maria-developers team mailing list archive

Re: [GSoC] Kerberize MariaDB -- some unclear point about the project

 

Hi wlad,

Thank you for your concern.

> Create user
> 'foo@bar'@localhost creates user foo@bar, on localhost. 

> create user that is identified with name and domain and can connect
> from any computer
I admit that I misunderstood the usage of User@Host in MariaDB.

I thought the User and Host fields in MariaDB are in the same place as those in a Kerberos principal.
i.e. if my MariaDB login name is qiush@xxxxxxxxxxx, then my Kerberos principal will be
qiush@xxxxxxxxxxx/CHINA, where MariaDB login name is part of Kerberos principal.
(In that case, the realm part is omitted in MariaDB, and we should find another way to figure it out.
That's what I argued in my previous email.)

From your reply, it seems qiush@xxxxxxxxxxx/CHINA@xxxxxxxxxxx, the bold part is MariaDB User and italic part Host,
can be a valid login name in our project.

I suddenly realise the Host in the MariaDB login name will constrain the user's login place.
It's much clearer now.

> Re realm, I do not know this much but 'shuang@xxxxxxxxxxxxxxxx/REALM' also
> does not look too weird to me.
To me, either :).

> Or perhaps I miss something still? Can you elaborate?
No, you're right. I confused these two names.

Thank you for your hints!
Sincerely, Shuang


On Jun 20, 2013, at 2:22 AM, Vladislav Vaintroub <wlad@xxxxxxxxxxxxxxxx> wrote:

> 
> 
> From: QIU Shuang [mailto:qiush.summer@xxxxxxxxx] 
> Sent: Wednesday, 19 June 2013 19:52
> To: Vladislav Vaintroub
> Subject: Re: [Maria-developers] [GSoC] Kerberize MariaDB -- some unclear
> point about the project
> 
> 
> Hi Shuang,
> 
>>> Trying to make a nicer name, for example by removing domain part could
>>> introduce some ambiguity here and different Kerberos users to login as the
>>> same.
>> I think so.
>> But per my knowledge, the fully qualified name in MariaDB is
>> username@hostname.
>> What about the realm/domain part?
>> I think this may be a gap between MariaDB and Kerberos.
> 
> Maybe I overlook something, but I do not really see any contradiction here.
> Do you mean that @ is a special character that should not be used in usernames? It
> actually can, it just must be properly escaped. Create user
> 'foo@bar'@localhost creates user foo@bar, on localhost.
> Hypothetical CREATE USER 'shuang@xxxxxxxxxxxxxxxx' @'%' IDENTIFIED WITH
> 'Kerberos' 
> 
> will create user that is identified with name and domain and can connect
> from any computer (due to use of wildcard for computername part, this
> wildcard can be omitted). 
> Re realm, I do not know this much but 'shuang@xxxxxxxxxxxxxxxx/REALM' also
> does not look too weird to me.
> 
> Or perhaps I miss something still? Can you elaborate?
> 
> Wlad
> 

