A lot of users are using the PAMAuth and MySQLAuth authenticators at the same time with the same services. With the current design, a listener and a server can only each have one authenticator. Therefore, this kind of configuration requires a lot of duplication:
- Every listener needs to be duplicated for every client-side authenticator.
- Every server needs to be duplicated for every backend authenticator.
- Every dependent service also needs to be duplicated.
It seems like it should be possible to change the design to support all MariaDBClient-compatible authenticators on the same listener at the same time. I think this will be even more important as users start to use even more authentication plugins on a more regular basis, such as ed25519 and gssapi.
MariaDB Server supports all authentication plugins on the same port, so I think MaxScale should also be able to do it. When a user tries to log in to MariaDB Server, it checks the plugin column of the mysql.user table to decide which plugin to use to authenticate the user:
MaxScale could do something similar. For example, it could have an "authentication dispatcher" class of some kind. This class could query the mysql.user table to determine which authentication plugin each user account uses, and write it to an SQLite table. e.g.:
When a user tries to log in to MaxScale, the "authentication dispatcher" can determine which authenticator to use for that user by checking the plugin mapping for that user account.
In MariaDB 10.4, a user account can be configured to use several different authentication plugins in a pre-configured order. This information is stored in the mysql.global_priv table.
If we wanted to support multiple authentication plugins in MaxScale too, then we could probably extend the mapping table schema to include an additional order column. e.g.:
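A sketch of the mapping table and dispatcher lookup proposed above, as an added example rather than MaxScale code or anything from the original request. The table name `auth_plugin_map`, the column `ord` (used because `order` is an SQL keyword), the sample accounts and the host-specificity rule are assumptions.

```python
import sqlite3

# Plugin -> MaxScale authenticator; only the two modules named in the text.
AUTHENTICATORS = {"mysql_native_password": "MySQLAuth", "pam": "PAMAuth"}

# Constructed sample rows standing in for what would be read from
# mysql.user / mysql.global_priv: (user, host, plugin, ord).
SAMPLE_ROWS = [
    ("alice", "%", "mysql_native_password", 1),
    ("alice", "10.0.0.%", "pam", 1),
    ("alice", "10.0.0.%", "mysql_native_password", 2),
    ("bob", "localhost", "ed25519", 1),
    ("bob", "localhost", "pam", 2),
]

def build_map(rows):
    """Create the in-memory mapping table (hypothetical schema) and load it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_plugin_map ("
        " user TEXT NOT NULL, host TEXT NOT NULL,"
        " plugin TEXT NOT NULL, ord INTEGER NOT NULL,"
        " PRIMARY KEY (user, host, ord))"
    )
    conn.executemany("INSERT INTO auth_plugin_map VALUES (?, ?, ?, ?)", rows)
    return conn

def authenticators_for(conn, user, client_host):
    """Return the ordered authenticator list for the best-matching account."""
    # Host patterns use SQL wildcards (% and _), so the stored pattern goes
    # on the right-hand side of LIKE.
    # Simplified specificity rule (assumption): no '%' wins, then longest.
    acct = conn.execute(
        "SELECT host FROM auth_plugin_map"
        " WHERE user = ? AND ? LIKE host"
        " ORDER BY instr(host, '%') > 0, length(host) DESC LIMIT 1",
        (user, client_host),
    ).fetchone()
    if acct is None:
        return []  # unknown account: the caller must reject the login
    plugins = conn.execute(
        "SELECT plugin FROM auth_plugin_map"
        " WHERE user = ? AND host = ? ORDER BY ord",
        (user, acct[0]),
    ).fetchall()
    # Plugins without an authenticator are skipped, never substituted.
    return [AUTHENTICATORS[p] for (p,) in plugins if p in AUTHENTICATORS]
```

An empty result covers both an unknown account and an account whose plugins have no matching authenticator; in either case the login is refused rather than falling back to a default.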