maria-discuss team mailing list archive
Message #02528
Re: Proxy users in MariaDB?
On Thu, Apr 23, 2015 at 2:42 PM, Felipe Gasper <felipe@xxxxxxxxxxxxxxxx> wrote:
>
> This looks really cool--thank you for posting!
>
> One question: how readily might this be able to support using
> MariaDB’s own authentication for the user rather than /etc/shadow?
>
> Example:
>
> GRANT USAGE ON *.* TO 'temp_g5fj3s'@'' IDENTIFIED BY 'my_secret';
> GRANT PROXY ON 'frank'@'localhost' TO 'temp_g5fj3s'@'';
>
> e.g., I log in as “temp_g5fj3s” using “my_secret”, and MariaDB would
> then just make that user behave as 'frank'@'localhost'.
>
I believe that the proxy user functionality in MySQL/MariaDB requires
that the authentication plugin change the user name to that of the
proxied user:

https://dev.mysql.com/doc/refman/5.5/en/proxy-users.html

As far as I know, MariaDB's default authentication doesn't support
this kind of thing. The PAM authentication plugin does.

However, if you are using MariaDB 10.0, you could use roles:

https://mariadb.com/kb/en/mariadb/roles-overview/

What you are trying to do would look like this:

    CREATE USER 'temp_g5fj3s'@'%' IDENTIFIED BY 'my_secret';
    CREATE ROLE 'frank';
    GRANT 'frank' TO 'temp_g5fj3s'@'%';

When 'temp_g5fj3s' logs in, the user would have to do this to inherit
frank's privileges:

    SET ROLE frank;

Starting in 10.1, the user would also be able to do this to inherit
frank's privileges automatically:

    SET DEFAULT ROLE frank FOR 'temp_g5fj3s'@'%';

Geoff
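
An added example, not part of the original message and not MariaDB project code: the role setup from the reply above, carried through with privileges on the role and the checks an administrator would run to see what the temporary account can do. The `appdb` schema and the privileges granted on it are assumptions for illustration.

```sql
-- Run as an administrative account.
-- `appdb` is a hypothetical schema; grant whatever 'frank' should be able to do.
CREATE ROLE 'frank';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'frank';

-- The temporary account holds no privileges of its own, only the role.
CREATE USER 'temp_g5fj3s'@'%' IDENTIFIED BY 'my_secret';
GRANT 'frank' TO 'temp_g5fj3s'@'%';

-- MariaDB 10.1 and later: activate the role automatically at login.
SET DEFAULT ROLE frank FOR 'temp_g5fj3s'@'%';

-- Audit which accounts have been granted which roles.
SELECT User, Host, Role, Admin_option
  FROM mysql.roles_mapping
 WHERE User = 'temp_g5fj3s';

-- Run as temp_g5fj3s.
-- On 10.0 there is no default role, so the role must be activated per session.
SET ROLE frank;

-- Unlike a proxy login, SET ROLE does not change the account identity:
-- CURRENT_USER() still names the temporary account, and CURRENT_ROLE()
-- names the role whose privileges are in effect.
SELECT CURRENT_USER(), CURRENT_ROLE();

-- Effective privileges for this session, including those that come from the role.
SHOW GRANTS;
SELECT * FROM information_schema.ENABLED_ROLES;

-- Run as an administrative account when the temporary access ends.
REVOKE 'frank' FROM 'temp_g5fj3s'@'%';
DROP USER 'temp_g5fj3s'@'%';
```

Because the session keeps the temporary account's name, logs and audit records attribute activity to 'temp_g5fj3s' rather than to a 'frank'@'localhost' account, which is the main behavioural difference from the GRANT PROXY approach in the question.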