MDEV-4691

Kerberize MariaDB -- add Kerberos authentication support to MariaDB

Details

    • 10.2.0-1, 10.1.10, 10.2.0-2

    Description

      This task identifies TODOs to add Kerberos authentication support to MariaDB.

      Kerberos is a standardised network authentication protocol providing mutual authentication between users and network services. Many commercial relational database management systems already support Kerberos authentication. This project aims to add cross-platform Kerberos authentication support to the MariaDB database.

      User Scenario

      This section gives a typical use case.
      Suppose user Adam wants to authenticate against his Kerberos principal.

      Step 1 Create a login user in MariaDB and specify kerberos as the server-side authentication plugin.

      CREATE USER 'adam' IDENTIFIED VIA kerberos AS 'adam/mariadb@lp';

      Embedding a whole principal name in a MariaDB login name is error-prone, because a Kerberos principal name can be far longer than a MariaDB user name allows. We therefore use a short name as the MariaDB login name and identify the principal with the AS clause. If the AS clause is absent when the user is created, the MariaDB login name is used as the principal name implicitly.

      Step 2 At the client side, Adam acquires a service ticket (or access token) for MariaDB.

      Step 3 Adam tries to log in with the short login name.

      $ mysql -u adam

      Step 4 If adam/mariadb@lp is a valid principal in Kerberos and the service ticket has not expired, Adam can log in to MariaDB without a password; otherwise, he receives an actionable error message.

      The Source Code

      The source code will be located in the plugin/auth_kerberos directory.
      The mysql_declare_plugin/mysql_declare_plugin_end macros can be used to define the server-side plugin, and the mysql_declare_client_plugin/mysql_end_client_plugin macros the client-side plugin.

      Client-Server Communication

      This section defines the message exchanges between client and server during Kerberos authentication.

      Step 1 The server sends the null-terminated SPN to the client (the SPN is given as a server parameter, documented in a later section).
      Step 2 The client receives the SPN from the server with vio->read_packet and creates a security context for that SPN by calling gss_init_sec_context, repeating until the call reports completion.
      Step 3 The client writes the output token produced by gss_init_sec_context to the server with vio->write_packet.
      Step 4 The server acquires its initial credential with gss_acquire_cred.
      Step 5 The server reads the token written in step 3, checks the principal name enclosed in the token against the credential obtained in step 4, and accepts the access request if the principal is recognized; otherwise it fails the connection.

      Figure-out SPN

      This section describes the policy to identify a valid service principal name.

      For the server-side plugin, an SPN is required. The principal name is an option in the configuration file (e.g. ~/.my.cnf), given as

      spn=primary/instance@realm

      or

      spn=primary@machine.domain

      depending on the platform, where primary is the service name. If this option is not present, mysql is used as the default SPN.
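As an added example (not code from the MariaDB plugin or from this task), the following C program exercises the name-handling rules laid out in the user scenario, the client-server exchange and this SPN section: reading the null-terminated SPN packet of steps 1 and 2 without scanning past the packet, the AS-clause fallback rule for the expected principal, the byte-exact principal check of step 5, and the mysql default SPN. The GSSAPI calls themselves (gss_init_sec_context, gss_acquire_cred) are left out so that the program runs offline; the function names, the principal struct and sample values such as mysql/db1.example.test@EXAMPLE.TEST are constructed for illustration and are not part of the design above.

```c
/* Added example, not MariaDB plugin code: offline model of the name-handling
 * policy in MDEV-4691. The GSSAPI/SSPI exchange is deliberately omitted. */
#include <stdio.h>
#include <string.h>

#define DEFAULT_SPN "mysql"   /* default when spn= is absent, per the design */

/* A parsed principal. In the Windows form primary@machine.domain the part
 * after '@' is the machine name rather than a realm; it lands in realm[]. */
struct principal {
    char primary[64];    /* service name (SPN) or user name */
    char instance[128];  /* optional part after '/', "" if absent */
    char realm[128];     /* part after the last '@', "" if absent */
};

/* Split "primary/instance@realm" (instance and realm optional).
 * Returns 0 on success, -1 if a component is empty or too long. */
static int parse_principal(const char *name, struct principal *out)
{
    const char *at = strrchr(name, '@');              /* realm after last '@' */
    size_t base_len = at ? (size_t)(at - name) : strlen(name);
    const char *slash = memchr(name, '/', base_len);  /* '/' only before '@' */
    size_t prim_len = slash ? (size_t)(slash - name) : base_len;

    memset(out, 0, sizeof *out);
    if (prim_len == 0 || prim_len >= sizeof out->primary) return -1;
    memcpy(out->primary, name, prim_len);
    if (slash) {
        size_t inst_len = base_len - prim_len - 1;
        if (inst_len == 0 || inst_len >= sizeof out->instance) return -1;
        memcpy(out->instance, slash + 1, inst_len);
    }
    if (at) {
        size_t realm_len = strlen(at + 1);
        if (realm_len == 0 || realm_len >= sizeof out->realm) return -1;
        memcpy(out->realm, at + 1, realm_len);
    }
    return 0;
}

/* "Figure-out SPN": an absent option means the mysql default; a configured
 * value must at least parse, otherwise NULL signals a bad configuration. */
static const char *resolve_spn(const char *configured)
{
    struct principal p;
    if (!configured || !*configured) return DEFAULT_SPN;
    return parse_principal(configured, &p) == 0 ? configured : NULL;
}

/* Step 2 of the exchange: the client must find the NUL terminator inside the
 * packet length it was handed. A packet without one is malformed and is
 * rejected rather than read past. Returns the SPN length or -1. */
static int read_spn_packet(const unsigned char *pkt, size_t pkt_len,
                           char *spn, size_t spn_cap)
{
    const unsigned char *nul = memchr(pkt, 0, pkt_len);
    size_t n;
    if (!nul) return -1;
    n = (size_t)(nul - pkt);
    if (n + 1 > spn_cap) return -1;
    memcpy(spn, pkt, n + 1);
    return (int)n;
}

/* User scenario step 1: the AS clause names the principal; without it the
 * MariaDB login name itself is the principal. */
static const char *expected_principal(const char *login, const char *as_clause)
{
    return (as_clause && *as_clause) ? as_clause : login;
}

/* Step 5: accept only if the principal the security layer authenticated is
 * exactly the one stored for the MariaDB user. Both names must parse, and the
 * comparison is byte-exact: no case folding and no realm defaulting, so a
 * differently cased name or a name missing its realm is rejected. */
static int principal_matches(const char *stored, const char *authenticated)
{
    struct principal a, b;
    if (parse_principal(stored, &a) != 0 || parse_principal(authenticated, &b) != 0)
        return 0;
    return strcmp(a.primary, b.primary) == 0 &&
           strcmp(a.instance, b.instance) == 0 &&
           strcmp(a.realm, b.realm) == 0;
}

int main(void)
{
    /* Constructed sample values; nothing here comes from a real realm. */
    static const unsigned char pkt[] = "mysql/db1.example.test@EXAMPLE.TEST"; /* NUL included */
    char spn[256];
    struct principal p;

    printf("spn packet -> %d bytes: %s\n", read_spn_packet(pkt, sizeof pkt, spn, sizeof spn), spn);
    if (parse_principal(spn, &p) == 0)
        printf("service=%s instance=%s realm=%s\n", p.primary, p.instance, p.realm);
    printf("no spn= option -> %s\n", resolve_spn(NULL));
    printf("adam with AS clause -> %s\n", expected_principal("adam", "adam/mariadb@lp"));
    printf("exact match: %d, wrong case: %d, missing realm: %d\n",
           principal_matches("adam/mariadb@lp", "adam/mariadb@lp"),
           principal_matches("adam/mariadb@lp", "ADAM/mariadb@LP"),
           principal_matches("adam/mariadb@lp", "adam/mariadb"));
    return 0;
}
```

The strict comparison in principal_matches is the security-relevant choice: the AS clause is the only binding between a MariaDB account and a Kerberos identity, so any loosening (case folding, defaulting a missing realm) should be a deliberate decision matched to the KDC's naming rules rather than an accident of string handling.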

      Cross-platform Requirements

      GSSAPI-based Kerberos authentication is widely used in the *nix world, while Windows provides an SSPI-based Kerberos authentication process. The plugin will support Windows SSPI in addition to GSSAPI to maximize compatibility.

      Links

      1. Configure Kerberos authentication in Oracle RDBMS. http://docs.oracle.com/cd/A97630_01/network.920/a96573/asokerb.htm
      2. Using Kerberos authentication with SQL Server. http://msdn.microsoft.com/en-us/library/cc280745(v=sql.105).aspx
      3. Configuring Kerberos for Sybase. http://www.sybase.com.hk/content/1029260/1029260.pdf
      4. The Kerberos network authentication service (v5). http://tools.ietf.org/html/rfc4120
      5. GSS-API C-binding. http://tools.ietf.org/html/rfc2744
      6. The Kerberos version 5 Generic Security Service Application Program Interface (GSS-API) mechanism: Version 2. http://tools.ietf.org/html/rfc4121
      7. MariaDB Pluggable Authentication. https://kb.askmonty.org/en/development-pluggable-authentication/
      8. How the Kerberos Version 5 Authentication Protocol Works. http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
      9. SSPI/Kerberos Interoperability with GSSAPI. http://msdn.microsoft.com/en-us/library/ms995352.aspx
      10. Best Practices for Integrating Kerberos into Your Application. http://www.kerberos.org/software/appskerberos.pdf

      Activity

            rharwood Robbie Harwood added a comment -

            SPN is configured in the [server] section of /etc/my.cnf.d/server.cnf (or similar) as kerberos_principal_name. Mechanism is configured through the GSSAPI layer; typically it will be Kerberos5 and SPNEGO, though this may vary with your system.

            wlad Vladislav Vaintroub added a comment -

            There is documentation for the plugin,
            https://mariadb.com/kb/en/mariadb/gssapi-authentication-plugin/

            with an example of how to create a service principal on Unix (on Windows, with Active Directory, the principal name could be determined by the plugin startup code, so it is a lesser concern).
            hkropp Henning Kropp added a comment -

            Sorry, but this all is not very clear to me. I was able to follow the doc to create a GSSAPI user. But running mysql --plugin-dir=/usr/lib64/mysql/plugin/ -u maria-user is not working for me.

            From my understanding the client would need to be configured to use GSSAPI as well. And typically it needs the SPN name, so it knows the service to authenticate against.

            https://mariadb.com/kb/en/mariadb/gssapi-authentication-plugin/ is really thin concerning the client config. There is a list of properties, but where do I place them? Also the client certainly does not need the keytab of the server, but the docu tells you so. Could you please review?
            hkropp Henning Kropp added a comment - edited

            Oh, I realized this might just be a formatting issue :/ ... I read the bullet points as being related to the client properties, but they are not, right? Sorry for the confusion....

            Found my mistake, docu is also fine (except confusing formatting). Sorry for bothering you here.

            wlad Vladislav Vaintroub added a comment -

            The only thing the client has to do is to log in as a GSSAPI user (e.g. kinit, or Windows domain login), and point to the plugin-dir (sometimes the default plugin dir works, but often it does not). The client does not have any additional configuration; the current plugin API does not allow it.

            As for formatting, I do not see it as confusing, but maybe I miss something. I believe everyone can modify it, it is just a wiki, so you're welcome!

            People

              wlad Vladislav Vaintroub
              qiushuang QIU Shuang
              Votes: 6
              Watchers: 13