Troubleshooting authentication_oci Plugin

Troubleshoot the issues you find with the authentication_oci plugin.

Plugin Error Messages

These error messages are returned by the authentication_oci plugin and logged to performance_schema.error_log.

Table 22-1 Plugin Error Messages

Error Description
MY-13813 (ER_AUTHENTICATION_OCI_INVALID_AUTHENTICATION_STRING)

Incorrect authentication string during CREATE USER or ALTER USER. Check your authentication string and retry.

To confirm your user is created correctly, run SHOW CREATE USER userName to display the user details.

The tenancy OCID and either user OCID or group mapping are mandatory.

MY-13814 (ER_AUTHENTICATION_OCI_NO_MATCHING_GROUPS)

The user is not a member of the group listed in the authentication string. Ensure the user is a member of an IAM group mapped to a MySQL proxied user.

MY-13815 (ER_AUTHENTICATION_OCI_NO_GROUPS_FOUND)

The specified user is not a member of an IAM group. Ensure your user is a member of a group mapped to the appropriate proxied user.

MY-13816 (ER_AUTHENTICATION_OCI_NONCE)

API key mismatch. The public key retrieved from IAM does not correspond to the private key on the client. Ensure that you are using the correct key pair, that your public key is registered with the correct user in IAM, and that the correct private key, key path, and fingerprint are defined in your local config file.

MY-13810 (ER_AUTHENTICATION_OCI_DOWNLOAD_PUBLIC_KEY)

The public key for the specified user cannot be found. Ensure the user's API key is properly registered in IAM. To confirm your keys are correctly configured, run a simple command with the OCI CLI. For example, oci os ns get returns the Object Storage namespace if you are using the proper user keys and config file. If your keys are not correct, a detailed error message is returned.

This error can also be raised when communication between the MySQL server and the IAM service fails. Check the *_failures status variables for any increase in counter values. If the counter values have not changed, recheck your tenancy OCID, user OCID, API keys, and fingerprint values.

Command-Line Client Error Messages

These error messages might be returned by the command-line clients if you cannot connect.

Table 22-2 Command-Line Client Error Messages

Error Description
ERROR 1827 (HY000): The password hash doesn't have the expected format.

The authentication string provided during CREATE USER or ALTER USER was incorrect.

Check the spelling of your parameters in the connection string. Ensure the OCIDs are correct: the tenancy OCID and the OCID of the IAM user. Make any corrections and retry.

ERROR 1045 (28000): Access denied for user <user>@<host>

The permissions have not been set up correctly for the user or for the authentication_oci plugin. This error can occur if you have not defined a policy statement for the mysql_dp_auth service in Identity and Access Management (IAM). It can also occur if a policy statement has been defined but it is not attached to the root compartment. See Prerequisites for information on the required policy statement.

Status Variables

The status variables of the authentication_oci plugin report the success or failure of connections to the IMDS and IAM endpoints.

Table 22-3 Status Variables

Status Variable Description
authentication_oci_connection_failures

Number of times the plugin received an unexpected reply (error > 405) from IAM endpoint for a GET or POST request.

authentication_oci_connection_success

Number of times the plugin received expected reply from IAM endpoint for a GET or POST request.

authentication_oci_imds_failures

Number of times the plugin failed to obtain the required information from IMDS.

authentication_oci_imds_success

Number of times communication with IMDS was successful.

authentication_oci_principal_failures

Number of times the plugin failed to obtain a JWT token.

authentication_oci_principal_success

Number of times a JWT token was successfully issued.
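
The MY-13810 guidance above (compare the failure counters, and recheck the OCIDs and keys if none moved) can be scripted against two captures of the status variables in Table 22-3. This is an added example, not Oracle's code; the tab-separated input format, the function names, and the sample values are assumptions made for illustration.

```python
# Added example: triage of MY-13810 using the *_failures counters (Table 22-3).
# Input format (assumption): tab-separated "name<TAB>value" rows, as printed by
#   mysql --batch -e "SHOW STATUS LIKE 'authentication_oci%'"
STAGES = {  # counter prefix -> what the page says a failure there means
    "authentication_oci_connection": "unexpected reply from the IAM endpoint (GET/POST)",
    "authentication_oci_imds": "required information not obtained from IMDS",
    "authentication_oci_principal": "JWT token not obtained",
}

def parse_status(text):
    """Return {variable_name: int} from tab-separated status output."""
    counters = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 2 and parts[1].isdigit():  # skips header and blank lines
            counters[parts[0].lower()] = int(parts[1])
    return counters

def failure_deltas(before, after):
    """Increase of every *_failures counter between two snapshots."""
    deltas = {}
    for name, now in after.items():
        if not name.endswith("_failures"):
            continue
        prev = before.get(name, 0)
        # Assumption: a lower value means the counters were reset (server restart).
        deltas[name] = now - prev if now >= prev else now
    return deltas

def triage_download_public_key(before_text, after_text):
    """Counters moved -> communication failure; otherwise recheck identifiers."""
    deltas = failure_deltas(parse_status(before_text), parse_status(after_text))
    moved = {n: d for n, d in deltas.items() if d > 0}
    if not moved:
        return ["no failure counter changed: recheck tenancy OCID, user OCID, "
                "API keys and fingerprint"]
    return [f"{name} +{delta}: {STAGES.get(name.rsplit('_', 1)[0], 'unknown stage')}"
            for name, delta in sorted(moved.items())]

# Constructed sample snapshots (not real server output).
BEFORE = (
    "Variable_name\tValue\n"
    "authentication_oci_connection_failures\t2\nauthentication_oci_connection_success\t40\n"
    "authentication_oci_imds_failures\t0\nauthentication_oci_imds_success\t12\n"
    "authentication_oci_principal_failures\t0\nauthentication_oci_principal_success\t12\n"
)
AFTER = BEFORE.replace("connection_failures\t2", "connection_failures\t5")

if __name__ == "__main__":
    print("\n".join(triage_download_public_key(BEFORE, AFTER)))
```

Take the first capture before reproducing the failed login and the second one after it.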