[MDEV-19428] Port check_proxy_users system variable and related server feature from MySQL 5.7
| Created: 2019-05-09 | Updated: 2019-09-14 | Resolved: 2019-05-20 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Authentication and Privilege System |
| Fix Version/s: | N/A |
| Type: | Task | Priority: | Major |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Sergei Golubchik |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | upstream |
| Description |
|
MySQL 5.7 added the check_proxy_users system variable and related server feature. When this variable is enabled, the server performs proxy user mappings. This allows proxy users to be used with an authentication plugin, even if the authentication plugin itself does not map proxy users.

The mysql_native_password_proxy_users system variable can be used to enable/disable this behavior for the mysql_native_password authentication plugin.

If we port this feature, then maybe we would also want similar system variables to enable/disable this behavior for other authentication plugins, like ed25519 or gssapi.

https://dev.mysql.com/doc/refman/5.7/en/proxy-users.html
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_check_proxy_users |
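The server-side mapping described above, as an added example that is not part of the original ticket. It uses MySQL 5.7 syntax; the account names, the `appdb` schema and the password are constructed placeholders, and the `mysql_no_login` plugin is assumed to be installed.

```sql
-- MySQL 5.7 only. All account names, the schema and the password are
-- constructed placeholders for illustration.

-- Let the server itself map proxy users, and opt the
-- mysql_native_password plugin in to that mapping.
SET GLOBAL check_proxy_users = ON;
SET GLOBAL mysql_native_password_proxy_users = ON;

-- Proxied account: carries the privileges and cannot log in directly
-- (assumes the mysql_no_login plugin is installed).
CREATE USER 'proxied_user'@'localhost' IDENTIFIED WITH mysql_no_login;
GRANT SELECT ON appdb.* TO 'proxied_user'@'localhost';

-- Proxy account: the one clients actually authenticate as.
CREATE USER 'proxy_user'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'change-me';

-- The PROXY grant is what defines the mapping in this scheme.
GRANT PROXY ON 'proxied_user'@'localhost' TO 'proxy_user'@'localhost';

-- Run in a session opened as proxy_user: compares the account the client
-- authenticated as, the account whose privileges apply, and the proxy
-- account recorded by the server.
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- Audit: every PROXY grant now acts as a login-to-identity mapping, so
-- review them all, including who may re-grant (With_grant).
SELECT User, Host, Proxied_user, Proxied_host, With_grant
  FROM mysql.proxies_priv
 ORDER BY User, Host;

-- Audit: proxy accounts holding PROXY on more than one proxied account.
-- With server-side mapping the account chosen in that case is
-- nondeterministic, so each proxy account should map to exactly one.
SELECT User, Host, COUNT(*) AS proxied_accounts
  FROM mysql.proxies_priv
 GROUP BY User, Host
HAVING COUNT(*) > 1;
```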
| Comments |
| Comment by Sergei Golubchik [ 2019-05-09 ] |
|
I don't think it's a good idea. Proxy users is a confusing concept in itself, introduced to give the DBA an illusion that she can restrict plugin-side user mapping. And then MySQL abused that to make proxy users define user mapping, not restrict it. The SQL Standard way of doing stuff like that is SQL roles. We might consider adding a server-side user mapping feature, but it's unlikely that it'll be based on proxy users. |
| Comment by Geoff Montee (Inactive) [ 2019-05-09 ] |
|
Hi serg, I also thought it was a bit strange to use PROXY privileges to define user mappings. I haven't tested the implementation in MySQL 5.7 to see how it works, but it does sound pretty unintuitive. Anyway, I've created MDEV-19431 for user mapping in the server, in case we decide to implement it some other way. Thanks! |