5.5.7. Proxy Users

If authentication to the MySQL server for an externally defined user occurs through an authentication plugin, the plugin may request that the external user be treated by the server as a differently named MySQL user. Consider the following definitions:

CREATE USER 'external_auth' IDENTIFIED WITH auth_plugin AS ...;
GRANT PROXY ON 'employee' TO 'external_auth';

Now when a client connects as external_auth, the auth_plugin plugin, based on some external criteria, may return the employee user name to the server to request that this client should become the employee local user.

In this case, external_auth is a “proxy user” (a user who can impersonate or become known as another user) and employee is a “proxied user” (a user whose identity can be taken by a proxy user).

The server verifies that external proxy authentication for employee is possible through the external_auth user. It does this by checking that the external_auth user has the PROXY privilege for employee user. An error occurs if external_auth does not have the PROXY privilege for employee.

For information about authentication plugins, see Section 5.5.6, “Pluggable Authentication”.

Default Proxy Users

To specify that some or all users should connect using an external plugin, create a “blank” MySQL user, set it up to use plugin authentication, and let the plugin return the real authenticated user name (if different from the blank user). For example:

CREATE USER ''@'' IDENTIFIED WITH ldap_plugin AS 'O=Oracle, OU=MySQL';
CREATE USER 'developer' IDENTIFIED BY 'test';
CREATE USER 'manager' IDENTIFIED BY 'test2';
GRANT PROXY ON 'manager' TO ''@'';
GRANT PROXY ON 'developer' TO ''@'';

Now assume that a client tries to connect as follows:

mysql --user=myuser --password='myuser_pass' ...

The server will not find myuser defined as a MySQL user. But because there is a blank user (''@''), it invokes ldap_plugin, passing it myuser and myuser_pass.

Suppose that ldap_plugin finds in the LDAP directory that myuser is a developer. It will return developer to the MySQL server. The server then checks whether ''@'' can authenticate as developer and, if so, accepts the connection, setting USER() and CURRENT_USER() as follows:

| USER()           | CURRENT_USER |
| myuser@localhost | developer@%  |

For simplicity, external authentication cannot be multilevel: Neither the credentials for manager nor those for developer are taken into account in the preceding example. However, they are still used if a client tries to authenticate directly against the developer account.

Proxy User System Variables

Two system variables help trace the proxy login process:

  • proxy_user: The proxy user account name used when connecting. This will be null if proxying is not used. Using the example shown earlier, this variable will be set as follows:

    mysql> SELECT @@proxy_user;
    | @@proxy_user |
    | ''@''        |
  • external_user: Sometimes the authentication plugin may use an external user to connect to the MySQL server. For example, when using Windows native authentication, a plugin that authenticates using the windows API does not need the login ID passed to it. However, it still uses an Windows user ID to authenticate. The plugin may return this external user ID (or the first 512 UTF-8 bytes of it) to the server using the external_user read-only session variable. If there is no external user, this variable contains an empty string.

Granting Proxy Privileges

A special PROXY privilege is needed to enable an external authentication account to connect as another user. To grant it, use the GRANT statement. For example:

GRANT PROXY ON 'proxied_user' TO 'proxy_user';

proxied_user must represent a valid locally authenticated user at connection time or connection attempts fail. proxy_user must represent a valid externally authenticated MySQL user at connection time or connection attempts fail.

The corresponding REVOKE syntax is:

REVOKE PROXY ON 'proxied_user' FROM 'proxy_user';

MySQL GRANT and REVOKE syntax extensions work as usual. For example:

GRANT PROXY ON 'a' TO 'b', 'c', 'd';
GRANT PROXY ON ''@'' TO 'd';
REVOKE PROXY ON 'a' FROM 'b', 'c', 'd';

In the preceding example, ''@'' is the default proxy user and means “any user.

The PROXY privilege can be granted in these cases:

  • By proxied_user for itself: The value of USER() must exactly match CURRENT_USER() and proxied_user, for both the user name and host name parts of the account name.

  • By a user that has GRANT PROXY ... WITH GRANT OPTION for proxied_user.

The root account created by default during MySQL installation has the PROXY ... WITH GRANT OPTION privilege for all users. For example, root can do this:

CREATE USER 'ldap_admin' IDENTIFIED BY 'test';

Now the ldap_admin user can manage all the specific GRANT PROXY mappings. For example, ldap_admin can do this:

GRANT PROXY ON sally TO joe;
Copyright © 2010-2023 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout