[MXS-1551] Ip white list for proxy - Jira

Details

Type: New Feature
Status: Closed (View Workflow)
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 2.2.0
Component/s: mariadbmon
Labels:
None

Description

Current MaxScale's Authentication mechanism has a limit, MaxScale's host should be added to every

{Username, Password}

tuple, as descriped in the Configuration Docments;

If there is a ip white list mechanism, put MaxScale's host in the white list, Server Authentication skip those host in the list will let MaxScale be much easier to use, especially in cloud environment;

Proposal:
1. server privide a white ip list variable;
2. In mysql monitor, after connected to backend, set host to the white list;

Attachments

Issue Links

is blocked by

MDEV-15501 Dynamic config `proxy_protocol_networks`

Closed

Activity

Ascending order - Click to sort in descending order

dapeng huang created issue - 2017-11-29 07:23

dapeng huang made changes - 2017-11-29 07:24

Field	Original Value	New Value
Description	Current MaxScale's Authentication mechanism has a limit, MaxScale's host should be added to every {Username, Password} tuple, as descriped in the Configuration Docments; If there is a ip white list mechanism, put MaxScale's host in the white list, Server Authentication skip those host in the list will let MaxScale be much easier to use, especially in cloud environment; Proposal: 1. server privide a write ip list variable; 2. In mysql monitor, after connected to backend, set host to the write list;	Current MaxScale's Authentication mechanism has a limit, MaxScale's host should be added to every {Username, Password} tuple, as descriped in the Configuration Docments; If there is a ip white list mechanism, put MaxScale's host in the white list, Server Authentication skip those host in the list will let MaxScale be much easier to use, especially in cloud environment; Proposal: 1. server privide a white ip list variable; 2. In mysql monitor, after connected to backend, set host to the write list;

dapeng huang made changes - 2017-11-29 07:39

Description

Current MaxScale's Authentication mechanism has a limit, MaxScale's host should be added to every {Username, Password} tuple, as descriped in the Configuration Docments;

If there is a ip white list mechanism, put MaxScale's host in the white list, Server Authentication skip those host in the list will let MaxScale be much easier to use, especially in cloud environment;

Proposal:
1. server privide a white ip list variable;
2. In mysql monitor, after connected to backend, set host to the write list;

dapeng huang made changes - 2017-11-29 08:33

Component/s

MySQLMon [ 11630 ]

markus makela added a comment - 2017-11-29 08:43

Fixed in 10.3 when PROXY protocol is added.

markus makela added a comment - 2017-11-29 08:43 Fixed in 10.3 when PROXY protocol is added.

markus makela added a comment - 2017-11-29 09:19 - edited

dapeng Can you check if the PROXY protocol (~~MDEV-11159~~) is something that would solve your problem?

markus makela added a comment - 2017-11-29 09:19 - edited dapeng Can you check if the PROXY protocol ( MDEV-11159 ) is something that would solve your problem?

markus makela made changes - 2017-11-29 09:19

Fix Version/s

2.2 [ 22647 ]

dapeng huang added a comment - 2017-11-29 11:36

thanks it exactly what we need, but if MySQLMon can add host to @@GLOBAL.proxy_protocol_networks could be better, cause we may dynamically add or remove mxs nodes for a mysql cluster;

dapeng huang added a comment - 2017-11-29 11:36 thanks it exactly what we need, but if MySQLMon can add host to @@GLOBAL.proxy_protocol_networks could be better, cause we may dynamically add or remove mxs nodes for a mysql cluster;

markus makela added a comment - 2017-11-29 12:00

That's a slightly dangerous thing from a security perspective as it depends only on the authentication of the monitor user but it should be doable. This assumes that the MaxScale user has the permissions to add itself into the list of allowed proxied networks.

markus makela added a comment - 2017-11-29 12:00 That's a slightly dangerous thing from a security perspective as it depends only on the authentication of the monitor user but it should be doable. This assumes that the MaxScale user has the permissions to add itself into the list of allowed proxied networks.

Johan Wikman made changes - 2018-01-02 09:27

Rank

Ranked higher

Johan Wikman made changes - 2018-02-13 09:17

Rank

Ranked higher

dapeng huang made changes - 2018-03-08 01:02

Link

This issue is blocked by ~~MDEV-15501~~ [ ~~MDEV-15501~~ ]

Johan Wikman made changes - 2018-03-20 08:43

Rank

Ranked higher

markus makela added a comment - 2018-03-26 07:10

Closing this as Done since 2.2 implemented PROXY Protocol support. If you want MaxScale to automatically add itself to the list of proxied hosts, please open a separate feature request for it.

markus makela added a comment - 2018-03-26 07:10 Closing this as Done since 2.2 implemented PROXY Protocol support. If you want MaxScale to automatically add itself to the list of proxied hosts, please open a separate feature request for it.

markus makela made changes - 2018-03-26 07:10

Fix Version/s		2.2.0 [ 22514 ]
Fix Version/s	2.2 [ 22647 ]
Resolution		Done [ 10200 ]
Status	Open [ 1 ]	Closed [ 6 ]

Sergei Golubchik made changes - 2021-12-06 21:30

Workflow

MariaDB v3 [ 84154 ]

MariaDB v4 [ 137846 ]

People

Assignee:: Unassigned

Reporter:: dapeng huang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2017-11-29 07:23

Updated:: 2018-03-26 07:10

Resolved:: 2018-03-26 07:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB MaxScale

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration