PlanetMysql.ru — информация о СУБД MySQL

Starting with MySQL 5.5.16 it is possible to setup a password-less connections from clients into MySQL server using Windows SSPI authentication framework. This functionality is provided by Windows Native Authentication (WNA) plugin distributed with the commercial version of 5.5.16 server. The client-side support for WNA authentication is built into the client library (libmysql) distributed with the community version of 5.5.16 server and requires no additional configuration. Clients which link to 5.5.16 or higher version of libmysql will be able to connect to MySQL accounts using WNA authentication out-of-the box.

For password-less connections to work, server's administrator must install the WNA plugin in the server and create user accounts which use this plugin for authentication. It is also possible to allow connections to existing MySQL accounts via a proxy WNA account. With this setup Windows clients can password-less connect to the proxy account, and then proxy configuration selects the final MySQL account based on client's Windows credentials (user name or group membership). Detailed instructions on how to install the WNA plugin and setup and configure WNA accounts are given in the documentation.

Internally, WNA plugin usses Windows SSPI API to create a shared security context between client and server, which allows server to read client's credentials. For this to work, obviously both client and server must run on a Windows machine. Additionally, both computers must be registered inside a Windows domain (in which case Windows internally uses Kerberos authentication). If this is not the case then password-less connections are still possible but only from the same computer on which server is running (in which case NTLM authentication is used).

Note that whether native Windows authentication is used or not entirely depends on the MySQL account to which a client tries to connect. If that account is configured by DBA to authenticate using WNA plugin, then this is the only option for that account - a client can connect to it only if the client supports WNA and is run by an authorized Windows user. It can not fall-back to the standard MySQL password authentication, as well as it can not request native Windows authentication when connecting to a non WNA account.

At the moment, client support for WNA plugin is implemented mainly in the libmysql client library which is shipped with MySQL 5.5.16 (the community version). This support is built into the library and does not require any additional configuration. If your client uses this version of libmysql for connecting to the server it should be able to connect to WNA accounts.

Note that if the client is using a connector library like Connector/C++ and that library links to libmysql dynamically, then configuring the dynamic linker to use version 5.5.16 or later of libmysql will enable WNA support in your client application. If, however, the client uses libmysql based connector which is statically linked to an older version of the library (as is the case with Connector/ODBC), then it will not work with WNA plugin.

Some connectors do not use libmysql but have their own implementation of the MySQL client-server protocol (for example Connector/Java). These connectors will require changes in their implementation of the protocol to support WNA plugin.

Here is a table summarizing which of MySQL connector products support WNA plugin at the moment:

---

Libmysql	5.5.16	yes
Connector/NET	6.4.4	yes
Connector/C++	1.1.0	yes	if dynamically linked with libmysql 5.5.16+
Connector/ODBC	3.51.29 & 5.1.9	yes
Connector/Java	5.1.18	no	will not happen very soon
Connector/PHP	5.3	no	no plans to support WNA in PHP

---

PlanetMySQL Voting: Vote UP / Vote DOWN

You probably remember the world of new possibilities introduced to MySQL 5.5. If you do, you probably would agree that no API is useful by itself.

This is why you need authentication plugins that fit the largest possible number of authentication setups.

I can only guess what these authentication solutions look like for your server. But chances are that your OS has a pretty good idea on how best to authenticate users in it. This is why we've decided to hook MySQL to the two most widely used OS authentication APIs : Pluggable Authentication Modules (a.k.a PAM) and the Windows Security Support Provider Interface

Let's see first how PAM works.

We'll first consider the simple scenario where each OS user holds a corresponding user account in MySQL's mysql.user table. Sounds pretty easy to setup ? Right : you just need to remember to create a MySQL user for each of the people that have access to the computer and grant them some access.

There's one inconvenience though : you'll need to maintain the correspondence between the MySQL user and the OS user. Ask the user to update his mysql password in addition to his OS password, remember to disable access in both mysql and the OS etc.

This is where the PAM authentication plugin in its simplest form can help you: if properly configured it will ask the OS if this user can login each time a user tries to login to the MySQL server. All you need to do is create your MySQL users in such a way that they use the PAM plugin to login.
Note that externally authenticated MySQL users don't need a password stored into the mysql.user table, as they are relying on the PAM library to check the login credentials. Good ! One less password to worry about and maintain.

So how do I set things up ?
First I need to check if I have the PAM library set up on my box. Usually PAM keeps its configuration in /etc/pam.d. Looking in my macbook's /etc/pam.d I see a number of configuration paths

mbpro:~$ ls -la /etc/pam.d/
total 0
drwxr-xr-x   17 root  wheel   578 Aug 29 20:46 ./
drwxr-xr-x  103 root  wheel  3502 Sep 12 19:22 ../
-rw-r--r--    1 root  wheel   264 Aug 29 20:42 authorization
-rw-r--r--    1 root  wheel   174 Aug 29 20:46 checkpw
-r--r--r--    1 root  wheel   200 Aug 29 20:46 chkpasswd
-r--r--r--    1 root  wheel   203 Aug 29 20:46 cups
-rw-r--r--    1 root  wheel   204 Aug 29 20:46 ftpd
-r--r--r--    1 root  wheel   587 Aug 29 20:46 login
-r--r--r--    1 root  wheel   152 Aug 29 20:46 login.term
-r--r--r--    1 root  wheel   191 Aug 29 20:42 other
-r--r--r--    1 root  wheel   197 Aug 29 20:46 passwd
-r--r--r--    1 root  wheel   211 Aug 29 20:46 rshd
-rw-r--r--    1 root  wheel   408 Aug 29 20:46 screensaver
-rw-r--r--    1 root  wheel   140 Aug 29 20:46 smbd
-r--r--r--    1 root  wheel   602 Aug 29 20:42 sshd
-r--r--r--    1 root  wheel   356 Aug 29 20:46 su
-r--r--r--    1 root  wheel   203 Aug 29 20:46 sudo

Good, looks like the PAM library is already configured and under heavy use. Now all I need is to pick the right PAM path for my MySQL server. login sounds good. Let's see what's in it :

mbpro:~$ cat /etc/pam.d/login
# login: auth account password session
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       sufficient     pam_serialnumber.so try_first_pass serverinstall
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
mbpro:~$

I will not go into the details of all this, but will just highlight pam_opendirectory.so. This means that this PAM config will use Apple's OpenDirectory to verify logins. Nice ! But there's a number of bookkeeping modules that I don't really need for MySQL : e.g. pam_launchd.so.

I need something simpler. Hmm, let's try some of the existing daemons. Let's check cups.

$ cat /etc/pam.d/cups 
# cups: auth account password session
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

Good ! pam_opendirectory.so still there, there's auth and it's really short and sweet. This should do just fine. I could have created my own pam configuration file. And if I call it mysql the PAM plugin will pick it up without me needing to specify an authentication string. But I'll stick to what I have already.

Let's start the MySQL server and make sure the PAM plugin is available and installed.

mysql> select plugin_status from information_schema.plugins where plugin_name='authentication_pam';
--------------
select plugin_status from information_schema.plugins where plugin_name='authentication_pam'
--------------

+---------------+
| plugin_status |
+---------------+
| ACTIVE        |
+---------------+
1 row in set (0.04 sec)

Now I can experiment. I need to create a MySQL user for my gkodinov OS account

mysql> create user gkodinov identified with 'authentication_pam' as 'cups';
--------------
create user gkodinov identified with 'authentication_pam' as 'cups'
--------------

Query OK, 0 rows affected (0.00 sec)

One can never check too much, so let's see how is the user defined in the mysql.user table

mysql> select Password,plugin from mysql.user where user = 'gkodinov';
--------------
select Password,plugin from mysql.user where user = 'gkodinov'
--------------

+----------+--------------------+
| Password | plugin             |
+----------+--------------------+
|          | authentication_pam |
+----------+--------------------+
1 row in set (0.00 sec)

Goody ! No password to maintain and worry about.

I can now try logging in. Note that I'm not supplying my password as an argument on the command line : it's insecure. It's better to enter it on the prompt.

 ../client/mysql -u gkodinov -p test
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.5.16-debug-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user(),current_user();
+--------------------+----------------+
| user()             | current_user() |
+--------------------+----------------+
| gkodinov@localhost | gkodinov@%     |
+--------------------+----------------+
1 row in set (0.00 sec)

Wow ! I'm in. Let's see what happens if I mistype my password.

 ../client/mysql -u gkodinov -p test
Enter password: 
ERROR 1045 (28000): Access denied for user 'gkodinov'@'localhost' (using password: YES)

Nothing unexpected. But there's nothing in the logs either (depending of course on you logging setup. On Linux you'd get a note in the secure syslog saying that the login failed). This can be quite annoying, specially if you're setting up PAM. So what can I do to diagnose PAM related problems ? I can start the server in a special debugging mode by setting the AUTHENTICATION_PAM_LOG environment variable to 1 before starting my server. Use it with caution : it prints a lot of data on the server's standard error. Thus it's not suitable for production use. You better set up your PAM modules or your external credentials storage to log authentication errors.

Among other things the debug log prints is the PAM error returned by the pam_authenticate() function. So for my failed attempt above I'd get:

...
auth_pam_server:password haha received
...
auth_pam_server:pam_authenticate rc=9
auth_pam_server: rc=9
PAM error: authentication error
...

9 is PAM_AUTH_ERR.

The above debugging log exposes one more possible problem that users should be aware of : When using PAM authentication the passwords are transferred from the client to the server in clear text. This may be dangerous if you're doing it over a network link that others can listen to. Unfortunately this is about the only way PAM can work : the library requires the password in clear text. So plan carefully and use SSL encryption of the client connection where needed !

Now that we seen how the PAM plugin can be used in simple scenarios it's time to think about more complex ones.

If you have more than a handful of users creating all these MySQL accounts for each such user can quickly become a problem. Each time you e.g. add somebody to your corporate directory you'll need to go to each and every MySQL server instance and add it as an externally authenticated MySQL user. And what's worse : grant him the privileges that he needs.

Luckily in such environments large groups of users share the same set of privileges : e.g. all DBAs have access to all the data in a MySQL server instance, all accountants have access to the tables holding the accounting data etc. While designing your application you have a pretty good idea what these typical privilege sets are. And you probably even have "template" users of different kinds : e.g. "accountant" with all the rights necessary to do his job. Or "dba" with a larger set of privileges etc. And those are pretty static user definitions. They change only when your application logic changes.

How cool would it be to only have these template users defined in each MySQL server and somehow map incoming logins to them ? And keep all logins and the mapping to the template users definable at OS level ? Of course the MySQL DBAs still need to be able to control the mapping. But other than this it's a good idea to let the OS user definitions be the only place where you need to add a new user account when you e.g. hire somebody.

The PAM plugin can answer this call. But since the PAM library API is so basic the PAM plugin needs to do the user mapping somehow otherwise.

In Unix the most obvious way of handling groups of users is through OS groups. Each user can belong to several such groups. E.g. on my Mac I have:

$ groups
staff com.apple.sharepoint.group.2 com.apple.access_screensharing everyone 
_appstore localaccounts _appserverusr admin _appserveradm _lpadmin _lpoperator 
_developer com.apple.sharepoint.group.1

This means my user id belongs to all the above groups. The information about the group membership is available to programs through the group information functions of the C standard library.

We have two questions to answer:

• How can we make the standard C library group information functions talk to an external directory (e.g. LDAP or OpenDirectory) ?
• How can we use OS groups to map OS logins to MySQL "template" user accounts that have the rights granted to them ?

The answer on the group mapping functions question is pretty standard. E.g. On linux you'll need to tweak your /etc/nsswitch.conf to allow groups to be stored and retrieved from a remote repository. In this way standard C library function like e.g. getgrnam() can connect to a remote repository and retrieve group and user information from it.

On my Mac I don't actually need to do anything : the C library functions just talk to OpenDirectory. And I can use the standard Mac admin tools to assign groups to my users.

This is why I will assume that the group mapping C standard library functions work in conjunction with the user verification PAM profile used and will concentrate on doing the mapping of OS groups to MySQL template users using the PAM plugin.

The second question has an easy answer too : the PAM plugin supports proxy users. So we can map the incoming logins using a default proxy user. To achieve this we use the full PAM authentication string syntax :

<pam service name>,<os_group_name>=<mysql user name>, 
    <os_group_name>=<mysql user name>, ...

I assume my MySQL application has 2 "template" users : reader and writer. I will be mapping these to the everyone and admin OS groups. I do this by thoughtfully creating my MySQL default proxy user (as root) :

mysql> create user reader identified with 'authentication_pam' as 'cups';
--------------
create user reader identified with 'authentication_pam' as 'cups'
--------------

Query OK, 0 rows affected (0.00 sec)

mysql> create user writer identified with 'authentication_pam' as 'cups';
--------------
create user writer identified with 'authentication_pam' as 'cups'
--------------

Query OK, 0 rows affected (0.00 sec)

mysql> create user ''@'' identified with 'authentication_pam' 
   as 'cups,admin=writer,everyone=reader';
--------------
create user ''@'' identified with 'authentication_pam' 
  as 'cups,admin=writer,everyone=reader'
--------------

Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on reader to ''@'';
--------------
grant proxy on reader to ''@''
--------------

Query OK, 0 rows affected (0.01 sec)

mysql> grant proxy on writer to ''@'';
--------------
grant proxy on writer to ''@''
--------------

Query OK, 0 rows affected (0.00 sec)

Now when I login with my user account (gkodinov) I get :

mysql> select user(), current_user(), @@proxy_user;
+--------------------+----------------+--------------+
| user()             | current_user() | @@proxy_user |
+--------------------+----------------+--------------+
| gkodinov@localhost | writer@%       | ''@''        |
+--------------------+----------------+--------------+
1 row in set (0.00 sec)

What does this mean ? I've logged in as gkodinov@localhost (as returned by user()). My effective user id (who's privileges set will I be enjoying during my session) is 'writer@%' (as returned by current_user()). And I was able to achieve this using the ''@'' proxy user. Note that the order in the authentication string is important : I've purposely specified the writer mapping before reader's. I did this because I assume that if a user is a member of both OS groups (as gkodinov is) I prefer it to map to the writer group.

Note also that I've defined my reader and writer users as authenticated through PAM. This is to cover "direct" login attempts for login ids reader and writer. In this case the initial MySQL user lookup will find the more specific names (reader and writer) instead of the catch-all user. But this will not matter, as both the template MySQL users and my proxy user are defined as authenticated using the PAM plugin, so the same PAM plugin will be used, this time without a proxy user.

As usual you can find more about the PAM plugin in its excellent online documentation.

Now let's see how Windows Authentication Plugin works

The plugin name is authentication_windows. Unlike the PAM plugin it is not forced to use the clear text password. The Windows API allows programs to use single sign on. Once the user is authenticated with the Windows OS any program can take a "ticket" and verify that this ticket was produced by a specific OS user. As a result the Windows authentication plugin doesn't even require the client to send a password. At connect time it will securely find out what OS user was used to run the MySQL client. In fact you don't even need a user name as well. If you don't supply a user name some clients will use a predefined user name ("auth_windows") and let the server windows authentication plugin to retrieve the OS user name and do the mapping to an SQL user based on it. As a result you also don't need to touch on ''@'' as you do with PAM.

You can find more detailed example on using the Windows authentication plugin in its documentation (in the Using the Windows Authentication Plugin section).

PlanetMySQL Voting: Vote UP / Vote DOWN

Three ways to recover a root user password:

The order of solutions here under gets more creative on the way down :)

1. obviously, before starting messing around check my.cnf or scripts for passwords entries, then try home directories for password files
2. secondly – can you restart mysql? if yes, restart with –skip-grant-tables, log into mysql, change your password and restart without –skip-grant-tables
3. third option – (on linux / unix ONLY)
If you haven’t found the password anywhere and can’t afford to restart your mysql.

cd data/mysql
cp -rp user.MYD bck_user.MYD_`date +%Y%m%d`
cp -rp user.MYD /tmp/user.MYD
vi /tmp/user.MYD #(edit the hashed passwords next to root*)
cp -rp /tmp/user.MYD user.MYD
sudo kill -HUP `pidof mysqld`

Note that the latter method of recovering a root password CAN be easily used maliciously leaving no trace! The only way to avoid such an attack is to make the data directory ONLY readable and writable by the user used to start/stop mysql (don’t user *nix root user to own mysql since that opens another can of worms … it’s a whole other blog post).

PlanetMySQL Voting: Vote UP / Vote DOWN

MySQL 5.5 is currently in the Release Candidate phase and making good
progress on the way to being a Generally Available release. There
are many new features that will improve performance, make service
more robust, and generally make life better for DBAs. But since
5.5.7 was released for evaluation in October, there has not been a
lot of attention given to the changes in authentication.

To greatly simplify, MySQL has a table with a list of users and a
list of hosts from which those users are allowed access. So user
'jones' and the host they connect from are checked to make sure they
are allowed access. If they match, they can access the instance.

As of 5.5.7, MySQL authentication now supports pluggable
authentication and proxies. So now you can use PAM, Windows native
authentication, LDAP, or something similar to control user accounts.
Or use proxies for group of users. For example user 'smith' is in the
'programmer' group in the LDAP directory. But there is no entry in
the MySQL.user table for that user. The server will now use the
pluggable authentication to reference an outside authentication
service to determine the group. The connection will be established
with the USER() set to 'smith@host' and CURRENT_USER() set to
'programmer@%'. Please refer to
http://dev.mysql.com/doc/refman/5.5/en/proxy-users.html for details.
PlanetMySQL Voting: Vote UP / Vote DOWN

I just saw that MySQL 5.5.7 RC had been released, and reading the releasenotes made me more than a fair bit suspicious. In some kind of general agreement on what constitutes a "beta" release, this is when the software has reached a level of maturity when no more major features are to be introduced. MySQL (and many others) has broken that rule at times, and the rule is not enforced or something.

What constitutes an RC release though, in my mind, but I really want to know what you think, is software that is really 100% feature complete. There may be, but hopefully there aren't, even any major bugs to iron out. In short, it is "A Candidate to Release", and as close to GA as you can get. I have not seen this rule broken much, really.

With MySQL 5.5.7, this is an rc, as was the previous release, 5.5.6, and this time there is a really major feature introduced between these two release, pluggable authentication. And before I go on, let me stress that this feature per se is not what I am questioning here, quite the opposite, this is a very useful feature.

What I am questioning though is:

• Why is MySQL introducing new major features in an RC release, even in between 2 RC releases? This means, if I am not mistaken, that this very important feature (authentication deal with security, mind you), that it might go live (the C is for Candiate) without having been beta tested?
• What made MySQL 5.5.6 a Release Candidate? What I mean here is that if we assume that this major new features was conceived, written and performed in just a few weeks between 5.5.6 and 5.5.7, MySQL knew that 5.5.6 wasn't feature complete, and hence in no way a release candidate (C is for Candidate, if you had forgotten that little fact).
• Why does MySQL insist on having major important changes to the security setup be tested the least in the server before GA? Fact is, what MySQL is telling us here is that there may not be any testing at all (as 5.7.7 is RC (where C is for Candidate) which means is could possibly be GA.
  

My conclusion is that MySQL 5.5 is not to be treated as GA (is MySQL even considering a GA release as feature complete, or are they about to introduce more features again in that line of releases) just not yet. Which is a problem for me personally I I just recommended us to go with 5.5.6, hey, it's RC (you know what the C in RC is for now, right?), and that it would be as close to solid for production use as you can get.

To be clear, I will stick with 5.5.6 for now. Not 5.7.7 or even 5.5 GA for a while, until I have tested that pluggable authentication is secure and solid for production use. I really want 5.5, and I am not alone, so I do not understand why MySQL had to screw around with this. I do understand why pluggable authentication should go into MySQL, for sure, but not in 5.5 or at least not in the midst of a RC cycle.

/Karlsson
Who is not saying he will now change to Postgres. Nope, I will not not act stupid. And watch me run with 5.5.6 for a while yet, I will not be alpha testing MySQL security in a live production site, no way, José.
PlanetMySQL Voting: Vote UP / Vote DOWN

I just saw that MySQL 5.5.7 RC had been released, and reading the releasenotes made me more than a fair bit suspicious. In some kind of general agreement on what constitutes a "beta" release, this is when the software has reached a level of maturity when no more major features are to be introduced. MySQL (and many others) has broken that rule at times, and the rule is not enforced or something.

What constitutes an RC release though, in my mind, but I really want to know what you think, is software that is really 100% feature complete. There may be, but hopefully there aren't, even any major bugs to iron out. In short, it is "A Candidate to Release", and as close to GA as you can get. I have not seen this rule broken much, really.

With MySQL 5.5.7, this is an rc, as was the previous release, 5.5.6, and this time there is a really major feature introduced between these two release, pluggable authentication. And before I go on, let me stress that this feature per se is not what I am questioning here, quite the opposite, this is a very useful feature.

What I am questioning though is:

• Why is MySQL introducing new major features in an RC release, even in between 2 RC releases? This means, if I am not mistaken, that this very important feature (authentication deal with security, mind you), that it might go live (the C is for Candiate) without having been beta tested?
• What made MySQL 5.5.6 a Release Candidate? What I mean here is that if we assume that this major new features was conceived, written and performed in just a few weeks between 5.5.6 and 5.5.7, MySQL knew that 5.5.6 wasn't feature complete, and hence in no way a release candidate (C is for Candidate, if you had forgotten that little fact).
• Why does MySQL insist on having major important changes to the security setup be tested the least in the server before GA? Fact is, what MySQL is telling us here is that there may not be any testing at all (as 5.7.7 is RC (where C is for Candidate) which means is could possibly be GA.
  

My conclusion is that MySQL 5.5 is not to be treated as GA (is MySQL even considering a GA release as feature complete, or are they about to introduce more features again in that line of releases) just not yet. Which is a problem for me personally I I just recommended us to go with 5.5.6, hey, it's RC (you know what the C in RC is for now, right?), and that it would be as close to solid for production use as you can get.

To be clear, I will stick with 5.5.6 for now. Not 5.7.7 or even 5.5 GA for a while, until I have tested that pluggable authentication is secure and solid for production use. I really want 5.5, and I am not alone, so I do not understand why MySQL had to screw around with this. I do understand why pluggable authentication should go into MySQL, for sure, but not in 5.5 or at least not in the midst of a RC cycle.

/Karlsson
Who is not saying he will now change to Postgres. Nope, I will not not act stupid. And watch me run with 5.5.6 for a while yet, I will not be alpha testing MySQL security in a live production site, no way, José.
PlanetMySQL Voting: Vote UP / Vote DOWN

A key differentiator in Drizzle from it’s original MySQL roots is user based authentication. Gone is the host/user and schema/table/column model that was stored in the MyISAM based mysql.user table.

Authentication is now completely pluggable, leveraging existing systems such as PAM, LDAP via PAM and Http authentication.

In this post I’ll talk about HTTP authentication which requires an external http server to implement successfully. You can look at Part 1 for PAM authentication.

Compiling for http auth support

By default during compilation you may find.

checking for libcurl... no
configure: WARNING: libcurl development lib not found: not building auth_http plugin. On Debian this is found in libcurl4-gnutls-dev. On RedHat it's in libcurl-devel.

In my case I needed:

$ sudo yum install curl-devel

NOTE: Bug #527255 talks about issues of the message being incorrect for libcurl-devel however this appears it may be valid in Fedora Installs

After successfully installing the necessary pre-requisite you should see.

checking for libcurl... yes
checking how to link with libcurl... -lcurl
checking if libcurl has CURLOPT_USERNAME... no

HTTP Authentication

We need to enable the plugin at server startup.

$ sbin/drizzled --mysql-protocol-port=3399 --plugin_add=auth_http &

You need to ensure the auth_http plugin is active by checking the data dictionary plugin table.

drizzle> select * from data_dictionary.plugins where plugin_name='auth_http';
+-------------+----------------+-----------+-------------+
| PLUGIN_NAME | PLUGIN_TYPE    | IS_ACTIVE | MODULE_NAME |
+-------------+----------------+-----------+-------------+
| auth_http   | Authentication | TRUE      |             |
+-------------+----------------+-----------+-------------+

The auth_http plugin also has the following system variables.

drizzle> SHOW GLOBAL VARIABLES LIKE '%http%';
+------------------+-------------------+
| Variable_name    | Value             |
+------------------+-------------------+
| auth_http_enable | OFF               |
| auth_http_url    | http://localhost/ |
+------------------+-------------------+
2 rows in set (0 sec)

In order to configure Http authentication, you need to have the following settings added to your drizzled.cnf file. For example:

$ cat etc/drizzled.cnf
[drizzled]
auth_http_enable=TRUE
auth_http_url=http://thedrizzler.com/auth

NOTE: Replace the domain name with something you have, even localhost.

A Drizzle restart gives us

$ bin/drizzle -e "SHOW GLOBAL VARIABLES LIKE 'auth_http%'"
+------------------+-----------------------------+
| Variable_name    | Value                       |
+------------------+-----------------------------+
| auth_http_enable | ON                          |
| auth_http_url    | http://thedrizzler.com/auth |
+------------------+-----------------------------+

By default, currently if the settings result in an invalid url, then account validation does not fail and you can still login. It is recommended that you always configure pam authentication as well as a fall back.

$ wget -O tmp http://thedrizzler.com/auth
--17:32:32--  http://thedrizzler.com/auth
Resolving thedrizzler.com... 208.43.73.220
Connecting to thedrizzler.com|208.43.73.220|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
17:32:32 ERROR 404: Not Found.

$ bin/drizzle
drizzle > exit

Configuring passwords

To correctly configured your web server to perform the HTTP auth, you can use this Apache syntax as an example.

The following is added to the VirtualHost entry in your web browser.

<Directory /var/www/drizzle/auth>
AllowOverride FileInfo All AuthConfig
AuthType Basic
AuthName "Drizzle Access Only"
AuthUserFile /home/drizzle/.authentication
Require valid-user
</Directory>

$ sudo su -
$ mkdir /var/www/drizzle/auth
$ touch /var/www/drizzle/auth/index.htm
$ apachectl graceful

We check we now need permissions for the URL.

$ wget -O tmp http://thedrizzler.com/auth
--17:35:48--  http://thedrizzler.com/auth
Resolving thedrizzler.com... 208.43.73.220
Connecting to thedrizzler.com|208.43.73.220|:80... connected.
HTTP request sent, awaiting response... 401 Authorization Required
Authorization failed.

You need to create the username/password for access.

$ htpasswd -cb /home/drizzle/.authentication testuser sakila
$ cat /home/drizzle/.authentication
testuser:85/7CbdeVql4E

Confirm that the http auth with correct user/password works.

$ wget -O tmp http://thedrizzler.com/auth --user=testuser --password=sakila
--17:37:45--  http://thedrizzler.com/auth
Resolving thedrizzler.com... 208.43.73.220
Connecting to thedrizzler.com|208.43.73.220|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently

Drizzle HTTP Authentication in action

By default we now can’t login

$ bin/drizzle
ERROR 1045 (28000): Access denied for user ''@'127.0.0.1' (using password: NO)

$ bin/drizzle --user=testuser --password=sakila999
ERROR 1045 (28000): Access denied for user 'testuser'@'127.0.0.1' (using password: YES)

$ bin/drizzle --user=testuser --password=sakila
Welcome to the Drizzle client..  Commands end with ; or \g.
Your Drizzle connection id is 6
Server version: 7 Source distribution (trunk)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

drizzle>

PlanetMySQL Voting: Vote UP / Vote DOWN

This Thursday (February 25th, 13:00 UTC - way earlier than usual!), Darren Cassar will present Securich - Security Plugin for MySQL. According to Darren, the author of the plugin, Securich is an incredibly handy and versatile tool for managing user privileges on MySQL through the use of roles. It basically makes granting and revoking rights a piece of cake, not to mention added security it provides through password expiry and password history, the customization level it permits, the fact that it runs on any MySQL 5.0 or later and it's easily deployable on any official MySQL binary, platform independent.
More information here: http://www.securich.com/about.html.

For MySQL University sessions, point your browser to this page. You need a browser with a working Flash plugin. You may register for a Dimdim account, but you don't have to. (Dimdim is the conferencing system we're using for MySQL University sessions. It provides integrated voice streaming, chat, whiteboard, session recording, and more.)

MySQL University is a free educational online program for engineers/developers. MySQL University sessions are open to anyone. All sessions (slides & audio) are recorded; the links will be on the respective MySQL University session pages which are listed on the MySQL University home page.

Here's the tentative list of upcoming sessions:

• March 4: MySQL Column Databases (Robin Schumacher)
• March 11: Improving MySQL Full-Text Search (Kristofer Pettersson)

By the way, did I mention that we need more speakers to fill up the 2010 schedule? If you'd like to be a speaker, have a look at this blog article!

PlanetMySQL Voting: Vote UP / Vote DOWN

Reminder, mark you callendar:

Wednesday January 27th, Join the Sun Startup Essentials Webinar on  Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and  150 employee: Join Sun Startup Essentials >>

PlanetMySQL Voting: Vote UP / Vote DOWN

I want to highlight the importance of reviewing mysql’s initial set of accounts. Say you have a mysql on abc.def.ghi.jkl running on port 3306 anonymous account with privileges without a password, then: 1. mysql (if issued on localhost) 2. mysql -h abc.def.ghi.jkl 3. mysql -u ” -h abc.def.ghi.jkl 4. mysql -u ” -h abc.def.ghi.jkl -P 3306 5. mysql -u user_which_does_not_exist -h [...]
PlanetMySQL Voting: Vote UP / Vote DOWN