  1. MariaDB MaxScale
  2. MXS-2494

MySQLAuth load users query doesn't check mysql.user's plugin column for MariaDB 10.1+


Details

    Description

      When MaxScale connects to a backend that is running MariaDB 10.0 or below and it is configured to use MySQLAuth, it properly checks the "plugin" column of mysql.user when determining which database users to load:

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L48

      However, the queries for MariaDB 10.1 and MariaDB 10.2+ do not check the "plugin" column of mysql.user:

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L57

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L86

      As a consequence, the MySQLAuth authenticator can load user accounts that use authentication plugins like pam, unix_socket, gssapi, etc., which MySQLAuth can't actually support.

      In the best case scenario, this can just fill up MaxScale's MySQLAuth user database with useless junk.

      In the worst case scenario, this can cause subtle bugs that may be able to let people log into MaxScale with no password when they shouldn't be able to. I think I may be seeing at least one bug like this.
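
An audit query for the condition described above, as an added example that is not part of the original report or of MaxScale's code: run on a MariaDB 10.1+ backend, it lists the accounts that an unfiltered user load would pick up even though they use a plugin other than native password authentication. The allow list `('', 'mysql_native_password')` and the reading that an empty `Password` column is the risky case are assumptions, not taken from the linked source lines.

```sql
-- Added example, not MaxScale's own query.
-- Run on the backend server with an account that can read mysql.user.

-- 1. Accounts that authenticate through a plugin MySQLAuth cannot handle
--    (pam, unix_socket, gssapi, ...). Assumption: only '' and
--    'mysql_native_password' are usable by MySQLAuth.
SELECT
    u.user,
    u.host,
    u.plugin,
    -- Plugin-authenticated accounts often have no hash stored here.
    -- Assumption: an entry loaded with an empty hash is the case most
    -- likely to look like a passwordless account to the proxy.
    CASE WHEN COALESCE(u.password, '') = '' THEN 'yes' ELSE 'no' END
        AS password_column_empty
FROM mysql.user AS u
WHERE COALESCE(u.plugin, '') NOT IN ('', 'mysql_native_password')
ORDER BY password_column_empty DESC, u.user, u.host;

-- 2. Summary per plugin, to see how many loaded entries would be
--    unusable by MySQLAuth.
SELECT
    COALESCE(NULLIF(u.plugin, ''), '(empty)') AS plugin,
    COUNT(*) AS accounts,
    SUM(COALESCE(u.password, '') = '') AS with_empty_password_column
FROM mysql.user AS u
GROUP BY COALESCE(NULLIF(u.plugin, ''), '(empty)')
ORDER BY accounts DESC;
```

Rows returned by the first query with `password_column_empty = 'yes'` are the accounts to review first on any backend that MaxScale loads users from.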

            People

              markus makela markus makela
              GeoffMontee Geoff Montee (Inactive)