Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.2.21, 2.3.6
- None
Description
When MaxScale connects to a backend that is running MariaDB 10.0 or below and it is configured to use MySQLAuth, it properly checks the "plugin" column of mysql.user when determining which database users to load:
However, the queries for MariaDB 10.1 and MariaDB 10.2+ do not check the "plugin" column of mysql.user:
As a consequence, the MySQLAuth authenticator can load user accounts that use authentication plugins like pam, unix_socket, gssapi, etc., which MySQLAuth can't actually support.
In the best case scenario, this can just fill up MaxScale's MySQLAuth user database with useless junk.
In the worst case scenario, this can cause subtle bugs that may be able to let people log into MaxScale with no password when they shouldn't be able to. I think I may be seeing at least one bug like this.
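The following is an added illustration, not MaxScale's own code or its actual user-loading queries. It models the report's point with an in-memory SQLite copy of a few constructed mysql.user rows: a query that ignores the plugin column returns pam and unix_socket accounts with an empty password hash, which is exactly the shape a loader could mistake for a passwordless account, while a query that filters on the plugin column only loads accounts the native-password authenticator can verify. The column layout and sample rows are assumptions for illustration.

```python
import sqlite3

# Constructed rows modelled on a MariaDB 10.2+ mysql.user layout
# (user, host, password, plugin, authentication_string). Hashes and
# names are made up for this example.
SAMPLE_USERS = [
    ("app",    "%",         "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29",
     "mysql_native_password", ""),
    ("dba",    "localhost", "", "unix_socket", ""),   # no hash: socket auth
    ("ops",    "%",         "", "pam", ""),           # no hash: PAM auth
    ("legacy", "%",         "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
     "", ""),                                         # '' == native password
]

def load_db():
    """Build an in-memory table shaped like the relevant mysql.user columns."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (user TEXT, host TEXT, password TEXT, "
                "plugin TEXT, authentication_string TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return con

# Query in the shape the bug describes: no filter on the plugin column,
# so plugin-authenticated accounts come back with an empty password hash.
UNFILTERED_QUERY = "SELECT user, host, password FROM user"

# Hardened query: load only accounts a native-password authenticator can
# actually verify. An empty plugin value is the legacy default for native.
FILTERED_QUERY = ("SELECT user, host, password FROM user "
                  "WHERE plugin IN ('', 'mysql_native_password')")

def load_users(query):
    """Return {(user, host): password_hash} as an authenticator cache would."""
    con = load_db()
    return {(user, host): pw for user, host, pw in con.execute(query)}

def passwordless(users):
    """Accounts whose cached hash is empty, i.e. would match a blank password."""
    return sorted(uh for uh, pw in users.items() if pw == "")

if __name__ == "__main__":
    print("unfiltered, empty-hash accounts:", passwordless(load_users(UNFILTERED_QUERY)))
    print("filtered,   empty-hash accounts:", passwordless(load_users(FILTERED_QUERY)))
```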