← Back to team overview

maria-developers team mailing list archive

[GSoC] Kerberize MariaDB -- some unclear point about the project


Hi Wlad and the community,

I've developed a Kerberos plugin prototype with both raw API and GSSAPI supported on my own Linux box.
The codes are pushed to my private repo already.
It is just a prototype, which can handle only the normal case, without any tests in deployed environment.
And I know there is a long way to go before accepted
I now have a clear knowledge about the control flow of authentication plugin and Kerberos protocol.

The working use case is like this:
1. login my computer as, for example, qiush;
2. create a user in MariaDB named qiush;
3. get the initial credential from Kerberos Key Distribution Center (KDC), i.e. tgt;
4. connect mysqld as qiush and now I can login DBMS passwordlessly before tgt expires.

Correctly me if I miss something in this case.
The exception case is how to get/renew tgt when the original expired.

I have created a private repo based on 5.5 release version, which is available at https://launchpad.net/~qiush-summer.
For those that concern about our project, you can track my progress.
(The reason why I choose 5.5 release version instead of the latest development branch 10.x is that I cannot clone the repo
from launchpad and I don't know why.
I'll figure it out later if necessary).

Some problems (three, exactly) when implementing the toy plugin.

The first one is about the private repo and bazaar (I'm a git guy and have little experience working with bazaar).
In order to make some demonstrated progress, I push my local update to the private repo each time I create a new commit.
It seems the commit number is global (see the screen shot of my private repo history below).

Recent revisions
3796. By Shuang Qiu 20 hours ago
prototype with GSSAPI enabled
3795. By Shuang Qiu on 2013-06-15
Kerberos plugin prototype with raw krb5 API
3794. By Shuang Qiu on 2013-06-13
3793. By Michael Widenius on 2013-06-11
Fixed tests that failed on 32 bit because of my earlier fixes of 32 bit limits.
3792. By Sergei on 2013-06-07
MDEV-4468 Assertion `error != 0' fails or timeout occurs on select from a FEDERATED table which points at a non-existent table

I'm afraid that my commits may pollute the code base.
So the question is that will others (e.g. Sergei since commit 3792) see my changes next time he gets local branch updated.
Is it the best practice to use bazaar like this (push after each commit)?
If not, could you please give me some suggestion to use bazaar and launchpad correctly in our community?

The other two are about the exception case.

When get the initial credential from KDC, clients/services are asked for a password or asked to provide a keytab file to derive a long-term key that can be used encrypting messages between clients and KDC.
On the server/service side, I think the keytab approach is better.
Otherwise, each time we restart the service, a password will be asked.
It may be annoying, I think :p.

Then how to figure out the name of keytab file? I can come up with three approaches:
1. hard coded the filename and document the keytab file name clearly in the manual for users to follow (not the best choice, I think);
2. use the default Kerberos setting, which is /etc/krb5.keytab when properly configured;
3. make the filename an option in configuration file, e.g. ~/.my.cnf, with a default value /etc/krb5.keytab, since it is the default Kerberos setting.

I prefer the third solution.
As to the client side, I think both are OK.
The problem of keytab choice is the same.
Then I try to get some hints from similar password requesting authentication plugin.
I read code in plugin/auth_dialog and plugin/auth_examples where server plugin and client plugin are implemented separately.
In the client plugin, a external function of type mysql_authenticaton_dialog_ask_t
static mysql_authentication_dialog_ask_t ask;
can be provided as an alternative to command line input.
Should I also implement them in two parts? And also provide the mysql_authentication_dialog_ask_t hook?

The last problem.
Kerberos requires user to provide a service name to resolve before requesting service ticket.
How to name our service?
Hard coded it as MYSQL or set in configuration file (I prefer the latter one)?

Let me know your thoughts :).

Thank you very much and best regards!
Sincerely, Shuang

Follow ups