|
Re: [Bug 693108] [NEW] Authenticate by Linux system account
Hi, Olaf!
On Dec 21, Olaf van der Spek wrote:
> Could you add an option where the MySQL server does authentication by the Linux system
> account of the other end of the (local) connection?
>
> This will only work for local connections, but is very handy. Passwords would no longer
> be needed, making it both more secure and easier.
>
> In addition to user name/password, the privilege tables should contain a unix_account
> column.
>
> http://bugs.mysql.com/bug.php?id=49940
>
This is already implemented in 5.2.
See http://kb.askmonty.org/v/development-pluggable-authentication
and socket_peercred plugin therein
Regards,
Sergei
P.S. I see you really started moving feature requests from mysql bugdb
to mariadb. First update select, now this 
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
On Tue, Dec 21, 2010 at 7:05 PM, Sergei <693108@bugs.launchpad.net> wrote:
> This is already implemented in 5.2.
> See http://kb.askmonty.org/v/development-pluggable-authentication
> and socket_peercred plugin therein
Where are the socket_peercred docs?
> P.S. I see you really started moving feature requests from mysql bugdb
> to mariadb. First update select, now this 
Hehe. Makes sense, doesn't it?
Olaf
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
Hi, Olaf!
On Dec 21, Olaf van der Spek wrote:
> On Tue, Dec 21, 2010 at 7:05 PM, Sergei <693108@bugs.launchpad.net> wrote:
> > This is already implemented in 5.2.
> > See http://kb.askmonty.org/v/development-pluggable-authentication
> > and socket_peercred plugin therein
>
> Where are the socket_peercred docs?
Same page. Did you look at it at all, or are you just asking to keep the
thread going?
Regards,
Sergei
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
On Wed, Dec 22, 2010 at 1:07 PM, Sergei <693108@bugs.launchpad.net> wrote:
> Hi, Olaf!
>
> On Dec 21, Olaf van der Spek wrote:
>> On Tue, Dec 21, 2010 at 7:05 PM, Sergei <693108@bugs.launchpad.net> wrote:
>> > This is already implemented in 5.2.
>> > See http://kb.askmonty.org/v/development-pluggable-authentication
>> > and socket_peercred plugin therein
>>
>> Where are the socket_peercred docs?
>
> Same page. Did you look at it at all, or are you just asking to keep the
> thread going?
I had seen the page before I submitted the feature request.
I expected a page or at least a section dedicated to the plugin.
For example, I have no idea how to install the plugin.
I also don't see how to set up system account -> db account mapping,
but it seems this isn't possible.
The bit about socket_peercred seemed just an example of the auth
plugin system to me, not as documentation of socket_peercred itself.
Olaf
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
Hi, Olaf!
On Dec 22, Olaf van der Spek wrote:
> On Wed, Dec 22, 2010 at 1:07 PM, Sergei <693108@bugs.launchpad.net> wrote:
> > Hi, Olaf!
> >
> > On Dec 21, Olaf van der Spek wrote:
> >> On Tue, Dec 21, 2010 at 7:05 PM, Sergei <693108@bugs.launchpad.net> wrote:
> >> > This is already implemented in 5.2.
> >> > See http://kb.askmonty.org/v/development-pluggable-authentication
> >> > and socket_peercred plugin therein
> >>
> >> Where are the socket_peercred docs?
> >
> > Same page. Did you look at it at all, or are you just asking to keep the
> > thread going?
>
> I had seen the page before I submitted the feature request.
> I expected a page or at least a section dedicated to the plugin.
> For example, I have no idea how to install the plugin.
> I also don't see how to set up system account -> db account mapping,
> but it seems this isn't possible.
>
> The bit about socket_peercred seemed just an example of the auth
> plugin system to me, not as documentation of socket_peercred itself.
Hmm, I see.
I could add a page dedicated to socket_peercred, yes.
But it won't explain how to install it - it's documented here:
http://dev.mysql.com/doc/refman/5.5/en/install-plugin.html
And it won't talk about mapping, because socket_peercred cannot do that
in particular, and authentication plugins should not do that in general -
mapping is completely unrelated to authentication.
Still, if it is considered useful, I can copy the relevant part of the
http://kb.askmonty.org/v/development-pluggable-authentication page to
a special socket_peercred dedicated page.
Regards,
Sergei
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
On Mon, Dec 27, 2010 at 7:56 PM, Sergei <693108@bugs.launchpad.net> wrote:
> I could add a page dedicated to socket_peercred, yes.
>
> But it won't explain how to install it - it's documented here:
> http://dev.mysql.com/doc/refman/5.5/en/install-plugin.html
A link to that page would be nice. Although peercred is so useful that
it should be installed by default.
> And it won't talk about mapping, because socket_peercred cannot do that
> in particular, and authentication plugins should not do that in general -
> mapping is completely unrelated to authentication.
Why?
Normally, I can supply any user/pass I want. With peercred, I would
suddenly be restricted to a single MySQL user? That doesn't make
sense.
IMO mapping system -> MySQL account would be very useful.
>
> http://kb.askmonty.org/v/development-pluggable-authentication page to
> a special socket_peercred dedicated page.
I think that should be done.
Olaf
|
|
Re: Authenticate by Linux system account
done.
http://kb.askmonty.org/v/socket_peercred-authentication-plugin
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
On Mon, Jan 10, 2011 at 9:41 PM, Sergei <693108@bugs.launchpad.net> wrote:
> done.
Don't forget #6.
|
|
Re: Authenticate by Linux system account
what do you mean? add a link to how to use it?
there's a link to the pluggable auth page, it's enough, I think.
install by default? probably not just yet, maybe later.
mapping? no, it's not part of the plugin, it does not belong to that layer.
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
On Mon, Jan 10, 2011 at 10:45 PM, Sergei <693108@bugs.launchpad.net> wrote:
> what do you mean? add a link to how to use it?
A link to install-plugin.html
> there's a link to the pluggable auth page, it's enough, I think.
>
> install by default? probably not just yet, maybe later.
>
> mapping? no, it's not part of the plugin, it does not belong to that
> layer.
What layer does it belong to?
Olaf
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
Hi, Olaf!
On Jan 10, Olaf van der Spek wrote:
> On Mon, Jan 10, 2011 at 10:45 PM, Sergei <693108@bugs.launchpad.net> wrote:
> > what do you mean? add a link to how to use it?
>
> A link to install-plugin.html
done.
> > mapping? no, it's not part of the plugin, it does not belong to that
> > layer.
>
> What layer does it belong to?
To the server. Mapping should happen after the plugin has authenticated
the user. If we'd start implementing mapping in the plugins (like
Oracle started doing), we'd have to implement it in every plugin
(again, like Oracle has to do now). And if something has to be done in
every plugin - it's a sign that this functionality belongs to no plugin
in particular, it's not a plugin specific feature. It should be done
in the server.
Regards,
Sergei
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
On Wed, Jan 12, 2011 at 11:43 AM, Sergei <693108@bugs.launchpad.net> wrote:
>> > mapping? no, it's not part of the plugin, it does not belong to that
>> > layer.
>>
>> What layer does it belong to?
>
> To the server. Mapping should happen after the plugin has authenticated
> the user. If we'd start implementing mapping in the plugins (like
> Oracle started doing), we'd have to implement it in every plugin
> (again, like Oracle has to do now). And if something has to be done in
> every plugin - it's a sign that this functionality belongs to no plugin
> in particular, it's not a plugin specific feature. It should be done
> in the server.
The output of authentication is a MySQL user (from mysql.users). The
input varies and depends on the plugin.
Given that the server doesn't know about peercred details, how can it
do the mapping?
At the moment you assume a 1:1 mapping from system accounts to MySQL
accounts. An assumption that is quite restricting and IMO invalid.
Olaf
|
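The mechanism under discussion, as an added example (not part of the thread and not the socket_peercred plugin's source): on Linux the server side of a Unix socket can ask the kernel for the peer's account with SO_PEERCRED, then apply the 1:1 name check described in the message above. The function names and the sample user name "no-such-db-user" are hypothetical.

```c
#define _GNU_SOURCE   /* exposes struct ucred on Linux/glibc */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Ask the kernel which account owns the other end of a connected AF_UNIX
 * socket. Returns 0 and fills *uid on success, -1 otherwise. */
int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    /* Sockets without peer credentials (e.g. TCP) can report uid -1. */
    if (len != sizeof(cred) || cred.uid == (uid_t)-1)
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Hypothetical 1:1 policy: accept only when the requested database user name
 * equals the peer's system account name. Returns 1 = accept, 0 = reject. */
int peercred_accepts(int fd, const char *requested_db_user)
{
    uid_t uid;
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (requested_db_user == NULL || peer_uid(fd, &uid) != 0)
        return 0;                        /* no credentials: fail closed */
    if (getpwuid_r(uid, &pw, buf, sizeof(buf), &res) != 0 || res == NULL)
        return 0;                        /* uid has no passwd entry */
    return strcmp(res->pw_name, requested_db_user) == 0;
}

int main(void)
{
    int sv[2];
    uid_t uid;

    /* Both ends of a socketpair belong to this process, so the peer is us. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || peer_uid(sv[0], &uid) != 0)
        return 1;
    printf("peer uid=%u, accepted as \"no-such-db-user\": %d\n",
           (unsigned)uid, peercred_accepts(sv[0], "no-such-db-user"));
    return 0;
}
```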
|
Re: [Bug 693108] Re: Authenticate by Linux system account
On Wed, Mar 9, 2011 at 11:07 AM, Sergei <693108@bugs.launchpad.net> wrote:
> ** Changed in: maria
> Status: New => Fix Released
Could you include a link?
And/or respond to the mapping issue?
–
Olaf
|
|
Re: Authenticate by Linux system account
you misunderstood 
nothing else was implemented, besides what's already done.
I was simply going over old tickets, looking where we forgot to update the status.
The link was mentioned here:
https://bugs.launchpad.net/maria/+bug/693108/comments/7
To the mapping issue I responded here:
https://bugs.launchpad.net/maria/+bug/693108/comments/11
|
|
Re: [Bug 693108] Re: Authenticate by Linux system account
On Wed, Mar 9, 2011 at 7:03 PM, Sergei <693108@bugs.launchpad.net> wrote:
> you misunderstood 
> nothing else was implemented, besides what's already done.
> I was simply going over old tickets, looking where we forgot to update the status.
>
> The link was mentioned here:
> https://bugs.launchpad.net/maria/+bug/693108/comments/7
>
> To the mapping issue I responded here:
https://bugs.launchpad.net/maria/+bug/693108/comments/12
Olaf
|
|
Re: Authenticate by Linux system account
No Olaf, please, let's not use one bug report for different things, renaming the synopsis.
I also want the mapping (although, I think it should be done on a different layer), but please, create a new bug report or, better, WL entry, instead of hijacking an existing one.
|
|
Re: Authenticate by Linux system account
Sure: https://bugs.launchpad.net/maria/+bug/733893
Where do I create WL entries?
|
|
Launchpad bug id: 693108
|