[MXS-2497] Support all MariaDBClient-compatible authenticators on the same listener - Jira

XML

Word

Printable

Details

Type: New Feature
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.21, 2.3.6
Fix Version/s: 2.5.0
Component/s: Authenticator
Labels:
None

Epic Link:
Router Improvements
Sprint:
MXS-SPRINT-96, MXS-SPRINT-97, MXS-SPRINT-98

Description

A lot of users are using the PAMAuth and MySQLAuth authenticators at the same time with the same services. With the current design, a listener and a server can only each have one authenticator. Therefore, this kind of configuration requires a lot of duplication:

Every listener needs to be duplicated for every client-side authenticator.
Every server needs to be duplicated for every backend authenticator.
Every dependent service also needs to be duplicated.

It seems like it should be possible to change the design to support all MariaDBClient-compatible authenticators on the same listener at the same time. I think this will be even more important as users start to use even more authentication plugins on a more regular basis, such as ed25519 and gssapi.

MariaDB Server supports all authentication plugins on the same port, so I think MaxScale should also be able to do it. When a user tries to log in to MariaDB Server, it checks the plugin column of the mysql.user table to decide which plugin to use to authenticate the user:

https://mariadb.com/kb/en/library/mysqluser-table/

MaxScale could do something similar. For example, it could have an "authentication dispatcher" class of some kind. This class could query the mysql.user table to determine which authentication plugin each user account uses, and write it to an SQLite table. e.g.:

CREATE TABLE user_account_plugin_mappings (

   user char(80),

   host char(60),

   plugin char(64),

   PRIMARY KEY (user, host)

);

When a user tries to log in to MaxScale, the "authentication dispatcher" can determine which authenticator to use for that user by checking the plugin mapping for that user account.

In MariaDB 10.4, a user account can be configured to use several different authentication plugins in a pre-configured order. This information is stored in the mysql.global_priv table.

https://mariadb.com/kb/en/library/mysqlglobal_priv-table/

If we wanted to support multiple authentication plugins in MaxScale too, then we could probable extend the mapping table schema to include an additional order column. e.g.:

CREATE TABLE user_account_plugin_mappings (

   user char(80),

   host char(60),

   order int,

   plugin char(64),

   PRIMARY KEY (user, host, order)

);

Attachments

Issue Links

blocks

MXS-1605 PamAuth - Option to Failback to Default Authentication

Closed

relates to

MXS-485 Authentication plugin skeleton

Closed

MXS-615 Authentication as Module

Closed

MXS-2499 MaxScale still authenticates clients locally when proxy_protocol=on

Closed

Activity

People

Assignee:: Esa Korhonen

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2019-05-16 20:05

Updated:: 2024-07-07 17:12

Resolved:: 2020-01-28 11:02

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.