Re: [Maria-developers] [GSoC] Kerberize MariaDB -- some unclear point about the project
Hi wlad,
Thank you for your concern.
> Create user 'foo@bar'@localhost creates user foo@bar, on localhost.
> create user that is identified with name and domain and can connect from any computer
I admit that I misunderstood the usage of User@Host in MariaDB.
I thought the User and Host fields in MariaDB are in the same place as those in a Kerberos principal, i.e. if my MariaDB login name is qiush@sjtu.edu.cn, then my Kerberos principal will be qiush@sjtu.edu.cn/CHINA, where the MariaDB login name is part of the Kerberos principal. (If that is the case, the realm part is omitted in MariaDB, and we should find another way to figure it out. That's what I argued in my previous email.)
From your reply, it seems qiush@sjtu.edu.cn/CHINA@sjtu.edu.cn, the bold part is MariaDB User and italic part Host, can be a valid login name in our project.
I suddenly realise the Host in the MariaDB login name will constrain the user's login place. It's much clearer now.
> Re realm, I do not know this much but 'shuang@uni.shanghai.edu/REALM' also does not look too weird to me.
To me, either :).
> Or perhaps I miss something still? Can you elaborate?
No, you're right. I confused these two names.
Thank you for your hints!
Sincerely,
Shuang
On Jun 20, 2013, at 2:22 AM, Vladislav Vaintroub <wlad@montyprogram.com> wrote:
From: QIU Shuang [mailto:qiush.summer@gmail.com] Sent: Mittwoch, 19. Juni 2013 19:52 To: Vladislav Vaintroub Subject: Re: [Maria-developers] [GSoC] Kerberize MariaDB -- some unclear point about the project
Hi Shuang,
Trying to make a nicer name, for example by removing domain part could introduce some ambiguity here and different Kerberos users to login as the same. I think so. But per my knowledge, the fully qualified name in MariaDB is username@hostname. What about the realm/domain part? I think this may be a gap between MariaDB and Kerberos.
Maybe I oversee something, but I do not really see any contradiction here. Do you mean that @ is special character should not be used in usernames? It actually can, it just must be properly escaped. Create user 'foo@bar'@localhost creates user foo@bar, on localhost. Hypothetical CREATE USER 'shuang@uni.shanghai.edu' @'%' IDENTIFIED WITH 'Kerberos'
will create user that is identified with name and domain and can connect from any computer (due to use of wildcard for computername part, this wildcard can be omitted). Re realm, I do not know this much but 'shuang@uni.shanghai.edu/REALM' also does not look too weird to me.
Or perhaps I miss something still? Can you elaborate?
Wlad
Hi Wlad,
After thinking it over again, the maximum login name length in MariaDB, which is only 16 characters by default the same as in MySQL. I find this https://mariadb.atlassian.net/browse/MDEV-4332 in JIRA. Will the long username be well supported in subsequent releases?
A valid GNU/Linux username is a 32 character string (see useradd(8) man page). And a valid Kerberos principal name length is in between 1 and 256 inclusively. (see http://pic.dhe.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/addkrbt..., I didn't find an official document) If we put a whole valid Kerberos principal name, I think it may cause problem someday for the unmatched name length.
Do you think the username length is a big constraint? Let me know your thoughts. Thanks!
Sincerely,
Shuang
On Jun 21, 2013, at 9:58 AM, QIU Shuang <qiush.summer@gmail.com> wrote:
Hi wlad,
Thank you for your concern.
> Create user 'foo@bar'@localhost creates user foo@bar, on localhost.
> create user that is identified with name and domain and can connect from any computer
I admit that I misunderstood the usage of User@Host in MariaDB.
I thought the User and Host fields in MariaDB are in the same place as those in a Kerberos principal, i.e. if my MariaDB login name is qiush@sjtu.edu.cn, then my Kerberos principal will be qiush@sjtu.edu.cn/CHINA, where the MariaDB login name is part of the Kerberos principal. (If that is the case, the realm part is omitted in MariaDB, and we should find another way to figure it out. That's what I argued in my previous email.)
From your reply, it seems qiush@sjtu.edu.cn/CHINA@sjtu.edu.cn, the bold part is MariaDB User and italic part Host, can be a valid login name in our project.
I suddenly realise the Host in the MariaDB login name will constrain the user's login place. It's much clearer now.
> Re realm, I do not know this much but 'shuang@uni.shanghai.edu/REALM' also does not look too weird to me.
To me, either :).
> Or perhaps I miss something still? Can you elaborate?
No, you're right. I confused these two names.
Thank you for your hints!
Sincerely,
Shuang
On Jun 20, 2013, at 2:22 AM, Vladislav Vaintroub <wlad@montyprogram.com> wrote:
From: QIU Shuang [mailto:qiush.summer@gmail.com] Sent: Mittwoch, 19. Juni 2013 19:52 To: Vladislav Vaintroub Subject: Re: [Maria-developers] [GSoC] Kerberize MariaDB -- some unclear point about the project
Hi Shuang,
Trying to make a nicer name, for example by removing domain part could introduce some ambiguity here and different Kerberos users to login as the same. I think so. But per my knowledge, the fully qualified name in MariaDB is username@hostname. What about the realm/domain part? I think this may be a gap between MariaDB and Kerberos.
Maybe I oversee something, but I do not really see any contradiction here. Do you mean that @ is special character should not be used in usernames? It actually can, it just must be properly escaped. Create user 'foo@bar'@localhost creates user foo@bar, on localhost. Hypothetical CREATE USER 'shuang@uni.shanghai.edu' @'%' IDENTIFIED WITH 'Kerberos'
will create user that is identified with name and domain and can connect from any computer (due to use of wildcard for computername part, this wildcard can be omitted). Re realm, I do not know this much but 'shuang@uni.shanghai.edu/REALM' also does not look too weird to me.
Or perhaps I miss something still? Can you elaborate?
Wlad
Hi, QIU!
On Jun 21, QIU Shuang wrote:
> Hi Wlad,
> After thinking it over again, the maximum login name length in MariaDB, which is only 16 characters by default the same as in MySQL. I find this https://mariadb.atlassian.net/browse/MDEV-4332 in JIRA. Will the long username be well supported in subsequent releases?
As you can see, this MDEV-4332 is already marked as "Fixed", with the "Fix Version/s: 5.5.31". So this is already supported in the 5.5.31 release. But note that - see the task description - you need to change system tables manually to enjoy longer user names.
> A valid GNU/Linux username is a 32 character string (see useradd(8) man page). And a valid Kerberos principal name length is in between 1 and 256 inclusively. (see http://pic.dhe.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/addkrbt..., I didn't find an official document) If we put a whole valid Kerberos principal name, I think it may cause problem someday for the unmatched name length.
Right. Currently (starting from 5.5.31) the code supports up to 512 bytes long usernames. But practically the limit is 80 characters, then we hit a max index length limit in MyISAM.
Regards,
Sergei
I think a valid way to handle long names would be to allow the full Kerberos name after the AS keyword:
CREATE USER shortname IDENTIFIED WITH Kerberos AS "full@principal/NAME"
If "AS" is omitted, then we can assume the Kerberos name is the same as shortname? Serg, would this work?
Wlad
-----Original Message----- From: Sergei Golubchik [mailto:serg@mariadb.org] Sent: Freitag, 21. Juni 2013 10:39 To: QIU Shuang Cc: Vladislav Vaintroub; maria-developers@lists.launchpad.net Subject: Re: [Maria-developers] [GSoC] Kerberize MariaDB -- some unclear point about the project
Hi, QIU!
On Jun 21, QIU Shuang wrote:
Hi Wlad,
After thinking it over again, the maximum login name length in MariaDB, which is only 16 characters by default the same as in MySQL. I find this https://mariadb.atlassian.net/browse/MDEV-4332 in JIRA. Will the long username be well supported in subsequent releases?
As you can see, this MDEV-4332 is already marked as "Fixed", with the "Fix Version/s: 5.5.31".
So this is already supported in the 5.5.31 release.
But note that - see the task description - you need to change system tables manually to enjoy longer user names.
A valid GNU/Linux username is a 32 character string (see useradd(8) man page). And a valid Kerberos principal name length is in between 1 and 256 inclusively. (see http://pic.dhe.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/addkrbtkt.htm, I didn't find an official document)
If we put a whole valid Kerberos principal name, I think it may cause problem someday for the unmatched name length.
Right. Currently (starting from 5.5.31) the code supports up to 512 bytes long usernames. But practically the limit is 80 characters, then we hit a max index length limit in MyISAM.
Regards, Sergei
Hi Sergei,
Thanks for your reply. After discussing with Wlad, we think it proper to use a short name as login name and enclose the full principal name in the AS clause. This will bypass the login name constraint in MariaDB.
Thank you very much!
Sincerely,
Shuang
On Jun 21, 2013, at 4:39 PM, Sergei Golubchik <serg@mariadb.org> wrote:
Hi, QIU!
On Jun 21, QIU Shuang wrote:
Hi Wlad,
After thinking it over again, the maximum login name length in MariaDB, which is only 16 characters by default the same as in MySQL. I find this https://mariadb.atlassian.net/browse/MDEV-4332 in JIRA. Will the long username be well supported in subsequent releases?
As you can see, this MDEV-4332 is already marked as "Fixed", with the "Fix Version/s: 5.5.31".
So this is already supported in the 5.5.31 release.
But note that - see the task description - you need to change system tables manually to enjoy longer user names.
A valid GNU/Linux username is a 32 character string (see useradd(8) man page). And a valid Kerberos principal name length is in between 1 and 256 inclusively. (see http://pic.dhe.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/cl/addkrbt..., I didn't find an official document) If we put a whole valid Kerberos principal name, I think it may cause problem someday for the unmatched name length.
Right. Currently (starting from 5.5.31) the code supports up to 512 bytes long usernames. But practically the limit is 80 characters, then we hit a max index length limit in MyISAM.
Regards, Sergei
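
Added example, not part of the thread and not MariaDB code: a sketch of the mapping the thread settles on (short login name, full principal in the AS clause, login name used when AS is omitted), next to the realm-stripping shortcut that would let different Kerberos users log in as the same account. The `Account` class, the function names and the sample principals are hypothetical and constructed for illustration; the length limits are the figures quoted in the thread.

```python
from dataclasses import dataclass
from typing import Optional

MAX_USER_CHARS = 80        # practical user-name limit quoted in the thread
MAX_PRINCIPAL_CHARS = 256  # principal length bound quoted in the thread


@dataclass(frozen=True)
class Account:
    """Hypothetical stand-in for one account row; not MariaDB's schema."""
    user: str                           # short login name
    host: str                           # where the client may connect from
    auth_string: Optional[str] = None   # text of the proposed AS clause


def expected_principal(acct: Account) -> str:
    """AS clause if present, otherwise the login name itself (the proposal)."""
    if len(acct.user) > MAX_USER_CHARS:
        raise ValueError("login name exceeds the practical 80-character limit")
    principal = acct.auth_string or acct.user
    if not 1 <= len(principal) <= MAX_PRINCIPAL_CHARS:
        raise ValueError("principal length must be between 1 and 256")
    return principal


def authorize(acct: Account, authenticated: str) -> bool:
    """Accept only an exact, case-sensitive match on the full principal."""
    return authenticated == expected_principal(acct)


def strip_realm(principal: str) -> str:
    """The 'nicer name' shortcut the thread warns against."""
    return principal.rsplit("@", 1)[0]


# Constructed sample principals: same primary, different realms.
ALICE_A = "alice@UNI.EXAMPLE"
ALICE_B = "alice@OTHER.EXAMPLE"

if __name__ == "__main__":
    acct = Account(user="alice", host="%", auth_string=ALICE_A)
    print(strip_realm(ALICE_A) == strip_realm(ALICE_B))  # shortcut collides
    print(authorize(acct, ALICE_A), authorize(acct, ALICE_B))
```

Comparing the whole principal, realm included, is what keeps the short login name from becoming the identity: the account row only names who may use it.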