Authentication Plugin - Named Pipe

MariaDB starting with 10.1.11

The named_pipe authentication plugin was first released in MariaDB 10.1.11.

The named_pipe authentication plugin allows the user to use operating system credentials when connecting to MariaDB via named pipe on Windows. Named pipe connections are enabled by the named_pipe system variable.

The named_pipe authentication plugin works by using named pipe impersonation and calling GetUserName() to retrieve the user name of the process that is connected to the named pipe. Once it has the user name, it authenticates the connecting user as the MariaDB account that has the same user name.

Installing the Plugin

Although the plugin's shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing INSTALL SONAME or INSTALL PLUGIN. For example:

INSTALL SONAME 'auth_named_pipe';

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the --plugin-load or the --plugin-load-add options. This can be specified as a command-line argument to mysqld or it can be specified in a relevant server option group in an option file. For example:

[mariadb]
...
plugin_load_add = auth_named_pipe

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN. For example:

UNINSTALL SONAME 'auth_named_pipe';

If you installed the plugin by providing the --plugin-load or the --plugin-load-add options in a relevant server option group in an option file, then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.

Creating Users

To create a user account via CREATE USER, specify the name of the plugin in the IDENTIFIED VIA clause. For example:

CREATE USER username@hostname IDENTIFIED VIA named_pipe;

If SQL_MODE does not have NO_AUTO_CREATE_USER set, then you can also create the user account via GRANT. For example:

GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA named_pipe;

Client Authentication Plugins

The named_pipe authentication plugin does not require any specific client authentication plugins. It should work with all clients.

Support in Client Libraries

The named_pipe authentication plugin does not require any special support in client libraries. It should work with all client libraries.

Example

CREATE USER wlad IDENTIFIED VIA named_pipe;
CREATE USER monty IDENTIFIED VIA named_pipe;
quit

C:\>echo %USERNAME%
wlad

C:\> mysql --user=wlad --protocol=PIPE
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.12-MariaDB-debug Source distribution

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> quit
Bye

C:\> mysql --user=monty  --protocol=PIPE
ERROR 1698 (28000): Access denied for user 'monty'@'localhost'

In this example, a user wlad is already logged into the system. Because he has identified himself to the operating system, he does not need to do it again for the database MariaDB trusts the operating system credentials. However, he cannot connect to the database as another user.

Versions

VersionStatusIntroduced
1.0StableMariaDB 10.1.11

Options

named_pipe

  • Description: Controls how the server should treat the plugin when the server starts up.
    • Valid values are:
      • OFF - Disables the plugin without removing it from the mysql.plugins table.
      • ON - Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.
      • FORCE - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.
      • FORCE_PLUS_PERMANENT - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
    • See Plugin Overview: Configuring Plugin Activation at Server Startup for more information.
    • There may be ambiguity between this option and the named_pipe system variable. See MDEV-19625 about that.
  • Commandline: --named-pipe=value
  • Data Type: enumerated
  • Default Value: ON
  • Valid Values: OFF, ON, FORCE, FORCE_PLUS_PERMANENT
  • Introduced: MariaDB 10.1.11

Comments

Comments loading...