
maria-discuss team mailing list archive

Re: Proxy users in MariaDB?

 

On Thu, Apr 23, 2015 at 3:17 PM, Felipe Gasper <felipe@xxxxxxxxxxxxxxxx> wrote:
>
> FWIW, MySQL 5.7 has made mysql_native_password support proxy users:
>
> https://dev.mysql.com/doc/refman/5.7/en/proxy-users.html
>
> Is there a feature request for this with MariaDB, I wonder? Would be very,
> very useful.
>

Very interesting. I've submitted a feature request for MariaDB here:

https://mariadb.atlassian.net/browse/MDEV-8042

Feel free to comment, watch and/or upvote.

I'm not a big fan of this bit from the MySQL documentation:

"When a single account has been granted proxy privileges on more than
one account, the server mapping is nondeterministic. Therefore,
granting proxy privileges on multiple accounts to a single account is
discouraged."

Nondeterministic behavior can be pretty messy. Maybe improving the
role system to support more use cases would be better than going down
this route?

> And/or, I wonder about rigging up our own PAM authentication for the
> temp/proxy user …
>

If you decide to hack together your own solution, maybe you could use
our PAM user mapping module as a guide. The source code is linked in
the blog post, but I'll link it here as well:

https://github.com/MariaDB/server/blob/10.1/plugin/auth_pam/mapper/pam_user_map.c

> The problem with roles is that they apparently can’t log in; our need is
> literally to have one user impersonate another. The only way for us to use
> MariaDB roles as they stand currently would seem to be to retool our entire
> application so that only roles, not users, have privileges. Given the size
> of our project that would be quite a change--and probably not feasible given
> that we’re deployed on commercial servers worldwide.
>

That makes sense.

Judging by the original JIRA issue for role support, separating roles
and user accounts into different namespaces was a design decision:

https://mariadb.atlassian.net/browse/MDEV-4397

It would be nice to have the flexibility to allow roles to log in
(similar to how PostgreSQL roles can be defined with "WITH LOGIN" role
attributes), but I'm not sure if MariaDB will get that feature. Maybe
submit a feature request to our JIRA?

Thanks,

Geoff
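
The MySQL documentation quoted in this message discourages granting one account proxy privileges on more than one account. The following is an added example, not part of the original message or of MariaDB/MySQL code: it scans grant statements for accounts in that state. It assumes the statements are in the `GRANT PROXY ON ... TO ...` form; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: account names contain no embedded quotes, so 'user'@'host' is enough.
ACCOUNT = r"'([^']*)'@'([^']*)'"
PROXY_GRANT = re.compile(
    r"^\s*GRANT\s+PROXY\s+ON\s+" + ACCOUNT + r"\s+TO\s+" + ACCOUNT
    + r"(?:\s+WITH\s+GRANT\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE,
)


def parse_proxy_grants(lines):
    """Return (grantee, proxied) pairs as 'user@host' strings, one per proxy grant."""
    pairs = []
    for line in lines:
        m = PROXY_GRANT.match(line)
        if m:
            proxied_user, proxied_host, user, host = m.groups()
            pairs.append((f"{user}@{host}", f"{proxied_user}@{proxied_host}"))
    return pairs


def ambiguous_proxy_accounts(lines):
    """Map each grantee holding PROXY on more than one distinct account to those accounts."""
    targets = defaultdict(set)  # a set, so a repeated identical grant is not counted twice
    for grantee, proxied in parse_proxy_grants(lines):
        targets[grantee].add(proxied)
    return {g: sorted(t) for g, t in targets.items() if len(t) > 1}


# Constructed sample grant statements (not taken from any real server).
SAMPLE = [
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT PROXY ON 'alice'@'localhost' TO 'app'@'%'",
    "GRANT PROXY ON 'bob'@'localhost' TO 'app'@'%'",
    "GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT PROXY ON 'alice'@'localhost' TO 'support'@'10.0.0.%'",
    "GRANT PROXY ON 'alice'@'localhost' TO 'support'@'10.0.0.%';",
]

if __name__ == "__main__":
    for grantee, proxied in ambiguous_proxy_accounts(SAMPLE).items():
        print(f"{grantee}: proxy mapping is ambiguous across {', '.join(proxied)}")
```
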

