maria-developers team mailing list archive

[QIU Shuang <qiush.summer@xxxxxxxxx>]

Hi Wlad,

After thinking it over again, the maximum login name length in MariaDB, which is only 16 characters by default the same as in MySQL.
I find this https://mariadb.atlassian.net/browse/MDEV-4332 in JIRA.
Will the long username be well supported in subsequent releases?

A valid GNU/Linux username is a 32 character string (see useradd(8) man page).
And a valid Kerberos principal name length is in between 1 and 256 inclusively. (see http://pic.dhe.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/addkrbtkt.htm, I didn't find an official document)
If we put a whole valid Kerberos principal name, I think it may cause problem someday for the unmatched name length.

Do you think the username length a big constraints?
Let me know your thought.

Thanks!
Sincerely, Shuang


On Jun 21, 2013, at 9:58 AM, QIU Shuang <qiush.summer@xxxxxxxxx> wrote:

> Hi wlad,
> 
> Thank you for your concern.
> 
>> Create user
>> 'foo@bar'@localhost creates user foo@bar, on localhost. 
> 
>> create user that is identified with name and domain and can connect
>> from any computer
> I admit that I mis-understood the usage of User@Host in MariaDB.
> 
> I thought the User and Host fields in MariaDB are in the same place as those in a Kerberos principal.
> i.e. if my MariaDB login name is qiush@xxxxxxxxxxx, then my Kerberos principal will be
> qiush@xxxxxxxxxxx/CHINA, where MariaDB login name is part of Kerberos principal.
> (if that case, the realm part is omitted in MariaDB, and we should find another way to figure it out.
> That's what I argued in my previous email.)
> 
> From your reply, it seems qiush@xxxxxxxxxxx/CHINA@xxxxxxxxxxx, the bold part is MariaDB User and italic part Host,
> can be a valid login name in our project.
> 
> Suddenly realise the Host in MariaDB login name will constraint the user login place.
> It's much clear now.
> 
>> Re realm,  I do not know this much but 'shuang@xxxxxxxxxxxxxxxx/REALM' also
>> does not  look too weird to me.
> To me, either :).
> 
>> Or perhaps I miss something still? Can you elaborate?
> No, you're right. I confused these two names.
> 
> Thank you for you hints!
> Sincerely, Shuang
> 
> 
> On Jun 20, 2013, at 2:22 AM, Vladislav Vaintroub <wlad@xxxxxxxxxxxxxxxx> wrote:
> 
>> 
>> 
>> From: QIU Shuang [mailto:qiush.summer@xxxxxxxxx] 
>> Sent: Mittwoch, 19. Juni 2013 19:52
>> To: Vladislav Vaintroub
>> Subject: Re: [Maria-developers] [GSoC] Kerberize MariaDB -- some unclear
>> point about the project
>> 
>> 
>> Hi Shuang,
>> 
>>>> Trying to make a nicer name, for example by removing domain part could
>> introduce some ambiguity here  and different Kerberos users to login as the
>> same.
>>> I think so.
>>> But per my knowledge, the fully qualified name in MariaDB is
>> username@hostname.
>>> What about the realm/domain part?
>>> I think this may be a gap between MariaDB and Kerberos.
>> 
>> Maybe I oversee something, but I do not really see any contradiction here.
>> Do you mean that @ is special character  should not be used in usernames? It
>> actually can, it just must be properly escaped. Create user
>> 'foo@bar'@localhost creates user foo@bar, on localhost. 
>> Hypothetical CREATE USER 'shuang@xxxxxxxxxxxxxxxx' @'%' IDENTIFIED WITH
>> 'Kerberos' 
>> 
>> will create user that is identified with name and domain and can connect
>> from any computer (due to use of wildcard for computername part, this
>> wildcard can be omitted). 
>> Re realm,  I do not know this much but 'shuang@xxxxxxxxxxxxxxxx/REALM' also
>> does not  look too weird to me.
>> 
>> Or perhaps I miss something still? Can you elaborate?
>> 
>> Wlad
>> 
>