Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-33479

Extend Unix socket authentication to support authentication_string

    XMLWordPrintable

Details

    • New Feature
    • Status: In Testing (View Workflow)
    • Critical
    • Resolution: Unresolved
    • 11.6
    • None

    Description

      This is to track PR https://github.com/MariaDB/server/pull/2671:

      Before this change the unix socket auth plugin returned true only when the OS socket user id matches the MariaDB user name.
      The authentication string was ignored.

      Now if an authentication string is defined with in unix_socket authentication rule, then the authentication string will be used to compare with the socket's user name, and the plugin will return a positive if matching.

      Make the plugin to fill in the @@external_user variable.

      This change is similar to MySQL commit of mysql/mysql-server@6ddbc58e.
      However there's one difference with above commit:

      For MySQL, both OS user matches DB user name and OS user matches the authentication string will be allowed to connect.
      For MariaDB, we only allows the OS user matches the authentication string to connect, if the authentication string is defined.
      This is because allowing both OS user names has risks and couldn't handle the case that a customer only wants to allow one single OS user to connect which doesn't matches the DB user name.

      If DB user is created with multiple unix_socket options for example:
      create user A identified via unix_socket as 'B' or unix_socket as 'C';
      Then both Unix user of B and C are accepted.

      Attachments

        Activity

          People

            alice Alice Sherepa
            TheLinuxJedi Andrew Hutchings
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.