diff --git a/Documentation/Authenticators/MySQL-Authenticator.md b/Documentation/Authenticators/MySQL-Authenticator.md index f2397d018..ffbdb0c7d 100644 --- a/Documentation/Authenticators/MySQL-Authenticator.md +++ b/Documentation/Authenticators/MySQL-Authenticator.md @@ -67,3 +67,16 @@ injected into the list of users. ``` authenticator_options=inject_service_user=false ``` + +### `lower_case_table_names` + +Enable case-insensitive identifier matching for authentication. This parameter +is disabled by default. + +The parameter functions exactly as the MariaDB Server system variable +[lower_case_table_names](https://mariadb.com/kb/en/library/server-system-variables/#lower_case_table_names). +This makes the matching done by the authenticator on database names to be +case-insensitive by converting all names into their lowercase form. + +**Note:** The identifier names are converted using an ASCII-only function. This + means that non-ASCII characters will retain their case-sensitivity. diff --git a/server/modules/authenticator/MySQLAuth/dbusers.c b/server/modules/authenticator/MySQLAuth/dbusers.c index eb72bba95..c1981272b 100644 --- a/server/modules/authenticator/MySQLAuth/dbusers.c +++ b/server/modules/authenticator/MySQLAuth/dbusers.c @@ -186,7 +186,10 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session, uint8_t *scramble, size_t scramble_len) { sqlite3 *handle = instance->handle; - size_t len = sizeof(mysqlauth_validate_user_query) + strlen(session->user) * 2 + + const char* validate_query = instance->lower_case_table_names ? + mysqlauth_validate_user_query_lower : + mysqlauth_validate_user_query; + size_t len = strlen(validate_query) + 1 + strlen(session->user) * 2 + strlen(session->db) * 2 + MYSQL_HOST_MAXLEN + session->auth_token_len * 4 + 1; char sql[len + 1]; int rval = MXS_AUTH_FAILED; @@ -198,7 +201,7 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session, } else { - sprintf(sql, mysqlauth_validate_user_query, session->user, dcb->remote, + sprintf(sql, validate_query, session->user, dcb->remote, dcb->remote, session->db, session->db); } @@ -214,7 +217,7 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session, if (!res.ok && strchr(dcb->remote, ':') && strchr(dcb->remote, '.')) { const char *ipv4 = strrchr(dcb->remote, ':') + 1; - sprintf(sql, mysqlauth_validate_user_query, session->user, ipv4, ipv4, + sprintf(sql, validate_query, session->user, ipv4, ipv4, session->db, session->db); if (sqlite3_exec(handle, sql, auth_cb, &res, &err) != SQLITE_OK) @@ -233,7 +236,7 @@ int validate_mysql_user(MYSQL_AUTH* instance, DCB *dcb, MYSQL_session *session, char client_hostname[MYSQL_HOST_MAXLEN] = ""; get_hostname(dcb, client_hostname, sizeof(client_hostname) - 1); - sprintf(sql, mysqlauth_validate_user_query, session->user, client_hostname, + sprintf(sql, validate_query, session->user, client_hostname, client_hostname, session->db, session->db); if (sqlite3_exec(handle, sql, auth_cb, &res, &err) != SQLITE_OK) diff --git a/server/modules/authenticator/MySQLAuth/mysql_auth.c b/server/modules/authenticator/MySQLAuth/mysql_auth.c index d8e4f6e17..2b9177e21 100644 --- a/server/modules/authenticator/MySQLAuth/mysql_auth.c +++ b/server/modules/authenticator/MySQLAuth/mysql_auth.c @@ -183,6 +183,7 @@ static void* mysql_auth_init(char **options) instance->cache_dir = NULL; instance->inject_service_user = true; instance->skip_auth = false; + instance->lower_case_table_names = false; instance->handle = NULL; for (int i = 0; options[i]; i++) @@ -209,6 +210,10 @@ static void* mysql_auth_init(char **options) { instance->skip_auth = config_truth_value(value); } + else if (strcmp(options[i], "lower_case_table_names") == 0) + { + instance->lower_case_table_names = config_truth_value(value); + } else { MXS_ERROR("Unknown authenticator option: %s", options[i]); diff --git a/server/modules/authenticator/MySQLAuth/mysql_auth.h b/server/modules/authenticator/MySQLAuth/mysql_auth.h index 07f66a1e5..ae289e202 100644 --- a/server/modules/authenticator/MySQLAuth/mysql_auth.h +++ b/server/modules/authenticator/MySQLAuth/mysql_auth.h @@ -66,6 +66,12 @@ static const char mysqlauth_validate_user_query[] = " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR '%s' LIKE db)" " LIMIT 1"; +/** Query that checks if there's a grant for the user being authenticated */ +static const char mysqlauth_validate_user_query_lower[] = + "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME + " WHERE user = '%s' AND ( '%s' = host OR '%s' LIKE host) AND (anydb = '1' OR '%s' = '' OR LOWER('%s') LIKE LOWER(db))" + " LIMIT 1"; + /** Query that only checks if there's a matching user */ static const char mysqlauth_skip_auth_query[] = "SELECT password FROM " MYSQLAUTH_USERS_TABLE_NAME @@ -106,10 +112,11 @@ static int db_flags = SQLITE_OPEN_READWRITE | typedef struct mysql_auth { - sqlite3 *handle; /**< SQLite3 database handle */ - char *cache_dir; /**< Custom cache directory location */ - bool inject_service_user; /**< Inject the service user into the list of users */ - bool skip_auth; /**< Authentication will always be successful */ + sqlite3 *handle; /**< SQLite3 database handle */ + char *cache_dir; /**< Custom cache directory location */ + bool inject_service_user; /**< Inject the service user into the list of users */ + bool skip_auth; /**< Authentication will always be successful */ + bool lower_case_table_names; /**< Disable database case-sensitivity */ } MYSQL_AUTH; /** Common structure for both backend and client authenticators */