Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Won't Fix
-
2.1.9
-
None
Description
A PROXY grant allows one user to masquerade as another. MaxScale does not detect that a user shares the grants of another user and is allowed to authenticate.
To fix this problem, the SQL executed by the MySQLAuth module needs to be adjusted into the following form:
SELECT t.user, t.host, t.db, t.select_priv, t.password FROM |
(
|
SELECT u.user, u.host, d.db, u.select_priv, u.password |
FROM mysql.user AS u LEFT JOIN mysql.db AS d |
ON (u.user = d.user AND u.host = d.host) |
UNION |
SELECT u.user, u.host, t.db, u.select_priv, u.password |
FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t |
ON (u.user = t.user AND u.host = t.host) |
) AS t |
WHERE (t.user, t.host) NOT IN (SELECT user, host FROM mysql.proxies_priv) |
UNION
|
SELECT p.user, p.host, t.db, t.select_priv, t.password FROM |
(
|
SELECT u.user, u.host, d.db, u.select_priv, u.password |
FROM mysql.user AS u LEFT JOIN mysql.db AS d |
ON (u.user = d.user AND u.host = d.host) |
UNION |
SELECT u.user, u.host, t.db, u.select_priv, u.password |
FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t |
ON (u.user = t.user AND u.host = t.host) |
) AS t |
JOIN mysql.proxies_priv AS p |
ON (p.proxied_user = t.user AND p.proxied_host = t.host); |
With this, the grants of the account being proxied are returned instead of the user with the proxy grant.