[MDEV-30897] pam_user_map but with role mapping instead of user mapping Created: 2023-03-21  Updated: 2023-05-19

Status: Open
Project: MariaDB Server
Component/s: Plugin - pam
Fix Version/s: None

Type: Task Priority: Minor
Reporter: Sylvain ARBAUDIE Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


 Description   

Could it be feasible to have another pam plugin that maps and automatically assigns a given role to users depending on their group?

For example, Alice and Bob are both part of the dba group in ldap/unix/AD/whatever, so they are automatically assigned to the dba group upon successful login.

The reasoning for this is the following:
since users who delegate authentication to a third party like ldap/AD/unix socket/whatever care about security, there is little chance they accept to map admin users to a single one, since it removes all ability to effectively have an account accountability process with the audit plugin, for example, but not only.



 Comments   
Comment by Sergei Golubchik [ 2023-05-19 ]

No, that's currently impossible. Authentication plugins, pam or anything else, only handle authentication, that is, they answer the question "who the user is". They do not handle authorization, that'd be the question "what the user is allowed to do". Roles are part of authorization, not authentication.
