maria-developers team mailing list archive

Thread
Date

Re: 14cc679c95e: MDEV-27831 Let the SQL SERVICE user set the current user name.

To: Alexey Botchkov <holyfoot@xxxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Mon, 4 Apr 2022 18:19:56 +0200
Cc: maria-developers@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CAEJroGWUU=eJd6QBb==Rr5E+qmfe7VYNZ4fZtxuS5U60PSDz_w@mail.gmail.com>

Hi, Alexey,

On Apr 04, Alexey Botchkov wrote:
> I still like my approach.
> 
> > A plugin name is already known inside the plugin,
> > the server should determine it automatically.
> 
> Firstly I don't see any good way for the service to know the name of
> the plugin that called the mysql_real_connect_local.

I don't see either. I can only think of something like

  #define plugin_name "spider"

(for example), or

  const char * const plugin_name = "spider";

and

  #define mysql_real_connect_local(M) sql_service->mysql_real_connect_local_func(M, plugin_name)

but it's not per plugin it's per *.so. If one .so would have many
plugins, they'll all will have the same "plugin_name" and I have no
solution for that.

So it's a rather lousy solution, and I hoped you could come up with
something better :)

> Technically this call doesn't even have to be hard linked to a plugin.
> Can be just done by a part of the server.

The server doesn't have to use *plugin services*, services are an API
for plugins to use.

> Then why limit the plugin like this? That doesn't add much to the
> security as the plugin can replace that string anyway.

Not for security. It's to avoid boilerplate, to not force plugins to
tell the server what the server already knows.

> Also one plugin can have more than one connection and
> I can imagine that different usernames for these connections make sence.

well, the point was to identify what plugin makes the call.
and almost always it will be a plugin name.

> > current_user is the name of the user account and it's used in
> > many places as such. Try, for example, to create a view or a stored
> > procedure. Who will be a definer?
> If not specified, the definer is going to be username@''.
> And as a result the view or the procedure will be not functional.
> But i think it's rather correct. The user of the SQL service has to specify
> the definer explicitly.

No, using pluginname@'' can hardly be correct. ''@'' is more reasonable.
And it's not only definer, it's what CURRENT_USER shows, it's what
privileges are used. Surely, not privileges of the pluginname@''
account, there is no such account. So CURRENT_USER should not be
pluginname@''.

> > Setting only user() might be ok.
> I can agree with that. Setting the ctx->user only.
> In this case the DEFINER of the view/procedure is going to be empty
> if not explicitly specified.
> Though don't see any advantage to what is now.

USER() is purely informational.
CURRENT_USER() is not, it has a clearly defined meaning, it's the name
of the account that the privilege system uses.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx

Follow ups

Re: 14cc679c95e: MDEV-27831 Let the SQL SERVICE user set the current user name.
From: Alexey Botchkov, 2022-04-22

References

Re: 14cc679c95e: MDEV-27831 Let the SQL SERVICE user set the current user name.
From: Sergei Golubchik, 2022-03-04
Re: 14cc679c95e: MDEV-27831 Let the SQL SERVICE user set the current user name.
From: Alexey Botchkov, 2022-04-04