[MXS-2294] Document how to configure user and group mapping for PAM authenticators Created: 2019-01-26  Updated: 2019-03-13  Resolved: 2019-02-25

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator, Documentation
Affects Version/s: 2.3.3
Fix Version/s: 2.3.5

Type: Task Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Esa Korhonen
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MXS-2267 Document which accounts PAM authentic... Closed
relates to MXS-2308 Change default for connector_plugindir Closed
relates to MXS-334 Enable Pam.d Support Closed
relates to MXS-1758 Support PAM group mapping, like Maria... Closed
relates to MXS-2269 Document user and group mapping suppo... Closed
relates to MXS-2292 Allow PAM user and group mapping to w... Closed
relates to MXS-2293 Monitor fails PAM authentication with... Closed
Sprint: MXS-SPRINT-75, MXS-SPRINT-76

Description

MaxScale's PAM authenticators support user and group mapping, but the documentation doesn't show how to configure it:

https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/

The process should probably be documented, similar to the MariaDB Server documentation that describes how to configure it from start to finish:

https://mariadb.com/kb/en/library/configuring-pam-authentication-and-user-mapping-with-unix-authentication/

Here's how I was able to configure it:

I started with a 2-node Galera Cluster and a MaxScale 2.3.3 instance with the following configuration:

[maxscale]
threads=4
syslog=1
maxlog=1
#log_to_shm=1
log_warning=1
log_notice=1
log_info=1
admin_host=127.0.0.1
admin_port=8989
admin_auth=1
admin_enabled=1
connector_plugindir=/usr/lib64/mysql/plugin/
 
[C1N1]
type=server
address=172.30.0.249
port=3306
protocol=MariaDBBackend
authenticator=PAMBackendAuth
 
[C1N2]
type=server
address=172.30.0.32
port=3306
protocol=MariaDBBackend
authenticator=PAMBackendAuth
 
[Galera-Monitor]
type=monitor
module=galeramon
servers=C1N1,
        C1N2
user=maxscale
password=password
monitor_interval=10000
 
[Read-Listener]
type=listener
service=Splitter-Service
port=3306
protocol=MariaDBClient
authenticator=PAMAuth
 
[Splitter-Service]
type=service
router=readwritesplit
servers=C1N1,
        C1N2
user=maxscale
password=password
max_slave_connections=100%

1.) First, on both backend nodes, I created the monitor user in PAM and set the user's password:

sudo adduser maxscale
sudo passwd maxscale

2.) Then, on both backend nodes and the maxscale node, I created the PAM user and group that I want to test:

sudo useradd alice
sudo passwd alice
sudo groupadd dba
sudo usermod -a -G dba alice

3.) Then, on both backend nodes and the maxscale node, I also had to create a PAM user with the same name as the MariaDB user that my group is going to be mapped to:

sudo useradd dba -g dba

Because of this:

https://mariadb.com/kb/en/library/user-and-group-mapping-with-pam/#pam-user-with-same-name-as-mapped-mariadb-user-must-exist

4.) Then, on both backend nodes and the maxscale node, I compiled and installed the pam_user_map PAM module:

sudo yum install gcc pam-devel
wget https://raw.githubusercontent.com/MariaDB/server/10.4/plugin/auth_pam/mapper/pam_user_map.c
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
sudo install --mode=0755 pam_user_map.so /lib64/security/

5.) Then, on both backend nodes and the maxscale node, I configured my user and group mapping in /etc/security/user_map.conf:

@dba:dba

6.) Then, on both backend nodes, I installed the PAM authentication plugin:

INSTALL SONAME 'auth_pam';

7.) Then, on both backend nodes and the maxscale node, I configured the PAM service in /etc/pam.d/mariadb:

auth required pam_unix.so audit
auth optional pam_user_map.so
account required pam_unix.so audit

8.) Then, on both backend nodes, I gave the mysql user access to /etc/shadow:

sudo groupadd shadow
sudo usermod -a -G shadow mysql
sudo chown root:shadow /etc/shadow
sudo chmod g+r /etc/shadow

9.) Then, on the maxscale instance, I gave the maxscale user access to /etc/shadow:

sudo groupadd shadow
sudo usermod -a -G shadow maxscale
sudo chown root:shadow /etc/shadow
sudo chmod g+r /etc/shadow

10.) Then, on both backend nodes, I created my monitor user:

CREATE USER 'maxscale'@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT ALL PRIVILEGES ON *.* TO 'maxscale'@'%';

11.) Then, on both backend nodes, I created my dba user:

CREATE USER 'dba'@'%' IDENTIFIED BY 'strongpassword';
GRANT ALL PRIVILEGES ON *.* TO 'dba'@'%';

12.) Then, on the backend nodes, I created my anonymous proxy user.

First, I had to do some cleanup:

DELETE FROM mysql.db WHERE User='' AND Host='%';
FLUSH PRIVILEGES;

Because of this:

https://mariadb.com/kb/en/library/create-user/#fixing-a-legacy-default-anonymous-account

And then I created my anonymous proxy user:

CREATE USER ''@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT PROXY ON 'dba'@'%' TO ''@'%';

13.) Then, I restarted both backend nodes and maxscale.

14.) Then, I tested it out:

[ec2-user@ip-172-30-0-106 ~]$ mysql -u alice -h 172.30.0.106 -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.1.37-MariaDB MariaDB Server
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> SELECT USER(), CURRENT_USER();
+--------------------------------------------------+----------------+
| USER()                                           | CURRENT_USER() |
+--------------------------------------------------+----------------+
| alice@ip-172-30-0-106.us-west-2.compute.internal | dba@%          |
+--------------------------------------------------+----------------+
1 row in set (0.001 sec)
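The steps above hinge on two things being right on every node: the /etc/security/user_map.conf lines resolving the PAM login name to the intended MariaDB account, and each mapped target also existing as a local account (step 3). The script below is an added example, not part of the issue and not MaxScale or MariaDB code. It re-implements the mapping lookup offline so a configuration can be checked before restarting anything: `user: mapped` and `@group: mapped` lines, comments and blank lines ignored, first matching line wins. That first-match behaviour is an assumption about pam_user_map.so; the map file and passwd file it reads are constructed samples, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the issue): offline check of a pam_user_map
# style /etc/security/user_map.conf. Assumes the module's rule set is
# "user: mapped" / "@group: mapped", first matching line wins.

# Constructed sample map file; the issue's real file had only "@dba:dba".
MAPFILE="${MAPFILE:-$(mktemp)}"
cat > "$MAPFILE" <<'EOF'
# comments and blank lines are ignored
bob: readonly
@dba: dba
@ops: readonly
EOF

# Constructed sample passwd file standing in for /etc/passwd.
PASSWDFILE="${PASSWDFILE:-$(mktemp)}"
cat > "$PASSWDFILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
dba:x:1002:1002::/home/dba:/sbin/nologin
EOF

# normalize_map FILE: drop comments, whitespace and empty lines so every
# remaining line is exactly "key:mapped".
normalize_map() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# map_user USER "GROUP1 GROUP2 ..." [MAPFILE]
# Prints the MariaDB user the PAM user is mapped to, or USER itself when
# no line matches (which is what the server sees without a proxy grant).
map_user() {
    user=$1
    grp_list=$2
    file=${3:-$MAPFILE}
    result=$(normalize_map "$file" | while IFS=: read -r key mapped; do
        case $key in
            @*) # group rule: match any of the user's groups
                for g in $grp_list; do
                    if [ "$g" = "${key#@}" ]; then
                        echo "$mapped"
                        exit 0   # first match wins
                    fi
                done ;;
            *)  # user rule: exact login name
                if [ "$key" = "$user" ]; then
                    echo "$mapped"
                    exit 0
                fi ;;
        esac
    done) || true
    echo "${result:-$user}"
}

# missing_local_accounts [MAPFILE] [PASSWDFILE]
# Lists mapped targets that have no local account. Each target must exist
# as a PAM user on every node (step 3 above), otherwise the mapping fails.
missing_local_accounts() {
    file=${1:-$MAPFILE}
    passwd=${2:-$PASSWDFILE}
    normalize_map "$file" | while IFS=: read -r key mapped; do
        grep -q "^$mapped:" "$passwd" || echo "$mapped"
    done | sort -u
}

# Stand-alone run: show the resolution for the issue's test user and
# report any mapped target without a local account.
map_user alice "alice dba"
missing_local_accounts
```

Run it against a real node with `MAPFILE=/etc/security/user_map.conf PASSWDFILE=/etc/passwd sh check_map.sh` (the heredocs then overwrite nothing, since the variables are already set only if you also drop the `cat` blocks; for a live check, delete the two sample heredocs first). Note that the lookup only covers the map file; the /etc/shadow access granted in steps 8 and 9 should stay group-readable only, as the `chmod g+r` there intends, and not become world-readable.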

