Details
Bug
Status: Stalled
Critical
Resolution: Unresolved
24.02.3
None
None
MXS-SPRINT-218, MXS-SPRINT-230
Description
I'm trying to have PAM authentication for the REST API that only grants to users from a certain group.
On the MariaDB server side this could be done with our own pam_user_map PAM module and PROXY privileges, but as no actual user mapping is needed here, just group based authentication, I was trying to rather just use the standard pam_succeed_if module like this:
auth required pam_unix.so audit
auth required pam_succeed_if.so debug user ingroup mysql
account required pam_unix.so audit
I've also created two unix users, unix_user and unix_mysql, with only the latter being in the mysql group, and made sure that user maxscale is in the shadow group to be able to read /etc/shadow for password verification. (I see that there is PAM sandboxing process support now in 23.08, but only for listeners, not for the REST API's admin_pam_readwrite_service.)
Both the MariaDB and Maxscale test servers are running on the same machine, so both are using the same PAM setup and have the same unix users and groups.
When testing the above PAM service with MariaDB server I can log in as user unix_mysql but not as unix_user, as expected. In /var/log/audit I see the respective messages, as expected due to the audit and debug options used in the service file:
Successful login with unix_mysql:
Sep 15 18:23:55 ubuntu-focal auth_pam_tool: pam_succeed_if(mariadb_unix:auth): 'user' resolves to 'unix_mysql'
Sep 15 18:23:55 ubuntu-focal auth_pam_tool: pam_succeed_if(mariadb_unix:auth): requirement "user ingroup mysql" was met by user "unix_mysql"
Failed login due to missing mysql group membership for unix_user:
Sep 15 18:24:02 ubuntu-focal auth_pam_tool: pam_succeed_if(mariadb_unix:auth): 'user' resolves to 'unix_user'
Sep 15 18:24:02 ubuntu-focal auth_pam_tool: pam_succeed_if(mariadb_unix:auth): requirement "user ingroup mysql" not met by user "unix_user"
When trying to use the same PAM service with maxscale as admin_pam_readwrite_service=mariadb_unix I see different behavior though.
First of all, both unix_mysql and unix_user can log in; the pam_succeed_if ingroup check seems to get ignored totally by Maxscale here.
Also I do not find the requested audit and debug output anywhere: not in syslog, not in /var/log/audit, not in the maxscale log file in /var/log/maxscale/maxscale.log.
Only when trying an actually invalid login with a wrong user or password do I see
2024-09-15 18:47:40 warning: PAM authentication of user 'foo' to service 'mariadb_unix' failed: 'Authentication failure'.
2024-09-15 18:47:40 warning: Authentication failed for 'foo', using password. Request: GET /auth
in the maxscale log file and
Sep 15 18:47:38 ubuntu-focal maxscale[4113]: pam_unix(mariadb_unix:auth): check pass; user unknown
Sep 15 18:47:38 ubuntu-focal maxscale[4113]: pam_unix(mariadb_unix:auth): authentication failure; logname= uid=996 euid=996 tty= ruser= rhost=
in the syslog / systemd journal.
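As an added illustration (not code from the ticket, MaxScale or MariaDB Server), the following Python simulates libpam's control-flag semantics for the auth stack over the service file quoted above, so the expected outcome (unix_mysql accepted, unix_user rejected by the ingroup requirement) can be checked independently of either application. The users, passwords, group memberships and module verdicts are constructed stand-ins; no real PAM call is made.

```python
"""Simulate a PAM 'auth' stack using the service file from the ticket.
Users, groups and module verdicts are constructed; nothing touches real PAM."""

# Constructed users: name -> (password, set of groups), standing in for
# /etc/passwd, /etc/shadow and /etc/group on the test machine
USERS = {
    "unix_mysql": ("secret1", {"unix_mysql", "mysql"}),
    "unix_user": ("secret2", {"unix_user"}),
}

PAM_SERVICE = """
auth    required  pam_unix.so       audit
auth    required  pam_succeed_if.so debug user ingroup mysql
account required  pam_unix.so       audit
"""

def parse_pam(text):
    """Return (type, control, module, args) tuples; comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        entries.append((mtype, control, module, args))
    return entries

def run_module(module, args, user, password):
    """Simulated verdicts for the two modules in the ticket's auth stack."""
    if module == "pam_unix.so":
        return user in USERS and USERS[user][0] == password
    if module == "pam_succeed_if.so":
        # Only the 'user ingroup <group>' condition used in the ticket is modelled
        i = args.index("user")
        assert args[i + 1] == "ingroup"
        return user in USERS and args[i + 2] in USERS[user][1]
    raise ValueError(f"unsupported module {module}")

def authenticate(service_text, user, password):
    """Apply libpam control-flag semantics (simple keywords only) to the auth stack."""
    failed = False
    for mtype, control, module, args in parse_pam(service_text):
        if mtype != "auth":
            continue
        ok = run_module(module, args, user, password)
        if control == "requisite" and not ok:
            return False            # stop immediately
        if control == "required" and not ok:
            failed = True           # keep running the stack, but final verdict is failure
        if control == "sufficient" and ok and not failed:
            return True             # short-circuit success
    return not failed
```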