MariaDB MaxScale / MXS-5265

Strange behavior of admin_pam_readwrite_service


Details

    • Type: Bug
    • Status: Stalled
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 24.02.3
    • Fix Version/s: N/A
    • Component/s: None
    • Labels: None
    • Sprint: MXS-SPRINT-218, MXS-SPRINT-230

    Description

      I'm trying to have PAM authentication for the REST API that only grants access to users from a certain group.

      On the MariaDB server side this could be done with our own pam_user_map PAM module and PROXY privileges, but as no actual user mapping is needed here, just group based authentication, I was trying to rather just use the standard pam_succeed_if module like this:

      auth required pam_unix.so audit
      auth required pam_succeed_if.so debug user ingroup mysql
      account required pam_unix.so audit
      

      I've also created two unix users, unix_user and unix_mysql, with only the latter being in the mysql group, and made sure that user maxscale is in the shadow group to be able to read /etc/shadow for password verification. (I see that there is PAM sandboxing process support now in 23.08, but only for listeners, not for the REST API's admin_pam_readwrite_service.)

      Both the MariaDB and Maxscale test servers are running on the same machine, so both are using the same PAM setup and have the same unix users and groups.

      When testing the above PAM service with MariaDB server I can log in as user unix_mysql but not as unix_user, as expected. In /var/log/audit I see the respective messages, as expected due to the audit and debug options used in the service file:

      Successful login with unix_mysql

      Sep 15 18:23:55 ubuntu-focal auth_pam_tool: pam_succeed_if(mariadb_unix:auth): 'user' resolves to 'unix_mysql'
      Sep 15 18:23:55 ubuntu-focal auth_pam_tool: pam_succeed_if(mariadb_unix:auth): requirement "user ingroup mysql" was met by user "unix_mysql"
      

      Failed login due to missing mysql group membership for unix_user:

      Sep 15 18:24:02 ubuntu-focal auth_pam_tool: pam_succeed_if(mariadb_unix:auth): 'user' resolves to 'unix_user'
      Sep 15 18:24:02 ubuntu-focal auth_pam_tool: pam_succeed_if(mariadb_unix:auth): requirement "user ingroup mysql" not met by user "unix_user"
      

      When trying to use the same PAM service with maxscale as admin_pam_readwrite_service=mariadb_unix I see different behavior though.

      First of all, both unix_mysql and unix_user can log in; the pam_succeed_if ingroup check seems to get ignored totally by MaxScale here.

      Also I do not find the requested audit and debug output anywhere: not in syslog, not in /var/log/audit, not in the maxscale log file in /var/log/maxscale/maxscale.log.

      Only when trying an actually invalid login with a wrong user or password do I see

      2024-09-15 18:47:40   warning: PAM authentication of user 'foo' to service 'mariadb_unix' failed: 'Authentication failure'.
      2024-09-15 18:47:40   warning: Authentication failed for 'foo', using password. Request: GET /auth
      

      in the maxscale log file and

      Sep 15 18:47:38 ubuntu-focal maxscale[4113]: pam_unix(mariadb_unix:auth): check pass; user unknown
      Sep 15 18:47:38 ubuntu-focal maxscale[4113]: pam_unix(mariadb_unix:auth): authentication failure; logname= uid=996 euid=996 tty= ruser= rhost=
      

      in the syslog / systemd journal.
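A regression check an operator can run against such a deployment, added here as an example and not part of the report or of MaxScale: it derives the access each user should get from the group membership the pam_succeed_if rule is meant to enforce, logs each user into the REST API's GET /auth endpoint with HTTP basic auth, and reports users whose observed result contradicts the policy. The URL, the admin port 8989 and the passwords are assumed placeholders for a test host.

```python
import base64
import grp
import pwd
import urllib.error
import urllib.request

# Assumed test deployment (placeholders, not taken from the report): MaxScale REST API
# on the local host, and credentials for the two unix users the report creates.
MAXSCALE_URL = "http://127.0.0.1:8989/auth"
REQUIRED_GROUP = "mysql"
CREDENTIALS = {"unix_mysql": "<password>", "unix_user": "<password>"}


def expected_allowed(user, required_group, group_members, primary_groups):
    """Policy that 'user ingroup <group>' is meant to enforce: allow only if the
    user is a supplementary member of the group or has it as primary group."""
    return user in group_members or primary_groups.get(user) == required_group


def compare(expected, observed):
    """Return the users whose REST API outcome (True = HTTP 200, False = HTTP 401)
    differs from the policy; a non-empty list reproduces the reported bypass."""
    return sorted(u for u in expected if expected[u] != observed.get(u))


def rest_api_login(url, user, password, timeout=5):
    """Basic-auth GET /auth; True on 200, False on 401, any other error is raised."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def local_group_data(group, users):
    """Read membership from the local NSS database (MaxScale runs on the same host)."""
    members = set(grp.getgrnam(group).gr_mem)
    primary = {u: grp.getgrgid(pwd.getpwnam(u).pw_gid).gr_name for u in users}
    return members, primary


if __name__ == "__main__":
    members, primary = local_group_data(REQUIRED_GROUP, CREDENTIALS)
    expected = {u: expected_allowed(u, REQUIRED_GROUP, members, primary) for u in CREDENTIALS}
    observed = {u: rest_api_login(MAXSCALE_URL, u, p) for u, p in CREDENTIALS.items()}
    for user in compare(expected, observed):
        print(f"MISMATCH {user}: policy allows={expected[user]}, REST API allowed={observed[user]}")
```

With the behaviour described above, unix_user is reported as a mismatch (denied by policy, accepted by the REST API) while the same check against the MariaDB server's PAM login produces no mismatch.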

      People

            esa.korhonen Esa Korhonen
            hholzgra Hartmut Holzgraefe