[MXS-2497] Support all MariaDBClient-compatible authenticators on the same listener Created: 2019-05-16 Updated: 2020-08-25 Resolved: 2020-01-28 |
|
| Status: | Closed |
| Project: | MariaDB MaxScale |
| Component/s: | Authenticator |
| Affects Version/s: | 2.2.21, 2.3.6 |
| Fix Version/s: | 2.5.0 |
| Type: | New Feature | Priority: | Major |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Esa Korhonen |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Epic Link: | Router Improvements |
| Sprint: | MXS-SPRINT-96, MXS-SPRINT-97, MXS-SPRINT-98 |
| Description |
|
A lot of users are using the PAMAuth and MySQLAuth authenticators at the same time with the same services. With the current design, a listener and a server can only each have one authenticator. Therefore, this kind of configuration requires a lot of duplication:
It seems like it should be possible to change the design to support all MariaDBClient-compatible authenticators on the same listener at the same time. I think this will be even more important as users start to use even more authentication plugins on a more regular basis, such as ed25519 and gssapi. MariaDB Server supports all authentication plugins on the same port, so I think MaxScale should also be able to do it.

When a user tries to log in to MariaDB Server, it checks the plugin column of the mysql.user table to decide which plugin to use to authenticate the user: https://mariadb.com/kb/en/library/mysqluser-table/

MaxScale could do something similar. For example, it could have an "authentication dispatcher" class of some kind. This class could query the mysql.user table to determine which authentication plugin each user account uses, and write it to an SQLite table. e.g.:
When a user tries to log in to MaxScale, the "authentication dispatcher" can determine which authenticator to use for that user by checking the plugin mapping for that user account.

In MariaDB 10.4, a user account can be configured to use several different authentication plugins in a pre-configured order. This information is stored in the mysql.global_priv table. https://mariadb.com/kb/en/library/mysqlglobal_priv-table/

If we wanted to support multiple authentication plugins in MaxScale too, then we could probably extend the mapping table schema to include an additional order column. e.g.:
|
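A sketch of the "authentication dispatcher" lookup proposed in the description, as an added example (not MaxScale code and not the reporter's). The table and column names, the sample rows, the simplified host-specificity ordering and the default-plugin fallback for unknown accounts are assumptions of this example.

```python
import sqlite3

DEFAULT_PLUGIN = "mysql_native_password"  # assumed fallback for unknown accounts

# Hypothetical mapping table; auth_order is the extra column for 10.4-style
# accounts that list several plugins.
SCHEMA = """
CREATE TABLE user_auth_plugins (
    user       TEXT NOT NULL,
    host       TEXT NOT NULL,               -- may contain % and _ wildcards
    plugin     TEXT NOT NULL,
    auth_order INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (user, host, auth_order)
)"""

# Constructed sample rows standing in for what a dispatcher would load
# from mysql.user / mysql.global_priv.
SAMPLE_ROWS = [
    ("app",   "%",         "mysql_native_password", 0),
    ("alice", "10.0.0.%",  "pam",                   0),
    ("bob",   "%",         "ed25519",               0),
    ("bob",   "%",         "mysql_native_password", 1),
    ("bob",   "localhost", "unix_socket",           0),
]

def build_mapping(rows):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO user_auth_plugins VALUES (?, ?, ?, ?)", rows)
    return db

def plugins_for(db, user, client_host):
    """Return the plugins to try, in order, for user@client_host."""
    # Pick one account entry: an exact host beats a pattern, then the longer
    # pattern wins (a simplification of the server's specificity ordering).
    account = db.execute(
        "SELECT host FROM user_auth_plugins WHERE user = ? AND ? LIKE host "
        "ORDER BY (host = ?) DESC, length(host) DESC LIMIT 1",
        (user, client_host, client_host)).fetchone()
    if account is None:
        # Same answer shape as for a real account, so the choice of plugin
        # does not reveal whether the user exists.
        return [DEFAULT_PLUGIN]
    rows = db.execute(
        "SELECT plugin FROM user_auth_plugins WHERE user = ? AND host = ? "
        "ORDER BY auth_order", (user, account[0]))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_mapping(SAMPLE_ROWS)
    for who in [("bob", "localhost"), ("bob", "192.0.2.5"), ("mallory", "192.0.2.5")]:
        print(who, plugins_for(db, *who))
```
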
| Comments |
| Comment by Todd Stoffel (Inactive) [ 2019-05-21 ] |
|
I would like to quantify "a lot of users". If this is one case, maybe they can sponsor an NRE project. |