?

mkl262 avatar Mar 07 '24 13:03 mkl262