MariaDB MaxScale / MXS-3526

GSSAPI authenticator supports only one principal and only the default location for the keytab


    Details

    • Type: New Feature
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 2.5.10
    • Fix Version/s: 6.2.0
    • Component/s: Authenticator
    • Labels: None
    • Environment: All
    • Sprint: MXS-SPRINT-137, MXS-SPRINT-138, MXS-SPRINT-139

      Description

      GSSAPI authenticator documentation says:

      "The keytab file must be placed in the configured default location which almost always is /etc/krb5.keytab.

      To take GSSAPI authentication into use, add the following to the listener.

      authenticator=GSSAPIAuth
      authenticator_options=principal_name=mariadb/localhost.localdomain@EXAMPLE.COM
      Change the principal name to the same value you configured for the MariaDB server.

      After the listeners are configured, add the following to all servers that use GSSAPI users.

      authenticator=GSSAPIBackendAuth"

      I'm no expert on GSSAPI, but it seems like the principal_name should be set on a per-server basis rather than in the listener, since each of the backend MariaDB servers uses a different principal_name in its gssapi_principal_name variable for the GSSAPI plugin.

      Additionally, I think that we should be able to specify a separate keytab file for each server, since each of the backend servers has its own keytab, and the keytab location can be set via the gssapi_keytab_path variable on the DB server. The default keytab in /etc/krb5.keytab may be used by some other app. Even though it's possible to add principals to the default keytab, messing with the customer's non-MariaDB keytab files is probably not a great idea, because if we accidentally overwrite it, that could break something else.

      We currently have a customer who wants to set this up on MaxScale and three backend DB servers, but I can't figure out any way to make it work with the current options available.
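The following MaxScale configuration is an added illustration of the documented setup the description quotes; it is not part of the issue or of the MaxScale documentation. Hostnames, ports and the service credentials are constructed placeholders. It shows that the principal can only be given once, in the listener's authenticator_options, while each backend server section gets just authenticator=GSSAPIBackendAuth, which is exactly the limitation the issue reports when the backends use different principals and keytabs.

```ini
# Added example (not from the issue); hostnames, ports and credentials are placeholders.
[maxscale]
threads=auto

# One section per backend. Only the backend authenticator can be set here;
# there is no per-server principal_name or keytab option.
[db1]
type=server
address=db1.example.com
port=3306
protocol=MariaDBBackend
authenticator=GSSAPIBackendAuth

[db2]
type=server
address=db2.example.com
port=3306
protocol=MariaDBBackend
authenticator=GSSAPIBackendAuth

[db3]
type=server
address=db3.example.com
port=3306
protocol=MariaDBBackend
authenticator=GSSAPIBackendAuth

[Splitter-Service]
type=service
router=readwritesplit
servers=db1,db2,db3
user=maxscale_user
password=placeholder_password

# The single principal used for all client connections; the keytab is read
# from the default location (/etc/krb5.keytab) per the quoted documentation.
[Splitter-Listener]
type=listener
service=Splitter-Service
protocol=MariaDBClient
port=4006
authenticator=GSSAPIAuth
authenticator_options=principal_name=mariadb/localhost.localdomain@EXAMPLE.COM
```

With this layout, a backend whose gssapi_principal_name or gssapi_keytab_path differs from the listener's single principal and the default keytab cannot be expressed in MaxScale's configuration.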

              People

              Assignee:
              esa.korhonen Esa Korhonen
              Reporter:
              jim.parks@mariadb.com Jim Parks (Inactive)
              Votes:
              0
              Watchers:
              5
