From b2e11d41d59c530ae1d53a7df5c8bcf46cf7c38b Mon Sep 17 00:00:00 2001 From: Markus Makela Date: Fri, 2 Dec 2016 13:19:07 +0200 Subject: [PATCH] MXS-536: Add option to MySQLAuth that skips authentication Disabling authentication in MaxScale allows creation of users which act like wildcard users but require that the connection is made through MaxScale. --- .../Authenticators/MySQL-Authenticator.md | 19 +++++++++++++++++++ .../MaxScale-2.1.0-Release-Notes.md | 11 ++++++++--- .../authenticator/MySQLAuth/mysql_auth.c | 14 ++++++++++++-- 3 files changed, 39 insertions(+), 5 deletions(-) diff --git a/Documentation/Authenticators/MySQL-Authenticator.md b/Documentation/Authenticators/MySQL-Authenticator.md index 82db5d52d..f2397d018 100644 --- a/Documentation/Authenticators/MySQL-Authenticator.md +++ b/Documentation/Authenticators/MySQL-Authenticator.md @@ -14,6 +14,25 @@ options. The `authenticator_options` parameter is supported by listeners and servers and expects a comma-separated list of key-value pairs. The following options contain examples on how to define it. +### `skip_authentication` + +This option takes a boolean value which controls whether MaxScale will fully +authenticate users. This option is disabled by default. + +Disabling authentication in MaxScale will allow MaxScale to act as a security +gateway to the server. The authentication of users is offloaded to the backend +server. + +For example, creating the user `jdoe@%` will allow the user _jdoe_ to connect +from any IP address. This can be a problem if all traffic needs to go through +MaxScale. By enabling this option and replacing the user with +`jdoe@maxscale-IP`, the users can still connect from any client IP but will be +forced to go though MaxScale. + +``` +authenticator_options=skip_authentication=true +``` + ### `cache_dir` The location where the user credential cache is stored. The default value 
diff --git a/Documentation/Release-Notes/MaxScale-2.1.0-Release-Notes.md b/Documentation/Release-Notes/MaxScale-2.1.0-Release-Notes.md index 00db1d6cd..c539b49d7 100644 --- a/Documentation/Release-Notes/MaxScale-2.1.0-Release-Notes.md +++ b/Documentation/Release-Notes/MaxScale-2.1.0-Release-Notes.md @@ -104,9 +104,7 @@ following new commands were added to maxadmin, see output of `maxadmin help With these new features, you can start MaxScale without the servers and define them later. -# Module commands - -## Module commands +### Module commands Introduced in MaxScale 2.1, the module commands are special, module-specific commands. They allow the modules to expand beyound the capabilities of the @@ -145,6 +143,13 @@ aimed for two node master-slave clusters where the slave can act as a master in case the original master fails. For more details, please read the [MySQL Monitor Documentation](../Monitors/MySQL-Monitor.md). +### Permissive authentication mode for MySQLAuth + +The MySQL authentication module supports the `skip_authentication` option which +allows authentication to always succedd in MaxScale. This option offloads the +actual authentication to the backend server and it can be used to implement a +secure version of a wildcard user. + ## Bug fixes [Here is a list of bugs fixed since the release of MaxScale 2.0.X.](https://jira.mariadb.org/browse/MXS-739?jql=project%20%3D%20MXS%20AND%20issuetype%20%3D%20Bug%20AND%20resolution%20in%20(Fixed%2C%20Done)%20AND%20fixVersion%20%3D%202.0.0) diff --git a/server/modules/authenticator/MySQLAuth/mysql_auth.c b/server/modules/authenticator/MySQLAuth/mysql_auth.c index 17ade6b30..ee011fd7c 100644 --- a/server/modules/authenticator/MySQLAuth/mysql_auth.c +++ b/server/modules/authenticator/MySQLAuth/mysql_auth.c 
@@ -39,6 +39,7 @@ typedef struct mysql_auth
 {
     char *cache_dir;            /**< Custom cache directory location */
     bool inject_service_user;   /**< Inject the service user into the list of users */
+    bool skip_auth;             /**< Authentication will always be successful */
 } MYSQL_AUTH;
 
 
@@ -144,6 +145,7 @@ static void* mysql_auth_init(char **options)
     bool error = false;
     instance->cache_dir = NULL;
     instance->inject_service_user = true;
+    instance->skip_auth = false;
 
     for (int i = 0; options[i]; i++)
     {
@@ -165,6 +167,10 @@ static void* mysql_auth_init(char **options)
         {
             instance->inject_service_user = config_truth_value(value);
         }
+        else if (strcmp(options[i], "skip_authentication") == 0)
+        {
+            instance->skip_auth = config_truth_value(value);
+        }
         else
         {
             MXS_ERROR("Unknown authenticator option: %s", options[i]);
@@ -248,17 +254,21 @@ mysql_auth_authenticate(DCB *dcb)
             auth_ret = combined_auth_check(dcb, client_data->auth_token, client_data->auth_token_len,
                                            protocol, client_data->user, client_data->client_sha1, client_data->db);
 
+            MYSQL_AUTH *instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
+
             /* On failed authentication try to load user table from backend database */
             /* Success for service_refresh_users returns 0 */
-            if (MXS_AUTH_SUCCEEDED != auth_ret && 0 == service_refresh_users(dcb->service))
+            if (MXS_AUTH_SUCCEEDED != auth_ret && !instance->skip_auth &&
+                0 == service_refresh_users(dcb->service))
             {
                 auth_ret = combined_auth_check(dcb, client_data->auth_token, client_data->auth_token_len,
                                                protocol, client_data->user, client_data->client_sha1, client_data->db);
             }
 
             /* on successful authentication, set user into dcb field */
-            if (MXS_AUTH_SUCCEEDED == auth_ret)
+            if (MXS_AUTH_SUCCEEDED == auth_ret || instance->skip_auth)
             {
+                auth_ret = MXS_AUTH_SUCCEEDED;
                 dcb->user = MXS_STRDUP_A(client_data->user);
                 /** Send an OK packet to the client */
             }
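Review bot: The new `skip_authentication` branch stores the result of config_truth_value straight into the bool `skip_auth`, so a value the parser does not recognise is accepted silently; if config_truth_value reports an unrecognised string with -1, as it does elsewhere in MaxScale to my knowledge, the bool conversion turns a typo such as `skip_authentication=ture` into true, meaning a misconfiguration disables the authentication check rather than failing startup. Because this option relaxes a security control, an unparseable value should be rejected loudly, the way the final `else` already rejects unknown option names. The `inject_service_user` branch just above has the same conversion, but the consequence there is less serious. The `error` flag declared in the earlier hunk of mysql_auth_init looks like the place to report this, assuming it is what makes init return failure; the body of mysql_auth_init continues outside the hunk.
```c
        else if (strcmp(options[i], "skip_authentication") == 0)
        {
            int truth = config_truth_value(value);
            if (truth < 0)
            {
                MXS_ERROR("Invalid value for 'skip_authentication': %s", value);
                error = true;
            }
            else
            {
                instance->skip_auth = truth;
            }
        }
        // … unchanged: final else reporting unknown options …
```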
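Review bot: The `auth_ret = MXS_AUTH_SUCCEEDED;` assignment overwrites a failed combined_auth_check result without leaving any record of it, so when skip_auth is set an operator cannot tell from MaxScale's own logs which client sessions were admitted without local credential verification. One line before the assignment, e.g. `if (MXS_AUTH_SUCCEEDED != auth_ret) MXS_INFO("skip_authentication: accepting user '%s' without local verification", client_data->user);`, gives detection and incident response something to correlate against backend-side failures. The comment `/* on successful authentication, set user into dcb field */` no longer matches the condition and should say that the user is also set when authentication is skipped. `instance` is read through `dcb->listener->auth_instance` with no NULL check, and whether an earlier part of this function already guarantees both pointers is not visible here, since mysql_auth_authenticate starts and ends outside the hunk. With skip_auth set the first combined_auth_check still runs only to have its result discarded, so hoisting the `instance` lookup above it and short-circuiting would save a credential check per connection.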