On Thu, Apr 23, 2015 at 2:42 PM, Felipe Gasper <felipe@felipegasper.com> wrote:
This looks really cool--thank you for posting!
One question: how readily might this be able to support using MariaDB’s own authentication for the user rather than /etc/shadow?
Example:
GRANT USAGE ON *.* TO 'temp_g5fj3s'@'' IDENTIFIED BY 'my_secret';
GRANT PROXY ON 'frank'@'localhost' TO 'temp_g5fj3s'@'';
e.g., I log in as “temp_g5fj3s” using “my_secret”, and MariaDB would then just make that user behave as 'frank'@'localhost'.
I believe that the proxy user functionality in MySQL/MariaDB requires that the authentication plugin change the user name to that of the proxied user:

https://dev.mysql.com/doc/refman/5.5/en/proxy-users.html

As far as I know, MariaDB's default authentication doesn't support this kind of thing. The PAM authentication plugin does.

However, if you are using MariaDB 10.0, you could use roles:

https://mariadb.com/kb/en/mariadb/roles-overview/

What you are trying to do would look like this:

CREATE USER 'temp_g5fj3s'@'%' IDENTIFIED BY 'my_secret';
CREATE ROLE 'frank';
GRANT 'frank' TO 'temp_g5fj3s'@'%';

When 'temp_g5fj3s' logs in, the user would have to do this to inherit frank's privileges:

SET ROLE frank;

Starting in 10.1, the user would also be able to do this to inherit frank's privileges automatically:

SET DEFAULT ROLE frank FOR 'temp_g5fj3s'@'%';

Geoff
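
The role setup from the reply above, as an added example that is not part of the original thread. It goes one step further than the thread by granting privileges to the role (a role carries only what is granted to it) and by checking which role is active; the schema name app_db and the privilege list are assumptions made for illustration.

```sql
-- Added example, not from the original thread.
-- app_db and the privilege list below are constructed placeholders.

-- 1. As an administrator: create the role and give it only the
--    privileges the temporary login is supposed to exercise.
CREATE ROLE 'frank';
GRANT SELECT, INSERT, UPDATE ON app_db.* TO 'frank';

-- 2. Create the temporary login and allow it to enable the role.
--    The login itself holds no object privileges of its own.
CREATE USER 'temp_g5fj3s'@'%' IDENTIFIED BY 'my_secret';
GRANT 'frank' TO 'temp_g5fj3s'@'%';

-- 3. As temp_g5fj3s: the role is inactive until it is enabled.
SELECT CURRENT_USER(), CURRENT_ROLE();
SET ROLE frank;
SELECT CURRENT_USER(), CURRENT_ROLE();

-- SHOW GRANTS now lists the login's own grants plus those of the
-- enabled role, which is the effective privilege set of the session.
SHOW GRANTS;

-- 4. As an administrator: audit which logins can enable the role.
SELECT User, Host, Role, Admin_option
  FROM mysql.roles_mapping
 WHERE Role = 'frank';

-- 5. When the temporary login is no longer needed, remove it.
--    The role and its privileges remain for other grantees.
DROP USER 'temp_g5fj3s'@'%';
```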