[MXS-2267] Document which accounts PAM authenticators will actually use Created: 2019-01-16  Updated: 2020-08-25  Resolved: 2019-01-28

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator, Documentation
Affects Version/s: 2.2.19, 2.3.2
Fix Version/s: 2.2.20, 2.3.4

Type: Task Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Esa Korhonen
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MXS-2269 Document user and group mapping suppo... Closed
relates to MXS-334 Enable Pam.d Support Closed
relates to MXS-1716 "show dbusers ...service..." returns ... Closed
relates to MXS-2294 Document how to configure user and gr... Closed
Sprint: MXS-SPRINT-74

 Description   

Based on the query in the commit for MXS-1716, PAM authenticators will only actually use PAM accounts that meet certain conditions.

https://github.com/mariadb-corporation/MaxScale/commit/aa260cf6cf5a91682fa6176f70d3c55263cec57e

PAM authenticators will use an account if:

  • It uses the PAM plugin for authentication (plugin=pam in mysql.user).

And if:

  • It has global SELECT privileges;
  • Or it has some database-level privilege;
  • Or it some table-level privilege.

This should probably be documented:

https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/
Generated at Thu Feb 08 04:12:53 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.