Troubleshooting authentication

Plugin Error Messages

The error messages are returned by the authentication_oci plugin and are logged to performance_schema.error_log.

Table 22-1 Plugin Error Messages

Error	Description
`MY-13813 (ER_AUTHENTICATION_OCI_INVALID_AUTHENTICATION_STRING)`	Incorrect authentication string during `CREATE USER` or `ALTER USER`. Check your authentication string and retry. To confirm your user is created correctly, run `SHOW CREATE USER userName` to display the user details. The tenancy OCID and either user OCID or group mapping are mandatory.
`MY-13814 (ER_AUTHENTICATION_OCI_NO_MATCHING_GROUPS)`	The user is not a member of the group listed in the authentication string. Ensure the user is a member of an IAM group mapped to a MySQL proxied user.
`MY-13815 (ER_AUTHENTICATION_OCI_NO_GROUPS_FOUND)`	Specified user is not a member of an IAM group. Ensure your user is a member of a group mapped to the appropriate proxied user.
`MY-13816 (ER_AUTHENTICATION_OCI_NONCE)`	API key mismatch. The public key retrieved from IAM does not correspond to the private key on the client. Ensure you are using the correct key pair and your public key is registered with the correct user in IAM and the correct private key, key path, and fingerprint are defined in your local config file.
`MY-13810 (ER_AUTHENTICATION_OCI_DOWNLOAD_PUBLIC_KEY)`	The public key for the specified user cannot be found. Ensure the user's API key is properly registered in IAM. To confirm your keys are correctly configured, attempt running a simple CLI command using the OCI CLI. A command such as `oci os ns get`, for example, returns the Object Storage namespace if you are using the proper user keys and config file. If your keys are not correct, a detailed error message is returned. This error can also be raised in the event of a failure of communication between the MySQL server and the IAM service. Check the `*_failure` status variables for any increase in counter values. If there are no changes in the counter values, recheck your Tenancy OCID, User OCID, API Keys and fingerprint values.

Command-Line Client Error Messages

These error messages might be returned by the command-line clients if you cannot connect.

Table 22-2 Command-Line Client Error Messages

Error Description

Error	Description
`ERROR 1827 (HY000): The password hash doesn't have the expected format.`	The authentication string provided during `CREATE USER` or `ALTER USER` was incorrect. Check the spelling of your parameters in the connection string. Ensure the OCIDs are correct - the tenancy OCID and the OCID of the IAM user. Make any corrections and retry.
`ERROR 1045 (28000): Access denied for user <user>@<host>`	The permissions have not been set up correctly for the user or for the `authentication_oci` plugin. This error can occur if you have not defined a policy statement for the `mysql_dp_auth` service in Identity and Access Management (IAM). It can also occur if a policy statement has been defined but it is not attached to the root compartment. See Prerequisites for information on the required policy statement.

ERROR 1827 (HY000): The password hash doesn't
                                have the expected format.

The authentication string provided during CREATE USER or ALTER USER was incorrect.

Check the spelling of your parameters in the connection string. Ensure the OCIDs are correct - the tenancy OCID and the OCID of the IAM user. Make any corrections and retry.

ERROR 1045 (28000): Access denied for user
                                <user>@<host>

The permissions have not been set up correctly for the user or for the authentication_oci plugin. This error can occur if you have not defined a policy statement for the mysql_dp_auth service in Identity and Access Management (IAM). It can also occur if a policy statement has been defined but it is not attached to the root compartment. See Prerequisites for information on the required policy statement.

Status Variables

The status variables of the authentication_oci plugin provide information on success or failure of connections to IMDS and IAM endpoints.

Table 22-3 Status Variables

Status Variable	Description
`authentication_oci_connection_failures`	Number of times the plugin received an unexpected reply (error > 405) from IAM endpoint for a GET or POST request
`authentication_oci_connection_success`	Number of times the plugin received expected reply from IAM endpoint for a GET or POST request
`authentication_oci_imds_failures`	Number of times the plugin failed to obtain the required information from IMDS.
`authentication_oci_imds_success`	Number of times communication with IMDS was successful.
`authentication_oci_principal_failures`	Number of times the plugin failed to obtain a JWT token
`authentication_oci_principal_success`	Number of times a JWT token was successfully issued

Oracle Cloud Infrastructure Documentation