Commit Graph

111 Commits

Author SHA1 Message Date
521cce7c17 Refresh users on failed reauthentication
If the reauthentication of a client that is performing a COM_CHANGE_USER
fails, the users need to be reloaded. Without the reloading, the
reauthentication will fail if new users were added after the last loading
of users.
2018-05-15 10:15:32 +03:00
ec4569497e Merge branch '2.1' into 2.2 2018-05-14 10:14:16 +03:00
7d784001df MXS-1628: Respond with correct error to malformed packets
If the client sent a malformed authentication response packet, MaxScale
would interpret that as failed authentication.
2018-05-10 22:24:39 +03:00
2bdac88b0b MXS-1738 Copy AF_UNIX data from listener to client dcb
We need to copy some data from an AF_UNIX based listener dcb
to the accepted client dcb, to prevent an assertion violation in
dcb_get_port(). Further, to be able to log the path in the case
of an authentication error we need to copy that as well.
2018-03-26 10:06:42 +03:00
39dff20a0a Use correct callback function in MySQLAuth
The JSON diagnostics function used the non-JSON version of the callback.
2018-03-20 13:07:27 +02:00
633b08ed0d MXS-1717 Show which listener users are coming from
Earlier, if a service had multiple listeners you would have had

   MaxScale> show dbusers MyService
   User names: alice@% ...
   User names: bob@% ...

That is, no indication of which listener is reporting what. With
this commit the result will be

   User names (MyListener1): alice@% ...
   User names (MyListener2): bob@% ...

Further, the diagnostics function of an authenticator is now expected
to write the list of users to the provided DCB, without performing any
other formatting. The formatting (printing "User names" and appending
a line-feed) is now handled by the handler for the MaxAdmin command
"show dbusers".
2018-03-13 10:25:42 +02:00
8bfb4f231a Merge branch '2.1' into 2.2 2018-03-06 10:38:01 +02:00
f066ba8753 MXS-1693: Accept 'mysql_native_password' as plugin name
When the authenticator loads users, it should also accept users who have
explicitly defined 'mysql_native_password' as their authentication plugin.
2018-03-05 13:58:09 +02:00
e5934dfb11 Expand SHOW DATABASES warning message
The message now states the implications of missing permissions. If the
MaxScale user does not have the permissions to view all databases, it will
only see its own databases.
2018-03-05 13:58:09 +02:00
39d3c42c94 Merge branch '2.1' into 2.2 2018-03-01 17:52:42 +02:00
03eb30fbc6 Check SHOW DATABASES privilege on startup
MySQLAuth requires the SHOW DATABASES privilege to see all the databases
so it should be checked that the current user has the permission. A
missing permission will cause errors that are hard to resolve.
2018-02-22 10:06:29 +02:00
e346968e0e Merge branch '2.1' into 2.2 2018-02-10 08:28:11 +02:00
816983691a MXS-1660 Turn client hostname lookup failure into a warning
This is used only in case everything else fails and this lookup
is not unlikely to fail if the client comes from some machine on
an internal network.
2018-02-09 12:03:13 +02:00
3dfb972d87 Merge branch '2.1' into 2.2 2018-01-30 16:28:11 +02:00
6410b4f19a MXS-1633 Turn off collecting of sqlite3 memstats
According to customer reports collecting the statistics has a significant
impact on the performance. As we don't need that information we can just
as well turn it off.

Further, since maxscale-common now links to the sqlite3-library, no
module needs to do that explicitly.
2018-01-30 13:58:37 +02:00
6068850b18 MXS-1627: Only load users that use default auth plugin
The list of users that is used for authentication should only consist of
users that do not use an explicit authentication plugin. This way
authentication fails before any connections to the backend servers are
done.
2018-01-29 13:10:19 +02:00
05402208a5 Merge branch '2.1' into 2.2 2018-01-19 11:47:13 +02:00
5273cbada6 MXS-1600: Add case-insensitive matching to MySQLAuth
The authenticator now supports similar identifier matching as the MariaDB
server. The lower_case_table_names parameter explains its intended use
(case-insensitive identifier matching):
https://mariadb.com/kb/en/library/server-system-variables/#lower_case_table_names
2018-01-16 13:51:22 +02:00
224f918845 MXS-1592 Make all modules lowercase
Make all modules lowercase and make module loading case
insensitive. Further, make command invocation case insensitive,
as far as the module name is concerned.
2018-01-03 14:57:18 +02:00
8d15256d70 MXS-1539: Add asynchronous authenticator capability
The new ACAP_TYPE_ASYNC capability allows the authenticator to tell the
core that all entry points for it support asynchronous usage.
2018-01-03 08:56:41 +02:00
0f015e6341 Don't log errors for unknown hostnames
When a client connects to MaxScale and authentication fails, an error
about hostname resolution is logged. This happens because the
authentication first tries to resolve the address as an IP address, then
an IPv6-mapped-IPv4 address and finally as a hostname. If users have not
been loaded, the authentication is guaranteed to fail on the first attempt
due to the lazy loading of users.
2017-12-21 10:48:08 +02:00
2008d08cfc Add hostname to lookup error message
This should help detect what is the hostname that causes the problem.
2017-12-21 10:48:06 +02:00
eda700e785 Don't use sqlite3_errstr
The function is not defined in older versions.
2017-12-05 13:49:00 +02:00
c03ce7ac7f Use correct database name for SQLite
The :memory: database was misspelled as :memory without the trailing
colon. This caused an actual on-disk database to be created instead of an
in-memory one.
2017-12-05 09:43:06 +02:00
4194c1c558 MXS-1539: Preliminary implementation of thread-local user cache
The thread-local user cache removes most of the cross-thread communication
from the user authentication at the cost of increased memory use and extra
network usage when users are loaded.
2017-12-05 09:43:05 +02:00
513220805b MXS-1539: Remove useless handles
The client handle was never used.
2017-12-05 09:43:05 +02:00
a971aa25da Merge branch '2.1' into 2.2 2017-10-30 11:01:19 +02:00
617abd0d52 Fix read of uninitialized memory when DNS lookup fails
If the DNS lookup fails, the destination string buffer is used as-is and
thus it needs to be initialized to an empty string.
2017-10-04 00:45:05 +03:00
bd39284f9c Merge branch '2.1' into 2.2 2017-10-03 14:30:06 +03:00
67ef7bd058 MXS-1367: Take mxs_mysql_query into use
The use of a wrapper function allows automated retrying of the queries
without requiring any changes to the code that uses it.
2017-10-03 10:57:12 +03:00
895d950da0 Format all source files with Astyle
Formatted all source files with Astyle.
2017-09-28 07:04:21 +03:00
016ad77b62 MXS-1457: Inject service credentials if no users are loaded
If the authenticator option is enabled, no users are loaded and no errors
have occurred in the user loading process, the service credentials are
injected.
2017-09-27 20:00:39 +03:00
395b445336 MXS-1457: Ignore removed servers when loading users
When users are loaded, removed or deleted servers are ignored.
2017-09-27 19:28:05 +03:00
2633ad2fe4 Merge branch '2.1' into 2.2 2017-09-26 14:29:14 +03:00
2079bba49c MXS-1451: Calculate password even with skip_authentication=true
The result of the authentication should be ignored but the scramble that
is calculated as a side-effect still needs to be stored. This can be done
by altering the SQL used to get the matching row to only match on the
username, not the network address.

Also expanded the test case to cover the use of bad credentials.
2017-09-25 19:00:44 +03:00
3676dcebb1 MXS-1398: Clean up mysql.h header
Cleaned up the MaxScale version of the mysql.h header by removing all
unused includes. This revealed a large amount of dependencies on these
removed includes in other files which needed to be fixed.

Also sorted all includes in changed files by type and alphabetical
order. Removed explicit revision history from modified files.
2017-09-14 15:30:43 +03:00
7ba0533cc8 Authenticator API extract-entrypoint returns bool
Extraction either succeeds or fails, it does not need to return
defined integer values.
2017-08-09 17:28:58 +03:00
ed05d24a9a Move SSL-code in mysql_auth.c and pam_client_session.cc to a separate function in ssl.cc

Removes some duplicate code.
2017-08-07 12:22:59 +03:00
f3e98745bd MXS-1313: Fix updating of server character sets
The server character set is now updated every time a connection is created
with mxs_mysql_real_connect.
2017-07-07 14:52:15 +03:00
c94d9c76fb MXS-1249: Take mxs_mysql_set_server_version into use
The function should actually be in include/maxscale/protocol/mysql.h
and the implementation in MySQLCommon, but the monitors do not link
to that yet.

All MySQL related should be moved to MySQLCommon and the core
refactored so that no MySQL knowledge is needed there.
2017-06-21 13:28:59 +03:00
3e39ec906e Change server version from char pointer to char array
With this change, it is no longer possible that the server version
is deallocated at the very moment it is read. There is still a race,
but it's mostly harmless.
2017-06-19 14:05:26 +03:00
f546a17e77 Update change date of 2.2 2017-06-01 10:24:20 +03:00
b1294f083c MXS-1220: Add old diagnostic interface for monitors and authenticators
Added back the old diagnostic entry point in the monitor and authenticator
interfaces.
2017-05-04 09:14:04 +03:00
076599ee5e MXS-1220: Make the parameters of the diagnostic entry points const
The diagnostic entry points should not modify the state of the object
being diagnosed.
2017-05-04 09:14:03 +03:00
bc3cfe0221 MXS-1220: Fix memory leaks
Some of the JSON objects created in the diagnostic functions leaked
memory.
2017-05-04 09:14:03 +03:00
4804c975ad MXS-1220: Implement JSON diagnostics entry point in authenticators
All authenticators now implement the JSON version of the diagnostics
function.
2017-05-04 09:12:15 +03:00
ad1c05b015 Merge branch '2.1' into develop 2017-04-05 11:35:13 +03:00
872f69b681 Also check IPv6 mapped IPv4 addresses as IPv4
If a client connects from an IPv4 address, but the listener listens on an
IPv6 address, the client IP will be an IPv6 mapped IPv4 address
e.g. ::ffff:127.0.0.1. A grant for an IPv4 address should still match an
IPv6 mapped IPv4 address.
2017-04-04 15:28:39 +03:00
9f14f3659f Only check user permissions on startup
When users were loaded, the permissions for the service user were
checked. The conditional that makes sure the check is executed only at
startup was checking the listener's users instead of the SQLite handle
which caused all reloads of users to check the permissions.
2017-04-04 15:28:39 +03:00
cbc1e864d9 Use RFC 3986 compliant addresses in log messages
When log messages are written with both address and port information, IPv6
addresses can cause confusion if the normal address:port formatting is
used. The RFC 3986 suggests that all IPv6 addresses are expressed as a
bracket enclosed address optionally followed by the port that is separated
from the address by a colon.

In practice, the "all interfaces" address and port number 3306 can be
written in IPv4 numbers-and-dots notation as 0.0.0.0:3306 and in IPv6
notation as [::]:3306. Using the latter format in log messages keeps the
output consistent with all types of addresses.

The details of the standard can be found at the following addresses:

     https://www.ietf.org/rfc/rfc3986.txt

     https://www.rfc-editor.org/std/std66.txt
2017-03-31 14:12:58 +03:00