MariaDB MaxScale: MXS-2294

Document how to configure user and group mapping for PAM authenticators

    Details

    • Sprint:
      MXS-SPRINT-75, MXS-SPRINT-76

      Description

      MaxScale's PAM authenticators support user and group mapping, but the documentation doesn't show how to configure it:

      https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/

      The process should probably be documented, similar to the MariaDB Server documentation that describes how to configure it from start to finish:

      https://mariadb.com/kb/en/library/configuring-pam-authentication-and-user-mapping-with-unix-authentication/

      Here's how I was able to configure it:

      I started with a 2-node Galera Cluster and a MaxScale 2.3.3 instance with the following configuration:

      [maxscale]
      threads=4
      syslog=1
      maxlog=1
      #log_to_shm=1
      log_warning=1
      log_notice=1
      log_info=1
      admin_host=127.0.0.1
      admin_port=8989
      admin_auth=1
      admin_enabled=1
      connector_plugindir=/usr/lib64/mysql/plugin/
       
      [C1N1]
      type=server
      address=172.30.0.249
      port=3306
      protocol=MariaDBBackend
      authenticator=PAMBackendAuth
       
      [C1N2]
      type=server
      address=172.30.0.32
      port=3306
      protocol=MariaDBBackend
      authenticator=PAMBackendAuth
       
      [Galera-Monitor]
      type=monitor
      module=galeramon
      servers=C1N1,
              C1N2
      user=maxscale
      password=password
      monitor_interval=10000
       
      [Read-Listener]
      type=listener
      service=Splitter-Service
      port=3306
      protocol=MariaDBClient
      authenticator=PAMAuth
       
      [Splitter-Service]
      type=service
      router=readwritesplit
      servers=C1N1,
              C1N2
      user=maxscale
      password=password
      max_slave_connections=100%
      

      1.) First, on both backend nodes, I created the monitor user in PAM and set the user's password:

      sudo adduser maxscale
      sudo passwd maxscale
      

      2.) Then, on both backend nodes and the maxscale node, I created the PAM user and group that I want to test:

      sudo useradd alice
      sudo passwd alice
      sudo groupadd dba
      sudo usermod -a -G dba alice 
      

      3.) Then, on both backend nodes and the maxscale node, I also had to create a PAM user with the same name as the MariaDB user that my group is going to be mapped to:

      sudo useradd dba -g dba
      

      Because of this:

      https://mariadb.com/kb/en/library/user-and-group-mapping-with-pam/#pam-user-with-same-name-as-mapped-mariadb-user-must-exist

      4.) Then, on both backend nodes and the maxscale node, I compiled and installed the pam_user_map PAM module:

      sudo yum install gcc pam-devel
      wget https://raw.githubusercontent.com/MariaDB/server/10.4/plugin/auth_pam/mapper/pam_user_map.c 
      gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so 
      sudo install --mode=0755 pam_user_map.so /lib64/security/ 
      

      5.) Then, on both backend nodes and the maxscale node, I configured my user and group mapping in /etc/security/user_map.conf:

      @dba:dba
      

      6.) Then, on both backend nodes, I installed the PAM authentication plugin:

      INSTALL SONAME 'auth_pam';
      

      7.) Then, on both backend nodes and the maxscale node, I configured the PAM service in /etc/pam.d/mariadb:

      auth required pam_unix.so audit
      auth optional pam_user_map.so
      account required pam_unix.so audit
      

      8.) Then, on both backend nodes, I gave the mysql user access to /etc/shadow:

      sudo groupadd shadow
      sudo usermod -a -G shadow mysql
      sudo chown root:shadow /etc/shadow
      sudo chmod g+r /etc/shadow
      

      9.) Then, on the maxscale instance, I gave the maxscale user access to /etc/shadow:

      sudo groupadd shadow
      sudo usermod -a -G shadow maxscale
      sudo chown root:shadow /etc/shadow
      sudo chmod g+r /etc/shadow
      

      10.) Then, on both backend nodes, I created my monitor user:

      CREATE USER 'maxscale'@'%' IDENTIFIED VIA pam USING 'mariadb';
      GRANT ALL PRIVILEGES ON *.* TO 'maxscale'@'%';
      

      11.) Then, on both backend nodes, I created my dba user:

      CREATE USER 'dba'@'%' IDENTIFIED BY 'strongpassword';
      GRANT ALL PRIVILEGES ON *.* TO 'dba'@'%';
      

      12.) Then, on the backend nodes, I created my anonymous proxy user.

      First, I had to do some cleanup:

      DELETE FROM mysql.db WHERE User='' AND Host='%';
      FLUSH PRIVILEGES;
      

      Because of this:

      https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account

      And then I created my anonymous proxy user:

      CREATE USER ''@'%' IDENTIFIED VIA pam USING 'mariadb';
      GRANT PROXY ON 'dba'@'%' TO ''@'%';
      

      13.) Then, I restarted both backend nodes and maxscale.

      14.) Then, I tested it out:

      [ec2-user@ip-172-30-0-106 ~]$ mysql -u alice -h 172.30.0.106 -p
      Enter password:
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 5
      Server version: 10.1.37-MariaDB MariaDB Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> SELECT USER(), CURRENT_USER();
      +--------------------------------------------------+----------------+
      | USER()                                           | CURRENT_USER() |
      +--------------------------------------------------+----------------+
      | alice@ip-172-30-0-106.us-west-2.compute.internal | dba@%          |
      +--------------------------------------------------+----------------+
      1 row in set (0.001 sec)
      
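A small pre-flight check for the mapping set up in steps 3 and 5, added here as an example (it is not MaxScale or MariaDB code): it parses a constructed user_map.conf in the format shown above, resolves which MariaDB account a PAM user lands on, and lists mapped names that have no same-named local account. It assumes that the first matching rule wins and that a user with no matching rule keeps their own name; the per-user rule, the account list and the group memberships are constructed.

```python
"""Resolve pam_user_map-style mappings and pre-flight check their targets.

Added example, not MaxScale/MariaDB code. Models the user_map.conf format
from step 5: one "from: to" rule per line, "from" being a PAM user name or
"@group" for any member of that group; "#" starts a comment. Assumed: the
first matching rule wins, and a user with no matching rule keeps their name.
"""
from typing import List, Set, Tuple

# Constructed user_map.conf: the page's rule plus one per-user rule.
USER_MAP_CONF = """\
# group -> MariaDB user, as configured in step 5
@dba:dba
carol: reporting   # per-user rule, constructed for this example
"""

# Constructed stand-in for the node's local accounts (`getent passwd`).
LOCAL_ACCOUNTS: Set[str] = {"root", "mysql", "maxscale", "alice", "dba", "carol"}


def parse_user_map(text: str) -> List[Tuple[str, str]]:
    """Return [(source, target)] in file order; source keeps its '@' prefix."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        src, _, dst = (p.strip() for p in line.partition(":"))
        if not src or not dst:
            raise ValueError(f"malformed user_map line: {raw!r}")
        rules.append((src, dst))
    return rules


def resolve(user: str, groups: Set[str], rules: List[Tuple[str, str]]) -> str:
    """Name MariaDB sees after pam_user_map: first matching rule, else unchanged."""
    for src, dst in rules:
        if src.startswith("@"):
            if src[1:] in groups:
                return dst
        elif src == user:
            return dst
    return user


def missing_targets(rules: List[Tuple[str, str]], accounts: Set[str]) -> List[str]:
    """Mapped names with no same-named local account (required, see step 3)."""
    return sorted({dst for _, dst in rules if dst not in accounts})
```

Run `missing_targets` against the real account list on every backend and MaxScale node before restarting; any name it returns is a mapping whose logins will fail until that local user is created.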

      People

      • Assignee: Esa Korhonen
      • Reporter: Geoff Montee