MariaDB MaxScale / MXS-2544

PAMAuth doesn't check role permissions

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.7
    • Fix Version/s: 2.4.1
    • Component/s: Authenticator
    • Labels:
      None
    • Sprint:
      MXS-SPRINT-84, MXS-SPRINT-85, MXS-SPRINT-86

      Description

      MySQLAuth was fixed to check role permissions in MXS-872. It looks like PAMAuth needs a similar fix. See here:

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.7/server/modules/authenticator/PAM/PAMAuth/pam_instance.cc#L205

      Let's say that you define a PAM user like this:

      CREATE ROLE 'admin_role';
      GRANT ALL PRIVILEGES ON *.* TO 'admin_role';
      CREATE USER 'pamuser'@'%' IDENTIFIED VIA pam USING 'mariadb';
      GRANT 'admin_role' TO 'pamuser'@'%';
      SET DEFAULT ROLE 'admin_role' FOR 'pamuser'@'%';
      

      Currently, MaxScale will not recognize the PAM user, because it assumes that it has no privileges. The MaxScale log will contain entries like this:

      2019-06-04 10:07:03   notice : Service 'db-service-pam' started (3/12)
      2019-06-04 10:11:02   notice : Loaded 0 users for service db-service-pam
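
An audit query for the situation described above, added here as an example; it is not part of the original issue and not MaxScale's own code. It lists PAM accounts that have a default role and shows whether they also hold a direct global SELECT or any direct database-level grant. It assumes MariaDB's standard grant tables `mysql.user`, `mysql.roles_mapping` and `mysql.db`; using global SELECT and `mysql.db` rows as the "direct" privileges to display is a choice made for this example.

```sql
-- Added example: find PAM accounts whose privileges depend on a default role.
-- Assumes the MariaDB grant tables mysql.user, mysql.roles_mapping and mysql.db.
SELECT
    u.User,
    u.Host,
    u.default_role,
    u.Select_priv AS direct_global_select,   -- 'Y' if SELECT ON *.* is granted directly
    COUNT(d.Db)   AS direct_db_grants        -- rows in mysql.db for this account
FROM mysql.user AS u
-- Keep only accounts whose default role has actually been granted to them.
JOIN mysql.roles_mapping AS rm
      ON rm.User = u.User
     AND rm.Host = u.Host
     AND rm.Role = u.default_role
-- Direct database-level grants, if any.
LEFT JOIN mysql.db AS d
      ON d.User = u.User
     AND d.Host = u.Host
WHERE u.plugin = 'pam'        -- accounts created with IDENTIFIED VIA pam
  AND u.is_role = 'N'         -- skip the role rows themselves
  AND u.default_role <> ''    -- SET DEFAULT ROLE has been applied
GROUP BY u.User, u.Host, u.default_role, u.Select_priv
ORDER BY u.User, u.Host;
```

For the `pamuser` account defined above, this returns one row with `default_role = admin_role`, `direct_global_select = N` and `direct_db_grants = 0`, that is, an account whose privileges come only through its role.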
      


              People

              • Assignee:
                esa.korhonen Esa Korhonen
                Reporter:
                GeoffMontee Geoff Montee
              • Votes:
                0
                Watchers:
                3
