Is chaining UPNs via "authentication_options" when using the GSSAPI Plugin considered safe?

Dear MariaDB-Community,

I've a question concerning the GSSAPI plugin an its usage.

I must begin with a little background information. Currently, I've a MySQL-Server v5.7.28 in the enterprise edition in use, which is subject to license. The only reason why I use the enterprise edition, is because I've various applications authenticating via the Windows Native Authentication Plugin [1] negotiating incoming request via Kerberos. The server is joined in an Active Directory domain and therefore I negotiate user against AD-groups by creating MySQL users as follows:

CREATE USER 'MY_USER'@'%' IDENTIFIED WITH authentication_windows AS 'MY_DOMAIN\MY_GROUP';

Now i figured out, that MariaDB comes shipped with a GSSAPI plugin (FOSS). I tried to get the MySQL setup I outlined above transferred to a MariaDB server and noticed that things run slightly different here. Creating users, which are identified by an AD-group is not possible with MariaDB in the very same way. However, with a look at the documentation I found out, that one can chain User Principal Names via "authentication_options" when creating new users [2]. The create user statement than looks as follows:

CREATE USER MY_USER@'%' IDENTIFIED VIA gssapi USING 'username_1@MY_DOMAIN' OR gssapi USING 'username_2@MY_DOMAIN' OR gssapi USING 'username_3@MY_DOMAIN'; (and so on, you got the idea)

We are talking about roughly 50 users, that should be authenticated following this pattern.

My question now is, has anybody experience with this setup in a production environment? Is it considered "bulletproof"? When I query the column "authentication_string" of the newly created user in the MariaDB user table, I only get the last option returned (in the example above this would be "username_3@MY_DOMAIN"). I actually don't know where the information to the other users is stored. Since the auth string is read from here [3], I see no loop which matches a UPN against multiple auth strings here [4]. What do I miss? The GSSAPI based authentication however, works with all users (username_1, username_2 and username_3), when creating a user like this. I assume that the magic happens in ./sql/sql_acl.cc, but I am having trouble to follow the flow because I don't know the code.

Every input is very welcome - thank you in advance.

Best regards Johannes

[1] https://dev.mysql.com/doc/refman/8.0/en/windows-pluggable-authentication.html [2] https://mariadb.com/kb/en/create-user/ [3] https://github.com/MariaDB/server/blob/10.6/plugin/auth_gssapi/gssapi_server.cc#L188-L192 [4] https://github.com/MariaDB/server/blob/10.6/plugin/auth_gssapi/gssapi_server.cc#L247-L250

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.