MXS-1758 Support anonymous user with proxy grant for PAM

This allows using user group mapping with PAM authenticator.
This commit is contained in:
Esa Korhonen
2018-04-19 16:14:32 +03:00
parent 68a89f0a25
commit cb0ac44e1f
3 changed files with 85 additions and 4 deletions

View File

@ -238,14 +238,25 @@ void PamClientSession::get_pam_user_services(const DCB* dcb, const MYSQL_session
") ORDER BY authentication_string;"; ") ORDER BY authentication_string;";
MXS_DEBUG("PAM services search sql: '%s'.", services_query.c_str()); MXS_DEBUG("PAM services search sql: '%s'.", services_query.c_str());
char *err; char *err;
if (sqlite3_exec(m_dbhandle, services_query.c_str(), user_services_cb, if (sqlite3_exec(m_dbhandle, services_query.c_str(), user_services_cb, services_out, &err) != SQLITE_OK)
services_out, &err) != SQLITE_OK)
{ {
MXS_ERROR("Failed to execute query: '%s'", err); MXS_ERROR("Failed to execute query: '%s'", err);
sqlite3_free(err); sqlite3_free(err);
} }
MXS_DEBUG("User '%s' matched %lu rows in %s db.", session->user, MXS_DEBUG("User '%s' matched %lu rows in %s db.", session->user,
services_out->size(), m_instance.m_tablename.c_str()); services_out->size(), m_instance.m_tablename.c_str());
if (services_out->empty())
{
// No service found for user with correct username & password. Check if anonymous user exists.
const string anon_query = string("SELECT authentication_string FROM ") + m_instance.m_tablename +
" WHERE " + FIELD_USER + " = '' AND " + FIELD_HOST + " = '%';";
if (sqlite3_exec(m_dbhandle, anon_query.c_str(), user_services_cb, services_out, &err) != SQLITE_OK)
{
MXS_ERROR("Failed to execute query: '%s'", err);
sqlite3_free(err);
}
}
} }
/** /**

View File

@ -216,8 +216,11 @@ int PamInstance::load_users(SERVICE* service)
row[3] && strcasecmp(row[3], "Y") == 0, row[3] && strcasecmp(row[3], "Y") == 0,
row[4]); row[4]);
} }
rval = MXS_AUTH_LOADUSERS_OK;
mysql_free_result(res); mysql_free_result(res);
if (query_anon_proxy_user(servers->server, mysql))
{
rval = MXS_AUTH_LOADUSERS_OK;
}
} }
} }
mysql_close(mysql); mysql_close(mysql);
@ -287,3 +290,69 @@ json_t* PamInstance::diagnostic_json()
return rval; return rval;
} }
bool PamInstance::query_anon_proxy_user(SERVER* server, MYSQL* conn)
{
bool success = true;
bool anon_user_found = false;
string anon_pam_service;
const char ANON_USER_QUERY[] = "SELECT authentication_string FROM mysql.user WHERE "
"(plugin = 'pam' AND user = '' AND host = '%');";
const char ANON_GRANT_QUERY[] = "SHOW GRANTS FOR ''@'%';";
const char GRANT_PROXY[] = "GRANT PROXY ON";
// Query for the anonymous user which is used with group mappings
if (mysql_query(conn, ANON_USER_QUERY))
{
MXS_ERROR("Failed to query server '%s' for the anonymous PAM user: '%s'.",
server->unique_name, mysql_error(conn));
success = false;
}
else
{
MYSQL_RES *res = mysql_store_result(conn);
if (res)
{
MYSQL_ROW row = mysql_fetch_row(res);
if (row)
{
anon_user_found = true;
if (row[0])
{
anon_pam_service = row[0];
}
}
mysql_free_result(res);
}
if (anon_user_found)
{
// Check that the anon user has a proxy grant
if (mysql_query(conn, ANON_GRANT_QUERY))
{
MXS_ERROR("Failed to query server '%s' for the grants of the anonymous PAM user: '%s'.",
server->unique_name, mysql_error(conn));
success = false;
}
else
{
if ((res = mysql_store_result(conn)))
{
MYSQL_ROW row;
while ((row = mysql_fetch_row(res)))
{
if (row[0] && strncmp(row[0], GRANT_PROXY, sizeof(GRANT_PROXY) - 1) == 0)
{
MXS_NOTICE("Anonymous PAM user with proxy grant found. User account mapping "
"enabled.");
add_pam_user("", "%", NULL, false, anon_pam_service.c_str());
}
}
mysql_free_result(res);
}
}
}
}
return success;
}

View File

@ -36,6 +36,7 @@ private:
void add_pam_user(const char *user, const char *host, const char *db, bool anydb, void add_pam_user(const char *user, const char *host, const char *db, bool anydb,
const char *pam_service); const char *pam_service);
void delete_old_users(); void delete_old_users();
bool query_anon_proxy_user(SERVER* server, MYSQL* conn);
sqlite3 * const m_dbhandle; /**< SQLite3 database handle */ sqlite3 * const m_dbhandle; /**< SQLite3 database handle */
}; };