Kerberize MariaDB -- add Kerberos authentication support to MariaDB
This task identifies TODOs to add Kerberos authentication support to MariaDB.
Kerberos is a standardised network authentication protocol providing mutual authentication of potential users and network service. Many commercial relational database management systems have already internalized support for Kerberos authentication. The goal of this project aims to adding cross-platform Kerberos authentication support to MariaDB database.
In this section, we give a normal use case.
Suppose user Adam what to authentication against his Kerberos principal.
Step 1 Create a login user in MariaDB and specify the kerberos as server side authentication plugin.
The gap between MariaDB username length and Kerberos principal name length make it error-prone to embedded a whole principal name into a MariaDB login name. We use a short name as MariaDB login name and identify the principal name with the AS clause. If the AS clause is absent when creating a user, the MariaDB login name is used as principal name implicitly.
Step 2 At client side, Adam acquires a service ticket (or access token) to MariaDB.
Step 3 Adam tries to login with short login name.
Step 4 If adam/mariadb@lp is a valid principal in Kerberos and the service ticket is not expired, Adam can login MariaDB passwordlessly; otherwise, he will receive an actionable error message.
Source codes will be located in the plugin/auth_kerberos directory.
mysql_declar_plugin/mysql_declare_plugin_end macros can be used to define server side plugin and mysql_declare_client_plugin/mysql_end_client_plugin macros for client side.
This section defines the message exchanges between client and server during Kerberos authentication.
Step 1 Server sends the null-terminated SPN to the client (the SPN is given as server parameter, documented in yet another section).
Step 2 Client receives SPN from server with vio->read_packet, creates a secure context with the SPN by gss_init_sec_context repeating until done.
Step 3 Client writes the output token created by gss_init_sec_context to the server, using vio->write_packet.
Step 4 Server acquire credential with gss_acquire_cred to get the initial server credential.
Step 5 Server reads token created at step 3, checks the principal name enclosed in the token with its credential get in step 4 and accepts the access requests if recognizable otherwise fails the connection.
This section describes the policy to identify a valid service principal name.
For the server side plugin, an SPN is requried. The principal name is an option in configuration file (e.g. ~/.my.cfn) with
depending on its platform, where primary is the service name. If this option does not present, mysql is the default SPN.
GSSAPI based Kerberos authentication is widely used in *nix world, while Windows also provides an SSPI based Kerberos authentication process. The plugin will support Windows-SSPI in addition to GSSAPi to maximize the compatibility.
- Configure Kerberos authentication in Oracle RDBMS. http://docs.oracle.com/cd/A97630_01/network.920/a96573/asokerb.htm
- Using Kerberos authentication with SQL Server. http://msdn.microsoft.com/en-us/library/cc280745(v=sql.105).aspx
- Configuring Kerberos for Sybase. http://www.sybase.com.hk/content/1029260/1029260.pdf
- The Kerberos network authentication service (v5). http://tools.ietf.org/html/rfc4120
- GSS-API C-binding. http://tools.ietf.org/html/rfc2744
- The Kerberos version 5 Generic Security Service Application Program Interface (GSS-API) mechanism: Version 2. http://tools.ietf.org/html/rfc4121
- MariaDB Pluggable Authentication. https://kb.askmonty.org/en/development-pluggable-authentication/
- How the Kerberos Version 5 Authentication Protocol Works. http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
- SSPI/Kerberos Interoperability with GSSAPI. http://msdn.microsoft.com/en-us/library/ms995352.aspx
- Best Practices for Integrating Kerberos into Your Application. http://www.kerberos.org/software/appskerberos.pdf