Kerberos and MySQL groups

 
H. Faber
Greenhorn
Hi,
I have Kerberos implemented in a MySQL server.
Now I would like to have some kind of group management in that solution, so that there is no need to have a MySQL user account for each Windows user, but only user groups. Is that possible, and if so, how?

Question unclear? OK, example:

Group "superheroes" consisting of users Walker, Hudson, Smith and Peters. Each of them is able to authenticate at Kerberos and get access to the MySQL database. In that database I need to have the users Walker, Hudson, Smith and Peters in my user accounts.
It would be much easier if there was a possibility to only maintain the group "superheroes" (even if as single "user" account) in the MySQL database instead of accounts for each user.

Is that possible? Or any alternative idea?
 
Knute Snortum
Sheriff
It looks like MySQL doesn't have user roles until version 8.0, which unfortunately is in development only.

But it looks like you're asking a Kerberos question, so I added this topic to the Security forum.
 
Tim Holloway
Bartender
MySQL supports authentication plugins. I'm not sure if you really meant "Kerberos" here, however. Although Kerberos is essentially what Windows authentication is using, I'm not sure I'd depend on it being identical to standard Kerberos - after all, Active Directory isn't a complete LDAP service compared to something like OpenLDAP.

I found an interesting site where Linux systems use Kerberos via the Linux PAM authentication and authorization system, but that's no good for Windows. I'd recommend doing a web search on "MySQL Windows Authentication" and see if anything promising arises.
 
H. Faber
Greenhorn
Yeah, PAM could be the right direction, see MySQL doc. But I do not get the point.
 
Tim Holloway
Bartender
PAM is the Linux Pluggable Authentication Modules subsystem. It serves as the central control point for authentication of users as well as the aggregator for the various optional authentication backends.

If you're running Linux, that would be the way to go, but since it's Linux-only (I don't even think MacOS uses it), and I got the impression you're talking Windows, it wouldn't apply. That's why I recommended searching for MySQL Windows Authentication.

Although come to think of it, since Windows is using Active Directory for domain-level authentication, maybe what you really need isn't Kerberos MySQL, but AD MySQL authentication. Which would be done with an LDAP MySQL plugin security module.
 
H. Faber
Greenhorn
Thanks for your answer, Tim!

Wouldn't AD/LDAP with MySQL lack the SSO security from Kerberos?
 
Tim Holloway
Bartender
Actually, no. You don't talk to Kerberos directly in Windows. In Windows either you do a local machine login or - when you're on a corporate network - you do a domain login. The Windows user authentication (login) system employs Active Directory to validate credentials, then it generates Kerberos tokens. So ultimately AD is the source for authentication anyway.

Yes, I think that pure Kerberos - like on Linux - can support multiple credential authenticators, but Windows only supports AD unless there's something I don't know about. That's the case with AD versus LDAP as well. Microsoft only implemented the parts of the standard that they found useful for Windows.
 
H. Faber
Greenhorn
Well, we have a self-programmed plugin for MySQL via Kerberos/Windows, but it only works for single user login. What would it need to manage groups?
 
Tim Holloway
Bartender
Groups (roles) are a little different than user IDs. A user has one and only one active login user ID, but a userid may belong to more than one group (have more than one role). For example, I might have the regular user, system-administrator, and application-administrator roles for web application "X" under Tomcat's J2EE-standard security system.

So the security plugin needs to determine whether a given operation is allowed under one of the user's assigned roles.

There are 2 ways to do this:

1. Obtain the user's role collection from Active Directory and enumerate the roles (NOT RECOMMENDED)

2. Invoke an API function that asks if any of the allowed roles for the SQL query/update (or DDL) are available for that user ID. This is the recommended method, when possible, because it's the equivalent of the J2EE isUserInRole() method, which can only return true or false. Retrieving a list of roles allows exploiters to go "fishing" for something damaging, whereas simply asking "in role?" requires that you know what the possible roles are and an intruder may not have that information.

When Oracle bought MySQL, it caused a fork in the product line. As Knute has pointed out, roles do not come into MySQL until MySQL version 8, which is not yet a release version. The fork produced an open-source spinoff of MySQL called "MariaDB" and recent versions of it do support roles. Since version 10.0.5, in fact, and on my system, MariaDB is presently 10.1.25. Oddly, the last pre-split version of MySQL is something like 5.7. Post-split MySQL jumps to version 8 on Oracle and version 10 on MariaDB and as far as I know, there's nothing in between.

We tend to use the term "MySQL" to refer to MariaDB, but technically MySQL is the Oracle version and as you can see, their capabilities are no longer quite identical. MariaDB is more advanced, but MySQL proper has Fortune Corporation support behind it* so in a business environment, you may not have an option other than to wait for Oracle to catch up.

MySQL is a very popular DBMS, but it's never been quite as advanced as some of its open-source competitors. The PostgreSQL DBMS has had roles for some time now (it also supported transactions long before MySQL did). PostgreSQL is, in fact, a lot like Oracle's own eponymous DBMS product (except for the price). For that matter, Microsoft's own SQL Server not only supports roles, it's fully integrated into Windows security. I've had occasion to curse their per-user schema organization in times past.

Finally, something to keep in mind. JDBC clients can't use Windows/Kerberos security to the best of my knowledge. That's because the JDBC connection is via TCP/IP and therefore permits logins from places far from your LAN and its security domain. So groups couldn't be applied at that level except as defined within the DBMS itself.

----
*Sadly, since the Internet made half-literate people on the other side of the planet available as support people, "commercial support" isn't what it used to be. Then again, "commercial support" nosedived when telephone menu systems and automated call queueing ("Your call is very important to us") came in. Hard to believe that back in the days when mainframes ruled, the big-name products would often have an engineer on-site full time.

Incidentally, Oracle also caused open-source Office software to fork. The LibreOffice suite spun off when Oracle bought OpenOffice (originally it was a German product called StarOffice). When Oracle realized that people hated their attempts to monetize OpenOffice, it was donated to the Apache Foundation, and is now more or less independent and still undergoing development. Eventually perhaps they and LibreOffice will merge again.
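The "in role?" check from Tim's second option, as an added example that is not part of the original thread: a small Python model of the decision an authorization plugin would make for an incoming statement. The group membership table and the per-statement-class role policy are constructed for the example; a real plugin would get membership from the directory behind the Kerberos login.

```python
"""Role-based authorization for a DB plugin, answered by a yes/no
membership query rather than by enumerating the user's roles."""
import re

# Constructed sample: group membership as the directory would hold it.
# In a real plugin this lookup would go to Active Directory.
DIRECTORY_GROUPS = {
    "walker": {"superheroes", "app-admin"},
    "hudson": {"superheroes"},
    "smith": {"readonly"},
}

# Hypothetical policy: which roles may run which class of statement.
ALLOWED_ROLES = {
    "SELECT": {"superheroes", "readonly", "app-admin"},
    "DML": {"superheroes", "app-admin"},
    "DDL": {"app-admin"},
}

_DDL = re.compile(r"^\s*(CREATE|ALTER|DROP|TRUNCATE)\b", re.I)
_DML = re.compile(r"^\s*(INSERT|UPDATE|DELETE|REPLACE)\b", re.I)
_SELECT = re.compile(r"^\s*SELECT\b", re.I)


def classify(sql):
    """Coarse statement class; anything unrecognised is 'OTHER'."""
    if _DDL.match(sql):
        return "DDL"
    if _DML.match(sql):
        return "DML"
    if _SELECT.match(sql):
        return "SELECT"
    return "OTHER"


def is_user_in_role(user, role):
    """Membership oracle in the isUserInRole() style: only true/false,
    never the list of roles, so a caller cannot go 'fishing'."""
    return role in DIRECTORY_GROUPS.get(user, set())


def authorize(user, sql):
    """Allow the statement if the user holds any role permitted for
    its class. Unknown users and unclassified statements are denied,
    because no role in the policy (or none at all) matches."""
    kind = classify(sql)
    return any(is_user_in_role(user, r) for r in ALLOWED_ROLES.get(kind, ()))
```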