hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch '2.3' into develop

Browse Source
This commit is contained in:
Esa Korhonen
2019-01-24 17:00:51 +02:00
parent f559bf3d95 0f26a8bed6
commit efb8dd9c06
3 changed files with 61 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
Documentation/Authenticators/PAM-Authenticator.md
View File

@ -47,6 +47,30 @@ auth required pam_unix.so
account required pam_unix.so account required pam_unix.so
``` ```
## Anonymous user mapping
The MaxScale PAM authenticator supports a limited version of
[user mapping](https://mariadb.com/kb/en/library/user-and-group-mapping-with-pam/).
Anonymous mapping is enabled in MaxScale if the following user exists:
- Empty username and wildcard host (`''@'%'`)
- `plugin = 'pam'`
- Proxy grant is on (The query `SHOW GRANTS FOR ''@'%';` returns `GRANT PROXY ON ...`
When the authenticator detects such a user, anonymous account mapping is enabled.
To verify this, search the MaxScale log for "Anonymous PAM user with proxy grant
found. User account mapping enabled." When mapping is on, the PAM authenticator
does not require client accounts to exist in the `mysql.user`-table received from
the backend. It will simply authenticate the client to the local machine with
the username and password supplied. The PAM service used for authentication is
read from the `authentication_string`-field of the anonymous user. If authentication
was successful, MaxScale then uses the username and password to log to the backends.
Anonymous mapping is only attempted if the client username is not found in the
`mysql.user`-table as explained in [Configuration](#configuration). This means,
that if a user is found and the authentication fails, anonymous authentication
is not attempted even when it could use a different PAM service with a different
outcome.
## Implementation details and limitations ## Implementation details and limitations
The PAM general authentication scheme is difficult for a proxy such as MaxScale. The PAM general authentication scheme is difficult for a proxy such as MaxScale.

31
script/maxscale_generate_support_info.py
View File

@ -88,6 +88,13 @@ def main(argv):
print(format_str.format(file_name)) print(format_str.format(file_name))
output_file.writestr(file_name, contents) output_file.writestr(file_name, contents)
# Run some commands to gather general system info.
contents = get_system_info()
if len(contents) > 0:
file_name = "system_info.txt"
print(format_str.format(file_name))
output_file.writestr(file_name, contents)
output_file.close() output_file.close()
@ -197,5 +204,29 @@ def read_core_file():
return core_file_contents return core_file_contents
def get_system_info():
commands = ["cat /etc/os-release", "lscpu", "cat /proc/meminfo"]
total_output = ""
for command in commands:
try:
output_bytes = subprocess.check_output(command, shell=True, stderr=subprocess.PIPE)
except subprocess.CalledProcessError as e:
# If a command fails, try the next one. It may work.
message = "Error gathering system info: command \"{}\" returned {}".format(
command, e.returncode)
total_output += command + "\n" + message + "\n"
print(message)
except IOError as e:
message = "Error gathering system info: command \"{}\" could not be ran: {}".format(
command, e.strerror)
total_output += command + "\n" + message + "\n"
print(message)
else:
if len(output_bytes) > 0:
total_output += command + "\n" + output_bytes.decode("utf-8") + "\n"
return total_output
if __name__ == "__main__": if __name__ == "__main__":
main(sys.argv) main(sys.argv)

12
server/maxscale.cnf.template
View File

@ -1,10 +1,10 @@
# MaxScale documentation: # MaxScale documentation:
# https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale-22/ # https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale-23/
# Global parameters # Global parameters
# #
# Complete list of configuration options: # Complete list of configuration options:
# https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale-22-mariadb-maxscale-configuration-usage-scenarios/ # https://mariadb.com/kb/en/mariadb-maxscale-23-mariadb-maxscale-configuration-usage-scenarios/
[maxscale] [maxscale]
threads=auto threads=auto
@ -25,7 +25,7 @@ protocol=MariaDBBackend
# #
# This will keep MaxScale aware of the state of the servers. # This will keep MaxScale aware of the state of the servers.
# MariaDB Monitor documentation: # MariaDB Monitor documentation:
# https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale-22-mariadb-monitor/ # https://mariadb.com/kb/en/mariadb-maxscale-23-mariadb-monitor/
[MariaDB-Monitor] [MariaDB-Monitor]
type=monitor type=monitor
@ -42,7 +42,7 @@ monitor_interval=2000
# #
# ReadConnRoute documentation: # ReadConnRoute documentation:
# https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale-22-readconnroute/ # https://mariadb.com/kb/en/mariadb-maxscale-23-readconnroute/
[Read-Only-Service] [Read-Only-Service]
type=service type=service
@ -53,7 +53,7 @@ password=mypwd
router_options=slave router_options=slave
# ReadWriteSplit documentation: # ReadWriteSplit documentation:
# https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale-22-readwritesplit/ # https://mariadb.com/kb/en/mariadb-maxscale-23-readwritesplit/
[Read-Write-Service] [Read-Write-Service]
type=service type=service
@ -64,7 +64,7 @@ password=mypwd
# This service enables the use of the MaxAdmin interface # This service enables the use of the MaxAdmin interface
# MaxScale administration guide: # MaxScale administration guide:
# https://mariadb.com/kb/en/mariadb-enterprise/mariadb-maxscale-22-maxadmin-admin-interface/ # https://mariadb.com/kb/en/mariadb-maxscale-23-maxadmin-admin-interface/
[MaxAdmin-Service] [MaxAdmin-Service]
type=service type=service