[MXS-536] Security user@max-host vs user@% Created: 2016-01-07  Updated: 2016-12-02  Resolved: 2016-12-02

Status: Closed
Project: MariaDB MaxScale
Component/s: Core
Affects Version/s: None
Fix Version/s: 2.1.0

Type: New Feature Priority: Critical
Reporter: Chris Assignee: markus makela
Resolution: Fixed Votes: 0
Labels: authentication


Description

I have a situation where I want ALL adhoc users to connect through maxscale for auditing purposes.

I would like to be able to give a user "GRANT PRIVS ON DB_NAME to USER@MAXSCALE_HOST;" to be able to connect from anywhere (faux user@%) but only through MAXSCALE_HOST. If I give user@% privs and connect through the maxscale host from anywhere, the user shows up as USER@MAXSCALE_HOST, not from where USER is connected from. Is there any way that this can be changed?



Comments
Comment by markus makela [ 2016-01-07 ]

This would work nicely with the QLA filter and dbfwfilter, making MaxScale a sort of gatekeeper to the backend database.

Comment by Dipti Joshi (Inactive) [ 2016-01-07 ]

markus makela: Can you give example filter strings that will address what Chris is asking for?

Comment by markus makela [ 2016-01-07 ]

This is an improvement to the user authentication where the users 'user'@'A' and 'user'@'B' can both connect to MaxScale when the database has a grant for 'user'@'maxscale-ip'.
This will in effect be a 'user'@'%' grant from MaxScale's point of view, but from the database's point of view only connections from MaxScale are allowed.

Comment by markus makela [ 2016-05-18 ]

This can be done by "disabling" the authentication in MaxScale and offloading the authentication to the backend database. Using an authentication module which always accepts all clients would allow the backend server to make the final decision about whether to allow the user or not. Once the authentication modules are implemented, this should be easy to achieve.

A more complex version of this would only check the username of the client and only allow valid users through.

Comment by markus makela [ 2016-12-02 ]

Added the skip_authentication option which implements this feature.
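The following MaxScale configuration is an added example that is not part of this issue or of the MaxScale project's own documentation; it shows how the mechanism described in the earlier comment (MaxScale accepts every client and the backend makes the final decision) fits together with the QLA filter for auditing. Section names, the server address 10.0.0.10, the listener port, the user names and the log path are all placeholders chosen for this example. The option is shown as a MySQLAuth authenticator option on the listener, which is how it is assumed to be set in the 2.1 line this issue targets; if the installed version documents skip_authentication as a service parameter instead, set it on the service section.

```ini
# Backend server (placeholder address for this example)
[db1]
type=server
address=10.0.0.10
port=3306
protocol=MariaDBBackend

# A monitor is needed so the router sees the server as running
[DB-Monitor]
type=monitor
module=mysqlmon
servers=db1
user=maxscale_monitor
password=monitor_pw_placeholder

# Every query is written to the QLA log, which records the real
# client address as seen by MaxScale (the backend only sees MaxScale)
[Audit-Log]
type=filter
module=qlafilter
filebase=/var/log/maxscale/qla/audit

[Audited-Service]
type=service
router=readconnroute
servers=db1
user=maxscale_service
password=service_pw_placeholder
filters=Audit-Log

# skip_authentication: MaxScale does not check the client password itself;
# the backend authenticates the forwarded credentials and enforces its
# grants, which should exist only for 'user'@'<maxscale-ip>'.
[Audited-Listener]
type=listener
service=Audited-Service
protocol=MariaDBClient
port=4006
authenticator=MySQLAuth
authenticator_options=skip_authentication=true
```

Two points a practitioner should keep in mind with this setup. First, once authentication is offloaded, the backend grants are the only gate, so they should be created for the MaxScale host only (as in the description's GRANT ... TO USER@MAXSCALE_HOST) and never for 'user'@'%'; otherwise a client that can reach port 3306 directly would bypass both MaxScale and the audit log. Second, network-level controls (firewall rules or bind-address on the backend) are what actually force ad hoc users through MaxScale; the configuration above only makes MaxScale willing to relay them.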

Generated at Thu Feb 08 04:00:00 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.