Comments - Is chaining UPNs via "authentication_options" when using the GSSAPI Plugin considered safe?

3 years, 11 months ago Sergei Golubchik

Yes, authentication information and privileges are stored in mysql.global_priv, while mysql.user is supposed to provide a backward-compatible representation of the authentication info for older applications. It can correctly represent authentication info in the backward-compatible way only when the account uses backward-compatible authentication.

The magic happens in sql_acl.cc indeed, in the function acl_authenticate():

    for (mpvio.curr_auth= mpvio.status != MPVIO_EXT::RESTART;
         res != CR_OK && mpvio.curr_auth < acl_user->nauth;
         mpvio.curr_auth++)
    {
      thd->clear_error();
      mpvio.status= MPVIO_EXT::RESTART;
      res= do_auth_once(thd, &acl_user->auth[mpvio.curr_auth].plugin, &mpvio);
    }

that is, the server tries all specified authentications until one of them succeeds or the list runs out.

 
3 years, 11 months ago jo_ku_ Kunde

Hi Sergei,

thank you very much for the confirmation. The code fragment is spot on.

Best regards,

Johannes
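
An added example, not part of the thread above: because any one entry in the chain is enough to log in as the account, it helps to be able to list which accounts carry alternatives, and mysql.user cannot show them. The account name and principals are constructed, and the `auth_or` key is an assumption about how the chain is stored in the `Priv` JSON; confirm it against `SHOW CREATE USER` on your server version.

```sql
-- Constructed account and principals; requires the gssapi plugin to be installed.
-- Either principal authenticates as the same database account with the same privileges.
CREATE USER 'reporting'@'%'
  IDENTIFIED VIA gssapi USING 'alice@EXAMPLE.COM'
              OR gssapi USING 'bob@EXAMPLE.COM';

-- Shows the whole chain as the server stored it.
SHOW CREATE USER 'reporting'@'%';

-- Audit: accounts that have more than one way to authenticate.
-- Assumption: the alternatives are kept under the "auth_or" key of Priv.
SELECT User,
       Host,
       JSON_VALUE(Priv, '$.plugin')    AS top_level_plugin,
       JSON_LENGTH(Priv, '$.auth_or')  AS auth_or_entries,
       JSON_EXTRACT(Priv, '$.auth_or') AS auth_or
FROM mysql.global_priv
WHERE JSON_EXISTS(Priv, '$.auth_or')
ORDER BY User, Host;
```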

 