Details
- Type: New Feature
- Status: Closed
- Priority: Critical
- Resolution: Won't Fix
- Affects Version/s: 2.5.10
- Fix Version/s: None
- All
- Sprint: MXS-SPRINT-137, MXS-SPRINT-138, MXS-SPRINT-139
Description
GSSAPI authenticator documentation says:

"The keytab file must be placed in the configured default location which almost always is /etc/krb5.keytab.

To take GSSAPI authentication into use, add the following to the listener.

    authenticator=GSSAPIAuth
    authenticator_options=principal_name=mariadb/[email protected]

Change the principal name to the same value you configured for the MariaDB server.

After the listeners are configured, add the following to all servers that use GSSAPI users.

    authenticator=GSSAPIBackendAuth"
I'm no expert on GSSAPI, but it seems like the principal_name should be set on a per-server basis rather than in the listener, since each of the backend MariaDB servers uses a different principal_name in its gssapi_principal_name variable for the GSSAPI plugin.
Additionally, I think that we should be able to specify a separate keytab file for each server, since each of the backend servers has its own keytab, and the keytab location can be set via the gssapi_keytab_path variable on the DB server. The default keytab in /etc/krb5.keytab may be used by some other app. Even though it's possible to add principals to the default keytab, messing with the customer's non-MariaDB keytab files is probably not a great idea, because if we accidentally overwrite it, that could break something else.
We currently have a customer who wants to set this up on MaxScale and three backend DB servers, but I can't figure out any way to make it work with the current options available.
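The following is an added illustration, not text from the issue reporter and not configuration shipped with MaxScale or quoted from its documentation. It lays the documented GSSAPI settings out in a full MaxScale configuration with three backends so that the reporter's point is visible: the principal name is a listener option, so one value covers all backends, and there is no per-server keytab setting. Section names, hostnames, ports, the service user and the principal are constructed placeholders; the keys type, address, port, protocol, router, servers, user, password and service are standard MaxScale configuration keys.

```ini
# Constructed example configuration, not from the issue or from MaxScale's documentation.

[db1]
type=server
address=db1.example.com
port=3306
protocol=MariaDBBackend
# Documented per-server setting: only the backend authenticator, no keytab or principal.
authenticator=GSSAPIBackendAuth

[db2]
type=server
address=db2.example.com
port=3306
protocol=MariaDBBackend
authenticator=GSSAPIBackendAuth

[db3]
type=server
address=db3.example.com
port=3306
protocol=MariaDBBackend
authenticator=GSSAPIBackendAuth

[RW-Service]
type=service
router=readwritesplit
servers=db1,db2,db3
user=maxscale_user
password=<service-user-password>

[RW-Listener]
type=listener
service=RW-Service
protocol=MariaDBClient
port=4006
authenticator=GSSAPIAuth
# The principal is set once per listener. Each of db1, db2 and db3 may carry a
# different gssapi_principal_name on the MariaDB side, but nothing in this
# configuration can express that, and the keytab is always read from the
# default location (/etc/krb5.keytab) rather than a per-server path.
authenticator_options=principal_name=mariadb/[email protected]
```

Reading the configuration this way makes the gap concrete: the only GSSAPI knobs are the listener's principal_name and the choice of authenticator on each server, so a deployment whose backends present distinct principals, or whose keytab must be kept apart from the host's default keytab, has no supported way to describe it.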
Issue Links
- is blocked by MXS-3733 "Add keytab filepath configuration option to GSSAPI authenticator" (Closed)