The authenticators should have a similar way to print diagnostic
information as filter and routers do. This allows the authenticators to
print the users in their own format.
In the future, all the diagnostic entry points should be changed so that
they return a structure that contains the information in a standard
form. This information can then be formatted in different ways by other
modules.
MariaDB and others match grants first by exact hostname/IP and then by
wildcard. If there are no exact matches, the wildcard grant should be
picked. This can be tested by having different passwords for localhost and
remote address.
The SQLite based authentication should first check for an exact match and
then only after that should it try to match the hostname to a wildcard
grant.
The get_users function now combines the functionality of the old get_users
and get_all_users. This removes large parts of similar code.
Removed the listener resources as MySQLAuth was the only one that used it.
The user data is now stored inside a SQLite3 database. By storing the data
inside a database, we remove the restriction that the previous hashtable
based implementation had.
Currently the only situation where a user needs to be authenticated after
the initial authentication is when a COM_CHANGE_USER is being
executed. This was previously handled by directly calling a function in
the MySQLAuth authenticator.
The new entry in the API of the authenticators is very specific to MySQL
and should be reviewed once other protocols are added.
Moved some typedefs to router.h and server.h, changed a few
constants to these enums. Renamed some types in config.h to
remove "Gateway".
There are still some functions in the public header which are
only used in core, but they seem to fit the theme of public functions
so were not moved.
MXS-391. The user hosts in the SQL backends can now contain wildcard
addresses (e.g.basicuser@%.com or someuser@myhost_.org). Authenticating
these types of users is rather heavy since it requires looking
up the client host name.
All modules now declare a name for the module. This is name is added as a
prefix to all messages logged by a module. The prefix should help
determine which part of the system logs a message.
Previously, these were discarded. This patch adds a function to
"merge" the mask to the ip so that it's in the form which
normalize_hostname expects (using % as wildcard). Only simple masks
with 255:s and 0:s are accepted. Any other combinations may leave
the hostname in a garbled state which will cause it to be discarded
later.
MaxScale can now start without any defined monitors. This allows the core
services to be configured beforehand. With the changes to dynamic
modifications to servers, automatic scaling of slaves is possible.
Doing the checksum matching after memory is allocated and all the work is
done is not very efficient. A simpler solution is to always replace the
users when we reload them.
Replacing the users every time the service users are reloaded will not
cause a degradation in performance because the previous implementation
already does all the extra work but then just discards it.
A faster solution would be to first query the server and request some sort
of a checksum based on the result set the users query would
create. Currently, this can be done inside a stored procedure but it is
not very convenient for the average user. Another option would be to
generate a long string with GROUP_CONCAT but it is highly likely that some
internal buffer limit is hit before the complete value is calculated.
The dbusers.c was a MySQL protocol specific file which was used directly
by some of the modules.
Added a new return value for the loadusers authenticator entry point which
allows fatal failures to occur when users are loaded. Currently this is
only taken into notice when the service is first started. If a listener
later returns a fatal error, it is only logged but the service stays in
operation.
Moved the MySQLAuth authenticator sources and the tests that relate to
this module into a subdirectory in the authenticator
directory. Eventually, all authenticators could have a subdirectory of
their own.
