An update...
There have been discussions in the background around this. I would have preferred them to be in the public; MariaDB Server development still has things to improve there. But...
Part of the confusion over the plugin was due to documentation issues. This has been slightly improved since then. I will say that I'm more confident that this plugin is the right direction.
That said, the documentation still needs work, and the plugin should still be externally audited. There is work going into making these things happen. There are also some minor things that need to be corrected in code.
The effort to make this the default is also delayed until a lot more testing can be done against third-party connectors to make sure no regressions happen.
That being said, please test (and break if you can) this plugin! We want to make this the best authentication plugin that we can.
Kind Regards
Andrew
On 14/10/2024 15:08, Andrew Hutchings wrote:
Hi all,
There is a new authentication plugin called PARSEC that is set to become the default authentication plugin in MariaDB soon (MDEV-32618 and MDEV-12320).
The current documentation for it can be found here:
https://mariadb.com/kb/en/authentication-plugin-parsec/
I personally think that using a single salt and sending it to the client could be a problem. I do not work in the security industry and the documentation has a few errors in it and pieces missing, so I'm unclear how certain things work.
I think the ext-salt requirements will likely add complications to load balancing scenarios and replication.
This is a request for anyone in the community to please audit this plugin before it becomes the default. Once it is the default, it will be difficult to change it.
Kind Regards
--
Andrew (LinuxJedi) Hutchings
Chief Contributions Officer
MariaDB Foundation