Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-33479

Extend Unix socket authentication to support authentication_string



    • New Feature
    • Status: In Testing (View Workflow)
    • Critical
    • Resolution: Unresolved
    • 11.6
    • None


      This is to track PR https://github.com/MariaDB/server/pull/2671:

      Before this change the unix socket auth plugin returned true only when the OS socket user id matches the MariaDB user name.
      The authentication string was ignored.

      Now if an authentication string is defined with in unix_socket authentication rule, then the authentication string will be used to compare with the socket's user name, and the plugin will return a positive if matching.

      Make the plugin to fill in the @@external_user variable.

      This change is similar to MySQL commit of mysql/mysql-server@6ddbc58e.
      However there's one difference with above commit:

      For MySQL, both OS user matches DB user name and OS user matches the authentication string will be allowed to connect.
      For MariaDB, we only allows the OS user matches the authentication string to connect, if the authentication string is defined.
      This is because allowing both OS user names has risks and couldn't handle the case that a customer only wants to allow one single OS user to connect which doesn't matches the DB user name.

      If DB user is created with multiple unix_socket options for example:
      create user A identified via unix_socket as 'B' or unix_socket as 'C';
      Then both Unix user of B and C are accepted.




            alice Alice Sherepa
            TheLinuxJedi Andrew Hutchings
            0 Vote for this issue
            6 Start watching this issue



              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.