MariaDB MaxScale / MXS-2497

Support all MariaDBClient-compatible authenticators on the same listener

Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.21, 2.3.6
    • Fix Version/s: 2.5.0
    • Component/s: Authenticator
    • Labels: None

    Description

      A lot of users are using the PAMAuth and MySQLAuth authenticators at the same time with the same services. With the current design, a listener and a server can only each have one authenticator. Therefore, this kind of configuration requires a lot of duplication:

      • Every listener needs to be duplicated for every client-side authenticator.
      • Every server needs to be duplicated for every backend authenticator.
      • Every dependent service also needs to be duplicated.

      It seems like it should be possible to change the design to support all MariaDBClient-compatible authenticators on the same listener at the same time. I think this will be even more important as users start to use even more authentication plugins on a more regular basis, such as ed25519 and gssapi.

      MariaDB Server supports all authentication plugins on the same port, so I think MaxScale should also be able to do it. When a user tries to log in to MariaDB Server, it checks the plugin column of the mysql.user table to decide which plugin to use to authenticate the user:

      https://mariadb.com/kb/en/library/mysqluser-table/

      MaxScale could do something similar. For example, it could have an "authentication dispatcher" class of some kind. This class could query the mysql.user table to determine which authentication plugin each user account uses, and write it to an SQLite table. e.g.:

      CREATE TABLE user_account_plugin_mappings (
         user char(80),
         host char(60),
         plugin char(64),
         PRIMARY KEY (user, host)
      );
      

      When a user tries to log in to MaxScale, the "authentication dispatcher" can determine which authenticator to use for that user by checking the plugin mapping for that user account.

      In MariaDB 10.4, a user account can be configured to use several different authentication plugins in a pre-configured order. This information is stored in the mysql.global_priv table.

      https://mariadb.com/kb/en/library/mysqlglobal_priv-table/

      If we wanted to support multiple authentication plugins in MaxScale too, then we could probably extend the mapping table schema to include an additional order column. e.g.:

      CREATE TABLE user_account_plugin_mappings (
         user char(80),
         host char(60),
         -- ORDER is a reserved word in SQLite, so the column name must be quoted
         "order" int,
         plugin char(64),
         PRIMARY KEY (user, host, "order")
      );
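
      An added sketch of the dispatcher lookup described above, using Python's sqlite3 (not MaxScale code and not part of the original issue). The enabled-plugin set, the sample rows, the function names and the "exact host, then longest pattern" ranking are assumptions made for illustration.

```python
import sqlite3

# Authenticators loaded on this listener (assumed names, not MaxScale config).
ENABLED = {"mysql_native_password", "pam", "ed25519"}

SCHEMA = """
CREATE TABLE user_account_plugin_mappings (
   user char(80),
   host char(60),
   "order" int,   -- ORDER is reserved in SQLite, so the name is quoted
   plugin char(64),
   PRIMARY KEY (user, host, "order")
);
"""

# Constructed sample rows standing in for data copied from the backend.
SAMPLE = [
    ("app", "10.0.0.%", 0, "ed25519"),
    ("app", "10.0.0.%", 1, "mysql_native_password"),
    ("app", "%", 0, "mysql_native_password"),
    ("alice", "%", 0, "pam"),
    ("svc", "%", 0, "gssapi"),
]

def open_cache():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO user_account_plugin_mappings VALUES (?, ?, ?, ?)", SAMPLE)
    return db

def plugins_for(db, user, client_host):
    """Ordered authenticators to try for user@client_host; [] means reject."""
    # Choose one account: exact host first, then the longest matching pattern.
    account = db.execute(
        "SELECT host FROM user_account_plugin_mappings "
        "WHERE user = ? AND ? LIKE host "
        "ORDER BY host = ? DESC, length(host) DESC LIMIT 1",
        (user, client_host, client_host)).fetchone()
    if account is None:
        return []  # unknown account: no default authenticator is substituted
    rows = db.execute(
        'SELECT plugin FROM user_account_plugin_mappings '
        'WHERE user = ? AND host = ? ORDER BY "order"', (user, account[0]))
    # Keep the configured order, dropping plugins this listener cannot run.
    return [plugin for (plugin,) in rows if plugin in ENABLED]
```

      An empty result covers both an unknown account and an account whose only plugins are not loaded, so the caller rejects the login in either case instead of falling back to a default authenticator.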
      

            People

              esa.korhonen Esa Korhonen
              GeoffMontee Geoff Montee (Inactive)