[MXS-4191] Restrict the REST API user's authentication to specific IPs only, like MariaDB Created: 2022-07-06  Updated: 2024-01-11  Resolved: 2024-01-11

Status: Closed
Project: MariaDB MaxScale
Component/s: REST-API
Affects Version/s: None
Fix Version/s: 24.02.0

Type: New Feature Priority: Major
Reporter: Naresh Chandra Assignee: Esa Korhonen
Resolution: Fixed Votes: 0
Labels: None

Sprint: MXS-SPRINT-196, MXS-SPRINT-197, MXS-SPRINT-198, MXS-SPRINT-199

Description

For security reasons, we want to restrict remote access for --type=admin users to specific IPs only, and we want to restrict only the admin users, as we don't want any admin commands to be run by mistake.

Can you please implement restricting MaxScale users to localhost or specific hosts only, like MariaDB? The restriction should work for the GUI too: if we restrict the admin user to localhost, then it should not be able to log in through the GUI either.

And also, can we change the parameter to allow multiple comma-separated values?
admin_host = localhost,192,169.101.10, testmax102

EX1: the admin user should have access only from localhost, like MariaDB root@localhost.

EX2: if user test_admin_user has --type=admin, then it should be restricted to specific IPs, like test_admin_user@'192.168.101.1', test_admin_user@'192.168.101.2' and test_admin_user@'192.168.101.3'; then the user should only work from these IPs, like in MariaDB, where we restrict to specific server IPs only.

EX3: if user test_read_only has --type=basic, as it is a read-only user, then the user can work from anywhere, like MariaDB test_read_only@'%' access.

NOTE: We don't need to change anything for AD users (PAM users). Please keep it as it is for AD; there won't be any changes required for AD users. Anyhow, we will restrict those using the "admin_pam_readonly_service" option in the maxscale.conf file, so it will act as read-only for all the PAM users.

Comments
Comment by Esa Korhonen [ 2023-12-11 ]

Just to clarify, is the goal to have MaxScale settings such as:

rest_api_admin_host = localhost,192.169.101.10, testmax102
rest_api_basic_host = ....

Or should each rest-api user have their own host setting similar to how MariaDB Server users have a host pattern?

Comment by Naresh Chandra [ 2023-12-11 ]

Esa Korhonen, no need for a user and host/IP combination.

The combination below is fine.
rest_api_admin_host = localhost,192,169.101.10, testmax102
rest_api_basic_host = %,192,169.%, 192,169.101.%

But this should work for both GUI and CLI? Then we are fine with the above.

Comment by Esa Korhonen [ 2023-12-11 ]

Are the wildcards required only for IPs or also for hostnames?

Comment by Naresh Chandra [ 2023-12-11 ]

Esa Korhonen, if possible, keep it for both hostname and IP, but IP should be fine.
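The settings discussed in this thread amount to a per-role host allow-list with MariaDB-style wildcards. The C++ below is an added example written for this page, not MaxScale code, showing how such a list could be parsed and checked before a REST API login is accepted. It assumes: entries are comma-separated with surrounding whitespace ignored; `%` matches any run of characters and `_` exactly one (MariaDB LIKE rules, so `_` also matches a dot inside an IP); matching is case-insensitive; a literal `localhost` entry also admits the loopback addresses 127.0.0.1 and ::1; and an empty list denies everyone (fail closed). The names `parse_host_list`, `host_pattern_match` and `host_allowed` are this example's own. The sample values in `main` are taken from the comments above, with the stray comma inside the IP corrected.

```cpp
// Added example (not MaxScale code): MariaDB-style host allow-list check.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

static char lower(char c)
{
    return static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
}

// Strip surrounding spaces/tabs from one list entry.
static std::string trim(const std::string& s)
{
    const auto b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    const auto e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Split "a, b ,c" into {"a", "b", "c"}; empty entries are dropped.
std::vector<std::string> parse_host_list(const std::string& value)
{
    std::vector<std::string> out;
    std::string entry;
    for (char c : value)
    {
        if (c != ',') { entry += c; continue; }
        entry = trim(entry);
        if (!entry.empty()) out.push_back(entry);
        entry.clear();
    }
    entry = trim(entry);
    if (!entry.empty()) out.push_back(entry);
    return out;
}

// Pattern match with MariaDB LIKE semantics, case-insensitive:
// '%' = any run of characters (possibly none), '_' = exactly one character,
// everything else literal. Iterative with one backtrack point (the last '%').
bool host_pattern_match(const std::string& pattern, const std::string& host)
{
    size_t p = 0, h = 0;
    size_t star_p = std::string::npos, star_h = 0;
    while (h < host.size())
    {
        if (p < pattern.size() && pattern[p] != '%'
            && (pattern[p] == '_' || lower(pattern[p]) == lower(host[h])))
        {
            ++p; ++h;                  // literal or single-char wildcard matched
        }
        else if (p < pattern.size() && pattern[p] == '%')
        {
            star_p = p++;              // remember the '%' and where it started
            star_h = h;
        }
        else if (star_p != std::string::npos)
        {
            p = star_p + 1;            // let the last '%' absorb one more char
            h = ++star_h;
        }
        else
        {
            return false;
        }
    }
    while (p < pattern.size() && pattern[p] == '%') ++p;   // trailing '%' match empty
    return p == pattern.size();
}

// Decide whether a client host/IP may authenticate against the configured list.
bool host_allowed(const std::string& list_value, const std::string& host)
{
    for (const std::string& entry : parse_host_list(list_value))
    {
        if (host_pattern_match(entry, host)) return true;
        // Assumption: a literal "localhost" entry also admits loopback addresses.
        if (entry == "localhost" && (host == "127.0.0.1" || host == "::1")) return true;
    }
    return false;   // no match, or empty list: deny (fail closed)
}

int main()
{
    // Constructed sample values based on the settings proposed in the comments.
    const std::string admin_hosts = "localhost,192.169.101.10, testmax102";
    const std::string basic_hosts = "%,192.169.%, 192.169.101.%";
    for (const char* client : {"127.0.0.1", "192.169.101.10", "192.169.101.11", "10.0.0.5"})
    {
        std::cout << client << " admin=" << host_allowed(admin_hosts, client)
                  << " basic=" << host_allowed(basic_hosts, client) << '\n';
    }
    return 0;
}
```

The check is applied to the peer address of the HTTP connection, so it is only as trustworthy as that address: behind a reverse proxy the peer is the proxy, and a `%`-only basic list grants read-only access from anywhere, which is exactly the EX3 behaviour requested above.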

Generated at Thu Feb 08 04:26:52 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.