From f15815c6bbdb37b977e53814420ea36f3fe95636 Mon Sep 17 00:00:00 2001
From: MassimilianoPinto
Date: Wed, 10 Sep 2014 17:12:25 +0200
Subject: [PATCH 1/4] New service parameter localhost_match_any
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
New service parameter ‘localhost_match_any’ allows localhost matching the wildcard host. Default value is 0, don’t match. It may be changed if backend servers don’t have the anonymous user ‘’@localhost
---
server/core/config.c | 25 +++++++++++++++++++++++++
server/core/service.c | 22 ++++++++++++++++++++++
server/include/service.h | 2 ++
server/modules/protocol/mysql_common.c | 7 ++++++-
4 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/server/core/config.c b/server/core/config.c
index 0dfc980dc..48ade63ea 100644
--- a/server/core/config.c
+++ b/server/core/config.c
@@ -34,6 +34,7 @@ * 29/05/14 Mark Riddoch Addition of filter definition * 23/05/14 Massimiliano Pinto Added automatic set of maxscale-id: first listening ipv4_raw + port + pid * 28/05/14 Massimiliano Pinto Added detect_replication_lag parameter + * 09/09/14 Massimiliano Pinto Added localhost_match_any parameter * * @endverbatim */
@@ -276,6 +277,9 @@ int error_count = 0; char *version_string = config_get_value(obj->parameters, "version_string"); + char *allow_localhost_match_any = + config_get_value(obj->parameters, "localhost_match_any"); + if (obj->element == NULL) /*< if module load failed */ { LOGIF(LE, (skygw_log_write_flush(
@@ -310,6 +314,11 @@ int error_count = 0; if (weightby) serviceWeightBy(obj->element, weightby); + if (allow_localhost_match_any) + serviceEnableLocalhostMatchAny( + obj->element, + config_truth_value(allow_localhost_match_any)); + if (!auth) auth = config_get_value(obj->parameters, "auth");
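Review bot: `serviceEnableLocalhostMatchAny(obj->element, ...)` is called here, and again at `@@ -1021` and `@@ -1120` of this file, without any prototype being added to service.h in this patch; the `extern int serviceEnableLocalhostMatchWildcardHost(SERVICE *, int);` declaration only arrives in PATCH 2/4, so until then these calls rely on an implicit declaration. Add `extern int serviceEnableLocalhostMatchAny(SERVICE *, int);` beside `serviceEnableRootUser` in service.h as part of this commit, so the compiler checks argument types on an authentication-relevant call. The enclosing function starts and ends outside the hunk.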
@@ -998,6 +1007,7 @@ SERVER *server; char* max_slave_conn_str; char* max_slave_rlag_str; char *version_string; + char *allow_localhost_match_any; enable_root_user = config_get_value(obj->parameters, "enable_root_user");
@@ -1008,6 +1018,8 @@ SERVER *server; version_string = config_get_value(obj->parameters, "version_string"); + allow_localhost_match_any = config_get_value(obj->parameters, "localhost_match_any"); + if (version_string) { if (service->version_string) { free(service->version_string);
@@ -1021,6 +1033,11 @@ SERVER *server; auth); if (enable_root_user) serviceEnableRootUser(service, atoi(enable_root_user)); + + if (allow_localhost_match_any) + serviceEnableLocalhostMatchAny( + service, + atoi(allow_localhost_match_any)); /** Read, validate and set max_slave_connections */ max_slave_conn_str =
@@ -1105,6 +1122,8 @@ SERVER *server; enable_root_user = config_get_value(obj->parameters, "enable_root_user"); + allow_localhost_match_any = + config_get_value(obj->parameters, "localhost_match_any"); user = config_get_value(obj->parameters, "user");
@@ -1120,6 +1139,11 @@ SERVER *server; auth); if (enable_root_user) serviceEnableRootUser(service, atoi(enable_root_user)); + + if (allow_localhost_match_any) + serviceEnableLocalhostMatchAny( + service, + atoi(allow_localhost_match_any)); } } }
@@ -1325,6 +1349,7 @@ static char *service_params[] = "user", "passwd", "enable_root_user", + "localhost_match_any", "max_slave_connections", "max_slave_replication_lag", "version_string",
diff --git a/server/core/service.c b/server/core/service.c
index 1b79db346..4c98a5a5c 100644
--- a/server/core/service.c
+++ b/server/core/service.c
@@ -31,6 +31,7 @@ * 07/05/14 Massimiliano Pinto Added: version_string initialized to NULL * 23/05/14 Mark Riddoch Addition of service validation call * 29/05/14 Mark Riddoch Filter API implementation + * 09/09/14 Massimiliano Pinto Added service option for localhost authentication * * @endverbatim */
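Review bot: The reload paths at `@@ -1021` and `@@ -1120` pass `atoi(allow_localhost_match_any)` to `serviceEnableLocalhostMatchAny`, while the start-up path at `@@ -310` passes `config_truth_value(allow_localhost_match_any)`. If `config_truth_value` accepts spellings such as `true` or `yes` (its body is not on this page), a value accepted at start-up becomes 0 after `atoi` on reload and the option is silently switched off; and any value other than 0 or 1 makes the function return 0, which none of the three callers check. Use one conversion in all three places, e.g. `serviceEnableLocalhostMatchAny(service, config_truth_value(allow_localhost_match_any));`, and log at LOGFILE_ERROR when it returns 0 so a rejected value for an authentication-relevant setting is visible to the operator. The enclosing function starts and ends outside these hunks.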
@@ -108,6 +109,7 @@ SERVICE *service; service->credentials.name = NULL; service->credentials.authdata = NULL; service->enable_root = 0; + service->localhost_match_any = 0; service->routerOptions = NULL; service->databases = NULL; service->svc_config_param = NULL;
@@ -1171,3 +1173,23 @@ serviceGetWeightingParameter(SERVICE *service) { return service->weightby; } + +/** + * Enable/Disable localhost authentication match criteria + * associated with this service. + * + * @param service The service we are setting the data for + * @param action 1 for enable, 0 for disable access + * @return 0 on failure + */ + +int +serviceEnableLocalhostMatchAny(SERVICE *service, int action) +{ + if (action != 0 && action != 1) + return 0; + + service->localhost_match_any = action; + + return 1; +}
diff --git a/server/include/service.h b/server/include/service.h
index cd13d411b..43077c511 100644
--- a/server/include/service.h
+++ b/server/include/service.h
@@ -44,6 +44,7 @@ * struct * 29/05/14 Mark Riddoch Filter API mechanism * 26/06/14 Mark Riddoch Added WeightBy support + * 09/09/14 Massimiliano Pinto Added service option for localhost authentication * * @endverbatim */
@@ -122,6 +123,7 @@ typedef struct service { SERVICE_STATS stats; /**< The service statistics */ struct users *users; /**< The user data for this service */ int enable_root; /**< Allow root user access */ + int localhost_match_any; /**< Match localhost against wildcard */ CONFIG_PARAMETER* svc_config_param; /*< list of config params and values */ int svc_config_version; /*< Version number of configuration */
diff --git a/server/modules/protocol/mysql_common.c b/server/modules/protocol/mysql_common.c
index f9c0ebdea..3d7779da6 100644
--- a/server/modules/protocol/mysql_common.c
+++ b/server/modules/protocol/mysql_common.c
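Review bot: The doc comment on the new `serviceEnableLocalhostMatchAny` says `@return 0 on failure` without saying what a failure is or that the service is left untouched, and `@param action 1 for enable, 0 for disable access` does not say what is being enabled; since config.c feeds user-supplied values through `atoi` into this function, the contract matters. Suggest `@param action 1 to let a localhost client match a wildcard-host user entry, 0 to require an explicit localhost entry (the default set in service_alloc)` and `@return 1 on success, 0 if action is neither 0 nor 1 (service unchanged)`. The default of 0 is established by the `service->localhost_match_any = 0;` line in `@@ -108`; the same wording belongs on the new `localhost_match_any` field in service.h at `@@ -122`, whose current comment `Match localhost against wildcard` does not mention the default.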
@@ -26,6 +26,11 @@ * 04/09/2013 Massimiliano Pinto Added dcb NULL assert in mysql_send_custom_error * 12/09/2013 Massimiliano Pinto Added checks in gw_decode_mysql_server_handshake and gw_read_backend_handshake * 10/02/2014 Massimiliano Pinto Added MySQL Authentication with user@host + * 10/09/2014 Massimiliano Pinto Added MySQL Authentication option enabling localhost match with any host (wildcard %) + * Backend server configuration may differ so default is 0, don't match and an explicit + * localhost entry should be added for the selected user in the backends. + * Setting to 1 allow localhost (127.0.0.1 or socket) to match the any host grant via + * user@% * */
@@ -1345,7 +1350,7 @@ int gw_find_mysql_user_password_sha1(char *username, uint8_t *gateway_password, * The check for localhost is 127.0.0.1 (IPv4 only) */ - if (key.ipv4.sin_addr.s_addr == 0x0100007F) { + if ((key.ipv4.sin_addr.s_addr == 0x0100007F) && !dcb->service->localhost_match_any) { /* Skip the wildcard check and return 1 */ LOGIF(LD, (skygw_log_write_flush(
From 8818f2317649cf12c5c697b34221c01a52a73624 Mon Sep 17 00:00:00 2001
From: MassimilianoPinto
Date: Fri, 12 Sep 2014 16:24:55 +0200
Subject: [PATCH 2/4] Added localhost_match_wildcard_host parameter
Added localhost_match_wildcard_host parameter to service
---
server/core/config.c | 32 +++++++++++++------------
server/core/service.c | 4 ++--
server/include/service.h | 3 ++-
server/modules/protocol/mysql_common.c | 2 +-
4 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/server/core/config.c b/server/core/config.c
index 96d05eeef..3d12ac645 100644
--- a/server/core/config.c
+++ b/server/core/config.c
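Review bot: The rewritten condition keeps the literal `0x0100007F` as the loopback test; `sin_addr.s_addr` holds the address in network byte order, so that value equals 127.0.0.1 only on little-endian hosts, and the context comment above already admits the check is IPv4-only while the changelog entry added in `@@ -26` says the option covers `127.0.0.1 or socket`. Since this line now decides whether a loopback client may authenticate against a `user@%` entry instead of an explicit localhost entry, write it as `if (key.ipv4.sin_addr.s_addr == htonl(INADDR_LOOPBACK) && !dcb->service->localhost_match_any) {` and state in the comment which client transports are and are not treated as localhost. Whether Unix-socket clients reach this branch at all cannot be seen on this page; `gw_find_mysql_user_password_sha1` starts and ends outside the hunk.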
@@ -35,7 +35,7 @@ * 23/05/14 Massimiliano Pinto Added automatic set of maxscale-id: first listening ipv4_raw + port + pid * 28/05/14 Massimiliano Pinto Added detect_replication_lag parameter * 28/08/14 Massimiliano Pinto Added detect_stale_master parameter - * 09/09/14 Massimiliano Pinto Added localhost_match_any parameter + * 09/09/14 Massimiliano Pinto Added localhost_match_wildcard_host parameter * * @endverbatim */
@@ -289,8 +289,8 @@ int error_count = 0; is_rwsplit = true; } - char *allow_localhost_match_any = - config_get_value(obj->parameters, "localhost_match_any"); + char *allow_localhost_match_wildcard_host = + config_get_value(obj->parameters, "localhost_match_wildcard_host"); if (obj->element == NULL) /*< if module load failed */ {
@@ -326,10 +326,10 @@ int error_count = 0; if (weightby) serviceWeightBy(obj->element, weightby); - if (allow_localhost_match_any) - serviceEnableLocalhostMatchAny( + if (allow_localhost_match_wildcard_host) + serviceEnableLocalhostMatchWildcardHost( obj->element, - config_truth_value(allow_localhost_match_any)); + config_truth_value(allow_localhost_match_wildcard_host)); if (!auth) auth = config_get_value(obj->parameters,
@@ -1195,7 +1195,7 @@ SERVER *server; char* max_slave_conn_str; char* max_slave_rlag_str; char *version_string; - char *allow_localhost_match_any; + char *allow_localhost_match_wildcard_host; enable_root_user = config_get_value(obj->parameters, "enable_root_user");
@@ -1206,7 +1206,7 @@ SERVER *server; version_string = config_get_value(obj->parameters, "version_string"); - allow_localhost_match_any = config_get_value(obj->parameters, "localhost_match_any"); + allow_localhost_match_wildcardi_host = config_get_value(obj->parameters, "localhost_match_wildcard_host"); if (version_string) { if (service->version_string) {
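Review bot: `allow_localhost_match_wildcardi_host` on the added line of `@@ -1206` is a typo for `allow_localhost_match_wildcard_host`, so unless something else declares that name this commit does not build; the `@@ -1342` hunk on the next line likewise still calls `serviceEnableLocalhostMatchAny` after service.c renamed it to `serviceEnableLocalhostMatchWildcardHost` in the same commit. Both are corrected in PATCH 3/4, but as a series this leaves a non-building commit in history; squash those fixes into this commit (or do the rename in one step) so bisecting through it stays possible. The enclosing function starts and ends outside the hunk.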
@@ -1222,10 +1222,10 @@ SERVER *server; if (enable_root_user) serviceEnableRootUser(service, atoi(enable_root_user)); - if (allow_localhost_match_any) - serviceEnableLocalhostMatchAny( + if (allow_localhost_match_wildcard_host) + serviceEnableLocalhostMatchWildcardHost( service, - atoi(allow_localhost_match_any)); + atoi(allow_localhost_match_wildcard_host)); /** Read, validate and set max_slave_connections */ max_slave_conn_str =
@@ -1324,8 +1324,8 @@ SERVER *server; enable_root_user = config_get_value(obj->parameters, "enable_root_user"); - allow_localhost_match_any = - config_get_value(obj->parameters, "localhost_match_any"); + allow_localhost_match_wildcard_host = + config_get_value(obj->parameters, "localhost_match_wildcard_host"); user = config_get_value(obj->parameters, "user");
@@ -1342,10 +1342,10 @@ SERVER *server; if (enable_root_user) serviceEnableRootUser(service, atoi(enable_root_user)); - if (allow_localhost_match_any) + if (allow_localhost_match_wildcard_host) serviceEnableLocalhostMatchAny( service, - atoi(allow_localhost_match_any)); + atoi(allow_localhost_match_wildcard_host)); } } }
@@ -1563,7 +1563,7 @@ static char *service_params[] = "user", "passwd", "enable_root_user", - "localhost_match_any", + "localhost_match_wildcard_host", "max_slave_connections", "max_slave_replication_lag", "use_sql_variables_in", /*< rwsplit only */
diff --git a/server/core/service.c b/server/core/service.c
index e64d25038..f36474645 100644
--- a/server/core/service.c
+++ b/server/core/service.c
@@ -1301,12 +1301,12 @@ serviceGetWeightingParameter(SERVICE *service) */ int -serviceEnableLocalhostMatchAny(SERVICE *service, int action) +serviceEnableLocalhostMatchWildcardHost(SERVICE *service, int action) { if (action != 0 && action != 1) return 0; - service->localhost_match_any = action; + service->localhost_match_wildcard_host = action; return 1; }
diff --git a/server/include/service.h b/server/include/service.h
index 9f5bef7b4..139a08056 100644
--- a/server/include/service.h
+++ b/server/include/service.h
@@ -123,7 +123,7 @@ typedef struct service { SERVICE_STATS stats; /**< The service statistics */ struct users *users; /**< The user data for this service */ int enable_root; /**< Allow root user access */ - int localhost_match_any; /**< Match localhost against wildcard */ + int localhost_match_wildcard_host; /**< Match localhost against wildcard */ CONFIG_PARAMETER* svc_config_param; /*< list of config params and values */ int svc_config_version; /*< Version number of configuration */
@@ -163,6 +163,7 @@ extern void serviceSetFilters(SERVICE *, char *); extern int serviceEnableRootUser(SERVICE *, int ); extern void serviceWeightBy(SERVICE *, char *); extern char *serviceGetWeightingParameter(SERVICE *); +extern int serviceEnableLocalhostMatchWildcardHost(SERVICE *, int); extern void service_update(SERVICE *, char *, char *, char *); extern int service_refresh_users(SERVICE *); extern void printService(SERVICE *);
diff --git a/server/modules/protocol/mysql_common.c b/server/modules/protocol/mysql_common.c
index 3d7779da6..45d93023a 100644
--- a/server/modules/protocol/mysql_common.c
+++ b/server/modules/protocol/mysql_common.c
@@ -1350,7 +1350,7 @@ int gw_find_mysql_user_password_sha1(char *username, uint8_t *gateway_password, * The check for localhost is 127.0.0.1 (IPv4 only) */ - if ((key.ipv4.sin_addr.s_addr == 0x0100007F) && !dcb->service->localhost_match_any) { + if ((key.ipv4.sin_addr.s_addr == 0x0100007F) && !dcb->service->localhost_match_wildcard_host) { /* Skip the wildcard check and return 1 */ LOGIF(LD, (skygw_log_write_flush(
From 7108add6f5c079cf60899e93048864e85e15598e Mon Sep 17 00:00:00 2001
From: MassimilianoPinto
Date: Fri, 12 Sep 2014 17:21:34 +0200
Subject: [PATCH 3/4] code cleanup localhost_match_wildcard_host
code cleanup for localhost_match_wildcard_host
---
server/core/config.c | 5 +++--
server/core/service.c | 2 +-
server/modules/protocol/mysql_client.c | 1 +
server/modules/protocol/mysql_common.c | 8 +++-----
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/server/core/config.c b/server/core/config.c
index 3d12ac645..21d3321a4 100644
--- a/server/core/config.c
+++ b/server/core/config.c
@@ -1206,7 +1206,7 @@ SERVER *server; version_string = config_get_value(obj->parameters, "version_string"); - allow_localhost_match_wildcardi_host = config_get_value(obj->parameters, "localhost_match_wildcard_host"); + allow_localhost_match_wildcard_host = config_get_value(obj->parameters, "localhost_match_wildcard_host"); if (version_string) { if (service->version_string) {
@@ -1320,6 +1320,7 @@ SERVER *server; char *user; char *auth; char *enable_root_user; + char *allow_localhost_match_wildcard_host; enable_root_user = config_get_value(obj->parameters,
@@ -1343,7 +1344,7 @@ SERVER *server; serviceEnableRootUser(service, atoi(enable_root_user)); if (allow_localhost_match_wildcard_host) - serviceEnableLocalhostMatchAny( + serviceEnableLocalhostMatchWildcardHost( service, atoi(allow_localhost_match_wildcard_host)); }
diff --git a/server/core/service.c b/server/core/service.c
index f36474645..a5e08f937 100644
--- a/server/core/service.c
+++ b/server/core/service.c
@@ -129,7 +129,7 @@ SERVICE *service; service->credentials.name = NULL; service->credentials.authdata = NULL; service->enable_root = 0; - service->localhost_match_any = 0; + service->localhost_match_wildcard_host = 0; service->routerOptions = NULL; service->databases = NULL; service->svc_config_param = NULL;
diff --git a/server/modules/protocol/mysql_client.c b/server/modules/protocol/mysql_client.c
index 3c8a70bd9..c106ac420 100644
--- a/server/modules/protocol/mysql_client.c
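Review bot: A second `char *allow_localhost_match_wildcard_host;` declaration is introduced at `@@ -1320`, in the block that declares `user`, `auth` and `enable_root_user`, while PATCH 2/4 already declares the same name at `@@ -1195` of what appears to be the same function (both hunk headers show `SERVER *server;` as context). If the earlier declaration is in an enclosing scope, this one shadows it and `-Wshadow` will flag it; if the two blocks are siblings, the assignment added at `@@ -1105` in PATCH 1/4 was using an undeclared name until this commit, which is worth saying in the commit message rather than "code cleanup". Either way, one declaration at function scope with a short comment on what the string holds would avoid the question. The enclosing function starts and ends outside the hunk.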
+++ b/server/modules/protocol/mysql_client.c
@@ -42,6 +42,7 @@ #include #include #include +#include MODULE_INFO info = { MODULE_API_PROTOCOL,
diff --git a/server/modules/protocol/mysql_common.c b/server/modules/protocol/mysql_common.c
index 45d93023a..116c3c948 100644
--- a/server/modules/protocol/mysql_common.c
+++ b/server/modules/protocol/mysql_common.c
@@ -1352,10 +1352,10 @@ int gw_find_mysql_user_password_sha1(char *username, uint8_t *gateway_password, if ((key.ipv4.sin_addr.s_addr == 0x0100007F) && !dcb->service->localhost_match_wildcard_host) { /* Skip the wildcard check and return 1 */ - LOGIF(LD, + LOGIF(LE, (skygw_log_write_flush( - LOGFILE_DEBUG, - "%lu [MySQL Client Auth], user [%s@%s] not existent", + LOGFILE_ERROR, + "%lu [MySQL Client Auth], user [%s@%s] not found, try with 'localhost_match_wildcard_host=1' in service definition", pthread_self(), key.user, dcb->remote)));
@@ -1699,8 +1699,6 @@ void protocol_add_srv_command( MySQLProtocol* p, mysql_server_cmd_t cmd) { - server_command_t* c; - spinlock_acquire(&p->protocol_lock); if (p->protocol_state != MYSQL_PROTOCOL_ACTIVE)
From acdc2968c75420ffe157c7e31d87b686af0d46df Mon Sep 17 00:00:00 2001
From: MassimilianoPinto
Date: Fri, 12 Sep 2014 17:34:13 +0200
Subject: [PATCH 4/4] Added LogFile entry for failed match
Added LogFile entry for failed match
---
server/modules/protocol/mysql_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/modules/protocol/mysql_common.c b/server/modules/protocol/mysql_common.c
index 116c3c948..2473cc6ce 100644
--- a/server/modules/protocol/mysql_common.c
+++ b/server/modules/protocol/mysql_common.c
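Review bot: The `+#include` added at `@@ -42` is the only change to mysql_client.c in this commit and no other hunk in the series touches that file, so it is not clear which symbol needs it; the header name itself is not visible on this page (the `<...>` part of every include in this hunk appears to have been lost in rendering), so the dependency cannot be checked here. Either add a one-line comment naming what the include is for, or move it to the commit whose code uses it rather than a "code cleanup" commit.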
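Review bot: The new message on the `+ "%lu [MySQL Client Auth], user [%s@%s] not found, try with 'localhost_match_wildcard_host=1' in service definition"` line of `@@ -1352`, now at `LOGFILE_ERROR`, is written for every failed loopback login whose user has no explicit localhost entry, and it recommends the more permissive setting regardless of whether the real cause is a mistyped user name; since any unauthenticated loopback client can trigger the branch per attempt, an operator reading the error log is steered toward loosening host matching rather than checking the grants. Keep the diagnostic neutral and record the option's state instead of advice, e.g. `"%lu [MySQL Client Auth], user [%s@%s] not found, localhost_match_wildcard_host=%d"` with `dcb->service->localhost_match_wildcard_host` appended after `dcb->remote` in the argument list, and document the option in the service configuration reference rather than in a log line. PATCH 4/4 at `@@ -1355` only rewords the same string and keeps the advice; `gw_find_mysql_user_password_sha1` starts and ends outside the hunk.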
@@ -1355,7 +1355,7 @@ int gw_find_mysql_user_password_sha1(char *username, uint8_t *gateway_password, LOGIF(LE, (skygw_log_write_flush( LOGFILE_ERROR, - "%lu [MySQL Client Auth], user [%s@%s] not found, try with 'localhost_match_wildcard_host=1' in service definition", + "%lu [MySQL Client Auth], user [%s@%s] not found, please try with 'localhost_match_wildcard_host=1' in service definition", pthread_self(), key.user, dcb->remote)));