Details
- Type: Task
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Version: 2.3.3
- Sprint: MXS-SPRINT-75, MXS-SPRINT-76
Description
MaxScale's PAM authenticators support user and group mapping, but the documentation doesn't show how to configure it:
https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/
The process should probably be documented, similar to the MariaDB Server documentation that describes how to configure it from start to finish:
Here's how I was able to configure it:
I started with a 2-node Galera Cluster and a MaxScale 2.3.3 instance with the following configuration:
[maxscale]
threads=4
syslog=1
maxlog=1
#log_to_shm=1
log_warning=1
log_notice=1
log_info=1
admin_host=127.0.0.1
admin_port=8989
admin_auth=1
admin_enabled=1
connector_plugindir=/usr/lib64/mysql/plugin/

[C1N1]
type=server
address=172.30.0.249
port=3306
protocol=MariaDBBackend
authenticator=PAMBackendAuth

[C1N2]
type=server
address=172.30.0.32
port=3306
protocol=MariaDBBackend
authenticator=PAMBackendAuth

[Galera-Monitor]
type=monitor
module=galeramon
servers=C1N1,C1N2
user=maxscale
password=password
monitor_interval=10000

[Read-Listener]
type=listener
service=Splitter-Service
port=3306
protocol=MariaDBClient
authenticator=PAMAuth

[Splitter-Service]
type=service
router=readwritesplit
servers=C1N1,C1N2
user=maxscale
password=password
max_slave_connections=100%
1.) First, on both backend nodes, I created the monitor user in PAM and set the user's password:
sudo adduser maxscale
sudo passwd maxscale
2.) Then, on both backend nodes and the maxscale node, I created the PAM user and group that I want to test:
sudo useradd alice
sudo passwd alice
sudo groupadd dba
sudo usermod -a -G dba alice
3.) Then, on both backend nodes and the maxscale node, I also had to create a PAM user with the same name as the MariaDB user that my group is going to be mapped to:
sudo useradd dba -g dba
Because of this:
4.) Then, on both backend nodes and the maxscale node, I compiled and installed the pam_user_map PAM module:
sudo yum install gcc pam-devel
wget https://raw.githubusercontent.com/MariaDB/server/10.4/plugin/auth_pam/mapper/pam_user_map.c
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
sudo install --mode=0755 pam_user_map.so /lib64/security/
5.) Then, on both backend nodes and the maxscale node, I configured my user and group mapping in /etc/security/user_map.conf:
@dba:dba
6.) Then, on both backend nodes, I installed the PAM authentication plugin:
INSTALL SONAME 'auth_pam';
7.) Then, on both backend nodes and the maxscale node, I configured the PAM service in /etc/pam.d/mariadb:
auth required pam_unix.so audit
auth optional pam_user_map.so
account required pam_unix.so audit
8.) Then, on both backend nodes, I gave the mysql user access to /etc/shadow:
sudo groupadd shadow
sudo usermod -a -G shadow mysql
sudo chown root:shadow /etc/shadow
sudo chmod g+r /etc/shadow
9.) Then, on the maxscale instance, I gave the maxscale user access to /etc/shadow:
sudo groupadd shadow
sudo usermod -a -G shadow maxscale
sudo chown root:shadow /etc/shadow
sudo chmod g+r /etc/shadow
10.) Then, on both backend nodes, I created my monitor user:
CREATE USER 'maxscale'@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT ALL PRIVILEGES ON *.* TO 'maxscale'@'%';
11.) Then, on both backend nodes, I created my dba user:
CREATE USER 'dba'@'%' IDENTIFIED BY 'strongpassword';
GRANT ALL PRIVILEGES ON *.* TO 'dba'@'%';
12.) Then, on the backend nodes, I created my anonymous proxy user.
First, I had to do some cleanup:
DELETE FROM mysql.db WHERE User='' AND Host='%';
FLUSH PRIVILEGES;
Because of this:
https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account
And then I created my anonymous proxy user:
CREATE USER ''@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT PROXY ON 'dba'@'%' TO ''@'%';
13.) Then, I restarted both backend nodes and maxscale.
14.) Then, I tested it out:
[ec2-user@ip-172-30-0-106 ~]$ mysql -u alice -h 172.30.0.106 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.1.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT USER(), CURRENT_USER();
+--------------------------------------------------+----------------+
| USER()                                           | CURRENT_USER() |
+--------------------------------------------------+----------------+
| alice@ip-172-30-0-106.us-west-2.compute.internal | dba@%          |
+--------------------------------------------------+----------------+
1 row in set (0.001 sec)
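The mapping in steps 3, 5 and 7 above is decided entirely by /etc/security/user_map.conf and the Linux groups of the logging-in user, so it is worth being able to predict the outcome before restarting a cluster. The following Python is an added example, not code from the MaxScale project, MariaDB Server or the issue author. It is a simplified model of how pam_user_map.so reads its file: entries are assumed to be 'user:mapped_user' or '@group:mapped_user', '#' is assumed to start a comment, and the first matching entry is assumed to win. It also checks the gotcha from step 3, namely that every mapped target must exist as a local OS account on the node performing the PAM lookup. The sample user_map.conf content embedded in the block is constructed for the example.

```python
"""Predict which account a PAM login is mapped to (added example).

Assumptions, labelled here because they are not stated on the issue page:
  * entry forms are 'user:mapped_user' and '@group:mapped_user'
  * '#' starts a comment, blank lines are ignored
  * the first matching entry wins
"""
from __future__ import annotations

import pwd
from typing import Callable, Iterable

# Constructed sample: the '@dba:dba' mapping from the issue, plus a per-user
# entry and comments so the parser has something to exercise.
SAMPLE_USER_MAP = """\
# /etc/security/user_map.conf (constructed sample)
@dba: dba           # every member of the dba group logs in as 'dba'
bob:  readonly      # one specific login becomes 'readonly'
"""


def parse_user_map(text: str) -> list[tuple[str, str]]:
    """Return (source, target) pairs in file order; raise on malformed lines."""
    entries: list[tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'name:mapped_user', got {raw!r}")
        src, dst = (part.strip() for part in line.split(":", 1))
        if not src or not dst or src == "@":
            raise ValueError(f"line {lineno}: empty name or target in {raw!r}")
        entries.append((src, dst))
    return entries


def resolve(user: str, groups: Iterable[str],
            entries: list[tuple[str, str]]) -> str | None:
    """Mapped account for `user` whose Linux groups are `groups`, or None."""
    group_set = set(groups)
    for src, dst in entries:
        if src.startswith("@"):
            if src[1:] in group_set:             # '@group' entry: any member matches
                return dst
        elif src == user:                        # plain entry: exact user name
            return dst
    return None  # no entry matched: the login keeps its own name


def local_account_exists(name: str) -> bool:
    """True if `name` is a local OS account (pam_unix needs this for the target)."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def missing_targets(entries: list[tuple[str, str]],
                    exists: Callable[[str], bool] = local_account_exists) -> list[str]:
    """Mapping targets with no local account: the reason for the useradd in step 3."""
    return sorted({dst for _, dst in entries if not exists(dst)})


if __name__ == "__main__":
    entries = parse_user_map(SAMPLE_USER_MAP)
    print("alice (member of dba) ->", resolve("alice", ["alice", "dba"], entries))
    print("bob                   ->", resolve("bob", ["bob"], entries))
    print("carol                 ->", resolve("carol", ["carol"], entries))
    print("targets without a local account:", missing_targets(entries))
```

Run it on a copy of the real user_map.conf (pass the file contents to parse_user_map and the output of `id -Gn <user>` to resolve) on each backend node and on the MaxScale node; because every node evaluates the mapping independently, the results should agree across all of them, and missing_targets should come back empty everywhere.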
|
Issue Links
- relates to MXS-2267 Document which accounts PAM authenticators will actually use (Closed)
- relates to MXS-2308 Change default for connector_plugindir (Closed)
- relates to MXS-334 Enable Pam.d Support (Closed)
- relates to MXS-1758 Support PAM group mapping, like MariaDB Server does (Closed)
- relates to MXS-2269 Document user and group mapping support for PAM authenticators (Closed)
- relates to MXS-2292 Allow PAM user and group mapping to work with more specific host than '%' (Closed)
- relates to MXS-2293 Monitor fails PAM authentication with error: Plugin dialog could not be loaded (Closed)