maria-discuss team mailing list archive

[Geoff Montee <geoff.montee@xxxxxxxxx>]

On Thu, Apr 23, 2015 at 2:42 PM, Felipe Gasper <felipe@xxxxxxxxxxxxxxxx> wrote:
>
>         This looks really cool--thank you for posting!
>
>         One question: how readily might this be able to support using
> MariaDB’s own authentication for the user rather than /etc/shadow?
>
> Example:
>
> GRANT USAGE ON *.* TO 'temp_g5fj3s'@'' IDENTIFIED BY 'my_secret';
> GRANT PROXY ON 'frank'@'localhost' TO 'temp_g5fj3s'@'';
>
>         e.g., I log in as “temp_g5fj3s” using “my_secret”, and MariaDB would
> then just make that user behave as 'frank'@'localhost'.
>

I believe that the proxy user functionality in MySQL/MariaDB requires
that the authentication plugin change the user name to that of the
proxied user:

https://dev.mysql.com/doc/refman/5.5/en/proxy-users.html

As far as I know, MariaDB's default authentication doesn't support
this kind of thing. The PAM authentication plugin does.

However, if you are using MariaDB 10.0, you could use roles:

https://mariadb.com/kb/en/mariadb/roles-overview/

What you are trying to do would look like this:

CREATE USER 'temp_g5fj3s'@'%' IDENTIFIED BY 'my_secret';
CREATE ROLE 'frank';
GRANT 'frank' TO 'temp_g5fj3s'@'%';

When  'temp_g5fj3s' logs in, the user would have to do this to inherit
frank's privileges:

SET ROLE frank;

Starting in 10.1., the user would also be able to do this to inherit
frank's privileges automatically:

SET DEFAULT ROLE frank FOR 'temp_g5fj3s'@'%';

Geoff