[MXS-1662] Allow all users in a specific group to use MaxAdmin Created: 2018-02-09  Updated: 2020-08-25  Resolved: 2019-04-30

Status: Closed
Project: MariaDB MaxScale
Component/s: maxadmin
Affects Version/s: 2.1.13
Fix Version/s: 2.4.0

Type: New Feature Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Esa Korhonen
Resolution: Fixed Votes: 1
Labels: maxadmin

Sprint: MXS-SPRINT-78, MXS-SPRINT-79, MXS-SPRINT-80, MXS-SPRINT-81

 Description   

In MaxScale 2.1, Linux user accounts can be given access to maxadmin:

https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale-21-maxadmin-admin-interface/#working-with-administration-interface-users

Some users would like this to be expanded, so that all Linux users within a specific Linux group could be given access to maxadmin, e.g. executing something like this would allow any user in the "dba" group to use MaxAdmin:

MaxScale> enable group dba

It would be preferable if this would also work for non-local groups pulled in from certain PAM plugins, such as those from Active Directory or LDAP.
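As an added illustration of the membership check such an "enable group" feature would need (example code written for this page, not MaxScale's own, and the account database it is run against is constructed): the check must go through getgrouplist() rather than the group's member list, because a user whose primary group is "dba" does not appear in that list, and NSS/PAM-backed groups (LDAP, Active Directory via sssd or winbind) are resolved on the same getgrouplist() path as local ones. The names alice, bob, carol and the gids are assumptions.

```python
"""Group-based maxadmin enablement check, written as an example for this issue.

The naive check (is the user listed in the group's member list?) misses
anyone whose *primary* group is the enabled group; os.getgrouplist() does
not, and it also covers groups served by NSS/PAM (LDAP, AD) the same way.
"""
import grp
import os
import pwd

# Lookups are passed in as a tuple so the same code runs against the real
# system database (default) or against a constructed one (below, for tests).
SYSTEM_LOOKUPS = (pwd.getpwnam, grp.getgrnam, os.getgrouplist)


def make_lookups(users, groups):
    """Build (getpwnam, getgrnam, getgrouplist) from plain dicts.

    users:  {name: (uid, primary_gid)}
    groups: {name: (gid, [supplementary member names])}
    This is a constructed stand-in for the system account database.
    """
    def getpwnam(name):
        uid, gid = users[name]            # KeyError for unknown user, like pwd
        return pwd.struct_passwd((name, "x", uid, gid, "", "/", "/bin/sh"))

    def getgrnam(name):
        gid, members = groups[name]       # KeyError for unknown group, like grp
        return grp.struct_group((name, "x", gid, list(members)))

    def getgrouplist(name, primary_gid):
        # Primary gid first, then every group that lists the user as a member.
        return [primary_gid] + [
            gid for gid, members in groups.values() if name in members
        ]

    return getpwnam, getgrnam, getgrouplist


def user_in_group_naive(username, groupname, lookups=SYSTEM_LOOKUPS):
    """The tempting but wrong check: only supplementary members are in gr_mem."""
    _, getgrnam, _ = lookups
    try:
        return username in getgrnam(groupname).gr_mem
    except KeyError:
        return False


def user_in_group(username, groupname, lookups=SYSTEM_LOOKUPS):
    """Correct check: the group's gid is in the user's full group list."""
    getpwnam, getgrnam, getgrouplist = lookups
    try:
        pw = getpwnam(username)
        gr = getgrnam(groupname)
    except KeyError:
        return False                      # unknown user or group: deny
    return gr.gr_gid in getgrouplist(username, pw.pw_gid)


def maxadmin_allowed(username, enabled_users, enabled_groups, lookups=SYSTEM_LOOKUPS):
    """Combine today's per-user enablement with the proposed group enablement."""
    if username in enabled_users:
        return True
    return any(user_in_group(username, g, lookups) for g in enabled_groups)


if __name__ == "__main__":
    # Constructed database: alice has dba as her primary group, bob is a
    # supplementary member, carol is not in dba at all.
    lookups = make_lookups(
        {"alice": (1001, 2000), "bob": (1002, 1002), "carol": (1003, 1003)},
        {"dba": (2000, ["bob"]), "staff": (50, ["carol"])},
    )
    for name in ("alice", "bob", "carol"):
        print(name, "naive:", user_in_group_naive(name, "dba", lookups),
              "correct:", user_in_group(name, "dba", lookups))
```

Run against the real system by omitting the lookups argument; unknown users and groups are treated as "deny" rather than raising, which is the safe default for an access check.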



 Comments   
Comment by Johan Wikman [ 2018-02-13 ]

In the case of maxadmin this would be straightforward, but not so in the case of maxctrl (the REST-API based replacement for maxadmin).

Comment by Johan Wikman [ 2018-03-05 ]

dshjoshi, could you have a look at this.

Giving access to maxadmin to a specific Linux group would be doable. However, as maxadmin is being phased out that does not seem like time well spent.

However, making it possible to configure the REST-API of MaxScale to use Active Directory or LDAP for the authentication seems quite sensible and is something that probably would fit in the 2.3 timeframe.

Comment by Dipti Joshi (Inactive) [ 2018-03-05 ]

Agree with you johan.wikman, we should support LDAP and AD for REST-API. Let us add it as a 2.3 item.

Comment by Dipti Joshi (Inactive) [ 2018-05-25 ]

johan.wikman Let us get an estimate for this.

Comment by Manjot Singh (Inactive) [ 2018-08-02 ]

@Dipti Do you have an update on this?

Comment by Johan Wikman [ 2018-09-04 ]

LDAP support for REST-API authorization is not entirely trivial.

I think the basic use-case is that you, using maxctrl or the REST-API directly using curl, should be able to get your authorization provided from LDAP (or AD). The problem is that any back and forth communication between MaxScale and the client is not really possible since the protocol is HTTP.

What could be done is that MaxScale would simply take the provided username and password and use them for logging into an LDAP server to find out the rights of the user. The problem with that approach is that MaxScale would have access to the cleartext password of the user, which from a security perspective is not good. However, I suppose a security conscious organization could set up a dedicated LDAP server just for MaxScale, in which case the situation is security wise basically the same as it currently is.

The estimate is based upon this approach.
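The pass-through approach described in the comment above, as an added example (written for this page, not MaxScale's or maxctrl's code): the REST API receives HTTP Basic credentials, binds to LDAP as that user with the supplied password, and derives the account's role from group membership. Two checks a practitioner would want are included: the username is RFC 4514-escaped before it is placed in the bind DN, so a value like "bob,ou=admins" cannot add an RDN, and an empty password is rejected before the bind, since an empty password turns a simple bind into an unauthenticated bind that many directories accept (RFC 4513 section 5.1.2). The LDAP calls are injected callables so the code runs offline; the base DN, the group DNs, the "admin"/"basic" role names and the example accounts are assumptions.

```python
"""HTTP Basic credentials -> LDAP simple bind -> REST-API role (example)."""
import base64
import binascii

# Assumed directory layout and role mapping; adjust to your tree.
BASE_DN = "ou=people,dc=example,dc=com"
ROLE_BY_GROUP = {
    "cn=maxscale-admins,ou=groups,dc=example,dc=com": "admin",
    "cn=maxscale-readonly,ou=groups,dc=example,dc=com": "basic",
}

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_ESCAPES = {",": r"\,", "+": r"\+", '"': r'\"', "\\": r"\\", "<": r"\<",
               ">": r"\>", ";": r"\;", "=": r"\=", "\x00": r"\00"}


def escape_dn_value(value):
    """Escape a user-supplied value so it stays a single RDN value."""
    out = "".join(_DN_ESCAPES.get(c, c) for c in value)
    if out.startswith((" ", "#")):        # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):                 # and so must a trailing space
        out = out[:-1] + "\\ "
    return out


def basic_header(username, password):
    """Build the 'Authorization: Basic ...' value a client (curl, maxctrl) sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode()
    return f"Basic {token}"


def parse_basic_auth(header):
    """Return (username, password) or None. Split on the first ':' only,
    since RFC 7617 allows ':' inside the password."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def authenticate(header, ldap_bind, ldap_groups_of, base_dn=BASE_DN):
    """Return the REST-API role ('admin' or 'basic') for the request, or None.

    ldap_bind(dn, password) -> bool     simple bind *as the user* (pass-through)
    ldap_groups_of(dn)      -> [dn...]  groups the user belongs to
    With a real client these would be a bind on a TLS connection and a
    memberOf lookup; never log `password`, MaxScale holds it in cleartext.
    """
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    username, password = creds
    if not username or not password:      # empty password == unauthenticated bind
        return None
    dn = f"uid={escape_dn_value(username)},{base_dn}"
    if not ldap_bind(dn, password):
        return None
    roles = {ROLE_BY_GROUP[g] for g in ldap_groups_of(dn) if g in ROLE_BY_GROUP}
    if not roles:
        return None                       # authenticated but not entitled
    return "admin" if "admin" in roles else "basic"


def fake_directory(accounts, memberships):
    """Constructed stand-in for an LDAP server: accounts maps DN -> password,
    memberships maps DN -> list of group DNs."""
    def bind(dn, password):
        return accounts.get(dn) == password

    def groups_of(dn):
        return memberships.get(dn, [])

    return bind, groups_of


if __name__ == "__main__":
    alice = f"uid=alice,{BASE_DN}"
    bob = f"uid=bob,{BASE_DN}"
    bind, groups_of = fake_directory(
        {alice: "s3cret", bob: "hunter2"},
        {alice: ["cn=maxscale-admins,ou=groups,dc=example,dc=com"],
         bob: ["cn=maxscale-readonly,ou=groups,dc=example,dc=com"]},
    )
    for user, pw in (("alice", "s3cret"), ("bob", "hunter2"),
                     ("bob", "wrong"), ("alice", ""), ("alice,ou=admins", "s3cret")):
        print(repr(user), "->", authenticate(basic_header(user, pw), bind, groups_of))
```

Whether the user gets "admin" or "basic" is decided from directory group membership after a successful bind, so revoking access is an LDAP group change, not a MaxScale configuration change; the dedicated-directory caveat from the comment still applies, because the bind has to use the user's real password.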

Comment by Johan Wikman [ 2018-09-11 ]

Seems like this is not that complex after all, so cut down on the estimate.

Comment by markus makela [ 2018-12-27 ]

Some prototype code for this exists on the MXS-1662 branch.
