[MXS-835] Please reinstate remote access to maxscaled protocol Created: 2016-08-24 Updated: 2016-09-06 Resolved: 2016-09-06

| Status: | Closed |
| Project: | MariaDB MaxScale |
| Component/s: | maxadmin |
| Affects Version/s: | 2.0.0 |
| Fix Version/s: | 2.0.1 |
| Type: | Bug |
| Priority: | Major |
| Reporter: | Guillaume Lefranc |
| Assignee: | Johan Wikman |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Sprint: | 2016-17 |
Description

Starting with 2.0.0, remote access to maxscaled protocol (maxadmin listener) has been removed in favor of domain sockets only. This change impacts external applications such as replication-manager, that could potentially talk remotely with MaxScale. I suggest reinstating the remote protocol, but make it admin-only. The default settings for maxscale should always go to domain sockets, and the default user (admin/mariadb) shouldn't have privileges to connect remotely. In order to connect, the operator would have to create a different user with specific remote privileges.
Comments

Comment by Johan Wikman [ 2016-08-25 ]

Just as a clarification. With domain sockets there are no passwords. Since domain sockets are used we can reliably find out the user of maxadmin. By default root can use maxadmin and then he can specify that other Linux users also are allowed to use maxadmin. They can then subsequently add other users. With a regular socket we obviously cannot identify who is at the other end, so in that case a completely different set of accounts (and passwords) are needed. It may be confusing if your identity when maxadmin is used locally is different from your identity when maxadmin is used remotely. Would telnet accessibility be sufficient? Currently there is interference between maxadmin and telnet - they use the same account file but expect different content - but that would be straightforward to sort out.
Comment by Johan Wikman [ 2016-09-06 ]

MaxScale now supports both access using Unix domain sockets and Internet sockets. The former is secure and the latter is not. The user databases are completely separate. In the former case you enable Linux accounts, in the latter case you create users (just as before). Either, none or both can be used. When using both, you need to create two listeners; one that listens on a Unix domain socket and one that listens on an address and port.
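A MaxScale configuration fragment for the two-listener setup described in the comment above, added here as an illustration and not taken from the issue or from the MaxScale project; the section names and the management address are constructed, and the keys (router=cli, protocol=maxscaled, socket=default, address, port) and port 6603 are assumed from the MaxScale 2.0 listener configuration format.

```ini
# Added example (not from this issue): one maxadmin service with two
# listeners, as the 2016-09-06 comment describes. Section names are
# constructed; key names are assumed from the MaxScale 2.0 format.

[MaxAdmin-Service]
type=service
router=cli

# Local administration over a Unix domain socket: the connecting Linux
# account is identified by the socket, so no password database is involved
# and this is the listener that should exist by default.
[MaxAdmin-Unix-Listener]
type=listener
service=MaxAdmin-Service
protocol=maxscaled
socket=default

# Remote administration over an Internet socket for tools such as
# replication-manager. This path uses the separate user/password database
# and is the one the comment calls "not secure": bind it to a dedicated
# management address (192.0.2.10 is a placeholder) instead of 0.0.0.0,
# and keep it reachable only from the hosts that need it.
[MaxAdmin-Network-Listener]
type=listener
service=MaxAdmin-Service
protocol=maxscaled
address=192.0.2.10
port=6603
```

Omitting the second section gives the domain-socket-only behaviour of 2.0.0; the network listener's user database is populated separately from the Linux accounts enabled for the Unix socket, as the comment notes.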