On Thu, Apr 23, 2015 at 3:17 PM, Felipe Gasper <felipe@felipegasper.com> wrote:
> FWIW, MySQL 5.7 has made mysql_native_password support proxy users:
> https://dev.mysql.com/doc/refman/5.7/en/proxy-users.html
> Is there a feature request for this with MariaDB, I wonder? Would be very, very useful.
Very interesting. I've submitted a feature request for MariaDB here: https://mariadb.atlassian.net/browse/MDEV-8042 Feel free to comment, watch and/or upvote. I'm not a big fan of this bit from the MySQL documentation: "When a single account has been granted proxy privileges on more than one account, the server mapping is nondeterministic. Therefore, granting proxy privileges on multiple accounts to a single account is discouraged." Nondeterministic behavior can be pretty messy. Maybe improving the role system to support more use cases would be better than going down this route?
> And/or, I wonder about rigging up our own PAM authentication for the temp/proxy user …
If you decide to hack together your own solution, maybe you could use our PAM user mapping module as a guide. The source code is linked in the blog post, but I'll link it here as well: https://github.com/MariaDB/server/blob/10.1/plugin/auth_pam/mapper/pam_user_...
> The problem with roles is that they apparently can’t log in; our need is literally to have one user impersonate another. The only way for us to use MariaDB roles as they stand currently would seem to be to retool our entire application so that only roles, not users, have privileges. Given the size of our project that would be quite a change--and probably not feasible given that we’re deployed on commercial servers worldwide.
That makes sense. Judging by the original JIRA issue for role support, separating roles and user accounts into different namespaces was a design decision: https://mariadb.atlassian.net/browse/MDEV-4397 It would be nice to have the flexibility to allow roles to log in (similar to how PostgreSQL roles can be defined with "WITH LOGIN" role attributes), but I'm not sure if MariaDB will get that feature. Maybe submit a feature request to our JIRA?

Thanks,
Geoff
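The two mechanisms the thread compares, side by side, as an added SQL illustration (not code from the thread, from MySQL or from MariaDB); the account, role and database names are invented:

```sql
-- Added illustration; account/role names (support, app_tenant, tenant_rw) are invented.

-- (A) MySQL 5.7: proxy users with mysql_native_password.
-- Needs the 5.7 server variables check_proxy_user and
-- mysql_native_password_proxy_users enabled (my.cnf or at runtime):
SET GLOBAL check_proxy_user = ON;
SET GLOBAL mysql_native_password_proxy_users = ON;

CREATE USER 'app_tenant'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'tenant-secret';
GRANT SELECT, INSERT ON tenant_db.* TO 'app_tenant'@'localhost';

CREATE USER 'support'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'support-secret';
-- Exactly ONE proxied account per proxy user: the documentation quoted in the
-- thread warns that the mapping is nondeterministic when several are granted.
GRANT PROXY ON 'app_tenant'@'localhost' TO 'support'@'localhost';

-- In a session opened as "support": USER() is the authenticated login,
-- CURRENT_USER() is the account whose privileges apply. Record both when
-- auditing impersonated sessions.
SELECT USER(), CURRENT_USER();
-- support@localhost | app_tenant@localhost

-- (B) MariaDB 10.0+: roles. A role has no password and cannot log in, so the
-- privileges live on the role and users are only granted the role.
CREATE ROLE tenant_rw;
GRANT SELECT, INSERT ON tenant_db.* TO tenant_rw;

CREATE USER 'app_tenant'@'localhost' IDENTIFIED BY 'tenant-secret';
CREATE USER 'support'@'localhost'    IDENTIFIED BY 'support-secret';
GRANT tenant_rw TO 'app_tenant'@'localhost';
GRANT tenant_rw TO 'support'@'localhost';
-- MariaDB 10.1+: activate the role automatically for the application user.
SET DEFAULT ROLE tenant_rw FOR 'app_tenant'@'localhost';

-- "support" activates the role explicitly; verify what is actually in effect
-- (CURRENT_ROLE() is NULL until a role is set).
SET ROLE tenant_rw;
SELECT CURRENT_USER(), CURRENT_ROLE();
-- support@localhost | tenant_rw
```

In (A) the connecting login is preserved in USER() even though privileges come from the proxied account, which is the detail that lets impersonated sessions stay attributable in logs; in (B) nothing impersonates anyone, which is the retooling cost Felipe describes.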