  1. MariaDB Server
  2. MDEV-33387

Require Multiple Authentication Plugins Concurrently - MFA

Details

    Description

      Ability to require multiple authentication steps concurrently for specific users, the complement of the new OR logic; for example, forcing a user to log in with both Unix Socket and mysql_native_password together to be able to start a session:

      CREATE USER root@localhost IDENTIFIED VIA unix_socket AND mysql_native_password;
      

      Update 1. Currently, we do not plan to support a mix of AND and OR for the same user, for simplicity.

      Update 2. markus makela points out that MySQL multi-factor authentication supports multiple different passwords, and there are client CLI options supporting it (--password2, --password3). That would require some protocol overhaul, as well as support for multiple passwords in all connectors. At first, we can either support at most one password-based plugin for multi-factor, or else require that all passwords are the same, but SET PASSWORD probably won't work as desired.


            People

              wlad Vladislav Vaintroub
              juan.vera Juan