Add a feature to support supplementary groups
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
percona-pam-for-mysql | Fix Released | Wishlist | Sergei Glushchenko | |
Bug Description
The limitation of the PAM plugin for proxy users is that a lookup for a group is limited to the initial group and not its supplementary groups as discussed in https:/
Testing PAM authentication with initial and supplementary groups
Create proxy user:
mysql> create user ''@'' identified with auth_pam as 'mysqld,
Note:
mysqld => PAM
''@'' => Proxy user
developer => Unix Group
developer_user => Proxied User
Create proxied user:
mysql> create user developer_
Configure proxy:
mysql> grant proxy on developer_
mysql> FLUSH PRIVILEGES;
Create group:
#groupadd developer;
Create users:
#useradd -g developer devuser1
#passwd devuser1
#useradd devuser2
#passwd devuser2
#usermod -G developer devuser2
Testing access:
#mysql -u devuser1 -p
mysql> select user(), current_user(), @@proxy_user;
+------
| user() | current_user() | @@proxy_user |
+------
| devuser1@localhost | developer_
+------
#mysql -u devuser2 -p
mysql> select user(), current_user(), @@proxy_user;
+------
| user() | current_user() | @@proxy_user |
+------
| devuser2@localhost | @ | NULL |
+------
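The group lookup this report asks for, sketched in C as an added example (not the plugin's own code and not taken from the linked branch): it maps a Unix account to a proxied user by checking the initial group and then each supplementary group, which is the case devuser2 hits above. The `group=user` list format, the function names and the sample group lists used to exercise it are assumptions made for this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE              /* exposes getgrouplist(3) on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <string.h>

/* Find `group` in a "group=user, group=user" list (format assumed here);
   on an exact name match copy the proxied user to `out` and return 1. */
int map_group(const char *map, const char *group, char *out, size_t outlen)
{
    size_t glen = strlen(group);
    for (const char *p = map; *p; ) {
        while (*p == ' ' || *p == ',') p++;             /* skip separators */
        const char *end = strchr(p, ',');
        if (!end) end = p + strlen(p);
        const char *eq = memchr(p, '=', (size_t)(end - p));
        /* compare the full name so "dev" never matches "developer" */
        if (eq && (size_t)(eq - p) == glen && memcmp(p, group, glen) == 0) {
            size_t ulen = (size_t)(end - eq) - 1;
            while (ulen && eq[ulen] == ' ') ulen--;     /* trim trailing blanks */
            if (ulen == 0 || ulen >= outlen) return 0;  /* fail closed */
            memcpy(out, eq + 1, ulen);
            out[ulen] = '\0';
            return 1;
        }
        p = end;
    }
    return 0;
}

/* n = 1 looks at the initial group only; n = all adds supplementary groups. */
int map_groups(const char *map, const char *const *names, int n, char *out, size_t outlen)
{
    for (int i = 0; i < n; i++)
        if (map_group(map, names[i], out, outlen)) return 1;
    return 0;
}

/* Same mapping for a real account: passwd gid plus supplementary groups. */
int proxied_user_for(const char *user, const char *map, char *out, size_t outlen)
{
    struct passwd *pw = getpwnam(user);
    gid_t gids[64]; int n = 64;
    /* unknown user, or more than 64 groups: deny rather than map partially */
    if (!pw || getgrouplist(user, pw->pw_gid, gids, &n) < 0) return 0;
    for (int i = 0; i < n; i++) {
        struct group *gr = getgrgid(gids[i]);
        if (gr && map_group(map, gr->gr_name, out, outlen)) return 1;
    }
    return 0;
}
```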
Related branches
- Laurynas Biveinis (community): Approve
Diff: 515 lines (+226/-88), 10 files modified
CMakeLists.txt (+2/-2)
configure.ac (+2/-5)
src/Makefile.am (+6/-3)
src/auth_mapping.c (+53/-61)
src/auth_mapping.h (+2/-7)
src/auth_pam.c (+2/-1)
src/auth_pam_common.c (+6/-8)
src/auth_pam_compat.c (+2/-1)
src/groups.c (+98/-0)
src/groups.h (+53/-0)
Changed in percona-pam-for-mysql:
assignee: nobody → Sergei Glushchenko (sergei.glushchenko)
status: New → In Progress
Changed in percona-pam-for-mysql:
status: In Progress → Fix Committed
Changed in percona-pam-for-mysql:
importance: Undecided → Wishlist
Changed in percona-pam-for-mysql:
status: Fix Committed → Fix Released
Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-97