MariaDB MaxScale / MXS-2494

MySQLAuth load users query doesn't check mysql.user's plugin column for MariaDB 10.1+

    Details

      Description

      When MaxScale connects to a backend that is running MariaDB 10.0 or below and it is configured to use MySQLAuth, it properly checks the "plugin" column of mysql.user when determining which database users to load:

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L48

      However, the queries for MariaDB 10.1 and MariaDB 10.2+ do not check the "plugin" column of mysql.user:

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L57

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/MySQLAuth/dbusers.cc#L86

      As a consequence, the MySQLAuth authenticator can load user accounts that use authentication plugins like pam, unix_socket, gssapi, etc., which MySQLAuth can't actually support.

      In the best case scenario, this can just fill up MaxScale's MySQLAuth user database with useless junk.

      In the worst case scenario, this can cause subtle bugs that may be able to let people log into MaxScale with no password when they shouldn't be able to. I think I may be seeing at least one bug like this.

              People

              • Assignee: markus makela
              • Reporter: Geoff Montee
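The effect described in this report, as an added example that is not MaxScale's code: a user-loading query with and without a plugin check is run against a constructed stand-in for `mysql.user`, and the accounts that only the unchecked query loads are listed. The two queries are simplified, the in-memory SQLite backend and all rows are constructed, and treating `''` and `mysql_native_password` as the plugins MySQLAuth supports is an assumption.

```python
import sqlite3

# Assumption: plugin values MySQLAuth can authenticate ('' = server default).
SUPPORTED_PLUGINS = ("", "mysql_native_password")

# Simplified stand-ins for the user-loading queries, not MaxScale's own SQL.
UNFILTERED = "SELECT user, host, plugin FROM mysql.user"
FILTERED = UNFILTERED + " WHERE plugin IN (?, ?)"

# Constructed rows shaped like mysql.user: (user, host, password, plugin).
FAKE_HASH = "*" + "0" * 40
SAMPLE_ROWS = [
    ("app", "%", FAKE_HASH, "mysql_native_password"),
    ("legacy", "10.0.0.%", FAKE_HASH, ""),
    ("alice", "%", "", "pam"),
    ("root", "localhost", "", "unix_socket"),
    ("svc_krb", "%", "", "gssapi"),
]


def build_backend(rows):
    """Create an in-memory database exposing a table named mysql.user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS mysql")
    conn.execute(
        "CREATE TABLE mysql.user (user TEXT, host TEXT, password TEXT, plugin TEXT)"
    )
    conn.executemany("INSERT INTO mysql.user VALUES (?, ?, ?, ?)", rows)
    return conn


def load_users(conn, check_plugin):
    """Return {(user, host): plugin} as the authenticator would load it."""
    if check_plugin:
        cur = conn.execute(FILTERED, SUPPORTED_PLUGINS)
    else:
        cur = conn.execute(UNFILTERED)
    return {(user, host): plugin for user, host, plugin in cur}


def unsupported_loaded(conn):
    """Accounts the unchecked query loads but the checked query skips."""
    loose = load_users(conn, check_plugin=False)
    strict = load_users(conn, check_plugin=True)
    return sorted((u, h, loose[(u, h)]) for (u, h) in loose.keys() - strict.keys())


if __name__ == "__main__":
    for user, host, plugin in unsupported_loaded(build_backend(SAMPLE_ROWS)):
        print(f"{user}@{host}: plugin '{plugin}' is loaded but not supported")
```

The same `plugin IN (...)` predicate can be used in a read-only query on a real backend to list accounts that should not appear in MaxScale's MySQLAuth user database.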