<?xml version="1.0" encoding="utf-8"?>
<launchpad-bug id="693108">
  <date_last_updated>2011-03-12 16:29:54.445567+00:00</date_last_updated>
  <api_links>
    <bug_api_link>https://api.launchpad.net/1.0/bugs/693108</bug_api_link>
    <bug_owner_link>https://api.launchpad.net/1.0/~olafvdspek</bug_owner_link>
    <milestone_link></milestone_link>
    <linked_branches_collection_link>https://api.launchpad.net/1.0/bugs/693108/linked_branches</linked_branches_collection_link>
    <activity_link>https://api.launchpad.net/1.0/bugs/693108/activity</activity_link>
  </api_links>
  <bug_web_link>https://bugs.launchpad.net/bugs/693108</bug_web_link>
  <owner>Olaf van der Spek</owner>
  <assignee>Sergei</assignee>
  <milestone_title></milestone_title>
  <duplicate_link></duplicate_link>
  <duplicate_bug_id></duplicate_bug_id>
  <title>Authenticate by Linux system account</title>
  <status>Fix Released</status>
  <importance>Wishlist</importance>
  <created>2010-12-21 17:37:03.877648+00:00</created>
  <description>
<![CDATA[Could you add an option where the MySQL server does authentication by the Linux system
account of the other end of the (local) connection?

This will only work for local connections, but is very handy. Passwords would no longer
be needed, making it both more secure and easier.

In addition to user name/password, the privilege tables should contain a unix_account
column.

http://bugs.mysql.com/bug.php?id=49940]]>  </description>
  <activities>
    <activity datechanged="2010-12-21T17:37:03.877648+00:00">
      <oldvalue>
<![CDATA[]]>      </oldvalue>
      <newvalue>
<![CDATA[]]>      </newvalue>
      <whatchanged>bug</whatchanged>
      <person>Olaf van der Spek</person>
      <message>added bug</message>
    </activity>
    <activity datechanged="2010-12-21T18:06:31.439347+00:00">
      <oldvalue>
<![CDATA[]]>      </oldvalue>
      <newvalue>
<![CDATA[http://bugs.mysql.com/bug.php?id=49940]]>      </newvalue>
      <whatchanged>bug watch added</whatchanged>
      <person>Sergei</person>
      <message></message>
    </activity>
    <activity datechanged="2010-12-22T12:08:19.870903+00:00">
      <oldvalue>
<![CDATA[New]]>      </oldvalue>
      <newvalue>
<![CDATA[Fix Released]]>      </newvalue>
      <whatchanged>maria: status</whatchanged>
      <person>Sergei</person>
      <message></message>
    </activity>
    <activity datechanged="2010-12-22T12:08:25.288287+00:00">
      <oldvalue>
<![CDATA[Undecided]]>      </oldvalue>
      <newvalue>
<![CDATA[Wishlist]]>      </newvalue>
      <whatchanged>maria: importance</whatchanged>
      <person>Sergei</person>
      <message></message>
    </activity>
    <activity datechanged="2010-12-23T23:02:00.084865+00:00">
      <oldvalue>
<![CDATA[Fix Released]]>      </oldvalue>
      <newvalue>
<![CDATA[New]]>      </newvalue>
      <whatchanged>maria: status</whatchanged>
      <person>Olaf van der Spek</person>
      <message></message>
    </activity>
    <activity datechanged="2011-01-10T20:37:17.773921+00:00">
      <oldvalue>
<![CDATA[New]]>      </oldvalue>
      <newvalue>
<![CDATA[Fix Released]]>      </newvalue>
      <whatchanged>maria: status</whatchanged>
      <person>Sergei</person>
      <message></message>
    </activity>
    <activity datechanged="2011-01-10T20:37:26.236759+00:00">
      <oldvalue>
<![CDATA[]]>      </oldvalue>
      <newvalue>
<![CDATA[Sergei (sergii)]]>      </newvalue>
      <whatchanged>maria: assignee</whatchanged>
      <person>Sergei</person>
      <message></message>
    </activity>
    <activity datechanged="2011-01-13T13:55:32.349215+00:00">
      <oldvalue>
<![CDATA[Fix Released]]>      </oldvalue>
      <newvalue>
<![CDATA[New]]>      </newvalue>
      <whatchanged>maria: status</whatchanged>
      <person>Olaf van der Spek</person>
      <message></message>
    </activity>
    <activity datechanged="2011-03-09T10:07:22.681944+00:00">
      <oldvalue>
<![CDATA[New]]>      </oldvalue>
      <newvalue>
<![CDATA[Fix Released]]>      </newvalue>
      <whatchanged>maria: status</whatchanged>
      <person>Sergei</person>
      <message></message>
    </activity>
    <activity datechanged="2011-03-12T15:28:58.726100+00:00">
      <oldvalue>
<![CDATA[Fix Released]]>      </oldvalue>
      <newvalue>
<![CDATA[New]]>      </newvalue>
      <whatchanged>maria: status</whatchanged>
      <person>Olaf van der Spek</person>
      <message></message>
    </activity>
    <activity datechanged="2011-03-12T15:29:30.824920+00:00">
      <oldvalue>
<![CDATA[Authenticate by Linux system account]]>      </oldvalue>
      <newvalue>
<![CDATA[System -> DB account mapping]]>      </newvalue>
      <whatchanged>summary</whatchanged>
      <person>Olaf van der Spek</person>
      <message></message>
    </activity>
    <activity datechanged="2011-03-12T16:17:09.203564+00:00">
      <oldvalue>
<![CDATA[System -> DB account mapping]]>      </oldvalue>
      <newvalue>
<![CDATA[Authenticate by Linux system account]]>      </newvalue>
      <whatchanged>summary</whatchanged>
      <person>Sergei</person>
      <message></message>
    </activity>
    <activity datechanged="2011-03-12T16:17:14.389509+00:00">
      <oldvalue>
<![CDATA[New]]>      </oldvalue>
      <newvalue>
<![CDATA[Fix Released]]>      </newvalue>
      <whatchanged>maria: status</whatchanged>
      <person>Sergei</person>
      <message></message>
    </activity>
  </activities>
  <comments>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/1" datecreated="2010-12-21T18:05:50+00:00">
      <person>Sergei</person>
      <subject>
<![CDATA[Re: [Bug 693108] [NEW] Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[Hi, Olaf!

On Dec 21, Olaf van der Spek wrote:
> Could you add an option where the MySQL server does authentication by the Linux system
> account of the other end of the (local) connection?
> 
> This will only work for local connections, but is very handy. Passwords would no longer
> be needed, making it both more secure and easier.
> 
> In addition to user name/password, the privilege tables should contain a unix_account
> column.
> 
> http://bugs.mysql.com/bug.php?id=49940
> 

This is already implemented in 5.2.
See http://kb.askmonty.org/v/development-pluggable-authentication
and socket_peercred plugin therein

Regards,
Sergei

P.S. I see you really started moving feature requests from mysql bugdb
to mariadb. First update select, now this :)]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/2" datecreated="2010-12-21T18:41:12+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[On Tue, Dec 21, 2010 at 7:05 PM, Sergei <693108@bugs.launchpad.net> wrote:
> This is already implemented in 5.2.
> See http://kb.askmonty.org/v/development-pluggable-authentication
> and socket_peercred plugin therein

Where are the socket_peercred docs?

> P.S. I see you really started moving feature requests from mysql bugdb
> to mariadb. First update select, now this :)

Hehe. Makes sense, doesn't it?

Olaf]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/3" datecreated="2010-12-22T12:07:22+00:00">
      <person>Sergei</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[Hi, Olaf!

On Dec 21, Olaf van der Spek wrote:
> On Tue, Dec 21, 2010 at 7:05 PM, Sergei <693108@bugs.launchpad.net> wrote:
> > This is already implemented in 5.2.
> > See http://kb.askmonty.org/v/development-pluggable-authentication
> > and socket_peercred plugin therein
> 
> Where are the socket_peercred docs?

Same page. Did you look at it at all, or are you just asking to keep the
thread going? :)

Regards,
Sergei]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/4" datecreated="2010-12-22T19:19:24+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[On Wed, Dec 22, 2010 at 1:07 PM, Sergei <693108@bugs.launchpad.net> wrote:
> Hi, Olaf!
>
> On Dec 21, Olaf van der Spek wrote:
>> On Tue, Dec 21, 2010 at 7:05 PM, Sergei <693108@bugs.launchpad.net> wrote:
>> > This is already implemented in 5.2.
>> > See http://kb.askmonty.org/v/development-pluggable-authentication
>> > and socket_peercred plugin therein
>>
>> Where are the socket_peercred docs?
>
> Same page. Did you look at it at all, or are you just asking to keep the
> thread going? :)

I had seen the page before I submitted the feature request.
I expected a page or at least a section dedicated to the plugin.
For example, I have no idea how to install the plugin.
I also don't see how to set up system account -> db account mapping,
but it seems this isn't possible.

The bit about socket_peercred seemed just an example of the auth
plugin system to me, not as documentation of socket_peercred itself.

Olaf]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/5" datecreated="2010-12-27T18:56:41+00:00">
      <person>Sergei</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[Hi, Olaf!

On Dec 22, Olaf van der Spek wrote:
> On Wed, Dec 22, 2010 at 1:07 PM, Sergei <693108@bugs.launchpad.net> wrote:
> > Hi, Olaf!
> >
> > On Dec 21, Olaf van der Spek wrote:
> >> On Tue, Dec 21, 2010 at 7:05 PM, Sergei <693108@bugs.launchpad.net> wrote:
> >> > This is already implemented in 5.2.
> >> > See http://kb.askmonty.org/v/development-pluggable-authentication
> >> > and socket_peercred plugin therein
> >>
> >> Where are the socket_peercred docs?
> >
> > Same page. Did you look at it at all, or are you just asking to keep the
> > thread going? :)
> 
> I had seen the page before I submitted the feature request.
> I expected a page or at least a section dedicated to the plugin.
> For example, I have no idea how to install the plugin.
> I also don't see how to set up system account -> db account mapping,
> but it seems this isn't possible.
> 
> The bit about socket_peercred seemed just an example of the auth
> plugin system to me, not as documentation of socket_peercred itself.

Hmm, I see.
I could add a page dedicated to socket_peercred, yes.

But it won't explain how to install it - it's documented here:
http://dev.mysql.com/doc/refman/5.5/en/install-plugin.html
And it won't talk about mapping, because socket_peercred cannot do that
in particular, and authentication plugins should not do that in general -
mapping is completely unrelated to authentication.

Still, if it is considered useful, I can copy the relevant part of the
http://kb.askmonty.org/v/development-pluggable-authentication page to
a special socket_peercred dedicated page.

Regards,
Sergei]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/6" datecreated="2010-12-28T17:36:27+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[On Mon, Dec 27, 2010 at 7:56 PM, Sergei <693108@bugs.launchpad.net> wrote:
> I could add a page dedicated to socket_peercred, yes.
>
> But it won't explain how to install it - it's documented here:
> http://dev.mysql.com/doc/refman/5.5/en/install-plugin.html

A link to that page would be nice. Although peercred is so useful that
it should be installed by default.

> And it won't talk about mapping, because socket_peercred cannot do that
> in particular, and authentication plugins should not do that in general -
> mapping is completely unrelated to authentication.

Why?
Normally, I can supply any user/pass I want. With peercred, I would
suddenly be restricted to a single MySQL user? That doesn't make
sense.
IMO mapping system -> MySQL account would be very useful.

>
> http://kb.askmonty.org/v/development-pluggable-authentication page to
> a special socket_peercred dedicated page.

I think that should be done.

Olaf]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/7" datecreated="2011-01-10T20:41:11.270078+00:00">
      <person>Sergei</person>
      <subject>
<![CDATA[Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[done.
http://kb.askmonty.org/v/socket_peercred-authentication-plugin]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/8" datecreated="2011-01-10T20:54:27+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[On Mon, Jan 10, 2011 at 9:41 PM, Sergei <693108@bugs.launchpad.net> wrote:
> done.

Don't forget #6.
]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/9" datecreated="2011-01-10T21:45:32.513980+00:00">
      <person>Sergei</person>
      <subject>
<![CDATA[Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[what do you mean? add a link to how to use it?
there's a link to pluggable auth page, it's enough, I think.

install by default? probably not just yet, maybe later.

mapping? no, it's not part of the plugin, it does not belong to that layer.]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/10" datecreated="2011-01-10T22:01:54+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[On Mon, Jan 10, 2011 at 10:45 PM, Sergei <693108@bugs.launchpad.net> wrote:
> what do you mean? add a link to how to use it?

A link to install-plugin.html

> there's a link to pluggable auth page, it's enough, I think.
>
> install by default? probably not just yet, maybe later.
>
> mapping? no, it's not part of the plugin, it does not belong to that
> layer.

What layer does it belong to?

Olaf
]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/11" datecreated="2011-01-12T10:43:45+00:00">
      <person>Sergei</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[Hi, Olaf!

On Jan 10, Olaf van der Spek wrote:
> On Mon, Jan 10, 2011 at 10:45 PM, Sergei <693108@bugs.launchpad.net> wrote:
> > what do you mean? add a link to how to use it?
> 
> A link to install-plugin.html

done.

> > mapping? no, it's not part of the plugin, it does not belong to that
> > layer.
> 
> What layer does it belong to?

To the server. Mapping should happen after the plugin has authenticated
the user. If we'd start implementing mapping *in the plugins* (like
Oracle started doing), we'd have to implement it in *every* plugin
(again, like Oracle has to do now). And if something has to be done in
every plugin - it's a sign that this functionality belongs to no plugin
in particular, it's not a plugin specific feature. It should be done
in the server.

Regards,
Sergei
]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/12" datecreated="2011-01-12T16:27:53+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[On Wed, Jan 12, 2011 at 11:43 AM, Sergei <693108@bugs.launchpad.net> wrote:
>> > mapping? no, it's not part of the plugin, it does not belong to that
>> > layer.
>>
>> What layer does it belong to?
>
> To the server. Mapping should happen after the plugin has authenticated
> the user. If we'd start implementing mapping *in the plugins* (like
> Oracle started doing), we'd have to implement it in *every* plugin
> (again, like Oracle has to do now). And if something has to be done in
> every plugin - it's a sign that this functionality belongs to no plugin
> in particular, it's not a plugin specific feature. It should be done
> in the server.

The output of authentication is a MySQL user (from mysql.users). The
input varies and depends on the plugin.
Given that the server doesn't know about peercred details, how can it
do the mapping?

At the moment you assume a 1:1 mapping from system accounts to MySQL
accounts. An assumption that is quite restricting and IMO invalid.

Olaf
]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/13" datecreated="2011-03-09T10:19:29+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[On Wed, Mar 9, 2011 at 11:07 AM, Sergei <693108@bugs.launchpad.net> wrote:
> ** Changed in: maria
>       Status: New => Fix Released

Could you include a link?
And/or respond to the mapping issue?


-- 
Olaf
]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/14" datecreated="2011-03-09T18:03:01.948993+00:00">
      <person>Sergei</person>
      <subject>
<![CDATA[Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[you misunderstood :(
nothing else was implemented, besides what's already done.
I was simply going over old tickets, looking where we forgot to update the status.

The link was mentioned here:
https://bugs.launchpad.net/maria/+bug/693108/comments/7

To the mapping issue I responded here: 
https://bugs.launchpad.net/maria/+bug/693108/comments/11]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/15" datecreated="2011-03-09T18:13:44+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: [Bug 693108] Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[On Wed, Mar 9, 2011 at 7:03 PM, Sergei <693108@bugs.launchpad.net> wrote:
> you misunderstood :(
> nothing else was implemented, besides what's already done.
> I was simply going over old tickets, looking where we forgot to update the status.
>
> The link was mentioned here:
> https://bugs.launchpad.net/maria/+bug/693108/comments/7
>
> To the mapping issue I responded here:

https://bugs.launchpad.net/maria/+bug/693108/comments/12

Olaf
]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/16" datecreated="2011-03-12T16:18:47.756375+00:00">
      <person>Sergei</person>
      <subject>
<![CDATA[Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[No Olaf, please, let's not use one bug report for different things, renaming the synopsis.

I also want the mapping (although, I think it should be done on a different layer), but please, create a new bug report or, better, WL entry, instead of hijacking an existing one.]]>      </content>
    </comment>
    <comment commentlink="https://api.launchpad.net/1.0/maria/+bug/693108/comments/17" datecreated="2011-03-12T16:29:53.831853+00:00">
      <person>Olaf van der Spek</person>
      <subject>
<![CDATA[Re: Authenticate by Linux system account]]>      </subject>
      <content>
<![CDATA[Sure: https://bugs.launchpad.net/maria/+bug/733893
Where do I create WL entries?]]>      </content>
    </comment>
  </comments>
</launchpad-bug>
