[MDEV-6385] MariaDB Galera Authentication between nodes and SST Created: 2014-06-25  Updated: 2019-10-10  Resolved: 2019-10-09

Status: Closed
Project: MariaDB Server
Component/s: Documentation
Fix Version/s: N/A

Type: Task Priority: Major
Reporter: Aleksej Trofimov Assignee: Kenneth Dyer (Inactive)
Resolution: Fixed Votes: 4
Labels: authentication, galera, kerberos, sst

Issue Links:
Relates
relates to MDEV-4691 Kerberize MariaDB -- add Kerberos aut... Closed
relates to MDEV-27246 Implement a method to add IPs to allo... Closed

Description

Considering authentication requirements between MariaDB Galera Nodes, we would like to suggest several changes to be made within MariaDB Galera Cluster:
1) Authentication methods should be implemented between MariaDB Galera cluster nodes based either on Kerberos/AD/LDAP. The reason behind this requirement is that in current implementation there is a possibility to attach any node to the cluster with full dump of data inside the database and future access to this data by changing credentials in database.
2) SST methods based on xtrabackup require login/password of user having access to database be written in a plain-text format. We would like to suggest modifying this section to either save credential in encrypted format, or adding Kerberos authentication.



Comments
Comment by Vladislav Vaintroub [ 2018-07-26 ]

mariabackup uses C client. C clients transparently load authentication plugins when required (when user identifies with auth.plugin). We have a plugin that supports Kerberos (auth_gssapi - server side, auth_gssapi_client - client side)

what SST scripts do, I've no good idea really

Comment by Jacob Moorman (Inactive) [ 2019-04-12 ]

Geoff to re-assess this ticket based on current state of documentation and make a specific recommendation on ticket about any outstanding needs.

Comment by Geoff Montee (Inactive) [ 2019-04-13 ]

The following text has been added:

Some authentication plugins do not require a password. For example, the unix_socket and gssapi authentication plugins do not require a password. If you are using a user account that does not require a password in order to log in, then you can just leave the password component of wsrep_sst_auth empty. For example:

[mariadb]
...
wsrep_sst_auth = mariabackup:

https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#authentication

https://mariadb.com/kb/en/library/mariabackup-sst-method/#authentication-and-privileges

https://mariadb.com/kb/en/library/xtrabackup-v2-sst-method/#authentication-and-privileges

The following section about unix_socket authentication has also been added to the mariabackup and xtrabackup-v2 SST pages:

It is possible to use the unix_socket authentication plugin for the user account that performs SSTs. This would provide the benefit of not needing to configure a plain-text password in wsrep_sst_auth.

The user account would have to have the same name as the operating system user account that is running the mysqld process. On many systems, this is the user account configured as the user option, and it tends to default to mysql.

For example, if the unix_socket authentication plugin is already installed, then you could execute the following to create the user account:

CREATE USER 'mysql'@'localhost' IDENTIFIED VIA unix_socket;
GRANT RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'mysql'@'localhost';

And then to configure wsrep_sst_auth, you could set the following in a server option group in an option file prior to starting up a node:

[mariadb]
...
wsrep_sst_auth = mysql:

https://mariadb.com/kb/en/library/mariabackup-sst-method/#passwordless-authentication-unix-socket

https://mariadb.com/kb/en/library/xtrabackup-v2-sst-method/#passwordless-authentication-unix-socket

And the following section about gssapi authentication has also been added to the mariabackup and xtrabackup-v2 SST pages:

It is possible to use the gssapi authentication plugin for the user account that performs SSTs. This would provide the benefit of not needing to configure a plain-text password in wsrep_sst_auth.

The following steps would need to be done beforehand:

  • You need a KDC running MIT Kerberos or Microsoft Active Directory.
  • You will need to create a keytab file for the MariaDB server.
  • You will need to install the package containing the gssapi authentication plugin.
  • You will need to install the plugin in MariaDB, so that the gssapi authentication plugin is available to use.
  • You will need to configure the plugin.
  • You will need to create a user account that authenticates with the gssapi authentication plugin, so that the user account can be used for SSTs. This user account will need to correspond with a user account that exists on the backend KDC.

For example, you could execute the following to create the user account in MariaDB:

CREATE USER 'mariabackup'@'localhost' IDENTIFIED VIA gssapi;
GRANT RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'mariabackup'@'localhost';

And then to configure wsrep_sst_auth, you could set the following in a server option group in an option file prior to starting up a node:

[mariadb]
...
wsrep_sst_auth = mariabackup:

https://mariadb.com/kb/en/library/mariabackup-sst-method/#passwordless-authentication-gssapi

https://mariadb.com/kb/en/library/xtrabackup-v2-sst-method/#passwordless-authentication-gssapi
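
The passwordless wsrep_sst_auth settings quoted above can be checked before a node is started. The following shell helper is an added example (not MariaDB's or the ticket's code); it assumes the server option groups named in its comments and constructs its own sample option files.

```shell
# Audit helper (added example, not MariaDB's code): classify wsrep_sst_auth
# in an option file as unset, passwordless (user only) or plain-text password.

# Constructed sample option files, written to a temp dir at load time.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/plain.cnf" <<'EOF'
[mariadb]
wsrep_sst_auth = "mariabackup:s3cret"   # plain-text password
EOF
cat > "$SAMPLE_DIR/passwordless.cnf" <<'EOF'
[galera]
wsrep_sst_auth = mysql:   # unix_socket user, no password (as in the ticket)
EOF
cat > "$SAMPLE_DIR/client_only.cnf" <<'EOF'
[client]
wsrep_sst_auth = mariabackup:ignored   # not a server group, so not read
EOF

# Print the effective value: last assignment in a server group ([mysqld],
# [server], [mariadb], [galera], optionally version-suffixed), comments and
# surrounding quotes stripped. Empty output means it is not set.
sst_auth_value() {
  awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*\[/ { in_srv = ($0 ~ /^[[:space:]]*\[(mysqld|server|mariadb|galera)(-[0-9.]+)?\][[:space:]]*$/); next }
    in_srv {
      i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", k)
      if (k != "wsrep_sst_auth") next
      v = substr($0, i + 1)
      sub(/[[:space:]]+#.*$/, "", v)            # drop inline comment
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) # trim
      gsub(/^"|"$/, "", v)                       # strip surrounding quotes
      val = v
    }
    END { print val }
  ' "$1"
}

# Classify: a colon followed by anything is a plain-text password; a bare
# user name or a trailing colon means a passwordless plugin is expected.
sst_auth_class() {
  v=$(sst_auth_value "$1")
  case "$v" in
    "")  echo unset ;;
    *:)  echo passwordless ;;
    *:*) echo plaintext ;;
    *)   echo passwordless ;;
  esac
}
```

Run `sst_auth_class /etc/my.cnf.d/galera.cnf` (path assumed) on each node; a "plaintext" result is the case the ticket asks to avoid.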

Comment by Geoff Montee (Inactive) [ 2019-05-01 ]

Thanks, valerii!

I reassigned to KennethDyer for review by the documentation team.
