On 23 Apr 2015 4:59 PM, Geoff Montee wrote:
On Thu, Apr 23, 2015 at 2:42 PM, Felipe Gasper <felipe@felipegasper.com> wrote:
This looks really cool--thank you for posting!
One question: how readily might this be able to support using MariaDB’s own authentication for the user rather than /etc/shadow?
Example:
GRANT USAGE ON *.* TO 'temp_g5fj3s'@'' IDENTIFIED BY 'my_secret';
GRANT PROXY ON 'frank'@'localhost' TO 'temp_g5fj3s'@'';
e.g., I log in as “temp_g5fj3s” using “my_secret”, and MariaDB would then just make that user behave as 'frank'@'localhost'.
I believe that the proxy user functionality in MySQL/MariaDB requires that the authentication plugin change the user name to that of the proxied user:
FWIW, MySQL 5.7 has made mysql_native_password support proxy users:
https://dev.mysql.com/doc/refman/5.7/en/proxy-users.html

Is there a feature request for this with MariaDB, I wonder? Would be very, very useful.

And/or, I wonder about rigging up our own PAM authentication for the temp/proxy user …
However, if you are using MariaDB 10.0, you could use roles:
The problem with roles is that they apparently can’t log in; our need is literally to have one user impersonate another. The only way for us to use MariaDB roles as they stand currently would seem to be to retool our entire application so that only roles, not users, have privileges. Given the size of our project that would be quite a change--and probably not feasible given that we’re deployed on commercial servers worldwide.

-FG
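
The proxy mapping discussed in this thread, written out as an added example (not code from either poster or from the MySQL or MariaDB projects). It assumes a MySQL 5.7 server, where mysql_native_password can map proxy users as the linked manual page describes, and an administrative session; the account names and password are the ones from the question.

```sql
-- Added example. Assumes MySQL 5.7 and an administrative session.

-- 1. Server-side proxy mapping for the built-in native plugin is off by
--    default; both system variables must be enabled.
SET GLOBAL check_proxy_users = ON;
SET GLOBAL mysql_native_password_proxy_users = ON;

-- 2. Create the temporary login and let it proxy exactly one account.
CREATE USER 'temp_g5fj3s'@''
  IDENTIFIED WITH mysql_native_password BY 'my_secret';
GRANT PROXY ON 'frank'@'localhost' TO 'temp_g5fj3s'@'';

-- 3. Run in a session that logged in as temp_g5fj3s to confirm the mapping.
--    USER()         : the account name the client supplied
--    CURRENT_USER() : the account whose privileges are in effect
--    @@proxy_user   : the proxy account, or NULL if no proxying took place
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- 4. Audit every impersonation right on the server. Each row lets
--    User@Host act as Proxied_user@Proxied_host; a row with an empty
--    Proxied_user covers all accounts, and With_grant = 1 means the
--    holder can hand the PROXY privilege on to others.
SELECT User, Host, Proxied_user, Proxied_host, With_grant, Grantor, Timestamp
FROM mysql.proxies_priv
ORDER BY User, Host;

-- 5. Retire the temporary login once it is no longer needed.
REVOKE PROXY ON 'frank'@'localhost' FROM 'temp_g5fj3s'@'';
DROP USER 'temp_g5fj3s'@'';
```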