hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
da129025eb25e5d56f314220aa95b060d40e5110
MaxScale/server/modules/authenticator/max_admin_auth.c
Johan Wikman a9b0a5550c Allow socket and address/port to be used with maxadmin 
It's now possible to use both a Unix domain socket and host/port
when connecting with MaxAdmin to MaxScale.

By default MaxAdmin will attempt to use the default Unix domain
socket, but if host and/or port has been specified, then an inet
socket will be used.

maxscaled will authenticate the connection attempt differently
depending on whether a Unix domain socket is used or not. If
a Unix domain socket is used, then the Linux user id will be
used for the authorization, otherwise the 1.4.3 username/password
handshake will be performed.

adminusers has now been extended so that there is one set of
functions for local users (connecting locally over a Unix socket)
and one set of functions for remote users (connecting locally
or remotely over an Inet socket).

The local users are stored in the new .../maxscale-users and the
remote users in .../passwd. That is, the old users of a 1.4
installation will work as such in 2.0.

One difference is that there will be *no* default remote user.
That is, remote users will always have to be added manually using
a local user.

The implementation is shared; the local and remote alternatives
use common functions to which the hashtable and filename to be
used are forwarded.

The commands "[add|remove] user" behave now exactly like they did
in 1.4.3, and also all existing users work out of the box.

In addition there is now the commands "[enable|disable] account"
using which Linux accounts can be enabled for MaxAdmin usage.
2016-09-02 13:47:16 +03:00

182 lines
4.9 KiB
C
Raw Blame History

/*
* Copyright (c) 2016 MariaDB Corporation Ab
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file and at www.mariadb.com/bsl.
*
* Change Date: 2019-01-01
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2 or later of the General
* Public License.
*/
/**
* @file max_admin_auth.c
*
* MaxScale Admin Authentication module for checking of clients credentials
* for access to MaxAdmin. Might be usable for other purposes.
*
* @verbatim
* Revision History
* Date Who Description
* 14/03/2016 Martin Brampton Initial version
* 17/05/2016 Massimiliano Pinto New version authenticates UNIX user
*
* @endverbatim
*/
#include <gw_authenticator.h>
#include <modinfo.h>
#include <dcb.h>
#include <buffer.h>
#include <adminusers.h>
/* @see function load_module in load_utils.c for explanation of the following
* lint directives.
*/
/*lint -e14 */
MODULE_INFO info =
{
MODULE_API_AUTHENTICATOR,
MODULE_GA,
GWAUTHENTICATOR_VERSION,
"The MaxScale Admin client authenticator implementation"
};
/*lint +e14 */
static char *version_str = "V2.0.0";
static int max_admin_auth_set_protocol_data(DCB *dcb, GWBUF *buf);
static bool max_admin_auth_is_client_ssl_capable(DCB *dcb);
static int max_admin_auth_authenticate(DCB *dcb);
static void max_admin_auth_free_client_data(DCB *dcb);
/*
* The "module object" for mysql client authenticator module.
*/
static GWAUTHENTICATOR MyObject =
{
max_admin_auth_set_protocol_data, /* Extract data into structure */
max_admin_auth_is_client_ssl_capable, /* Check if client supports SSL */
max_admin_auth_authenticate, /* Authenticate user credentials */
max_admin_auth_free_client_data, /* Free the client data held in DCB */
};
/**
* Implementation of the mandatory version entry point
*
* @return version string of the module
*/
/* @see function load_module in load_utils.c for explanation of the following
* lint directives.
*/
/*lint -e14 */
char* version()
{
return version_str;
}
/**
* The module initialisation routine, called when the module
* is first loaded.
*/
void ModuleInit()
{
}
/**
* The module entry point routine. It is this routine that
* must populate the structure that is referred to as the
* "module object", this is a structure with the set of
* external entry points for this module.
*
* @return The module object
*/
GWAUTHENTICATOR* GetModuleObject()
{
return &MyObject;
}
/*lint +e14 */
/**
* @brief Authentication of a user/password combination.
*
* The validation is already done, the result is returned.
*
* @param dcb Request handler DCB connected to the client
* @return Authentication status - always 0 to denote success
*/
static int
max_admin_auth_authenticate(DCB *dcb)
{
return (dcb->data != NULL && ((ADMIN_session *)dcb->data)->validated) ? 0 : 1;
}
/**
* @brief Transfer data from the authentication request to the DCB.
*
* Expects a chain of two buffers as the second parameters, with the
* username in the first buffer and the password in the second buffer.
*
* @param dcb Request handler DCB connected to the client
* @param buffer Pointer to pointer to buffers containing data from client
* @return Authentication status - 0 for success, 1 for failure
*/
static int
max_admin_auth_set_protocol_data(DCB *dcb, GWBUF *buf)
{
ADMIN_session *session_data;
max_admin_auth_free_client_data(dcb);
if ((session_data = (ADMIN_session *)calloc(1, sizeof(ADMIN_session))) != NULL)
{
int user_len = (GWBUF_LENGTH(buf) > ADMIN_USER_MAXLEN) ? ADMIN_USER_MAXLEN : GWBUF_LENGTH(buf);
#if defined(SS_DEBUG)
session_data->adminses_chk_top = CHK_NUM_ADMINSES;
session_data->adminses_chk_tail = CHK_NUM_ADMINSES;
#endif
memcpy(session_data->user, GWBUF_DATA(buf), user_len);
session_data->validated = false;
dcb->data = (void *)session_data;
/* Check for existance of the user */
if (admin_linux_account_enabled(session_data->user))
{
session_data->validated = true;
return 0;
}
}
return 1;
}
/**
* @brief Determine whether the client is SSL capable
*
* Always say that client is not SSL capable. Support for SSL is not yet
* available.
*
* @param dcb Request handler DCB connected to the client
* @return Boolean indicating whether client is SSL capable - false
*/
static bool
max_admin_auth_is_client_ssl_capable(DCB *dcb)
{
return false;
}
/**
* @brief Free the client data pointed to by the passed DCB.
*
* The max_admin authenticator uses a simple structure that can be freed with
* a single call to free().
*
* @param dcb Request handler DCB connected to the client
*/
static void
max_admin_auth_free_client_data(DCB *dcb)
{
free(dcb->data);
}
Reference in New Issue View Git Blame Copy Permalink