[MXS-2544] PAMAuth doesn't check role permissions
Created: 2019-06-05  Updated: 2020-08-25  Resolved: 2019-08-14

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator
Affects Version/s: 2.3.7
Fix Version/s: 2.4.1

Type: Bug
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Esa Korhonen
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Relates
relates to MXS-872 MaxScale doesn't understand roles Closed
relates to MXS-2642 PAMAuth does not eliminate duplicate ... Closed
Sprint: MXS-SPRINT-84, MXS-SPRINT-85, MXS-SPRINT-86

 Description   

MySQLAuth was fixed to check role permissions in MXS-872. It looks like PAMAuth needs a similar fix. See here:

https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.7/server/modules/authenticator/PAM/PAMAuth/pam_instance.cc#L205

Let's say that you define a PAM user like this:

CREATE ROLE 'admin_role';
GRANT ALL PRIVILEGES ON *.* TO 'admin_role';
CREATE USER 'pamuser'@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT 'admin_role' TO 'pamuser'@'%';
SET DEFAULT ROLE 'admin_role' FOR 'pamuser'@'%';

Currently, MaxScale will not recognize the PAM user, because it assumes that it has no privileges. The MaxScale log will contain entries like this:

2019-06-04 10:07:03   notice : Service 'db-service-pam' started (3/12)
2019-06-04 10:11:02   notice : Loaded 0 users for service db-service-pam
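
The check this report asks for, modelled in Python as an added illustration (not MaxScale's code and not part of the original report): a loader that counts only an account's own grants accepts no PAM users for the setup above, while one that follows the default role accepts them. The row layout, the use of a global SELECT flag as the privilege test, and the names outer_role, auditor and idle are assumptions made for the example.

```python
# Constructed rows shaped like mysql.user and mysql.roles_mapping (not server output).
# "select_priv" stands in for "has a usable grant"; that proxy is an assumption.
USERS = [
    {"user": "admin_role", "host": "", "plugin": "", "is_role": True, "select_priv": True, "default_role": ""},
    {"user": "outer_role", "host": "", "plugin": "", "is_role": True, "select_priv": False, "default_role": ""},
    {"user": "pamuser", "host": "%", "plugin": "pam", "is_role": False, "select_priv": False, "default_role": "admin_role"},
    {"user": "auditor", "host": "%", "plugin": "pam", "is_role": False, "select_priv": False, "default_role": "outer_role"},
    {"user": "idle", "host": "%", "plugin": "pam", "is_role": False, "select_priv": False, "default_role": ""},
]
# (grantee user, grantee host, role); roles granted to roles use an empty host.
ROLES_MAPPING = [
    ("pamuser", "%", "admin_role"),
    ("auditor", "%", "outer_role"),
    ("outer_role", "", "admin_role"),
    ("idle", "%", "admin_role"),  # granted but never set as the default role
]


def load_direct_only(users):
    """Behaviour described in the report: only the account's own grants count."""
    return sorted((u["user"], u["host"]) for u in users
                  if u["plugin"] == "pam" and not u["is_role"] and u["select_priv"])


def active_roles(account, mapping):
    """Default role plus every role reachable from it, guarding against cycles."""
    start = account["default_role"]
    if not start or (account["user"], account["host"], start) not in mapping:
        return set()
    seen, stack = set(), [start]
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(r for (grantee, host, r) in mapping if grantee == role and host == "")
    return seen


def load_role_aware(users, mapping):
    """Also accept accounts whose active roles carry the privilege."""
    privileged_roles = {u["user"] for u in users if u["is_role"] and u["select_priv"]}
    loaded = []
    for u in users:
        if u["plugin"] != "pam" or u["is_role"]:
            continue
        if u["select_priv"] or active_roles(u, mapping) & privileged_roles:
            loaded.append((u["user"], u["host"]))
    return sorted(loaded)
```

The empty result of `load_direct_only(USERS)` corresponds to the "Loaded 0 users" log line; `idle` stays excluded in both loaders because a granted role that is not the default role is not active at login.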



 Comments   
Comment by Esa Korhonen [ 2019-06-10 ]

This is indeed a limitation in the PAM authenticator. I will take a look, hopefully it's straightforward to fix.

Comment by Esa Korhonen [ 2019-06-13 ]

Assuming that this can go to 2.4.
