Details
- Type: New Feature
- Status: Closed
- Priority: Critical
- Resolution: Won't Fix
- Affects Version/s: 2.5.10
- Fix Version/s: None
- All
- Sprint: MXS-SPRINT-137, MXS-SPRINT-138, MXS-SPRINT-139
Description
GSSAPI authenticator documentation says:
"The keytab file must be placed in the configured default location which almost always is /etc/krb5.keytab.
To take GSSAPI authentication into use, add the following to the listener.
authenticator=GSSAPIAuth
authenticator_options=principal_name=mariadb/localhost.localdomain@EXAMPLE.COM
Change the principal name to the same value you configured for the MariaDB server.
After the listeners are configured, add the following to all servers that use GSSAPI users.
authenticator=GSSAPIBackendAuth"
I'm no expert on GSSAPI, but it seems like the principal_name should be set on a per-server basis rather than in the listener, since each of the backend MariaDB servers uses a different principal_name in its gssapi_principal_name variable for the GSSAPI plugin.
Additionally, I think that we should be able to specify a separate keytab file for each server, since each of the backend servers has its own keytab, and the keytab location can be set via the gssapi_keytab_path variable on the DB server. The default keytab in /etc/krb5.keytab may be used by some other app. Even though it's possible to add principals to the default keytab, messing with the customer's non-MariaDB keytab files is probably not a great idea, because if we accidentally overwrite it, that could break something else.
We currently have a customer who wants to set this up on MaxScale and three backend DB servers, but I can't figure out any way to make it work with the current options available.
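To make the quoted instructions concrete, here is an added example of a minimal maxscale.cnf that wires them together for one listener and three backends. It is not from the ticket or from the MaxScale project; the section names, hostnames, ports, service account and realm are assumptions. It also shows where the limitation the reporter describes sits: principal_name is a listener-level option, so there is exactly one principal for all backends, and the keytab location is not configurable at all.

```ini
# Added example (not from the ticket or the MaxScale documentation).
# Names, addresses, ports, the service account and the realm are assumptions.

[maxscale]
threads=auto

[db1]
type=server
address=db1.example.com
port=3306
protocol=MariaDBBackend
# Every backend that GSSAPI users are routed to needs the backend authenticator.
authenticator=GSSAPIBackendAuth

[db2]
type=server
address=db2.example.com
port=3306
protocol=MariaDBBackend
authenticator=GSSAPIBackendAuth

[db3]
type=server
address=db3.example.com
port=3306
protocol=MariaDBBackend
authenticator=GSSAPIBackendAuth

[Read-Write-Service]
type=service
router=readwritesplit
servers=db1,db2,db3
# Account MaxScale uses to load user information from the backends
# (assumed name and password; an ordinary password-authenticated account).
user=maxuser
password=maxpwd

[Read-Write-Listener]
type=listener
service=Read-Write-Service
protocol=MariaDBClient
port=4006
authenticator=GSSAPIAuth
# A single principal, configured on the listener rather than per server.
# It must match what the backends are configured with and must be present
# in the default keytab (/etc/krb5.keytab); there is no option to point a
# listener or a server at a different keytab file.
authenticator_options=principal_name=mariadb/maxscale.example.com@EXAMPLE.COM
```

Before starting MaxScale with such a configuration, confirm that the principal named in principal_name actually exists in the default keytab (for example with `klist -kt /etc/krb5.keytab`) and that the keytab is readable by the user MaxScale runs as; a missing or unreadable key shows up only as a failed GSSAPI handshake on the client side.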
Issue Links
- is blocked by MXS-3733 Add keytab filepath configuration option to GSSAPI authenticator (Closed)