Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

server, privilege: Socket authentication #27561

Merged
merged 9 commits into from
Oct 19, 2021
Merged

Conversation

dveeden
Copy link
Contributor

@dveeden dveeden commented Aug 24, 2021

What problem does this PR solve?

Support MySQL compatible Socket Authentication (auth_socket).

This could be used to provide a more secure alternative to the default account.

See also:

What is changed and how it works?

Check List

Tests

  • Unit test

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Support for socket authentication was added

Notes for reviews

  • Run tidb-server with socket = "/tmp/tidb.sock" in your config.
  • CREATE USER 'myuser'@'%' IDENTIFIED WITH 'auth_socket' (replace myuser with your UNIX username)
  • Try to connect with mysqlsh --sql mysql://myuser@(/tmp/tidb.sock)/ (shoul work)
  • Try to connect with a different UNIX user (e.g. use sudo to use root) (should fail)
  • Try to connect over TCP mysqlsh --sql mysql://myuser@127.0.0.1:4000/
  • You might hit tidb using unix socket cannot restart if after SIGKILL #26058 when testing this.
  • CREATE USER 'my_other_user'@'%' IDENTIFIED WITH 'auth_socket' AS 'myuser' (replace myuser with your UNIX username)
  • Try to connect with mysqlsh --sql mysql://my_other_user@(/tmp/tidb.sock)/ as UNIX user myuser. This tests the mapping between UNIX and TiDB users.

@ti-chi-bot
Copy link
Member

ti-chi-bot commented Aug 24, 2021

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • mjonss
  • morgo

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 24, 2021
@github-actions github-actions bot added the sig/sql-infra SIG: SQL Infra label Aug 24, 2021
@dveeden dveeden force-pushed the auth_socket branch 2 times, most recently from b60c8d4 to 0829868 Compare August 25, 2021 06:36
@dveeden dveeden force-pushed the auth_socket branch 5 times, most recently from 12d48c5 to abbe998 Compare September 6, 2021 15:36
@dveeden dveeden marked this pull request as ready for review September 6, 2021 15:37
@ti-chi-bot ti-chi-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 6, 2021
@dveeden dveeden force-pushed the auth_socket branch 3 times, most recently from bb425fc to 13ff4f7 Compare September 8, 2021 07:57
@dveeden
Copy link
Contributor Author

dveeden commented Sep 14, 2021

/cc @crazycs520 @XuHuaiyu @morgo

Copy link
Contributor

@morgo morgo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, minor nits.

privilege/privileges/privileges.go Outdated Show resolved Hide resolved
privilege/privileges/privileges.go Outdated Show resolved Hide resolved
@dveeden dveeden requested a review from morgo September 27, 2021 07:04
@dveeden dveeden requested a review from morgo September 28, 2021 11:59
@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Sep 29, 2021
@morgo morgo requested a review from mjonss October 6, 2021 14:07
executor/show.go Outdated Show resolved Hide resolved
@dveeden dveeden marked this pull request as ready for review October 15, 2021 11:05
@ti-chi-bot ti-chi-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 15, 2021
@dveeden dveeden requested a review from morgo October 15, 2021 11:11
@dveeden
Copy link
Contributor Author

dveeden commented Oct 15, 2021

/run-check_dev_2

@mjonss
Copy link
Contributor

mjonss commented Oct 18, 2021

Tested on macOS 11.6 on Apple M1 (arm cpu):

Release Version: v5.3.0-alpha-1086-gfae002894
Edition: Community
Git Commit Hash: fae0028948ac951e638620c7a89a78e1ad4decdd
Git Branch: auth_socket
UTC Build Time: 2021-10-18 11:41:15
GoVersion: go1.17.1
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false

with mysql -S /tmp/tidb.sock without issues
and mysqlsh -S /tmp/tidb.sock --sql --password= with this in the tidb-server error log:

[2021/10/18 14:00:59.019 +02:00] [WARN] [builtin_string.go:291] ["unexpected `Flen` value(-1) in CONCAT's args"] ["arg's index"=0]
[2021/10/18 14:00:59.019 +02:00] [WARN] [builtin_string.go:291] ["unexpected `Flen` value(-1) in CONCAT's args"] ["arg's index"=2]

Which is the same when mysqlsh root@localhost -P 4000 --sql --password= was used.

@mjonss
Copy link
Contributor

mjonss commented Oct 18, 2021

Same test environment but with create user root@localhost identified with 'auth_socket' as 'my_user'; and

> mysql -S /tmp/tidb.sock -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

I assume that authentication variable is not properly set to my_user since it fails in privilege/privileges/privileges.go:366

(dlv) p user
"root"
(dlv) p pwd
"my_user"
(dlv) p authentication
[]uint8 len: 0, cap: 144, []

@mjonss
Copy link
Contributor

mjonss commented Oct 18, 2021

Same result on Ubuntu 21.04 x64 on create user root@localhost identified with 'auth_socket' as 'my_user'; (that authentication fails, since authentication variable is empty:

Release Version: v5.3.0-alpha-1086-gfae0028948
Edition: Community
Git Commit Hash: fae0028948ac951e638620c7a89a78e1ad4decdd
Git Branch: HEAD
UTC Build Time: 2021-10-18 12:34:35
GoVersion: go1.16.2
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false

@mjonss
Copy link
Contributor

mjonss commented Oct 18, 2021

Looks like PeerHost is called too late, so cc.peerHost is not yet set which makes the userplugin lookup through userplugin, err := cc.ctx.AuthPluginForUser(&auth.UserIdentity{Username: cc.user, Hostname: cc.peerHost}) not working in server/conn.go:843 since cc.peerHost is not yet set to "localhost".

@dveeden
Copy link
Contributor Author

dveeden commented Oct 18, 2021

@mjonss does the mysql.user.authentication_string have the right value?

@mjonss
Copy link
Contributor

mjonss commented Oct 18, 2021

@mjonss does the mysql.user.authentication_string have the right value?

@dveeden, I think so:

                  Host: localhost
                  User: root
 authentication_string: <my_user> -- really my unix username
                plugin: auth_socket

@@ -414,6 +414,7 @@ func (s *Server) startNetworkListener(listener net.Listener, isUnixSocket bool,
}

clientConn.isUnixSocket = true
clientConn.peerHost = "localhost"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a constant you can use for "localhost": variable.DefHostname

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not changing that as the "Default Hostname" is not guaranteed to remain "localhost" in the future.

Copy link
Contributor

@mjonss mjonss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Tested on macOS 11.6 on Apple M1 cpu and ubuntu 21.04 x64, and it now works also for 'proxy' user.

@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Oct 19, 2021
@morgo
Copy link
Contributor

morgo commented Oct 19, 2021

/merge

@ti-chi-bot
Copy link
Member

This pull request has been accepted and is ready to merge.

Commit hash: d50ac88

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Oct 19, 2021
@ti-chi-bot ti-chi-bot merged commit 0e38904 into pingcap:master Oct 19, 2021
dveeden added a commit to dveeden/docs that referenced this pull request Oct 20, 2021
@dveeden dveeden mentioned this pull request Oct 20, 2021
12 tasks
@xiongjiwei
Copy link
Contributor

can not build on windows after this pr

@dveeden
Copy link
Contributor Author

dveeden commented Oct 21, 2021

@xiongjiwei

While Windows now seems to have AF_UNIX support ( https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ ) this doesn't seem to be supported by Go.

Can you try dveeden@3d40baf and see if that fixes the build for the windows target for you?

@xiongjiwei
Copy link
Contributor

@dveeden it works! thank you.

@dveeden dveeden mentioned this pull request Oct 21, 2021
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/sql-infra SIG: SQL Infra size/L Denotes a PR that changes 100-499 lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants