hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MySQL authentication with db name

Browse Source 
MySQL authentication with db name
This commit is contained in:
MassimilianoPinto
2014-10-21 16:46:52 +02:00
parent 3cdb1dc2ae
commit a1f621da30
2 changed files with 93 additions and 124 deletions
Download Patch File Download Diff File Expand all files Collapse all files

185
server/core/dbusers.c
View File

@ -53,7 +53,7 @@
#define MYSQL_USERS_COUNT "SELECT COUNT(1) AS nusers FROM mysql.user" #define MYSQL_USERS_COUNT "SELECT COUNT(1) AS nusers FROM mysql.user"
#define MYSQL_USERS_WITH_DB_ORDER " ORDER BY host DESC" #define MYSQL_USERS_WITH_DB_ORDER " ORDER BY host DESC"
#define LOAD_MYSQL_USERS_WITH_DB_QUERY "SELECT user.user AS user,user.host AS host,user.password AS password,concat(user.user,user.host,user.password,user.Select_priv) AS userdata, user.Select_priv AS anydb,db.db AS db FROM mysql.user LEFT JOIN mysql.db ON user.user=db.user AND user.host=db.host WHERE user.user IS NOT NULL AND user.user <> ''" MYSQL_USERS_WITH_DB_ORDER #define LOAD_MYSQL_USERS_WITH_DB_QUERY "SELECT user.user AS user,user.host AS host,user.password AS password,concat(user.user,user.host,user.password,user.Select_priv,IFNULL(db,'')) AS userdata, user.Select_priv AS anydb,db.db AS db FROM mysql.user LEFT JOIN mysql.db ON user.user=db.user AND user.host=db.host WHERE user.user IS NOT NULL AND user.user <> ''" MYSQL_USERS_WITH_DB_ORDER
#define LOAD_MYSQL_USERS_WITH_DB_QUERY_NO_ROOT "SELECT * FROM (" LOAD_MYSQL_USERS_WITH_DB_QUERY ") AS t1 WHERE user NOT IN ('root')" MYSQL_USERS_WITH_DB_ORDER #define LOAD_MYSQL_USERS_WITH_DB_QUERY_NO_ROOT "SELECT * FROM (" LOAD_MYSQL_USERS_WITH_DB_QUERY ") AS t1 WHERE user NOT IN ('root')" MYSQL_USERS_WITH_DB_ORDER
@ -67,7 +67,7 @@ static int uh_hfun( void* key);
char *mysql_users_fetch(USERS *users, MYSQL_USER_HOST *key); char *mysql_users_fetch(USERS *users, MYSQL_USER_HOST *key);
char *mysql_format_user_entry(void *data); char *mysql_format_user_entry(void *data);
int add_mysql_users_with_host_ipv4(USERS *users, char *user, char *host, char *passwd, char *anydb, char *db); int add_mysql_users_with_host_ipv4(USERS *users, char *user, char *host, char *passwd, char *anydb, char *db);
static int getDatabases(SERVICE *); static int getDatabases(SERVICE *, MYSQL *);
HASHTABLE *resource_alloc(); HASHTABLE *resource_alloc();
/** /**
@ -83,8 +83,8 @@ load_mysql_users(SERVICE *service)
return getUsers(service, service->users); return getUsers(service, service->users);
} }
int mysql_users_load_dbs(SERVICE *service) { int mysql_users_load_dbs(SERVICE *service, MYSQL *con) {
return getDatabases(service); return getDatabases(service, con);
} }
/** /**
@ -207,10 +207,9 @@ int add_mysql_users_with_host_ipv4(USERS *users, char *user, char *host, char *p
/* for anydb == Y key.resource is '\0' as set by memset */ /* for anydb == Y key.resource is '\0' as set by memset */
if (anydb == NULL) { if (anydb == NULL) {
key.resource = NULL; key.resource = NULL;
} } else {
else {
if (strcmp(anydb, "N") == 0) { if (strcmp(anydb, "N") == 0) {
if (db) if (db != NULL)
key.resource = strdup(db); key.resource = strdup(db);
else else
key.resource = NULL; key.resource = NULL;
@ -265,7 +264,7 @@ int add_mysql_users_with_host_ipv4(USERS *users, char *user, char *host, char *p
/* add user@host as key and passwd as value in the MySQL users hash table */ /* add user@host as key and passwd as value in the MySQL users hash table */
if (mysql_users_add(users, &key, passwd)) { if (mysql_users_add(users, &key, passwd)) {
ret = 1; ret = 1;
fprintf(stderr, "Added user %s@%i with db [%s]\n", key.user, key.ipv4.sin_addr.s_addr, key.resource); fprintf(stderr, "Added user %s@%i with db [%s]\n", key.user, key.ipv4.sin_addr.s_addr, key.resource == NULL ? "NULL" : key.resource);
} }
} }
@ -285,15 +284,12 @@ int add_mysql_users_with_host_ipv4(USERS *users, char *user, char *host, char *p
* @return -1 on any error or the number of users inserted (0 means no users at all) * @return -1 on any error or the number of users inserted (0 means no users at all)
*/ */
static int static int
getDatabases(SERVICE *service) getDatabases(SERVICE *service, MYSQL *con)
{ {
MYSQL *con = NULL;
MYSQL_ROW row; MYSQL_ROW row;
MYSQL_RES *result = NULL; MYSQL_RES *result = NULL;
char *service_user = NULL; char *service_user = NULL;
char *service_passwd = NULL; char *service_passwd = NULL;
char *dpwd;
SERVER *server;
int ndbs = 0; int ndbs = 0;
int i = 0; int i = 0;
@ -303,55 +299,6 @@ getDatabases(SERVICE *service)
if (service_user == NULL || service_passwd == NULL) if (service_user == NULL || service_passwd == NULL)
return -1; return -1;
con = mysql_init(NULL);
if (con == NULL) {
LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR,
"Error : mysql_init: %s",
mysql_error(con))));
return -1;
}
if (mysql_options(con, MYSQL_OPT_USE_REMOTE_CONNECTION, NULL)) {
LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR,
"Error : failed to set external connection. "
"It is needed for backend server connections. "
"Exiting.")));
return -1;
}
/**
* Attempt to connect to one of the databases database or until we run
* out of databases
* to try
*/
server = service->databases;
dpwd = decryptPassword(service_passwd);
while (server != NULL && (mysql_real_connect(con,
server->name,
service_user,
dpwd,
NULL,
server->port,
NULL,
0) == NULL))
{
server = server->nextdb;
}
free(dpwd);
if (server == NULL)
{
LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR,
"Error : Unable to load db names from backend database "
"for service %s. Missing server information.",
service->name)));
mysql_close(con);
return -1;
}
if (mysql_query(con, get_showdbs_priv_query)) { if (mysql_query(con, get_showdbs_priv_query)) {
LOGIF(LE, (skygw_log_write_flush( LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR, LOGFILE_ERROR,
@ -359,7 +306,6 @@ getDatabases(SERVICE *service)
"error: %s.", "error: %s.",
service->name, service->name,
mysql_error(con)))); mysql_error(con))));
mysql_close(con);
return -1; return -1;
} }
@ -372,7 +318,6 @@ getDatabases(SERVICE *service)
"error: %s.", "error: %s.",
service->name, service->name,
mysql_error(con)))); mysql_error(con))));
mysql_close(con);
return -1; return -1;
} }
@ -397,12 +342,9 @@ getDatabases(SERVICE *service)
if (!ndbs) { if (!ndbs) {
/* return if no db names are available */ /* return if no db names are available */
mysql_close(con);
return 0; return 0;
} }
if (mysql_query(con, "SHOW DATABASES")) { if (mysql_query(con, "SHOW DATABASES")) {
LOGIF(LE, (skygw_log_write_flush( LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR, LOGFILE_ERROR,
@ -411,7 +353,6 @@ getDatabases(SERVICE *service)
service->name, service->name,
mysql_error(con)))); mysql_error(con))));
mysql_close(con);
return -1; return -1;
} }
@ -425,31 +366,20 @@ getDatabases(SERVICE *service)
service->name, service->name,
mysql_error(con)))); mysql_error(con))));
/* cleanup the hashtable */
mysql_close(con);
return -1; return -1;
} }
/* Now populate service->resources hashatable with db names */ /* Now populate service->resources hashatable with db names */
//service->resources = (char **) calloc(ndbs+1, sizeof(char *));
service->resources = resource_alloc(); service->resources = resource_alloc();
// if calloc fails, return -1
//for (i = 0; i < ndbs; i++) {
// service->resources[i] = NULL;
//}
i = 0; i = 0;
while ((row = mysql_fetch_row(result))) { while ((row = mysql_fetch_row(result))) {
//service->resources[i] = strndup(row[0], MYSQL_DATABASE_MAXLEN);
fprintf(stderr, "Found a Database[%i]:[%s]\n", i, row[0]);
resource_add(service->resources, row[0], ""); resource_add(service->resources, row[0], "");
fprintf(stderr, "Found a Database[%i]:[%s]\n", i, row[0]);
i++; i++;
} }
mysql_free_result(result); mysql_free_result(result);
mysql_close(con);
return ndbs; return ndbs;
} }
@ -477,9 +407,9 @@ getUsers(SERVICE *service, USERS *users)
unsigned char hash[SHA_DIGEST_LENGTH]=""; unsigned char hash[SHA_DIGEST_LENGTH]="";
char *users_data = NULL; char *users_data = NULL;
int nusers = 0; int nusers = 0;
/* last byte is for Select_priv=Y|N */ int users_data_row_len = MYSQL_USER_MAXLEN + MYSQL_HOST_MAXLEN + MYSQL_PASSWORD_LEN + sizeof(char) + MYSQL_DATABASE_MAXLEN;
int users_data_row_len = MYSQL_USER_MAXLEN + MYSQL_HOST_MAXLEN + MYSQL_PASSWORD_LEN + sizeof(char); int dbnames = 0;
int dbnames_loaded = 0; int db_grants = 0;
serviceGetUser(service, &service_user, &service_passwd); serviceGetUser(service, &service_user, &service_passwd);
@ -487,14 +417,6 @@ getUsers(SERVICE *service, USERS *users)
if (service_user == NULL || service_passwd == NULL) if (service_user == NULL || service_passwd == NULL)
return -1; return -1;
/* load all mysql database names */
dbnames_loaded = mysql_users_load_dbs(service);
LOGIF(LM, (skygw_log_write(
LOGFILE_MESSAGE,
"Loaded %d MySQL Database Names.",
dbnames_loaded)));
con = mysql_init(NULL); con = mysql_init(NULL);
if (con == NULL) { if (con == NULL) {
@ -545,6 +467,15 @@ getUsers(SERVICE *service, USERS *users)
return -1; return -1;
} }
/* load all mysql database names */
dbnames = mysql_users_load_dbs(service, con);
LOGIF(LM, (skygw_log_write(
LOGFILE_MESSAGE,
"Loaded %d MySQL Database Names.",
dbnames)));
/* Load users */
if (mysql_query(con, MYSQL_USERS_COUNT)) { if (mysql_query(con, MYSQL_USERS_COUNT)) {
LOGIF(LE, (skygw_log_write_flush( LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR, LOGFILE_ERROR,
@ -583,17 +514,16 @@ getUsers(SERVICE *service, USERS *users)
return -1; return -1;
} }
fprintf(stderr, "---> result from dbnames_loaded = [%i]\n", dbnames_loaded);
/* enable_root for MySQL protocol module means load the root user credentials from backend databases */ /* enable_root for MySQL protocol module means load the root user credentials from backend databases */
if (dbnames_loaded > 0) { if (dbnames > 0) {
fprintf(stderr, "Loading dbnames_loaded = [%i]\n", dbnames_loaded); /* check for root user select */
if(service->enable_root) { if(service->enable_root) {
users_query = LOAD_MYSQL_USERS_WITH_DB_QUERY; users_query = LOAD_MYSQL_USERS_WITH_DB_QUERY;
} else { } else {
users_query = LOAD_MYSQL_USERS_WITH_DB_QUERY_NO_ROOT; users_query = LOAD_MYSQL_USERS_WITH_DB_QUERY_NO_ROOT;
} }
} else { } else {
/* check for root user select */
if(service->enable_root) { if(service->enable_root) {
users_query = LOAD_MYSQL_USERS_QUERY " ORDER BY HOST DESC"; users_query = LOAD_MYSQL_USERS_QUERY " ORDER BY HOST DESC";
} else { } else {
@ -601,10 +531,17 @@ getUsers(SERVICE *service, USERS *users)
} }
} }
/* if there is a Table access denied, try first removing dbanme from user selection */ /* send the query that fetches users and db grants */
if (mysql_query(con, users_query)) { if (mysql_query(con, users_query)) {
/* if not ER_TABLEACCESS_DENIED_ERROR) exit */ /*
* An error occurred executing the query
*
* Check mysql_errno() against ER_TABLEACCESS_DENIED_ERROR)
*/
if (1142 != mysql_errno(con)) { if (1142 != mysql_errno(con)) {
/* This is an error we cannot handle, return */
LOGIF(LE, (skygw_log_write_flush( LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR, LOGFILE_ERROR,
"Error : Loading users with dbnames for service [%s] encountered " "Error : Loading users with dbnames for service [%s] encountered "
@ -617,11 +554,16 @@ getUsers(SERVICE *service, USERS *users)
return -1; return -1;
} else { } else {
/* ER_TABLEACCESS_DENIED_ERROR, try mysql.user only query without DB names */ /*
* We have got ER_TABLEACCESS_DENIED_ERROR
* try loading users from mysql.user without DB names.
*/
LOGIF(LE, (skygw_log_write_flush( LOGIF(LE, (skygw_log_write_flush(
LOGFILE_ERROR, LOGFILE_ERROR,
"Warning: Loading DB grants failed: GRANT is required on [mysql.db] to user [%s]. Try loading DB users for service [%s] without DB name MaxScale Authentication", service_user, service->name))); "Warning: Loading DB grants failed: GRANT is required on [mysql.db] to user [%s]. Try loading DB users for service [%s] without DB name MaxScale Authentication", service_user, service->name)));
/* check for root user select */
if(service->enable_root) { if(service->enable_root) {
users_query = LOAD_MYSQL_USERS_QUERY " ORDER BY HOST DESC"; users_query = LOAD_MYSQL_USERS_QUERY " ORDER BY HOST DESC";
} else { } else {
@ -642,9 +584,29 @@ getUsers(SERVICE *service, USERS *users)
return -1; return -1;
} }
/* users loaded but without dbnames */ // LOG IT
dbnames_loaded = 0; /* users successfully loaded but without db grants */
} }
} else {
/*
* users successfully loaded.
* If dbnames > 0 the query loaded also db grants.
*/
if (dbnames > 0) {
// LOG IT
db_grants = 1;
}
}
/*
* If database specific grants were not loaded
* we need to delete database names hashtable, if loaded
*/
if (db_grants == 0 && dbnames > 0) {
// LOG IT
resource_free(service->resources);
} }
result = mysql_store_result(con); result = mysql_store_result(con);
@ -680,11 +642,20 @@ getUsers(SERVICE *service, USERS *users)
*/ */
int rc = 0; int rc = 0;
char *password;
if (row[2] != NULL) {
if (strlen(row[2]) > 1)
password = row[2] +1;
else
password = row[2];
} else {
password = strdup("");
}
if (dbnames_loaded) if (db_grants > 0)
rc = add_mysql_users_with_host_ipv4(users, row[0], row[1], strlen(row[2]) ? row[2]+1 : row[2], row[4], row[5]); rc = add_mysql_users_with_host_ipv4(users, row[0], row[1], password, row[4], row[5]);
else else
rc = add_mysql_users_with_host_ipv4(users, row[0], row[1], strlen(row[2]) ? row[2]+1 : row[2], "Y", NULL); rc = add_mysql_users_with_host_ipv4(users, row[0], row[1], password, "Y", NULL);
if (rc == 1) { if (rc == 1) {
LOGIF(LE, (skygw_log_write_flush( LOGIF(LE, (skygw_log_write_flush(
@ -817,9 +788,15 @@ static int uh_cmpfun( void* v1, void* v2) {
MYSQL_USER_HOST *hu1 = (MYSQL_USER_HOST *) v1; MYSQL_USER_HOST *hu1 = (MYSQL_USER_HOST *) v1;
MYSQL_USER_HOST *hu2 = (MYSQL_USER_HOST *) v2; MYSQL_USER_HOST *hu2 = (MYSQL_USER_HOST *) v2;
if (v1 == NULL || v2 == NULL || hu1 == NULL || hu2 == NULL || hu1->user == NULL || hu2->user == NULL) if (v1 == NULL || v2 == NULL)
return 0; return 0;
if (hu1 == NULL || hu2 == NULL)
return 0;
if (hu1->user == NULL || hu2->user == NULL)
return 0;
if (strcmp(hu1->user, hu2->user) == 0 && (hu1->ipv4.sin_addr.s_addr == hu2->ipv4.sin_addr.s_addr) && (hu1->netmask >= hu2->netmask)) { if (strcmp(hu1->user, hu2->user) == 0 && (hu1->ipv4.sin_addr.s_addr == hu2->ipv4.sin_addr.s_addr) && (hu1->netmask >= hu2->netmask)) {
/* if no database name was passed, auth is ok */ /* if no database name was passed, auth is ok */

32
server/modules/protocol/mysql_client.c
View File

@ -456,7 +456,6 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
strncpy(database, strncpy(database,
(char *)(client_auth_packet + 4 + 4 + 4 + 1 + 23 + strlen(username) + (char *)(client_auth_packet + 4 + 4 + 4 + 1 + 23 + strlen(username) +
1 + 1 + auth_token_len), MYSQL_DATABASE_MAXLEN); 1 + 1 + auth_token_len), MYSQL_DATABASE_MAXLEN);
fprintf(stderr, "---- Database name passed [%s], flag [%i]\n", database, connect_with_db);
} }
/* allocate memory for token only if auth_token_len > 0 */ /* allocate memory for token only if auth_token_len > 0 */
@ -487,36 +486,30 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
} }
} }
fprintf(stderr, "--- Authentication reply is [%i]\n", auth_ret);
/* let's free the auth_token now */ /* let's free the auth_token now */
if (auth_token) if (auth_token)
free(auth_token); free(auth_token);
if (database && strlen(database)) { if (database && strlen(database)) {
int i = 0; /* if database names are loaded we can check if db name exists */
if (dcb->service->resources) { if (dcb->service->resources) {
if (hashtable_fetch(dcb->service->resources, database)) { if (hashtable_fetch(dcb->service->resources, database)) {
db_exists = 1; db_exists = 1;
} else {
db_exists = 0;
} }
/* fetch dbname */
/*
while(dcb->service->resources[i]) {
if (strncmp(database, dcb->service->resources[i], MYSQL_DATABASE_MAXLEN) == 0) {
db_exists = 1;
}
i++;
}
*/
} else { } else {
/* if database names are not loaded we take dbname as existent */ /* if database names are not loaded we don't allow connection */
db_exists = 1; db_exists = -1;
} }
if (!db_exists && auth_ret == 0) { if (db_exists == 0 && auth_ret == 0) {
auth_ret = 2; auth_ret = 2;
} }
if (db_exists < 0 && auth_ret == 0) {
auth_ret = 1;
}
} }
if (auth_ret == 0) if (auth_ret == 0)
@ -753,8 +746,7 @@ int gw_read_client_event(
uint8_t* payload = NULL; uint8_t* payload = NULL;
bool stmt_input; /*< router input type */ bool stmt_input; /*< router input type */
fprintf(stderr, "NBYTES %i\n", nbytes_read); ss_dassert(nbytes_read >= 5);
//ss_dassert(nbytes_read >= 5);
session = dcb->session; session = dcb->session;
ss_dassert( session!= NULL); ss_dassert( session!= NULL);