Status: Closed
MXS-SPRINT-129, MXS-SPRINT-130, MXS-SPRINT-138, MXS-SPRINT-139
At present, MaxScale can do most of what the MariaDB server can do with PAM, except group mapping. This is a request to bring that support to fuller parity with the server.
Ideally, installation and deployment would mimic the way the server is configured for PAM. Certain higher-level features of the server syntax, such as explicitly defined ROLES and syntactically explicit GRANT PROXY, do not need to be supported in exactly the same way.
MaxScale is a required part of XPAND deployments. The current sales priority for XPAND is the so-called "performance option", whereby the MDB server is bypassed altogether and MaxScale distributes the workload directly to the nodes of the XPAND cluster. XPAND does not support LDAP at present.
A customer wants to use Active Directory in this configuration. Currently we can satisfy the authentication part (including two-phase) using MaxScale. The theory is that it is a good deal easier, and architecturally better, to add group mapping to MaxScale than to build a whole PAM apparatus in XPAND.
Easier - very likely.
Architecturally better: XPAND is presented to the market as a "smart engine". When it operates under the MDB server, all security is handled by the server's PAM. The "performance option" is just that, a performance option. It relies on MaxScale for many serious things, from workload distribution to transaction replay. Given that MaxScale also provides security checks and even access controls, it certainly stands to reason that not duplicating that functionality is better than duplicating it.
1. General corporate policies
   a. Are users treated as individuals, or are they assigned to groups? "Yes, assigned to groups in AD. We need to be able to map these groups into a small number of XPAND users, each representing a business role"
   b. If so, can one user be in multiple groups? "Yes. Initially, the first group retrieved by PAM should be used as default. Additional refinements may be considered for later"
2. Required operation with the database
   a. Authentication by Active Directory on every connect request is assumed, but:
   b. Is two-factor authentication for database access required? "No"
   c. Mapping of AD groups into database users (associating users with business roles and so minimizing grant maintenance requirements)? "Yes, as above"
3. Business rules
   a. We hear the canned applications are using session pooling. Is it true? If so, what is the current access control scheme? "We have one schema per application. Applications are all microservices. All users are validated by the app server, all database connections go under the same userid"
      i. Authentication by web server or app server? "Yes, as above"
         1. If so, do all sessions use the same userid, or "Yes now"
         2. Are sessions grouped somehow into "business roles"? If so, are these roles obtained from Active Directory groupings or are they maintained elsewhere? "Maybe in the future"
   b. Will there be, in addition to the canned application(s), any "ad hoc" access from general tools (such as SQL tools, BI tools, or even client tools)? "Correct. This is the primary reason why LDAP support is required (something which would not be really critical if canned applications were all there was to it)"
      i. If affirmative, what is the security model? Individual grants for each user, or group grants for business roles? "The latter, mainly. In specific cases where a single individual has specific database privileges, we are fine creating a dedicated group in AD"
4. Deployment models
   a. Will MaxScale be the required component, or do you plan load balancers on the app servers or clients to deal with the XPAND cluster (and its scale-up and scale-down events)? "Yes"