Commit Graph

317 Commits

Author SHA1 Message Date
a971aa25da Merge branch '2.1' into 2.2 2017-10-30 11:01:19 +02:00
617abd0d52 Fix read of uninitialized memory when DNS lookup fails
If the DNS lookup fails, the destination string buffer is used as-is and
thus it needs to be initialized to an empty string.
2017-10-04 00:45:05 +03:00
bd39284f9c Merge branch '2.1' into 2.2 2017-10-03 14:30:06 +03:00
67ef7bd058 MXS-1367: Take mxs_mysql_query into use
The use of a wrapper function allows automated retrying of the queries
without requiring any changes to the code that uses it.
2017-10-03 10:57:12 +03:00
895d950da0 Format all source files with Astyle
Formatted all source files Astyle.
2017-09-28 07:04:21 +03:00
016ad77b62 MXS-1457: Inject service credentials if no users are loaded
If the authenticator option is enabled, no users are loaded and no errors
have occurred in the user loading process, the service credentials are
injected.
2017-09-27 20:00:39 +03:00
395b445336 MXS-1457: Ignore removed servers when loading users
When users are loaded, removed or deleted servers are ignored.
2017-09-27 19:28:05 +03:00
2633ad2fe4 Merge branch '2.1' into 2.2 2017-09-26 14:29:14 +03:00
2079bba49c MXS-1451: Calculate password even with skip_authentication=true
The result of the authentication should be ignored but the scramble that
is calculated as a side-effect still needs to be stored. This can be done
by altering the SQL used to get the matching row to only match on the
username, not the network address.

Also expanded the test case to cover the use of bad credentials.
2017-09-25 19:00:44 +03:00
3936c71e11 Add missing includes 2017-09-19 15:46:13 +03:00
3676dcebb1 MXS-1398: Clean up mysql.h header
Cleaned up the MaxScale version of the mysql.h header by removing all
unused includes. This revealed a large amount of dependencies on these
removed includes in other files which needed to be fixed.

Also sorted all includes in changed files by type and alphabetical
order. Removed explicit revision history from modified files.
2017-09-14 15:30:43 +03:00
9f81f0775f MXS-1354: Rename user account type enum
Renamed the enum and its values.
2017-08-18 10:28:21 +03:00
253d6d211f MXS-1354: Allow creation of basic users
The type of the user being created is defined at creation time. This
allows the creation of basic users.

Although the users can be created internally, they cannot yet be created
via maxadmin or the REST API.
2017-08-18 10:28:20 +03:00
af4e852649 MXS-1354: Take refactored users into use
The refactored interface is now in use. The only module that used it
directly was the CDC protocol module. This should probably be changed so
that it uses the adminusers interface instead of the users interface
directly.
2017-08-18 10:28:20 +03:00
2784858495 A few PAM cleanups
Print header found message only if libraries also found.
Change header guards to pragma once.
Check return value of store_client_password().
2017-08-16 13:47:29 +03:00
7ba0533cc8 Authenticator API extract-entrypoint returns bool
Extraction either succeeds or fails, it does not need to return
defined integer values.
2017-08-09 17:28:58 +03:00
ed05d24a9a Move SSL-code in mysql_auth.c and pam_client_session.cc to
a separate function in ssl.cc

Removes some duplicate code.
2017-08-07 12:22:59 +03:00
8ef8ee6600 Add client-to-MaxScale SSL support to PAM authenticator
Only client-side SSL is supported for now.
2017-08-07 12:22:59 +03:00
7488129afc PAM code cleanup & refactor
Divided functionality into classes, fixed comments +
various other cleanup. BackenAuth no longer increments
sequence on sending password. SQLite busy timeout shortened
to 1 second.
2017-08-07 12:22:59 +03:00
f916b74c2e Add first version of PAM authenticator plugin
This includes the client and backend authenticators. Currently,
only a simple password-based scheme with the SQL-client "dialog" plugin
is supported. In this mode, the server sends the first PAM message
with the AuthSwitchRequest packet and the client responds with the
password. No further authentication messages are supported. If the
connection is not encrypted, the password is sent in plaintext. The
client password is used as is for logging in to backends.
2017-08-07 12:22:59 +03:00
f3e98745bd MXS-1313: Fix updating of server character sets
The server character set is now updated every time a connection is created
with mxs_mysql_real_connect.
2017-07-07 14:52:15 +03:00
c94d9c76fb MXS-1249: Take mxs_mysql_set_server_version into use
The function should actually be in include/maxscale/protocol/mysql.h
and the implementation in MySQLCommon, but the monitors do not link
to that yet.

All MySQL related should be moved to MySQLCommon and the core
refactored so that no MySQL knowledge is needed there.
2017-06-21 13:28:59 +03:00
3e39ec906e Change server version from char pointer to char array
With this change, it is no longer possible that the server version
is deallocated at the very moment it is read. There is still a race,
but it's mostly harmless.
2017-06-19 14:05:26 +03:00
45afbda100 Add descriptions to module commands
Each module command has to describe what it does. This should make module
commands self-documenting to some degree.
2017-06-12 10:08:25 +03:00
b3c1e15f22 MXS-1220: Add output for module commands
The module commands can now produce JSON formatted output which is passed
to the caller. The output should conform to the JSON API as closely as
possible.

Currently, the REST API wraps all JSON produced by module commands inside
a meta-object of the following type:

  {
    "meta": <output of module command>
  }

This allows the output to be JSON API conformant without modifying the
modules and allows incremental updates to code.
2017-06-12 10:08:25 +03:00
ba546fcd21 MXS-1220: Add execution of module commands to REST API
The module command self links now point to an endpoint that executes the
module command. Depending on the type of the module command, either a GET
or a POST request must be made.
2017-06-02 12:52:33 +03:00
f546a17e77 Update change date of 2.2 2017-06-01 10:24:20 +03:00
b1294f083c MXS-1220: Add old diagnostic interface for monitors and authenticators
Added back the old diagnostic entry point in the monitor and authenticator
interfaces.
2017-05-04 09:14:04 +03:00
076599ee5e MXS-1220: Make the parameters of the diagnostic entry points const
The diagnostic entry points should not modify the state of the object
being diagnosed.
2017-05-04 09:14:03 +03:00
bc3cfe0221 MXS-1220: Fix memory leaks
Some of the JSON objects created in the diagnostic functions leaked
memory.
2017-05-04 09:14:03 +03:00
4804c975ad MXS-1220: Implement JSON diagnostics entry point in autheticators
All autheticators now implement the JSON version of the diagnostics
function.
2017-05-04 09:12:15 +03:00
ad1c05b015 Merge branch '2.1' into develop 2017-04-05 11:35:13 +03:00
872f69b681 Also check IPv6 mapped IPv4 addresses as IPv4
If a client connects from an IPv4 address, but the listener listens on an
IPv6 address, the client IP will be a IPv6 mapped IPv4 address
e.g. ::ffff:127.0.0.1. A grant for an IPv4 address should still match an
IPv6 mapped IPv4 address.
2017-04-04 15:28:39 +03:00
9f14f3659f Only check user permissions on startup
When users were loaded, the permissions for the service user were
checked. The conditional that makes sure the check is executed only at
startup was checking the listener's users instead of the SQLite handle
which caused all reloads of users to check the permissions.
2017-04-04 15:28:39 +03:00
cbc1e864d9 Use RFC 3986 compliant addresses in log messages
When log messages are written with both address and port information, IPv6
addresses can cause confusion if the normal address:port formatting is
used. The RFC 3986 suggests that all IPv6 addresses are expressed as a
bracket enclosed address optionally followed by the port that is separate
from the address by a colon.

In practice, the "all interfaces" address and port number 3306 can be
written in IPv4 numbers-and-dots notation as 0.0.0.0:3306 and in IPv6
notation as [::]:3306. Using the latter format in log messages keeps the
output consistent with all types of addresses.

The details of the standard can be found at the following addresses:

     https://www.ietf.org/rfc/rfc3986.txt

     https://www.rfc-editor.org/std/std66.txt
2017-03-31 14:12:58 +03:00
b458b63756 Use IPv6 for created listeners
When listeners are created, use the default values of [::]:3306.
2017-03-29 17:14:39 +03:00
7bd05d4581 Merge branch '2.1' into develop 2017-03-22 15:20:21 +02:00
ab4c738c3c MXS-1167: Skip loading of users for internal services at startup
When MaxScale is being started and the users are loaded, the MySQL
authenticator should not load the database users for internal services
abstracted as servers.

The loading of users at startup for internal services is avoided because
the startup is done in a single thread context and the internal services
have not yet been started.

The delayed loading of users will cause the authentication to fail when
the first client connect. This triggers the reloading of the users and the
second attempt at authentication will succeed. All of this is hidden from
the end user.
2017-03-20 12:16:29 +02:00
0b5d164855 MXS-1167: Skip permission checks for internal services
If a server points to a local MaxScale listener, the permission checks for
that server are skipped. This allows permission checks to be used with a
mix of external servers and internal services.
2017-03-20 11:10:55 +02:00
039f6e3487 Take static module capabilities into use
The static module capabilities are now used to query the capabilities of
filters and routers. The new RCAP_TYPE_NOAUTH capability is also taken
into use. These changes removes the need for the `is_internal_service`
function.
2017-03-20 11:10:08 +02:00
1736aca7f7 Add module level static capabilities
The static capabilities declared in getCapabilities allows certain
capabilities to be queried before instances are created. The intended use
of this capability is to remove the need for the `is_internal_service`
function.
2017-03-20 11:10:08 +02:00
9efcea4cec Fix false error message
The error message for failure to connect to any server was always logged
when the schemarouter was used.
2017-03-15 09:11:18 +02:00
d19e5b376d MXS-1032: Add configurable connector plugin directory
The connector plugin directory can now be controlled with the
`connector_plugindir` argument and configuration option. This should allow
the connector to use the system plugins if the versions are binary
compatible.

Replaced calls to mysql_options to mysql_optionsv as the former is
deprecated in Connector-C 3.0 and the latter is supported in Connector-C
2.3.
2017-03-15 09:11:18 +02:00
8c7618035b Merge branch '2.1' into develop 2017-03-14 10:45:25 +02:00
4d561c5f6a Detect password usage based on token length
The client protocol module can resolve whether a password was used based
on the information the authenticators gather before authentication is
done. It uses the authentication token length as the basis on which it
makes the decision.
2017-03-13 19:42:38 +02:00
147a1f88eb Merge branch '2.1-ipv6' into develop 2017-03-13 13:18:08 +02:00
9c325104b7 Use correct size for snprintf
The mysql authenticator used the size of the pointer for the snprintf size
parameter instead of the actual size of the destination buffer.
2017-03-13 10:45:56 +02:00
086650bb4d Fix loading of users from multiple servers
The users were deleted before each individual server was queried. This
caused authentication to fail if the authentication data was loaded from
multiple servers.
2017-03-13 10:45:56 +02:00
7bc47fd5a4 Return the localhost_match_wildcard_host warning
When a local address is used which could match the wildcard host, a
warning is again logged.
2017-03-13 10:45:56 +02:00
ea55667096 Add back the missing netmask handling code
The netmask code was mistakenly removed when the authentication was moved
to the SQLite based system.
2017-03-13 10:45:56 +02:00