Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-33479

Extend Unix socket authentication to support authentication_string

    XMLWordPrintable

Details

    Description

      This is to track PR https://github.com/MariaDB/server/pull/2671:

      Before this change the unix socket auth plugin returned true only when the OS socket user id matches the MariaDB user name.
      The authentication string was ignored.

      Now if an authentication string is defined with in unix_socket authentication rule, then the authentication string will be used to compare with the socket's user name, and the plugin will return a positive if matching.

      Make the plugin to fill in the @@external_user variable.

      This change is similar to MySQL commit of mysql/mysql-server@6ddbc58e.
      However there's one difference with above commit:

      For MySQL, both OS user matches DB user name and OS user matches the authentication string will be allowed to connect.
      For MariaDB, we only allows the OS user matches the authentication string to connect, if the authentication string is defined.
      This is because allowing both OS user names has risks and couldn't handle the case that a customer only wants to allow one single OS user to connect which doesn't matches the DB user name.

      If DB user is created with multiple unix_socket options for example:
      create user A identified via unix_socket as 'B' or unix_socket as 'C';
      Then both Unix user of B and C are accepted.

      Attachments

        Issue Links

          Activity

            People

              TheLinuxJedi Andrew Hutchings (Inactive)
              TheLinuxJedi Andrew Hutchings (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.