MXS-536: Add option to MySQLAuth that skips authentication

Disabling authentication in MaxScale allows creation of users which act like wildcard users but require that the connection is made through MaxScale.
2016-12-02 13:19:07 +02:00 · 2016-12-02 13:19:07 +02:00 · b2e11d41d5
commit b2e11d41d5
parent adbd666991
3 changed files with 39 additions and 5 deletions
--- a/Documentation/Authenticators/MySQL-Authenticator.md
+++ b/Documentation/Authenticators/MySQL-Authenticator.md
@ -14,6 +14,25 @@ options. The `authenticator_options` parameter is supported by listeners
 and servers and expects a comma-separated list of key-value pairs. The
 following options contain examples on how to define it.

+### `skip_authentication`
+
+This option takes a boolean value which controls whether MaxScale will fully
+authenticate users. This option is disabled by default.
+
+Disabling authentication in MaxScale will allow MaxScale to act as a security
+gateway to the server. The authentication of users is offloaded to the backend
+server.
+
+For example, creating the user `jdoe@%` will allow the user _jdoe_ to connect
+from any IP address. This can be a problem if all traffic needs to go through
+MaxScale. By enabling this option and replacing the user with
+`jdoe@maxscale-IP`, the users can still connect from any client IP but will be
+forced to go though MaxScale.
+
+```
+authenticator_options=skip_authentication=true
+```
+
 ### `cache_dir`

 The location where the user credential cache is stored. The default value
--- a/Documentation/Release-Notes/MaxScale-2.1.0-Release-Notes.md
+++ b/Documentation/Release-Notes/MaxScale-2.1.0-Release-Notes.md
@ -104,9 +104,7 @@ following new commands were added to maxadmin, see output of `maxadmin help
 With these new features, you can start MaxScale without the servers and define
 them later.

-# Module commands
-
-## Module commands
+### Module commands

 Introduced in MaxScale 2.1, the module commands are special, module-specific
 commands. They allow the modules to expand beyound the capabilities of the
@ -145,6 +143,13 @@ aimed for two node master-slave clusters where the slave can act as a
 master in case the original master fails. For more details, please read
 the [MySQL Monitor Documentation](../Monitors/MySQL-Monitor.md).

+### Permissive authentication mode for MySQLAuth
+
+The MySQL authentication module supports the `skip_authentication` option which
+allows authentication to always succedd in MaxScale. This option offloads the
+actual authentication to the backend server and it can be used to implement a
+secure version of a wildcard user.
+
 ## Bug fixes

 [Here is a list of bugs fixed since the release of MaxScale 2.0.X.](https://jira.mariadb.org/browse/MXS-739?jql=project%20%3D%20MXS%20AND%20issuetype%20%3D%20Bug%20AND%20resolution%20in%20(Fixed%2C%20Done)%20AND%20fixVersion%20%3D%202.0.0)
--- a/server/modules/authenticator/MySQLAuth/mysql_auth.c
+++ b/server/modules/authenticator/MySQLAuth/mysql_auth.c
@ -39,6 +39,7 @@ typedef struct mysql_auth
 {
    char *cache_dir;          /**< Custom cache directory location */
    bool inject_service_user; /**< Inject the service user into the list of users */
+    bool skip_auth;           /**< Authentication will always be successful */
 } MYSQL_AUTH;


@ -144,6 +145,7 @@ static void* mysql_auth_init(char **options)
        bool error = false;
        instance->cache_dir = NULL;
        instance->inject_service_user = true;
+        instance->skip_auth = false;

        for (int i = 0; options[i]; i++)
        {
@ -165,6 +167,10 @@ static void* mysql_auth_init(char **options)
                {
                    instance->inject_service_user = config_truth_value(value);
                }
+                else if (strcmp(options[i], "skip_authentication") == 0)
+                {
+                    instance->skip_auth = config_truth_value(value);
+                }
                else
                {
                    MXS_ERROR("Unknown authenticator option: %s", options[i]);
@ -248,17 +254,21 @@ mysql_auth_authenticate(DCB *dcb)
        auth_ret = combined_auth_check(dcb, client_data->auth_token, client_data->auth_token_len,
                                       protocol, client_data->user, client_data->client_sha1, client_data->db);

+        MYSQL_AUTH *instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
+
        /* On failed authentication try to load user table from backend database */
        /* Success for service_refresh_users returns 0 */
-        if (MXS_AUTH_SUCCEEDED != auth_ret && 0 == service_refresh_users(dcb->service))
+        if (MXS_AUTH_SUCCEEDED != auth_ret && !instance->skip_auth &&
+            0 == service_refresh_users(dcb->service))
        {
            auth_ret = combined_auth_check(dcb, client_data->auth_token, client_data->auth_token_len, protocol,
                                           client_data->user, client_data->client_sha1, client_data->db);
        }

        /* on successful authentication, set user into dcb field */
-        if (MXS_AUTH_SUCCEEDED == auth_ret)
+        if (MXS_AUTH_SUCCEEDED == auth_ret || instance->skip_auth)
        {
+            auth_ret = MXS_AUTH_SUCCEEDED;
            dcb->user = MXS_STRDUP_A(client_data->user);
            /** Send an OK packet to the client */
        }