sqlproxyccl: improve authentication throttle error

The sql proxy will throttle connection attempts if a (client IP, tenant cluster) pair has too many authentication failures. The error is usually caused by a misconfigured password in a connection pool. This change replaces the "connection attempt throttled" error message with "too many failed authentication attempts". There is a hint that includes this message but not all drivers are configured to log hints. Fixes #117552
cockroachdb · Jan 9, 2024 · 480882f · 480882f
1 parent ccdb498
commit 480882f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/pkg/ccl/sqlproxyccl/authentication_test.go b/pkg/ccl/sqlproxyccl/authentication_test.go
@@ -121,7 +121,7 @@ func TestAuthenticateThrottled(t *testing.T) {
 		require.Equal(t, msg, &pgproto3.ErrorResponse{
 			Severity: "FATAL",
 			Code:     "08C00",
-			Message:  "codeProxyRefusedConnection: connection attempt throttled",
+			Message:  "codeProxyRefusedConnection: too many failed authentication attempts",
 			Hint:     throttledErrorHint,
 		})
 
@@ -142,10 +142,10 @@ func TestAuthenticateThrottled(t *testing.T) {
 	_, err := authenticate(proxyToClient, proxyToServer, nil, /* proxyBackendKeyData */
 		func(status throttler.AttemptStatus) error {
 			require.Equal(t, throttler.AttemptInvalidCredentials, status)
-			return throttledError
+			return authThrottledError
 		})
 	require.Error(t, err)
-	require.Contains(t, err.Error(), "connection attempt throttled")
+	require.Contains(t, err.Error(), "too many failed authentication attempts")
 
 	proxyToServer.Close()
 	proxyToClient.Close()

diff --git a/pkg/ccl/sqlproxyccl/proxy_handler.go b/pkg/ccl/sqlproxyccl/proxy_handler.go
@@ -175,9 +175,9 @@ const throttledErrorHint string = `Connection throttling is triggered by repeate
 sure the username and password are correct.
 `
 
-var throttledError = errors.WithHint(
+var authThrottledError = errors.WithHint(
 	withCode(errors.New(
-		"connection attempt throttled"), codeProxyRefusedConnection),
+		"too many failed authentication attempts"), codeProxyRefusedConnection),
 	throttledErrorHint)
 
 // newProxyHandler will create a new proxy handler with configuration based on
@@ -432,7 +432,7 @@ func (handler *proxyHandler) handle(ctx context.Context, incomingConn net.Conn)
 	throttleTime, err := handler.throttleService.LoginCheck(throttleTags)
 	if err != nil {
 		log.Errorf(ctx, "throttler refused connection: %v", err.Error())
-		err = throttledError
+		err = authThrottledError
 		updateMetricsAndSendErrToClient(err, fe.Conn, handler.metrics)
 		return err
 	}
@@ -467,7 +467,7 @@ func (handler *proxyHandler) handle(ctx context.Context, incomingConn net.Conn)
 				ctx, throttleTags, throttleTime, status,
 			); err != nil {
 				log.Errorf(ctx, "throttler refused connection after authentication: %v", err.Error())
-				return throttledError
+				return authThrottledError
 			}
 			return nil
 		},