Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-2527

Parameter to force locally-cached user credential expiration in sensitive environments.

    Details

    • Type: New Feature
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.21, 2.3.7
    • Fix Version/s: 2.5.0
    • Component/s: Authenticator, Core
    • Labels:
      None

      Description

      Currently MaxScale caches user credentials causing a (known) situation where after a password is changed on a back-end server, MaxScale successfully authenticates the user with the locally cached old password, and then fails to route the query due to the changed credentials on the back end.

      We already have users_refresh_time, which limits how often locally cached user credentials can be re-checked when they fail authentication.

      A similar parameter, something like local_password_age, could define a time-limit for how long a user credential will be held in the local cache, evicting the credential after the time runs out. This could be set aggressively in sensitive environments, so that if a user credential were changed on the back-end, this change would be reflected quickly in MaxScale.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                toddstoffel Todd Stoffel
                Reporter:
                juan.vera Juan
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: