
maria-developers team mailing list archive

Re: [GSoC] Kerberize MariaDB -- some unclear point about the project

 

Hi Wlad,

After thinking it over again: the maximum login name length in MariaDB is only 16 characters by default, the same as in MySQL.
I found this in JIRA: https://mariadb.atlassian.net/browse/MDEV-4332
Will long usernames be well supported in subsequent releases?

A valid GNU/Linux username is a 32 character string (see useradd(8) man page).
And a valid Kerberos principal name length is between 1 and 256 inclusive (see http://pic.dhe.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/addkrbtkt.htm; I didn't find an official document).
If we put in a whole valid Kerberos principal name, I think it may cause problems someday because of the mismatched name length.

Do you think the username length is a big constraint?
Let me know your thoughts.

Thanks!
Sincerely, Shuang


On Jun 21, 2013, at 9:58 AM, QIU Shuang <qiush.summer@xxxxxxxxx> wrote:

> Hi Wlad,
> 
> Thank you for your concern.
> 
>> Create user
>> 'foo@bar'@localhost creates user foo@bar, on localhost. 
> 
>> create user that is identified with name and domain and can connect
>> from any computer
> I admit that I misunderstood the usage of User@Host in MariaDB.
> 
> I thought the User and Host fields in MariaDB are in the same place as those in a Kerberos principal.
> i.e. if my MariaDB login name is qiush@xxxxxxxxxxx, then my Kerberos principal will be
> qiush@xxxxxxxxxxx/CHINA, where MariaDB login name is part of Kerberos principal.
> (In that case, the realm part is omitted in MariaDB, and we should find another way to figure it out.
> That's what I argued in my previous email.)
> 
> From your reply, it seems qiush@xxxxxxxxxxx/CHINA@xxxxxxxxxxx, the bold part is MariaDB User and italic part Host,
> can be a valid login name in our project.
> 
> I suddenly realise the Host in the MariaDB login name will constrain the user's login place.
> It's much clearer now.
> 
>> Re realm,  I do not know this much but 'shuang@xxxxxxxxxxxxxxxx/REALM' also
>> does not  look too weird to me.
> To me, either :).
> 
>> Or perhaps I miss something still? Can you elaborate?
> No, you're right. I confused these two names.
> 
> Thank you for your hints!
> Sincerely, Shuang
> 
> 
> On Jun 20, 2013, at 2:22 AM, Vladislav Vaintroub <wlad@xxxxxxxxxxxxxxxx> wrote:
> 
>> 
>> 
>> From: QIU Shuang [mailto:qiush.summer@xxxxxxxxx] 
>> Sent: Wednesday, 19 June 2013 19:52
>> To: Vladislav Vaintroub
>> Subject: Re: [Maria-developers] [GSoC] Kerberize MariaDB -- some unclear
>> point about the project
>> 
>> 
>> Hi Shuang,
>> 
>>>> Trying to make a nicer name, for example by removing domain part could
>>>> introduce some ambiguity here and different Kerberos users to login as the
>>>> same.
>>> I think so.
>>> But per my knowledge, the fully qualified name in MariaDB is
>>> username@hostname.
>>> What about the realm/domain part?
>>> I think this may be a gap between MariaDB and Kerberos.
>> 
>> Maybe I oversee something, but I do not really see any contradiction here.
>> Do you mean that @ is a special character that should not be used in usernames? It
>> actually can, it just must be properly escaped. Create user
>> 'foo@bar'@localhost creates user foo@bar, on localhost. 
>> Hypothetical CREATE USER 'shuang@xxxxxxxxxxxxxxxx' @'%' IDENTIFIED WITH
>> 'Kerberos' 
>> 
>> will create user that is identified with name and domain and can connect
>> from any computer (due to use of wildcard for computername part, this
>> wildcard can be omitted). 
>> Re realm,  I do not know this much but 'shuang@xxxxxxxxxxxxxxxx/REALM' also
>> does not  look too weird to me.
>> 
>> Or perhaps I miss something still? Can you elaborate?
>> 
>> Wlad
>> 
> 
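
The two concerns raised in this thread (the 16-character login name limit, and the ambiguity that comes from dropping the realm/domain part) can be checked against a list of principals before a principal-to-user mapping is chosen. This is an added example, not code from the thread or from MariaDB: the function names, the sample principals and the EXAMPLE.ORG / EXAMPLE.NET realms are constructed, the 16 and 256 limits are the figures quoted in the thread, and principals are assumed to contain no escaped `@`.

```python
from collections import defaultdict

MARIADB_USER_MAX = 16    # default login name limit quoted in the thread
KRB_PRINCIPAL_MAX = 256  # principal length upper bound quoted in the thread

def strip_realm(principal):
    """Drop the trailing @REALM (assumes no escaped '@' in the principal)."""
    head, sep, _realm = principal.rpartition("@")
    return head if sep else principal

def audit(principals, limit=MARIADB_USER_MAX):
    """For each candidate mapping, return (too_long, collisions).

    too_long   : principals whose mapped login name exceeds the column limit
    collisions : mapped login name -> distinct principals that share it
    """
    mappings = {
        "full": lambda p: p,                # store the whole principal
        "strip_realm": strip_realm,         # the "nicer name" idea
        "truncate": lambda p: p[:limit],    # silently cut to fit
    }
    report = {}
    for name, to_user in mappings.items():
        owners, too_long = defaultdict(list), []
        for p in principals:
            if not 1 <= len(p) <= KRB_PRINCIPAL_MAX:
                raise ValueError(f"principal length out of range: {p!r}")
            user = to_user(p)
            if len(user) > limit:
                too_long.append(p)
            owners[user].append(p)
        collisions = {u: ps for u, ps in owners.items() if len(ps) > 1}
        report[name] = (too_long, collisions)
    return report

# Constructed sample principals, for illustration only.
SAMPLE = [
    "alice@EXAMPLE.ORG",
    "alice@EXAMPLE.NET",
    "bob@EXAMPLE.ORG",
    "svc-replication-a@EXAMPLE.ORG",
    "svc-replication-b@EXAMPLE.ORG",
]

if __name__ == "__main__":
    for mapping, (too_long, collisions) in audit(SAMPLE).items():
        print(f"{mapping}: {len(too_long)} too long, collisions={collisions}")
```

On the sample, storing the full principal is unambiguous but rarely fits in 16 characters, while stripping the realm or truncating makes the names fit at the cost of two different principals mapping to one login name.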

