[MDEV-20299] SET SESSION AUTHORIZATION - Jira

Details

Type: New Feature
Status: In Testing (View Workflow)
Priority: Critical
Resolution: Unresolved
Fix Version/s: 12.0
Component/s: Authentication and Privilege System
Labels:
- Preview_12.0
- beginner-friendly

Description

SET USER privilege gives the ability to specify an arbitrary definer for views and stored routines. That basically means that a SET USER user can execute commands as any other user.

To make this functionality more convenient to use, the server could allow SET USER user to "sudo" directly into any other user without authentication.

We'll implement a standard SET SESSION AUTHORIZATION statement that will do that. It should allow everything that is achievable in SP with an arbitrary definer. In particular, it'll bypass account lock, expired password, authentication, REQUIRE SSL checks, etc.

The standard syntax is:

<set session user identifier statement> ::=

        SET SESSION AUTHORIZATION <value specification>

The important part of the specs is

1) If a <set session user identifier statement> is executed and an SQL-transaction is currently active, then an exception condition is raised: invalid transaction state — active SQL-transaction.

(it's sqlstate 25001), and

4) If V is not equal to the current value of the SQL-session user identifier of the current SQL-session context, then the restrictions on the permissible values for V are implementation-defined.

That is, one can always set session authorization to themselves, and it's implementation-defined when one can change to another user. We'll define it as "if granted SET USER privilege"

It won't work inside transactions (standard specs), won't work in PS and in SP (because changing the user resets all PS and SP in the connection, so none can survive this statement)

Attachments

Issue Links

blocks

MXS-5130 Support for PARSEC auth plugin from MDEV-32618

Closed

MXS-5524 Use new SESSION AUTHORIZATION feature from 12.0

Closed

causes

MDEV-36384 Command-line client keeps showing database in prompt after changing user

Open

MDEV-36395 SET SESSION AUTHORIZATION is written in server audit log under the new user

Open

MDEV-36399 SET SESSION AUTHORIZATION allows an unrpivileged user to bypass resource limits

Closed

MDEV-36401 Access denied errors produced by SET SESSION AUTHORIZATION not reflected in status values

Closed

MDEV-36415 ER_NO_SUCH_USER for empty user name in SET SESSION AUTHORIZATION looks inconsistent

Open

MDEV-36430 User cannot SET SESSION AUTHORIZATION into its current_user if the host is a wildcard

Open

MDEV-36431 User identified via proxy cannot do SET SESSION AUTHORIZATION into itself

Open

MDEV-36589 Garbage written into slow log for SET SESSION AUTHORIZATION command, assertion fails

Closed

is blocked by

MDEV-21743 Split up SUPER privilege to smaller privileges

Closed

relates to

MDEV-36396 MTR view protocol does not notice a change of user

Open

MDEV-36405 Session tracking does not report changes from COM_CHANGE_USER

Open

MDEV-34386 Make SQL proxy authentication easier and safer

Open

(5 causes, 1 is blocked by, 3 relates to)

Activity

Ascending order - Click to sort in descending order

View 11 older comments

markus makela added a comment - 2025-02-25 08:17 - edited

One thing that I think might be a minor issue in using this as a "proxy authentication mechanism" is the connection attributes. I assume that the SET SESSION AUTHORIZATION <user> will reset those as well. They are often quite useful for debugging complex topologies where client applications are connecting through a proxy like MaxScale. Otherwise figuring out the real source IP is quite difficult, especially as proxy protocol would not always be usable in this sort of a scenario.

markus makela added a comment - 2025-02-25 08:17 - edited One thing that I think might be a minor issue in using this as a "proxy authentication mechanism" is the connection attributes. I assume that the SET SESSION AUTHORIZATION <user> will reset those as well. They are often quite useful for debugging complex topologies where client applications are connecting through a proxy like MaxScale. Otherwise figuring out the real source IP is quite difficult, especially as proxy protocol would not always be usable in this sort of a scenario.

Sergei Golubchik added a comment - 2025-03-04 12:30

use branch bb-12.0-MDEV-20299-authorization

Sergei Golubchik added a comment - 2025-03-04 12:30 use branch bb-12.0- MDEV-20299 -authorization

Sergei Golubchik added a comment - 2025-03-08 13:49

wlad, please, review three top commits in that branch:

c9ddeb31d8b MDEV-20299 SET SESSION AUTHORIZATION

bcdfb506020 cleanup: extract reusable code chunks

b9939bc7f3f fix error messages

Sergei Golubchik added a comment - 2025-03-08 13:49 wlad , please, review three top commits in that branch: c9ddeb31d8b MDEV-20299 SET SESSION AUTHORIZATION bcdfb506020 cleanup: extract reusable code chunks b9939bc7f3f fix error messages

Sergei Golubchik added a comment - 2025-03-11 20:20

updated the branch to reject SET SESSION AUTHORIZATION in an active transaction

Sergei Golubchik added a comment - 2025-03-11 20:20 updated the branch to reject SET SESSION AUTHORIZATION in an active transaction

Vladislav Vaintroub added a comment - 2025-03-12 20:34

Looks good, only please fix embedded build.

Vladislav Vaintroub added a comment - 2025-03-12 20:34 Looks good, only please fix embedded build.

People

Assignee:: Elena Stepanova

Reporter:: Sergei Golubchik

Votes:: 3 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 2019-08-08 18:11

Updated:: 6 days ago 19:27

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server