Details
-
New Feature
-
Status: In Review (View Workflow)
-
Critical
-
Resolution: Unresolved
-
None
-
None
Description
This is to track PR https://github.com/MariaDB/server/pull/2671:
Before this change the unix socket auth plugin returned true only when the OS socket user id matches the MariaDB user name.
The authentication string was ignored.
Now if an authentication string is defined with in unix_socket authentication rule, then the authentication string will be used to compare with the socket's user name, and the plugin will return a positive if matching.
Make the plugin to fill in the @@external_user variable.
This change is similar to MySQL commit of mysql/mysql-server@6ddbc58e.
However there's one difference with above commit:
For MySQL, both OS user matches DB user name and OS user matches the authentication string will be allowed to connect.
For MariaDB, we only allows the OS user matches the authentication string to connect, if the authentication string is defined.
This is because allowing both OS user names has risks and couldn't handle the case that a customer only wants to allow one single OS user to connect which doesn't matches the DB user name.
If DB user is created with multiple unix_socket options for example:
create user A identified via unix_socket as 'B' or unix_socket as 'C';
Then both Unix user of B and C are accepted.