  1. MariaDB MaxScale
  2. MXS-5087

Adding KMS support to MaxScale password hashing features


Details

    • New Feature
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • None
    • None
    • maxkeys, maxpasswd
    • None

    Description

      Actually, the security of MaxScale MariaDB users is based on a non-encrypted file located on the MaxScale server.

      • maxkeys
        It is generated by maxkeys, is called .secrets, and is stored by default in /var/lib/maxscale (but this can be changed at creation time).

      It would be great if we could give maxkeys some parameters so that the secret is sent directly to a KMS, which would be defined on the command line.

      Something along the lines of:
      maxkeys --host= --port= --key= --cert= --ca=

      On stdout it should provide the information necessary to retrieve the created secret later on.

      • maxpasswd
        To hash the password we have to call the maxpasswd function. It would be great if we could feed it the info retrieved from maxkeys to allow it to encrypt the password using the KMS secret.

      Something along the lines of:
      maxpasswd --host= --port= --key= --cert= --ca= --token= PASSWORD_TO_HASH

      It would still reply with the hash on stdout.

      • MaxScale cnf file
        In the [maxscale] section, we could add a parameter which is the password-related secret token/ID, and add a switch telling MaxScale to use the already defined key manager.

            People

              maxmether Max Mether
              SylvainArbaudie Sylvain ARBAUDIE