1 of 48

Plugins

Explore plugins in MariaDB Server. This section details how to extend database functionality, security, and performance by leveraging various loadable plugins, from authentication to storage engines.

Plugin Overview

MariaDB supports loading plugins at startup or runtime to extend functionality, including storage engines, security features, and logging capabilities, without rebuilding the server.

MariaDB supports the use of plugins, software components that may be added to the core software without having to rebuild the MariaDB server from source code. Plugins can be loaded at startup, or loaded and unloaded while the server is running, without interruption. Plugins are commonly used for adding desired storage engines, additional security requirements, logging special information about the server, or even small enhancements, such as a plugin to get a timestamp as an integer.

Querying Plugin Information

There are a number of ways to see which plugins are currently active.

A server almost always has a large number of active plugins, because the server contains a large number of built-in plugins, which are active by default and cannot be uninstalled.

Plugin Maturity

This page lists the maturity level (Alpha, Beta, Gamma, Stable) of various MariaDB plugins, helping users determine which are suitable for production environments.

The following table lists the various plugins included in MariaDB ordered by their maturity. Note that maturity will differ across MariaDB versions - see below for an easy way to get a complete list of plugins and their maturity in your version of MariaDB:

Plugin

Version

Maturity

3.0

Stable

1.6

Stable

This query shows a complete list of plugins and their maturity level:

MariaDB Community Audit Plugin

The MariaDB Community Audit Plugin (server_audit) records server activity, including connections and queries, to a file or syslog to support auditing and compliance.

Audit Plugin Overview

The MariaDB Audit Plugin records server activity, including connections, queries, and table access, to help meet organizational auditing and compliance regulations.

MariaDB and MySQL are used in a broad range of environments, but if you needed to record user access to be in compliance with auditing regulations for your organization, you would previously have had to use other database solutions. To meet this need, though, MariaDB has developed the MariaDB Audit Plugin. Although the MariaDB Audit Plugin has some unique features available only for MariaDB, it can be used also with MySQL.

Basically, the purpose of the MariaDB Audit Plugin is to log the server's activity. For each client session, it records who connected to the server (i.e., user name and host), what queries were executed, and which tables were accessed and server variables that were changed. This information is stored in a rotating log file or it may be sent to the local syslogd.

Review these pages for detailed documentation:

Audit Plugin Installation

Follow this guide to install the Audit Plugin on your MariaDB server. Learn how to verify the plugin file's location, load it dynamically, or configure it to load automatically at startup.

The server_audit plugin logs the server's activity. For each client session, it records who connected to the server (i.e., user name and host), what queries were executed, and which tables were accessed and server variables that were changed. This information is stored in a rotating log file or it may be sent to the local syslogd.

Locating the Plugin

The server_audit plugin's shared library is included in MariaDB packages as the server_audit.so or server_audit.dll shared library on systems where it can be built.

The plugin must be located in the plugin directory, the directory containing all plugin libraries for MariaDB. The path to this directory is configured by the system variable. To see the value of this variable and thereby determine the file path of the plugin library, execute the following SQL statement:

Check the directory returned at the filesystem level to make sure that you have a copy of the plugin library, server_audit.so or server_audit.dll, depending on your system. It's included in recent installations of MariaDB. If you do not have it, you should upgrade MariaDB.

Installing the Plugin

Although the plugin's shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing or :

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the or the options. This can be specified as a command-line argument to mariadbd , or it can be specified in a relevant server in an :

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing or :

If you installed the plugin by providing the or the options in a relevant server in an , then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.

Prohibiting Uninstallation

The or statements may be used to uninstall plugins. For the server_audit plugin, you might want to disable this capability. To prevent the plugin from being uninstalled, you could set the option to FORCE_PLUS_PERMANENT in a relevant server in an after the plugin is loaded once:

Once you've added the option to the server's option file and restarted the server, the plugin can't be uninstalled. If someone tries to uninstall the audit plugin, then an error message will be returned. Below is an example of the error message:

For more information on FORCE_PLUS_PERMANENT and other option values for the option, see for more information.

_{This page is licensed: CC BY-SA / Gnu FDL}

Audit Plugin Configuration

Configure the Audit Plugin to suit your monitoring requirements. Learn how to enable logging, select specific event types to record, and exclude specific users from the audit trail.

After the audit plugin has been installed and loaded, there will be some new global variables within MariaDB. These can be used to configure many components, limits, and methods related to auditing the server. You may set these variables related to the logs, such as their location, size limits, rotation parameters, and method of logging information. You may also set what information is logged, such connects, disconnects, and failed attempts to connect. You can also have the audit plugin log queries, read and write access to tables. So as not to overload your logs, the audit plugin can be configured based on lists of users. You can include or exclude the activities of specific users in the logs.

To see a list of on the server and their values, execute the follow while connected to the server:

The values of these variables can be changed by an administrator with the SUPER privilege, using the statement. Below is an example of how to disable audit logging:

Although it is possible to change all of the variables shown above, some of them may be reset when the server restarts. Therefore, you may want set them in the configuration file (e.g.,

Audit Plugin Log Format

Understand the structure of audit log entries. This guide breaks down the fields in the log records, including timestamps, server IDs, user details, and the specific operations performed.

The audit plugin logs user access to MariaDB and its objects. The audit trail (that is, the audit log) is a set of records, written as a list of fields to a file in a plain‐text format. The fields in the log are separated by commas. The format used for the plugin's own log file is slightly different from the format used if it logs to the system log because it has its own standard format. The general format for the logging to the plugin's own file is defined like the following:

If the server_audit_output_type variable is set to syslog instead of the default, file, the audit log file format is as follows:

Item logged

Description

timestamp

Various events result in different audit records. Some events do not return a value for some fields (for instance, when the active database is not set when connecting to the server).

Below is a generic example of the output for connect events, with placeholders representing data. These are events in which a user connected, disconnected, or tried unsuccessfully to connect to the server.

Here is the one audit record generated for each query event:

Below are generic examples of records that are entered in the audit log for each type of table event:

Passwords are hidden in the log for certain types of queries. They are replaced with asterisks for GRANT, CREATE USER, CREATE MASTER, CREATE SERVER, and ALTER SERVER statements. Passwords, however, are not replaced for the PASSWORD() and OLD_PASSWORD() functions when they are used inside other SQL statements (i.e., SET PASSWORD).

For applier operations, audit log plugin logs events with a generic name of <wsrep_applier> .

This addresses an issue where the user was logged on the primary node, but stripped from other cluster nodes. See for details.

For Galera Cluster replication applier operations, audit log plugin logs events without indicating what user initiates them.

_{This page is licensed: CC BY-SA / Gnu FDL}

Audit Plugin Status Variables

Monitor the performance and status of the Audit Plugin. View variables that track the number of logged events and current settings to ensure the auditing system is functioning correctly.

There are a few status variables related to the , once it has been . These variables can be displayed using the statement like so:

Status Variables

Below is a list of all status variables related to the Audit Plugin. These cannot be set: These are not to be confused with system variables, which can be set. See for a complete list of status variables that can be viewed with the statement. See also the .

Audit Plugin Versions

Review the version history of the MariaDB Audit Plugin. Check compatibility with different MariaDB Server releases and identify which features or bug fixes are included in each version.

Below is a list of the releases of the MariaDB Audit Plugin, the most recent version first, and in which versions of MariaDB each plugin version was included.

MariaDB Community Audit Plugin Version

Introduced in MariaDB Community Server

1.5.0

1.4.14

, , , ,

1.4.13

, , ,

_{This page is licensed: CC BY-SA / Gnu FDL}

Authentication Plugins

Explore the authentication plugins available in MariaDB, such as ed25519, GSSAPI, and PAM, which provide flexible and secure methods for user verification.

Authentication Plugin - mysql_native_password

The mysql_native_password plugin is the default legacy authentication method, using SHA-1 hashing to verify passwords stored in the internal mysql.user table.

The mysql_native_password authentication plugin is the default authentication plugin that will be used for an account created when no authentication plugin is explicitly mentioned and is set. It uses the password hashing algorithm introduced in MySQL 4.1, which is also used by the function when is set. This hashing algorithm is based on .

It is not recommended to use the mysql_native_password authentication plugin for new installations that require high password security. If someone is able to both listen to the connection protocol and get a copy of the mysql.user table, then the person would be able to use this information to connect to the MariaDB server. The authentication plugin is a more modern authentication plugin that provides simple password authentication using a more secure algorithm.

Authentication Plugin - mysql_old_password

This plugin provides backward compatibility for pre-4.1 clients using an older, insecure password hashing algorithm and should not be used for new installations.

The mysql_old_password authentication plugin is the default authentication plugin that is used for an account created when no authentication plugin is explicitly mentioned and old_passwords=1 is set. It uses the pre-MySQL 4.1 password hashing algorithm, which is also used by the OLD_PASSWORD() function and by the PASSWORD() function when old_passwords=1 is set.

It is not recommended to use the mysql_old_password authentication plugin for new installations. The password hashing algorithm is no longer secure, and the plugin is primarily provided for backward compatibility. The ed25519 authentication plugin is a more modern authentication plugin that provides simple password authentication.

Installing the Plugin

The mysql_old_password authentication plugin is statically linked into the server, so no installation is necessary.

Creating Users

The easiest way to create a user account with the mysql_old_password authentication plugin is to make sure that is set, and create a user account via that does not specify an authentication plugin, but instead specifies a password via the clause:

If does not have NO_AUTO_CREATE_USER set, then you can also create the user via :

You can also create the user account by providing a password hash via the clause, and MariaDB validates whether the password hash is one that is compatible with mysql_old_password:

Similar to all other , you could also specify the name of the plugin in the IDENTIFIED VIA clause, while providing the password hash as the USING clause:

Changing User Passwords

You can change a user account's password with the statement, while providing the plain-text password as an argument to the function:

You can also change the user account's password with the statement. You have to make sure that is set, and you have to specify a password via the clause:

Client Authentication Plugins

For clients that use the libmysqlclient or libraries, MariaDB provides one client authentication plugin that is compatible with the mysql_old_password authentication plugin:

mysql_old_password

When connecting with a to a server as a user account that authenticates with the mysql_old_password authentication plugin. You may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option:

However, the mysql_old_password client authentication plugin is generally statically linked into client libraries like libmysqlclient or , so this is not usually necessary.

`mysql_old_password`

The mysql_old_password client authentication plugin hashes the password before sending it to the server.

Support in Client Libraries

The mysql_old_password authentication plugin is one of the conventional authentication plugins, so all client libraries should support it.

_{This page is licensed: CC BY-SA / Gnu FDL}

Authentication Plugin - PARSEC

PARSEC is a modern, secure authentication plugin that uses salted passwords and elliptic curve cryptography to prevent replay attacks and secure user credentials.

This plugin is available from MariaDB 11.6.

The PARSEC Authentication Plugin is intended to be the default in a future release.

The PARSEC (Password Authentication using Response Signed with Elliptic Curve) authentication plugin uses salted passwords, key derivation, extensible password storage format, and both server- and client-side scrambles.

It signs the response with ed25519, but it uses stock unmodified ed25519

Authentication Plugin - SHA-256

The SHA-256 authentication plugin uses the SHA-256 hashing algorithm for password storage, offering stronger security than the default SHA-1 method.

Background

MySQL 5.6 added support for the authentication plugin, and MySQL 8.0 also added support for the authentication plugin.

The caching_sha2_password plugin is now the default authentication plugin in MySQL 8.0.4 and above, based on the value of the system variable.

Authentication with Pluggable Authentication Modules (PAM)

Learn about authentication with Pluggable Authentication Modules (PAM) in MariaDB Server. This section details how to integrate MariaDB with PAM for centralized and flexible user authentication.

MariaDB Replication & Cluster Plugins

This section covers plugins specifically designed for high availability and clustering, including the wsrep_provider plugin used for Galera Cluster integration.

wsrep_provider

The wsrep_provider plugin exposes Galera Cluster provider options as individual system variables, allowing for easier configuration and validation of cluster settings.

This plugin is for . It splits up the wsrep_provider_options setting into individual configuration variables.

The plugin is available from MariaDB 11.4, and built in to the server, but not enabled by default.

Without that plugin, options are grouped together, like this:

With this plugin loaded, you can configure individual variables, like this:

This makes managing provider options easier, and helps avoid the problem of wsrep_provider_options exceeding the maximum length of 2048 characters for an individual variable.

Other Plugins

Discover additional plugins that extend MariaDB Server functionality, such as the Disks, Feedback, and Query Response Time plugins, for specialized use cases.

inet4

The inet4 plugin provides the INET4 data type, allowing for efficient native storage and manipulation of IPv4 addresses as 4-byte binary strings.

This plugin implements the inet4 data type and functions used by this data type, like conversions.

For plugin version and maturity level, see this page.

This plugin is built in to MariaDB Server. It cannot be disabled.

inet4 is a data type plugin. It can be used in stored procedures as a variable type and as a data type for table columns.

MYSQL_JSON

The MYSQL_JSON plugin provides a JSON data type alias for compatibility, ensuring that tables created with the MySQL JSON type can be read by MariaDB.

The TYPE_MYSQL_JSON plugin is available from .

The JSON type in MySQL stores the JSON object in its own native form, while, in MariaDB, the is a . Opening a table with a JSON type created in MySQL results in an error:

The mysql_json plugin is used to make it easier to upgrade to MariaDB.

mhnsw

The mhnsw plugin implements the Hierarchical Navigable Small World algorithm, enabling high-performance approximate nearest neighbor search for vector data.

This plugin is for internal use only.

This plugin implements the nhnsw vector index algorithm. It is used to create vector indexes.

See Vector Overview for the functionality, and Vector System Variables for what you can configure.

It is built in the server, and is always enabled.

For plugin version and maturity level, see this page.

online_alter_log

The online_alter_log plugin provides logging capabilities for online ALTER TABLE operations, helping administrators monitor and debug schema changes.

This plugin is for internal use only.

This plugin represents the online alter log in a transaction. It is used to commit transactions for tables while an online ALTER TABLE query is running.

It is built in the server, and is always enabled.

See the Online Schema Change page for functionality details.

For plugin version and maturity level, see this page.

Query Cache Information Plugin

This plugin exposes the contents of the query cache via the QUERY_CACHE_INFO table in the Information Schema, aiding in performance analysis.

The QUERY_CACHE_INFO plugin creates the QUERY_CACHE_INFO table in the INFORMATION_SCHEMA database. This table shows all queries in the query cache. Querying this table acquires the query cache lock and will result in lock waits for queries that are using or expiring from the query cache. You must have the PROCESS privilege to query this table.

Installing the Plugin

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing or :

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the or the options. This can be specified as a command-line argument to or it can be specified in a relevant server in an :

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing or :

Example

Options

`query_cache_info`

Description: Controls how the server should treat the plugin when the server starts up.
- Valid values are:
  - OFF - Disables the plugin without removing it from the table.

_{This page is licensed: CC BY-SA / Gnu FDL}

User Variables Plugin

The User Variables plugin adds the USER_VARIABLES table to the Information Schema, allowing users to inspect defined user variables and their values.

The user_variables plugin creates the USER_VARIABLES table in the INFORMATION_SCHEMA database. This table contains information about user-defined variables.

Viewing

User-defined variables can be viewed by either querying the USER_VARIABLES, or by running SHOW USER_VARIABLES.

Flushing User-Defined Variables

User-defined variables are reset and the Information Schema table emptied with the statement.

Examples

Installing the Plugin

In current versions, the user_variables plugin is statically linked into the server by default, so it does not need to be installed.

If it is not installed, however, here are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing or :

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the or the options. This can be specified as a command-line argument to or it can be specified in a relevant server in an :

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing or :

Options

`user_variables`

Description: Controls how the server should treat the plugin when the server starts up.
- Valid values are:
  - OFF - Disables the plugin without removing it from the table.

_{This page is licensed: CC BY-SA / Gnu FDL}

Password Validation Plugins

Password validation plugins, like simple_password_check and cracklib, enforce strong password policies by checking new passwords against defined complexity rules.

password_reuse_check_interval Variable

This system variable defines the retention period in days for the password history used by the Password Reuse Check Plugin to prevent reuse.

The password_reuse_check_interval system variable is available when the password_reuse_check plugin is installed. It determines the retention period for the password history in days. Zero, the default, means that passwords are never discarded.

Command line: --password_reuse_check_interval=#
Scope: Global
Read-only: No
Data Type: numeric
Default Value: 0
Range: 0 to 36500

_{This page is licensed: CC BY-SA / Gnu FDL}

Simple Password Check Plugin

The Simple Password Check Plugin enforces basic password complexity rules, such as minimum length and required numbers of digits, letters, and special characters.

simple_password_check is a plugin. It can check whether a password contains at least a certain number of characters of a specific type. When first installed, a password is required to be at least eight characters, and requires at least one digit, one uppercase character, one lowercase character, and one character that is neither a digit nor a letter.

Note that passwords can be directly set as a hash, bypassing the password validation, if the variable is OFF (it is ON by default).

Configuring PAM Authentication and User Mapping with Unix Authentication

This guide shows how to authenticate database users using local Unix accounts and map Unix groups to MariaDB users with the PAM plugin.

We walk through the configuration of PAM authentication using the pam authentication plugin and user and group mapping with the pam_user_map PAM module. The primary authentication will be handled by the pam_unix PAM module, which performs standard Unix password authentication.

Hypothetical Requirements

In this walkthrough, we are going to assume the following hypothetical requirements:

The Unix user foo should be mapped to the MariaDB user bar. (foo: bar)
Any Unix user in the Unix group dba should be mapped to the MariaDB user dba. (@dba: dba)

Creating Our Unix Users and Groups

Let's go ahead and create the Unix users and groups that we are using for this hypothetical scenario.

First, let's create the foo user and a couple users to go into the dba group. Note that each of these users needs a password.

Next, let's create the dba group and add our two users to it:

We also need to create Unix users with the same name as the bar and dba MariaDB users. See to read more about why. No one will be logging in as these users, so they do not need passwords.

Installing the pam_user_map PAM Module

Next, let's .

Before the module can be compiled from source, we may need to install some dependencies.

On RHEL, CentOS, and other similar Linux distributions that use , we need to install gcc and pam-devel:

On Debian, Ubuntu, and other similar Linux distributions that use , we need to install gcc and libpam0g-dev:

And then we can build and install the library with the following:

Configuring the pam_user_map PAM Module

Next, let's based on our hypothetical requirements.

The configuration file for the pam_user_map PAM module is /etc/security/user_map.conf. Based on our hypothetical requirements, ours would look like:

Installing the PAM Authentication Plugin

Next, let's .

Log into the MariaDB Server and execute the following:

Configuring the PAM Service

Next, let's . We will call our service mariadb, so our PAM service configuration file will be located at /etc/pam.d/mariadb on most systems.

Since we are only doing Unix authentication with the pam_unix PAM module and group mapping with the pam_user_map PAM module, our configuration file would look like this:

Configuring the pam_unix PAM Module

The pam_unix PAM module adds on a lot of systems. We basically have to give the user that runs mysqld access to /etc/shadow.

If the mysql user is running mysqld, then we can do that by executing the following:

The server needs to be restarted for this change to take affect.

Creating MariaDB Users

Next, let's . Remember that our PAM service is called mariadb.

First, let's create the MariaDB user for the user mapping: foo: bar . This means we need to create a bar user:

Next, let's create the MariaDB user for the group mapping: @dba: dba . This means that we need to create a dba user:

Next, to allow for the user and group mapping, we need to that is also able to PROXY as the bar and dba users. Before we can create the proxy user, we might need to :

Finally, let's create the anonymous proxy user:

Testing our Configuration

Next, let's test out our configuration by . We can verify this by logging in as each of our users and comparing the return value of , which is the original user name and the return value of , which is the authenticated user name.

First, let's test our foo user:

We can verify that our foo Unix user was properly mapped to the bar MariaDB user by looking at the return value of CURRENT_USER().

Next, let's test our alice user in the dba group:

Finally, let's test our bob user in the dba group:

We can verify that our alice and bob Unix users in the dba Unix group were properly mapped to the dba MariaDB user by looking at the return values of CURRENT_USER().

_{This page is licensed: CC BY-SA / Gnu FDL}

User and Group Mapping with PAM

The pam_user_map PAM module allows administrators to map external PAM users and groups to specific MariaDB accounts for flexible authorization management.

Overview

Even when using the pam authentication plugin, the authenticating PAM user account still needs to exist in MariaDB, and the account needs to have privileges in the database. Creating these MariaDB accounts and making sure the privileges are correct can be a lot of work. To decrease the amount of work involved, some users would like to be able to map a PAM user to a different MariaDB user. For example, let’s say that alice and bob are both DBAs. It would be nice if each of them could log into MariaDB with their own PAM username and password, while MariaDB sees both of them as the same dba user. That way, there is only one MariaDB account to keep track of.

Although most PAM modules usually do not do things like this, PAM supports the ability to change the user name in the process of authentication.The MariaDB pam authentication plugin fully supports this feature of PAM.

The pam_user_map PAM Module

Rather than building user and group mapping into the pam authentication plugin, MariaDB thought that it would cover the most use cases and offer the most flexibility to offload this functionality to an external PAM module. The pam_user_map PAM module was implemented by MariaDB to facilitate this. This PAM module can be used by the pam authentication plugin, just like other PAM modules.

Lack of Support for MySQL/Percona Group Mapping Syntax

Unlike MariaDB, MySQL and Percona implemented group mapping in their PAM authentication plugins. If you've read through or , you've probably seen syntax where the group mappings are provided in the statement like this:

Since MariaDB's user and group mapping is performed by an external PAM module, MariaDB's pam authentication plugin does not support this syntax. Instead, the user and group mappings for the pam_user_map PAM module are configured in an external configuration file. This is discussed in a later section.

Installing the pam_user_map PAM Module

The pam_user_map PAM module gets installed as part of all our MariaDB server packages.

Some Linux distributions have not picked up this change in their own packages yet. When using such an installation, it may be necessary to compile the PAM module from source as described in the next section, or to manually extract it from one of our server packages and copy it to the target system.

Installing the pam_user_map PAM Module from Source

Installing Compilation Dependencies

Before the module can be compiled from source, you may need to install some dependencies.

On RHEL, CentOS, and other similar Linux distributions that use , you need to install gcc, pam-devel and MariaDB-devel:

On Debian, Ubuntu, and other similar Linux distributions that use , you need to install gcc, libpam0g-dev:

Compiling and Installing the pam_user_map PAM Module

The pam_user_map PAM module can be built by downloading plugin/auth_pam/mapper/pam_user_map.c file from the MariaDB source tree and compiling it after minor adjustments. Once it is built, it can be installed to the system's PAM module directory, which is typically /lib64/security/:

You also need to adjust the major version number in the URL on the first line to match your installed MariaDB version, and the #-I include path argument on the gcc line, as depending on operating system and MariaDB server version, the plugin_auth_common.h file may be installed in a directory other than /usr/include/mysql/ .

Configuring the pam_user_map PAM Module

The pam_user_map PAM module uses the configuration file at the path /etc/security/user_map.conf to determine its user and group mappings. The file's format is described below.

To map a specific PAM user to a specific MariaDB user:

Or to map any PAM user in a specific PAM group to a specific MariaDB user, the group name is prefixed with @:

For example, here is an example /etc/security/user_map.conf:

Configuring PAM

With user and group mapping, configuring PAM is done similar to how it is . However, when configuring the PAM service, you will have to add an auth line for the pam_user_map PAM module to the service's PAM configuration file:

Creating Users

With user and group mapping, creating users is done similar to how it is . However, one major difference is that you will need to the privilege on the mapped user to the original user.

Consider having the following configured in /etc/security/user_map.conf:

Then you could execute the following to grant the relevant privileges:

Note that the ''@'%' account is a special catch-all . Any login by a user that has no more specific account match in the system will be matched by this anonymous account.

Also note that you might not be able to create the ''@'%' anonymous account by default on some systems without doing some extra steps first. See for more information.

Verifying that Mapping is Occurring

In case any user mapping is performed, the original user name is returned by the SQL function , while the authenticated user name is returned by the SQL function . The latter actually defines what privileges are available to a connected user.

Consider having the following configured:

Then the following output would verify that it is working properly:

We can verify that our foo PAM user was properly mapped to the bar MariaDB user by looking at the return value of CURRENT_USER().

Logging

By default, the pam_user_map PAM module does not perform any logging. However, if you want to enable debug logging, then you can add the debug module argument to the service's PAM configuration file:

When debug logging is enabled, the pam_user_map PAM module will write log entries to the as other PAM modules, which is typically /var/log/secure on many systems.

For example, this debug log output can look like the following:

Known Issues

PAM User with Same Name as Mapped MariaDB User Must Exist

With user and group mapping, any PAM user or any PAM user in a given PAM group can be mapped to a specific MariaDB user account. However, due to the way PAM works, a PAM user with the same name as the mapped MariaDB user account must exist.

Consider the configuration file for the PAM service file containing the following:

Consider etc/security/user_map.conf containing the following:

In that case, any PAM user in the PAM group dba are mapped to the MariaDB user account dba. But if a PAM user with the name dba doesn't exist, the pam_user_map PAM module's debug logging writes errors to the syslog, like the following:

In the above log snippet, notice that both the pam_unix and the pam_sss PAM modules are complaining that the dba PAM user does not appear to exist, and that these complaints cause the PAM authentication process to fail, which causes the MariaDB authentication process to fail as well.

This can be fixed by creating a PAM user with the same name as the mapped MariaDB user account, which is dba in this case.

You may also be able to work around this problem by essentially disabling PAM's account verification for the service with the PAM module. For example, in the above case, that would be:

See for more information.

Tutorials

You may find the following PAM and user mapping-related tutorials helpful:

Authentication Plugin - Unix Socket

The unix_socket plugin authenticates users connecting via the local Unix socket file by matching the operating system user ID to the database user account.

The unix_socket authentication plugin is installed by default, and it is used by the 'root'@'localhost' user account by default. See Authentication for more information.

The unix_socket authentication plugin allows the user to use operating system credentials when connecting to MariaDB via the local Unix socket file. This Unix socket file is defined by the socket system variable.

The unix_socket authentication plugin works by calling the getsockopt system call with the SO_PEERCRED socket option, which allows it to retrieve the uid of the process that is connected to the socket. It is then able to get the user name associated with that uid. Once it has the user name, it will authenticate the connecting user as the MariaDB account that has the same user name.

The unix_socket authentication plugin is not suited to multiple Unix users accessing a single MariaDB user account.

Security

A unix_socket authentication plugin is a passwordless security mechanism. Its security lies in the strength of the access to the Unix user, rather than the complexity and the secrecy of the password.

As security differs from password security, the strengths and weaknesses need to be considered, and those can differ depending on the specific installation.

Strengths

Access is limited to the Unix user so, for example, a www-data user cannot access root with the unix_socket authentication plugin.
There is no password which can be cracked by brute force.
There is no password that can be accidentally exposed by user accident, poor security on backups, or poor security on passwords in configuration files.

Weaknesses

The strength of a unix_socket authentication plugin is effectively the strength of the security of the Unix users on the system. In most cases, the Unix user default installation is sufficiently secure. However, the following is a non-exhaustive list of potential Unix user security issues that may arise.

Common access areas without screen locks, where an unauthorized user accesses the logged in Unix user of an authorized user.
Extensive sudo access grants that provide users with access to execute commands of a different Unix user.
Scripts writable by Unix users other than the Unix user that are executed (via cron or directly) by the Unix user.
Web pages that are susceptible to command injection, where the Unix user running the web page has elevated privileges in the database that weren't intended to be used.

In some of these scenarios a database password may prevent these security exploits, however it will remove all the strengths of the unix_socket authentication plugin previously mentioned.

Disabling the Plugin

The unix_socket authentication plugin is installed by default.

If you do not want it to be available by default, you must disable it.

The unix_socket authentication plugin is also installed by default in new installations that use the packages provided by Debian's default repositories and Ubuntu's default repositories. See for more information.

The unix_socket authentication plugin can be disabled by starting the server with the option set to OFF. This can be specified as a command-line argument to or it can be specified in a relevant server in an :

As an alternative, the option can also be set to OFF by pairing the option with the disable :

Installing the Plugin

The unix_socket authentication plugin is installed by default in almost all MariaDB server versions. If you work with a version that doesn't have the plugin installed, you can install it as described in one of the following ways.

Install the plugin without restarting the server. You can install the plugin dynamically, by executing or :

Instruct the server to load the plugin at startup. The plugin can be installed this way by providing the or the options. This can be specified as a command-line argument to or it can be specified in a relevant server in an :

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing or :

If you installed the plugin by providing the or the options in a server in an , those options should be removed to prevent the plugin from being loaded the next time the server is restarted.

Creating Users

To create a user account via , specify the name of the plugin in the clause:

If does not have NO_AUTO_CREATE_USER set, then you can also create the user account via :

The authentication string (if present) is compared with the socket's user name. Authentication proceeds if there's a match. In this case, the system variable contains the OS user.

Consider an OS user named 'bob' that has been created like this:

That user can connect like this:

Alternatively, accessing the sock file directly, the user can connect like this:

Once connected, you can view that user like this:

The plugin only checks whether the OS socket user id matches the MariaDB user name. It ignores the authentication string.

Switching to Password-Based Authentication

If Unix socket authentication does not meet your needs, you can switch a user account back to password-based authentication, by telling MariaDB to use a different for the account. The specific authentication plugin is specified with the clause. To switch to the authentication plugin, you need to do this:

If you use scripts that require passwordless access to MariaDB, this would cause them to break. You may be able to fix that by setting a password in the [client] in your /root/.my.cnf .

Client Authentication Plugins

The unix_socket authentication plugin does not require any specific client authentication plugins. It should work with all clients.

Support in Client Libraries

The unix_socket authentication plugin does not require any special support in client libraries. It should work with all client libraries.

Example

In this example, user serg is already logged into the operating system and has full shell access. The user has already authenticated with the operating system and the MariaDB account is configured to use the unix_socket authentication plugin, so there is no need to authenticate again for the database. MariaDB accepts the operating system credentials and allows the user to connect. However, any attempt to connect to the database as another operating system is denied.

Options

`unix_socket`

Description: Controls how the server should treat the plugin when the server starts up.
- Valid values are:
  - OFF - Disables the plugin without removing it from the table.

Cracklib Password Check Plugin

The Cracklib Password Check Plugin enforces password strength by validating new passwords against the CrackLib library and its dictionary.

cracklib_password_check is a password validation plugin. It uses the CrackLib library to check the strength of new passwords. CrackLib is installed by default in many Linux distributions, since the system's Pluggable Authentication Module (PAM) authentication framework is usually configured to check the strength of new passwords with the pam_cracklib PAM module.

Note that passwords can be directly set as a hash, bypassing the password validation, if the strict_password_validation variable is OFF (it is ON by default).

The plugin requires at least cracklib 2.9.0, so it is not available on Debian/Ubuntu builds before Debian 8 Jessie/Ubuntu 14.04 Trusty, RedHat Enterprise Linux / CentOS 6.

Installing the Plugin's Package

The cracklib_password_check plugin's shared library is included in MariaDB packages as the cracklib_password_check.so or cracklib_password_check.dll shared library on systems where it can be built.

Installing on Linux

The cracklib_password_check plugin is included in systemd on Linux, but not in the older generic and glibc_214 tarballs.

Installing with a Package Manager

The cracklib_password_check plugin can also be installed via a package manager on Linux. In order to do so, your system needs to be configured to install from one of the MariaDB repositories.

You can configure your package manager to install it from MariaDB Corporation's MariaDB Package Repository by using the .

You can also configure your package manager to install it from MariaDB Foundation's MariaDB Repository by using the .

Installing with yum/dnf

On RHEL, CentOS, Fedora, and other similar Linux distributions, it is highly recommended to install the relevant from MariaDB's repository using or . Starting with RHEL 8 and Fedora 22, yum has been replaced by dnf, which is the next major version of yum. However, yum commands still work on many systems that use dnf:

Installing with apt-get

On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to install the relevant from MariaDB's repository using :

Installing with zypper

On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to install the relevant from MariaDB's repository using :

Installing the Plugin

Once the shared library is in place, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing or :

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the or the options. This can be specified as a command-line argument to mariadbd, or it can be specified in a relevant server in an :

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing or :

Viewing CrackLib Errors

If password validation fails, then the original CrackLib error message can be viewed by executing .

Example

When creating a new password, if the criteria are not met, the following error is returned:

Known Issues

SELinux

When using the standard policy with the set to enforcing, mariadbd does not have access to /usr/share/cracklib, and you may see the following error when attempting to use the cracklib_password_check plugin:

And the SELinux audit.log contains errors like these:

This can be fixed by creating an SELinux policy that allows mysqld to load the CrackLib dictionary:

See for more information.

System Variables

`cracklib_password_check_dictionary`

Description: Sets the path to the CrackLib dictionary. If not set, the default CrackLib dictionary path is used. The parameter expects the base name of a cracklib dictionary (a set of three files with endings .hwm, .pwd, .pwi), not a directory path.
Command line: --cracklib-password-check-dictionary=value
Scope: Global

Options

`cracklib_password_check`

Description: Controls how the server should treat the plugin when the server starts up.
- Valid values are:
  - OFF - Disables the plugin without removing it from the table.

Audit Plugin Options and System Variables

Browse the complete reference of system variables for the Audit Plugin. Use these settings to fine-tune logging behavior, control performance impact, and manage log file handling.

Overview

There are a several options and system variables related to the MariaDB Audit Plugin, once it has been installed. System variables can be displayed using the SHOW VARIABLES statement like so:

To change the value of one of these variables, you can use the SET statement, or set them at the command-line when starting MariaDB. It's recommended that you set them in the MariaDB configuration for the server like so:

System Variables

Below is a list of all system variables related to the Audit Plugin. See for a complete list of system variables and instructions on setting them. See also the .

`server_audit_events`

Description: If set, this restricts audit logging to certain event types. If not set, every event type is logged to the audit log.
Command line: --server-audit-events=value
Scope: Global
Dynamic: Yes

`server_audit_excl_users`

Description: If not empty, it contains the list of users whose activity will NOT be logged: SET GLOBAL server_audit_excl_users='user_foo, user_bar'. CONNECT records aren't affected by this variable - they are always logged. The user is still logged if it's specified in .
Command line: --server-audit-excl-users=value
Scope: Global

`server_audit_file_buffer_size`

Description: Size (in bytes) of file buffer to make logging faster. Values > 0 are adjusted in increments of 8192. (For instance, a value of 100 would be adjusted to 8192.)
Command line: --server-audit-file-buffer-size=#

`server_audit_file_path`

Description: When , sets the path and the filename to the log file. If the specified path exists as a directory, then the log will be created inside that directory with the name 'server_audit.log'. Otherwise the value is treated as a filename. The default value is 'server_audit.log', which means this file will be created in the database directory.
Command line: --server-audit-file-path=value
Scope: Global

`server_audit_file_rotate_now`

Description: When , the user can force the log file rotation by setting this variable to ON or 1.
Command line: --server-audit-rotate-now[={0|1}]
Scope: Global
Dynamic: Yes

`server_audit_file_rotate_size`

Description: When , it limits the size of the log file to the given amount of bytes. Reaching that limit turns on the rotation - the current log file is renamed as 'file_path.1'. The empty log file is created as 'file_path' to log into it. The default value is 1000000.
Command line: --server-audit-rotate-size=#
Scope: Global
Dynamic: Yes

`server_audit_file_rotations`

Description: When ', this specifies the number of rotations to save. If set to 0 then the log never rotates. The default value is 9.
Command line: --server-audit-rotations=#
Scope: Global
Dynamic: Yes

`server_audit_incl_users`

Description: If not empty, it contains a comma-delimited list of users whose activity will be logged: SET GLOBAL server_audit_incl_users='user_foo, user_bar'. CONNECT records aren't affected by this variable - they are always logged. This setting has higher priority than . So if the same user is specified both in incl_ and excl_ lists, they will still be logged.
Command line: --server-audit-incl-users=value
Scope: Global

`server_audit_loc_info`

Description: Used by plugin internals. It has no useful meaning to users.
- In earlier versions, users see it as a read-only variable.
- In later versions, it is hidden from the user.
Command line: N/A

`server_audit_logging`

Description: Enables/disables the logging. Expected values are ON/OFF: SET GLOBAL server_audit_logging=on If the server_audit_output_type is FILE, this will actually create/open the logfile so the should be properly specified beforehand. Same about the SYSLOG-related parameters. The logging is turned off by default.
Command line: --server-audit-logging[={0|1}]
Scope: Global

`server_audit_mode`

Description: This variable doesn't have any distinctive meaning for a user. Its value mostly reflects the server version with which the plugin was started and is intended to be used by developers for testing.
Command line: --server-audit-mode[=#]
Scope: Global
Dynamic: Yes

`server_audit_output_type`

Description: Specifies the desired output type. Can be SYSLOG, FILE or null as no output: SET GLOBAL server_audit_output_type=file file: log records will be saved into the rotating log file. The name of the file set by variable. syslog: log records will be sent to the local syslogd daemon with the standard <syslog.h> API. The default value is 'file'.
Command line: --server-audit-output-type=value
Scope: Global

`server_audit_query_log_limit`

Description: Limit on the length of the query string in a record.
Command line: --server-audit-query-log-limit=#
Scope: Global
Dynamic: Yes

`server_audit_sync_log_file`

Description: Flushes the buffer to the log file. While log records are in the buffer, they don't appear in the log file. To write them out from the buffer, issue this statement: SET GLOBAL server_audit_log_file=1
Command line: --server-audit-sync-log-file
Scope: Global

`server_audit_syslog_facility`

Description: SYSLOG-mode variable. It defines the 'facility' of the records that will be sent to the syslog. Later the log can be filtered by this parameter.
Command line: --server-audit-syslog-facility=value
Scope: Global
Dynamic: Yes

`server_audit_syslog_ident`

Description: SYSLOG-mode variable. String value for the 'ident' part of each syslog record. Default value is 'mysql-server_auditing'. New value becomes effective only after restarting the logging.
Command line: --server-audit-syslog-ident=value
Scope: Global
Dynamic: Yes

`server_audit_syslog_info`

Description: SYSLOG-mode variable. The 'info' string to be added to the syslog records. Can be changed any time.
Command line: --server-audit-syslog-info=value
Scope: Global
Dynamic: Yes

`server_audit_syslog_priority`

Description: SYSLOG-mode variable. Defines the priority of the log records for the syslogd.
Command line: --server-audit-syslog-priority=value
Scope: Global
Dynamic: Yes

Notes on System Variables

audit_file_buffer_size and server_audit_sync_log_file

The server audit plugin typically employs synchronous, per-event logging, causing performance bottlenecks. Individual file writes for each log entry can result in significant I/O overhead, especially in large database environments. As of MariaDB 12.1, two new variables were introduced to allow asynchronous logging, and more fine grained control over how audit log writes are handled. Using the server_audit_file_buffer_size setting (buffer size in bytes), you can configure an additional in-memory audit log buffer. When the size of the buffer exceeds the server_audit_file_buffer_size setting, the audit log is written to disk. Additionally, a manual on-demand audit log disk sync can be triggered by setting server_audit_sync_log_file to ON or 1.

Options

`server_audit`

Description: Controls how the server should treat the plugin when the server starts up.
- Valid values are:
  - OFF - Disables the plugin without removing it from the table.

_{This page is licensed: CC BY-SA / Gnu FDL}

Authentication Plugin - GSSAPI

The gssapi authentication plugin enables passwordless single sign-on by authenticating users via the Generic Security Services API, supporting Kerberos on Unix and Windows.

The gssapi authentication plugin allows the user to authenticate with services that use the Generic Security Services Application Program Interface (GSSAPI). Windows has a slightly different but very similar API called Security Support Provider Interface (SSPI). The GSSAPI is a standardized API described in RFC2743 and RFC2744. The client and server negotiate using a standardized protocol described in RFC7546.

On Windows, this authentication plugin supports Kerberos and NTLM authentication. Windows authentication is supported regardless of whether a domain is used in the environment.

On Unix systems, the most dominant GSSAPI service is Kerberos. However, it is less commonly used on Unix systems than it is on Windows. Regardless, this authentication plugin also supports Kerberos authentication on Unix.

The gssapi authentication plugin is most often used for authenticating with Microsoft Active Directory.

This article gives instructions on configuring the gssapi authentication plugin for MariaDB for passwordless login.

Installing the Plugin's Package

Since , on Windows, the plugin is included in the server. There is no need for separate installation.

The gssapi authentication plugin's shared library is included in MariaDB packages as the auth_gssapi.so or auth_gssapi.dll shared library on systems where it can be built.

Installing on Linux

The gssapi authentication plugin is included in on Linux.

Installing with a Package Manager

The gssapi authentication plugin can also be installed via a package manager on Linux. In order to do so, your system needs to be configured to install from one of the MariaDB repositories.

You can configure your package manager to install it from MariaDB Corporation's MariaDB Package Repository by using the .

You can also configure your package manager to install it from MariaDB Foundation's MariaDB Repository by using the .

Installing with yum/dnf

Installing with apt-get

On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to install the relevant from MariaDB's repository using :

Installing with zypper

On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to install the relevant from MariaDB's repository using :

Installing on Windows

Before , the gssapi authentication plugin is included in and packages on Windows.

Installing the Plugin

Since , on Windows, the plugin is included in the server. There is no need for separate installation.

On Windows, and on other operating systems, although the plugin's shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing or :

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the or the options. This can be specified as a command-line argument to or it can be specified in a relevant server in an :

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing or :

If you installed the plugin by providing the or the options in a relevant server in an , then those options must be removed to prevent the plugin from being loaded the next time the server is restarted.

Configuring the Plugin

If the MariaDB server is running on Unix, then some additional configuration steps will need to be implemented in order to use the plugin.

If the MariaDB server is running on Windows, then no special configuration steps will need to be implemented in order to use the plugin, as long as the following is true:

The Windows server is joined to a domain.
The MariaDB server process is running as either a or a .

Creating a Keytab File on Unix

If the MariaDB server is running on Unix, then the KDC server will need to create a keytab file for the MariaDB server. The keytab file contains the service principal name, which is the identity that the MariaDB server will use to communicate with the KDC server. The keytab will need to be transferred to the MariaDB server, and the mysqld server process will need read access to this keytab file.

How this keytab file is generated depends on whether the KDC server is or .

Creating a Keytab File with Microsoft Active Directory

If you are using , you may need to create a keytab using the utility on a Windows host. The service principal will need to be mapped to an existing domain user. To do so, follow the steps listed below.

Be sure to replace the following items in the step below:

Replace ${HOST} with the fully qualified DNS name for the MariaDB server host.
Replace ${DOMAIN} with the Active Directory domain.
Replace ${AD_USER} with the existing domain user.

To create the service principal, execute the following command:

Creating a Keytab File with MIT Kerberos

If you are using , then you can create a file using the utility. To do so, follow the steps listed below.

In the following steps, be sure to replace ${HOST} with the fully qualified DNS name for the MariaDB server host.

First, create the service principal using the utility:

Then, export the newly created user to the keytab file using the utility:

More details can be found at the following links:

Configuring the Path to the Keytab File on Unix

If the MariaDB server is running on Unix, then the path to the keytab file that was previously created can be set by configuring the system variable. This can be specified as a command-line argument to mariadbd, or it can be specified in a relevant server in an :

Configuring the Service Principal Name

The service principal name can be set by configuring the system variable. This can be specified as a command-line argument to mariadbd, or it can be specified in a relevant server in an :

If a service principal name is not provided, the plugin tries to use mariadb/host.domain.com@REALM by default.

If the MariaDB server is running on Unix, the plugin needs a service principal name in order to function.

If the MariaDB server is running on Windows, the plugin does not usually need a service principal in order to function. However, if you want to use one, anyway, it can be created with the setspn utility.

Different KDC implementations may use different canonical forms to identify principals. See to learn what the standard says about principal names.

More details can be found at the following links:

Creating Users

To create a user account via , specify the name of the plugin in the clause:

If does not have NO_AUTO_CREATE_USER set, then you can also create the user account via :

You can also specify the user's for MariaDB with the USING clause:

The format of the realm depends on the specific authentication mechanism that is used. For example, the format would need to be machine\\username for Windows users authenticating with NTLM.

If the realm is not provided in the user account's definition, then the realm is not used for comparison. Therefore, 'usr1@EXAMPLE.COM', 'usr1@EXAMPLE.CO.UK' and 'mymachine\usr1' would all identify as the following user account:

Creating Users Identified Via Group Membership or SID (Windows-specific)

On Windows only, it is possible to login using a AD or local group-membership. This is achieved by using the GROUP prefix in IDENTIFIED ... AS:

The effect of the above definition is that every user that identifies as a member of group Administrators can log in using the user name root without a password.

User can also login using own or group (Security Identifier):

Using SIDs will perform slightly faster than using name (since it will spare translation between SID and name which is otherwise done). SIDs are immune against user or group renaming.

This feature is available from MariaDB 10.11.

On Windows, in addition to the usual authentication with a password, passwordless authentication is permitted when creating the root user during installation. This works in a similar manner to . However, since auth_gssapi, unlike unix_socket, requires client support, to avoid failures when MariaDB is used with third-party drivers, authentication on Windows first attempts password-based native_authentication, and only if it fails, falls back to passwordless auth_gssapi.

Client Authentication Plugins

For clients that use the libmysqlclient or libraries, MariaDB provides one client authentication plugin that is compatible with the gssapi authentication plugin:

auth_gssapi_client

When connecting with a to a server as a user account that authenticates with the gssapi authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option:

`auth_gssapi_client`

The auth_gssapi_client client authentication plugin receives the principal name from the server, and then uses either the function (on Unix) or the function (on Windows) to establish a security context on the client.

Support in Client Libraries

Using the Plugin with MariaDB Connector/C

supports gssapi authentication using the mentioned in the previous section.

Using the Plugin with MariaDB Connector/ODBC

supports gssapi authentication using the mentioned in the previous section.

Using the Plugin with MariaDB Connector/J

supports gssapi authentication. Current documentation can be found .

Using the Plugin with MariaDB Connector/Node.js

does not yet support gssapi authentication. See for more information.

Using the Plugin with MySqlConnector for .NET

supports gssapi authentication.

The support is transparent. Normally, the connector only needs to be provided the correct user name, and no other parameters are required.

However, this connector also supports the connection string parameter, which can be used for mutual authentication.

.NET specific problems/workarounds

When connecting from Unix client to Windows server with ADO.NET, in an Active Directory domain environment, be aware that .NET Core on Unix does not support principal names in UPN(User Principal Name) form, which is default on Windows (e.g machine$@domain.com) . Thus, upon encountering an authentication exception with "server not found in Kerberos database", use one of workarounds below

Force host-based SPN on server side.
- For example, this can be done by setting the system variable to HOST/machine in a server in an .
Pass host-based SPN on client side.

System Variables

`gssapi_keytab_path`

Description: Defines the path to the server's keytab file.
- This system variable is only meaningful on Unix.
- See and for more information.
Command line: --gssapi-keytab-path

`gssapi_principal_name`

Description: Name of the service principal.
- See for more information.
Command line: --gssapi-principal-name
Scope: Global

`gssapi_mech_name`

Description: Name of the SSPI package used by server. Can be either 'Kerberos' or 'Negotiate'. Set it to 'Kerberos', to prevent less secure NTLM in domain environments, but leave it as default (Negotiate) to allow non-domain environments (e.g if server does not run in a domain environment).
- This system variable is only meaningful on Windows.
Command line: --gssapi-mech-name

Options

`gssapi`

Description: Controls how the server should treat the plugin when the server starts up.
- Valid values are:
  - OFF - Disables the plugin without removing it from the table.

_{This page is licensed: CC BY-SA / Gnu FDL}

Pluggable Authentication Overview

Pluggable authentication allows MariaDB to use various authentication methods, enabling external validation, different hashing algorithms, and role-based access control.

When a user attempts to log in, the authentication plugin controls how MariaDB Server determines whether the connection is from a legitimate user.

When creating or altering a user account with the GRANT, CREATE USER or ALTER USER statements, you can specify the authentication plugin you want the user account to use, by providing the IDENTIFIED VIA clause. By default, when you create a user account without specifying an authentication plugin, MariaDB uses the mysql_native_password plugin.

You can specify multiple authentication plugins for each user account.

The root@localhost user created by has the ability to use two authentication plugins:

It is configured to try to use the authentication plugin. This allows the root@localhost user to log in without a password via the local Unix socket file defined by the system variable, as long as the login is attempted from a process owned by the operating system root user account.
If authentication fails with the authentication plugin, it is configured to try to use the authentication plugin. However, an invalid password is initially set, so in order to authenticate this way, a password must be set with .

Supported Authentication Plugins

The authentication process is a conversation between the server and a client. MariaDB implements both server-side and client-side authentication plugins.

Supported Server Authentication Plugins

MariaDB provides seven server-side authentication plugins:

Supported Client Authentication Plugins

MariaDB provides eight client-side authentication plugins:

MariaDB supports the following server options related to authentication plugins:

Server Option

Description

Most support command-line arguments related to client authentication plugins:

Client Option

Description

Developers who are using can implement similar functionality in their application by setting the following options with the function:

MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
MYSQL_PLUGIN_DIR
MYSQL_DEFAULT_AUTH

For example:

supports the following installation options related to authentication plugins:

Installation Option

Description

Extended SQL Syntax

MariaDB has extended the SQL standard , , and statements, so that they support specifying different authentication plugins for specific users. An authentication plugin can be specified with these statements by providing the IDENTIFIED VIA clause. Examples:

The optional USING clause allows users to provide an authentication string to a plugin. The authentication string's format and meaning is completely defined by the plugin.

For example, for the authentication plugin, the authentication string should be a password hash:

Since is the default authentication plugin, the above is just another way of saying the following:

In contrast, for the authentication plugin, the authentication string should refer to a :

A user account can be associated with multiple authentication plugins.

To configure the root@localhost user account to try the authentication plugin, followed by the authentication plugin as a backup, execute the following query:

See for more information.

Authentication Plugins Installed by Default

Server Authentication Plugins Installed by Default

Not all server-side authentication plugins are installed by default. If a specific server-side authentication plugin is not installed by default, then you can find the installation procedure on the documentation page for the specific authentication plugin.

The following server-side authentication plugins are installed by default:

The and authentication plugins authentication plugins are installed by default in all builds.
The authentication plugin is installed by default in all builds on Unix and Linux.
The authentication plugin is installed by default in all builds on Windows.

The following server-side authentication plugins are installed by default:

The and authentication plugins are installed by default in all builds.
The authentication plugin is installed by default in new installations that use the packages provided by Debian's default repositories and Ubuntu's default repositories in Ubuntu. See for more information.
The authentication plugin is installed by default in all builds on Windows.

Client Authentication Plugins Installed by Default

Client-side authentication plugins do not need to be installed in the same way that server-side authentication plugins do. If the client uses either the libmysqlclient or library, then the library automatically loads client-side authentication plugins from the library's plugin directory whenever they are needed.

Most support the --plugin-dir command line argument that can be used to set the path to the library's plugin directory:

Client Option

Description

Developers who are using can implement similar functionality in their application by setting the MYSQL_PLUGIN_DIR option with the function. Example:

If your client encounters errors similar to the following error, you may need to set the path to the library's plugin directory:

If the client does not use either the libmysqlclient or library, then you will have to determine which authentication plugins are supported by the specific client library used by the client.

If the client uses either the libmysqlclient or library, but the client is not bundled with either library's optional client authentication plugins, then you can only use the conventional authentication plugins (like and ) and the non-conventional authentication plugins that don't require special client-side authentication plugins (like and ).

Default Authentication Plugin

Default Server Authentication Plugin

The authentication plugin is currently the default authentication plugin in all versions of MariaDB if the system variable is set to 0, which is the default.

On a system with the system variable set to 0, this means that if you create a user account with either the or statements, and if you do not specify an authentication plugin with theIDENTIFIED VIAclause, then MariaDB will use the [mysql_native_password](authentication-plugin-mysql_native_password.md) authentication plugin for the user account.

Creating a user account like this, it uses the authentication plugin:

The same is true for this user account:

The authentication plugin becomes the default authentication plugin in all versions of MariaDB, if the system variable is explicitly set to 1.

The authentication plugin is not considered secure. It is recommended to avoid using this authentication plugin. To help prevent undesired use of the authentication plugin, the server supports the system variable that configures the server to refuse connections trying to use the authentication plugin.

Most support secure_auth.

Server Option

Description

Developers using can implement similar functionality in their application by setting the MYSQL_SECURE_AUTH option with the function:

Default Client Authentication Plugin

The default client-side authentication plugin depends on these factors:

If a client doesn't explicitly set the default client-side authentication plugin, the client determines which authentication plugin to use, by checking the length of the scramble in the server's handshake packet.
If the server's handshake packet contains a 9-byte scramble, the client defaults to the authentication plugin.
If the server's handshake packet contains a 20-byte scramble, the client defaults to the authentication plugin.

Setting the Default Client Authentication Plugin

Most support the --default-auth command-line argument that sets the default client-side authentication plugin:

Client Option

Description

Developers using can implement similar functionality in applications, by setting the MYSQL_DEFAULT_AUTH option with the function:

If you know that your user account is configured to require a client-side authentication plugin other than or , this helps speed up your connection process when you explicitly set the default client-side authentication plugin.

According to the , the server first sends the handshake packet to the client, then the client replies with a packet containing the user name of the user account that is requesting access. The server handshake packet initially tells the client to use the default server authentication plugin, and the client reply initially tells the server that it will use the default client authentication plugin.

However, the server-side and client-side authentication plugins mentioned in these initial packets may not be the correct ones for this specific user account. The server only knows what authentication plugin to use for this specific user account after reading the user name from the client reply packet and finding the appropriate row for the user account in either the table or the table, depending on the MariaDB version.

If the server finds that either the server-side or client-side default authentication plugin does not match the actual authentication plugin that should be used for the given user account, then the server restarts the authentication on either the server side or the client side.

This means that, if you know what client authentication plugin your user account requires, then you can avoid an unnecessary authentication restart and you can save two packets and two round-trips.between the client and server by configuring your client to use the correct authentication plugin by default.

Available Authentication Plugins

Server Authentication Plugins

`mysql_native_password`

The authentication plugin uses the same password hashing algorithm used by the function when is set. This hashing algorithm is based on .

`mysql_old_password`

The authentication plugin uses the same hashing algorithm used by the function and by the function when is set.

`ed25519`

The authentication plugin uses the to securely store users' passwords and to authenticate users. The algorithm is the same one that is . It is based on the elliptic curve and code created by .

`gssapi`

The authentication plugin allows authenticating with services that use the . Windows has a slightly different but very similar API called .

On Windows, this authentication plugin supports and authentication. Windows authentication is supported regardless of whether a is used in the environment.

On Unix systems, the most dominant GSSAPI service is . However, it is less commonly used on Unix systems than it is on Windows. Regardless, this authentication plugin also supports Kerberos authentication on Unix.

The authentication plugin is most often used for authenticating with .

`pam`

The authentication plugin allows MariaDB to offload user authentication to the system's framework. PAM is an authentication framework used by Linux, FreeBSD, Solaris, and other Unix-like operating systems.

`unix_socket`

The authentication plugin allows the user to use operating system credentials when connecting to MariaDB via the local Unix socket file. This Unix socket file is defined by the system variable.

The authentication plugin works by calling the system call with the SO_PEERCRED socket option, which allows it to retrieve the uid of the process that is connected to the socket. It is then able to get the user name associated with that uid. Once it has the user name, it will authenticate the connecting user as the MariaDB account that has the same user name.

For example:

In this example, a user serg is already logged into the operating system and has full shell access. The user has already authenticated with the operating system and the MariaDB account is configured to use the authentication plugin, so the user does not need to authenticate again for the database. MariaDB accepts the user's operating system credentials and allows connecting. However, any attempt to connect to the database as another operating system user will be denied.

`named_pipe`

The authentication plugin allows the user to use operating system credentials when connecting to MariaDB via named pipe on Windows. Named pipe connections are enabled by the system variable.

The authentication plugin works by using and calling GetUserName() to retrieve the user name of the process that is connected to the named pipe. Once it has the user name, it authenticates the connecting user as the MariaDB account that has the same user name:

Authentication Plugin API

The authentication plugin API is extensively documented in the in the following files:

mysql/plugin_auth.h (server part)
mysql/client_plugin.h (client part)
mysql/plugin_auth_common.h (common parts)

The MariaDB also contains some authentication plugins that are intended explicitly to be examples for developers. They are located in plugin/auth_examples.

The definitions of two example authentication plugins called two_questions and three_attempts can be seen in plugin/auth_examples/dialog_examples.c. These authentication plugins demonstrate how to communicate with the user using the client authentication plugin.

The two_questions authentication plugin asks the user for a password and a confirmation ("Are you sure?").

The three_attempts authentication plugin gives the user three attempts to enter a correct password.

The password for both of these plugins should be specified in the plain text in the USING clause:

Dialog Client Authentication Plugin - Client Library Extension

The client authentication plugin, strictly speaking, is not part of the client-server or authentication plugin API. But it can be loaded into any client application that uses the libmysqlclient or libraries. This authentication plugin provides a way for the application to customize the UI of the dialog function.

In order to use the client authentication plugin to communicate with the user in a customized way, the application will need to implement a function with the following signature:

The function takes the following arguments:

The connection handle.
A question "type", which has one of the following values:
- 1 - Normal question
- 2

The function returns a pointer to a string of characters, as entered by the user. It may be stored in buf or allocated with malloc().

By using this function, a GUI application can open a dialog window, and a network application can send the question over the network, as required. If no mysql_authentication_dialog_ask function is provided by the application, the client authentication plugin falls back to and .

Providing this callback is particularly important on Windows, because Windows GUI applications have no associated console and the default dialog function will not be able to reach the user. An example of Windows GUI client that does it correctly is .

Plugins

Plugin Overview

Querying Plugin Information

Plugin Maturity

See Also

MariaDB Community Audit Plugin

Audit Plugin Overview

Audit Plugin Installation

Locating the Plugin

Installing the Plugin

Uninstalling the Plugin

Prohibiting Uninstallation

Audit Plugin Configuration

Audit Plugin Log Format

Audit Plugin Status Variables

Status Variables

Audit Plugin Versions

Authentication Plugins

Authentication Plugin - mysql_native_password

Authentication Plugin - mysql_old_password

Installing the Plugin

Creating Users

Changing User Passwords

Client Authentication Plugins

mysql_old_password

Support in Client Libraries

Authentication Plugin - PARSEC

Authentication Plugin - SHA-256

Background

Authentication with Pluggable Authentication Modules (PAM)

MariaDB Replication & Cluster Plugins

wsrep_provider

Other Plugins

inet4

MYSQL_JSON

mhnsw

online_alter_log

Query Cache Information Plugin

Installing the Plugin

Uninstalling the Plugin

Example

Options

query_cache_info

User Variables Plugin

Viewing

Flushing User-Defined Variables

Examples

Installing the Plugin

Uninstalling the Plugin

Options

user_variables

Password Validation Plugins

password_reuse_check_interval Variable

Simple Password Check Plugin

Plugins

Authentication Plugins

Other Plugins

Authentication with Pluggable Authentication Modules (PAM)

inet4

Password Validation Plugins

MariaDB Replication & Cluster Plugins

mhnsw

MariaDB Community Audit Plugin

Plugin Overview

Querying Plugin Information

Audit Plugin Overview

Audit Plugin Status Variables

Status Variables

wsrep_provider

MYSQL_JSON

Tutorials

Blog Posts

online_alter_log

Querying Plugin Information with information_schema.PLUGINS

Querying Plugin Information with mysql.plugin

Installing a Plugin

Installing a Plugin Dynamically

Installing a Plugin with INSTALL SONAME

Installing a Plugin with INSTALL PLUGIN

Installing a Plugin with Plugin Load Options

`mysql_old_password`

`query_cache_info`

`user_variables`

Querying Plugin Information with `mysql.plugin`

Installing a Plugin with `INSTALL SONAME`

Installing a Plugin with `INSTALL PLUGIN`

Installing a Plugin with `--plugin-load-add`

Installing a Plugin with `--plugin-load`

`Server_audit_current_log`

`Server_audit_last_error`

`Server_audit_writes_failed`

`mysql_old_password`

`user_variables`

`query_cache_info`

`mysql_native_password`