MariaDB Server
MDEV-4691

Kerberize MariaDB -- add Kerberos authentication support to MariaDB

    Details

    • Type: Task
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Fix Version/s: 10.1.10
    • Component/s: Plugins
    • Sprint: 10.2.0-1, 10.1.10, 10.2.0-2

      Description

      This task identifies TODOs to add Kerberos authentication support to MariaDB.

      Kerberos is a standardised network authentication protocol that provides mutual authentication between users and network services. Many commercial relational database management systems already support Kerberos authentication natively. The goal of this project is to add cross-platform Kerberos authentication support to MariaDB.

      User Scenario

      This section gives a typical use case.
      Suppose user Adam wants to authenticate with his Kerberos principal.

      Step 1 Create a login user in MariaDB, specifying kerberos as the server-side authentication plugin.

      CREATE USER 'adam' IDENTIFIED VIA kerberos AS 'adam/mariadb@lp';
      

      The mismatch between the maximum length of a MariaDB user name and the length of a Kerberos principal name makes it error-prone to embed a whole principal name in a MariaDB login name. We therefore use a short name as the MariaDB login name and record the principal name in the AS clause. If the AS clause is absent when the user is created, the MariaDB login name is used as the principal name implicitly. The login name is thus only a label; the principal named in the AS clause (or the login name in its absence) is what the server will compare against the authenticated identity.
      Step 2 On the client side, Adam acquires a service ticket (or access token) for the MariaDB service.
      Step 3 Adam logs in with the short login name.

      $ mysql -u adam
      

      Step 4 If adam/mariadb@lp is a valid Kerberos principal and the service ticket has not expired, Adam logs in to MariaDB without a password; otherwise he receives an actionable error message.

      The Source Code

      The source code will live in the plugin/auth_kerberos directory.
      The mysql_declare_plugin/mysql_declare_plugin_end macros define the server-side plugin, and the mysql_declare_client_plugin/mysql_end_client_plugin macros define the client-side plugin.

      Client-Server Communication

      This section defines the message exchanges between client and server during Kerberos authentication.

      Step 1 The server sends the null-terminated SPN to the client (the SPN is a server parameter, documented in a later section).
      Step 2 The client receives the SPN with vio->read_packet and builds a security context for it by calling gss_init_sec_context, repeating the call until it reports completion.
      Step 3 The client writes the output token produced by gss_init_sec_context to the server with vio->write_packet.
      Step 4 The server acquires its own credential with gss_acquire_cred.
      Step 5 The server reads the token from step 3, validates it against the credential acquired in step 4, compares the authenticated principal name carried in the token with the principal recorded for the account (the AS clause, or the login name when the clause is absent), and accepts the connection if they match; otherwise it fails the connection.

      Figure-out SPN

      This section describes the policy to identify a valid service principal name.

      For the server-side plugin, an SPN is required. The principal name is given by an option in the configuration file (e.g. ~/.my.cnf) as

      spn=primary/instance@realm

      or

      spn=primary@machine.domain

      depending on the platform, where primary is the service name. If the option is not present, mysql is the default SPN.
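
      The following is an added example, not code from MariaDB or from the plugin this issue describes. It models the five-step exchange of the Client-Server Communication section together with the SPN and AS-clause rules of this section, in Python, so that both sides' messages and the server's final name check can be run offline. The GSS mechanism is replaced by a constructed HMAC stand-in (a "ticket" is a key shared between a principal and an SPN), so nothing here is Kerberos; the account table, the spn value mysql/db.example.test@lp, the principals bob and eve@lp, and every function name are assumptions for illustration. It goes one step beyond the exchange as listed: with mutual authentication requested, gss_init_sec_context returns GSS_S_CONTINUE_NEEDED until it receives the server's output token, so the stand-in server returns a reply token and the client verifies it before trusting the connection. Note also that the plugin that eventually shipped is named gssapi (auth_gssapi), so a current server expects IDENTIFIED VIA gssapi rather than the design-stage name kerberos used in this issue.

```python
import hashlib
import hmac
import os
import struct

# GSS-API style major status values that drive the init/accept loop.
GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED, GSS_S_FAILURE = 0, 1, 2
DEFAULT_SPN = "mysql"  # default when the spn= option is absent

# Constructed stand-in for the KDC/credential cache (assumption: not Kerberos).
# A "service ticket" for (principal, spn) is a shared key: the client proves
# possession by MACing its principal and a nonce, the server by MACing the
# nonce back, which models mutual authentication.
def issue_ticket(kdc, principal, spn):
    """Step 2: the client acquires a ticket for the MariaDB service."""
    kdc[(principal, spn)] = os.urandom(32)

def resolve_spn(config):
    """Figure-out SPN: the spn= option from the config file, else 'mysql'."""
    return config.get("spn", DEFAULT_SPN)

def expected_principal(login_name, auth_string):
    """AS clause present: that principal. Absent: the login name, implicitly."""
    return auth_string if auth_string else login_name

def read_spn(packet):
    """Step 2, client side: the SPN is null-terminated; stop at the first NUL."""
    return packet.split(b"\0", 1)[0].decode()

def _mac(key, *parts):
    return hmac.new(key, b"\0".join(parts), hashlib.sha256).digest()

class InitContext:
    """Client side: stand-in for the loop around gss_init_sec_context."""
    def __init__(self, kdc, principal, spn):
        self.key = kdc.get((principal, spn))
        self.principal, self.spn, self.nonce = principal, spn, os.urandom(16)
        self.established = False

    def step(self, input_token=None):
        if self.key is None:              # no ticket for this SPN: nothing to send
            return GSS_S_FAILURE, None
        if input_token is None:           # first pass: build the initiator token
            p = self.principal.encode()
            mac = _mac(self.key, p, self.spn.encode(), self.nonce)
            token = struct.pack("!H", len(p)) + p + self.nonce + mac
            return GSS_S_CONTINUE_NEEDED, token   # mutual auth: wait for the reply
        if not hmac.compare_digest(_mac(self.key, b"acceptor", self.nonce), input_token):
            return GSS_S_FAILURE, None    # server could not prove it holds the key
        self.established = True
        return GSS_S_COMPLETE, None

def accept_sec_context(kdc, spn, token):
    """Server side: stand-in for gss_accept_sec_context using the step-4
    credential. Returns (status, authenticated principal, reply token)."""
    try:
        (plen,) = struct.unpack("!H", token[:2])
        p, nonce, mac = token[2:2 + plen], token[2 + plen:18 + plen], token[18 + plen:]
        key = kdc.get((p.decode(), spn))
    except (struct.error, UnicodeDecodeError):
        return GSS_S_FAILURE, None, None
    if key is None or len(nonce) != 16:
        return GSS_S_FAILURE, None, None
    if not hmac.compare_digest(_mac(key, p, spn.encode(), nonce), mac):
        return GSS_S_FAILURE, None, None  # forged token, or a ticket for another SPN
    return GSS_S_COMPLETE, p.decode(), _mac(key, b"acceptor", nonce)

def authenticate(kdc, server_config, accounts, login_name, client_principal):
    """Runs steps 1-5 in-process. accounts maps login name -> AS string (None when
    the clause was absent). True only if authenticated, authorized and mutual."""
    if login_name not in accounts:
        return False
    spn = resolve_spn(server_config)
    client_spn = read_spn(spn.encode() + b"\0")          # step 1: server -> client
    ctx = InitContext(kdc, client_principal, client_spn)  # steps 2-3
    status, token = ctx.step()
    if status == GSS_S_FAILURE:
        return False
    status, principal, reply = accept_sec_context(kdc, spn, token)  # steps 4-5
    if status != GSS_S_COMPLETE:
        return False
    if principal != expected_principal(login_name, accounts[login_name]):
        return False                      # authenticated, but not for this account
    status, _ = ctx.step(reply)           # client verifies the server's reply
    return status == GSS_S_COMPLETE and ctx.established

def demo():
    """Constructed scenario: accounts, config and tickets as in the issue text."""
    kdc = {}
    accounts = {"adam": "adam/mariadb@lp", "bob": None}   # bob: no AS clause
    config = {"spn": "mysql/db.example.test@lp"}            # assumed spn= value
    for principal in ("adam/mariadb@lp", "bob", "eve@lp"):
        issue_ticket(kdc, principal, config["spn"])
    return {
        "adam_ok": authenticate(kdc, config, accounts, "adam", "adam/mariadb@lp"),
        "bob_implicit": authenticate(kdc, config, accounts, "bob", "bob"),
        "eve_as_adam": authenticate(kdc, config, accounts, "adam", "eve@lp"),
        "wrong_spn": authenticate(kdc, {}, accounts, "adam", "adam/mariadb@lp"),
    }
```

      The wrong_spn case is the one to watch in deployment: when the spn= option is missing, the server announces the default mysql, the client asks for a ticket for that service, and authentication fails even though the user's principal is valid, because the ticket was issued for a different SPN. The eve_as_adam case shows why the comparison in step 5 must be against the full principal from the AS clause and not merely against "any valid ticket": a valid principal that is not the one recorded for the account is rejected.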

      Cross-platform Requirements

      GSSAPI-based Kerberos authentication is widely used in the *nix world, while Windows provides an SSPI-based Kerberos authentication process. The plugin will support Windows SSPI in addition to GSSAPI to maximize compatibility.

      Links

      1. Configure Kerberos authentication in Oracle RDBMS. http://docs.oracle.com/cd/A97630_01/network.920/a96573/asokerb.htm
      2. Using Kerberos authentication with SQL Server. http://msdn.microsoft.com/en-us/library/cc280745(v=sql.105).aspx
      3. Configuring Kerberos for Sybase. http://www.sybase.com.hk/content/1029260/1029260.pdf
      4. The Kerberos network authentication service (v5). http://tools.ietf.org/html/rfc4120
      5. GSS-API C-binding. http://tools.ietf.org/html/rfc2744
      6. The Kerberos version 5 Generic Security Service Application Program Interface (GSS-API) mechanism: Version 2. http://tools.ietf.org/html/rfc4121
      7. MariaDB Pluggable Authentication. https://kb.askmonty.org/en/development-pluggable-authentication/
      8. How the Kerberos Version 5 Authentication Protocol Works. http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
      9. SSPI/Kerberos Interoperability with GSSAPI. http://msdn.microsoft.com/en-us/library/ms995352.aspx
      10. Best Practices for Integrating Kerberos into Your Application. http://www.kerberos.org/software/appskerberos.pdf

      People

      • Assignee: wlad Vladislav Vaintroub
      • Reporter: qiushuang QIU Shuang
      • Votes: 6
      • Watchers: 12

      Time Tracking

      • Original Estimate: 4 weeks
      • Time Spent: 5 hours
      • Remaining Estimate: 3 weeks, 4 days, 3 hours