Drizzle

Merge lp:~clint-fewbar/drizzle/authorize-default-deny into lp:drizzle/7.0

  1. authorize-default-deny
  2. Merge into 7.0
Proposed by Clint Byrum
Status: Superseded
Proposed branch: lp:~clint-fewbar/drizzle/authorize-default-deny
Merge into: lp:drizzle/7.0
Diff against target: 103 lines (+13/-6)
4 files modified
drizzled/drizzled.cc (+2/-0)
drizzled/plugin/authorization.cc (+6/-6)
drizzled/sys_var.cc (+4/-0)
drizzled/system_variables.h (+1/-0)
To merge this branch: bzr merge lp:~clint-fewbar/drizzle/authorize-default-deny
Reviewer Review Type Date Requested Status
Monty Taylor Approve
Review via email: mp+50822@code.launchpad.net

This proposal has been superseded by a proposal from 2011-03-15.

Description of the change

This adds the command line:

--authorize-default-deny

This changes the kernel behavior for authorization plugin resolution from defaulting to accept, requiring a plugin to restrict access, to defaulting to deny, and requiring just one plugin to not-restrict access.

It does not change the behavior of the pruneSchema portion, because that one is already additive, and it doesn't make much sense to change that to subtractive.

To post a comment you must log in.
Revision history for this message
Monty Taylor (mordred) wrote :

looks great.

review: Approve
Revision history for this message
Olaf van der Spek (olafvdspek) wrote :

Wouldn't it be better to always default to deny and have a plugin that can be used to always allow?

Revision history for this message
Brian Aker (brianaker) wrote :

Olaf brings up a good question. Right now we assume "no plugins, all access is fine".

If even a single plugin is installed, shouldn't we assume no?

Revision history for this message
Olaf van der Spek (olafvdspek) wrote :

> If even a single plugin is installed, shouldn't we assume no?

I'd default to deny and require the user to load a plugin.

Revision history for this message
Brian Aker (brianaker) wrote :

One of the original goals was to allow people who don't use any authentication what so ever to have a zero cost auth if they don't use it.

I suspect what a distribution would do is install a default plugin, maybe one for instance which just does localhost and limits a user based on their login information (ie grab the username and then use that as the credentials).

Revision history for this message
Olaf van der Spek (olafvdspek) wrote :

> One of the original goals was to allow people who don't use any authentication
> what so ever to have a zero cost auth if they don't use it.

An "Always Allow" plugin has minimal overhead and allows for a safe default.

> I suspect what a distribution would do is install a default plugin, maybe one
> for instance which just does localhost and limits a user based on their login
> information (ie grab the username and then use that as the credentials).

Is such a plugin available yet?

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

On Thu, 2011-02-24 at 08:59 +0000, Olaf van der Spek wrote:
> > One of the original goals was to allow people who don't use any authentication
> > what so ever to have a zero cost auth if they don't use it.
>
> An "Always Allow" plugin has minimal overhead and allows for a safe default.

Essentially this exists by making the default allow. Those concerned
with harsher controls can use --authorize-default-deny and configure
their authorization plugin accordingly.

>
> > I suspect what a distribution would do is install a default plugin, maybe one
> > for instance which just does localhost and limits a user based on their login
> > information (ie grab the username and then use that as the credentials).
>

I am doing this work specifically for the packaging in Ubuntu and
Debian. The simple_user_policy with auth_file is good enough for most
apps, but there is a need for a backup-everything user.... rather than
rely on the literal "root" and all the privilege it brings.. it makes
sense to have another set of rules defined elsewhere...

> Is such a plugin available yet?

I'm writing a regex based plugin that just does simple user to
table/schema/process mapping to either ACCEPT or DENY

The idea is that one can have the simple user policy and the regex based
policy, and this flag allows you to control how they work together.

Revision history for this message
Olaf van der Spek (olafvdspek) wrote :

> On Thu, 2011-02-24 at 08:59 +0000, Olaf van der Spek wrote:
> > > One of the original goals was to allow people who don't use any
> authentication
> > > what so ever to have a zero cost auth if they don't use it.
> >
> > An "Always Allow" plugin has minimal overhead and allows for a safe default.
>
> Essentially this exists by making the default allow. Those concerned

No, a safe default would be deny.
What happens if you load an auth plugin and don't use --authorize-default-deny?

> I am doing this work specifically for the packaging in Ubuntu and
> Debian. The simple_user_policy with auth_file is good enough for most
> apps, but there is a need for a backup-everything user.... rather than
> rely on the literal "root" and all the privilege it brings.. it makes
> sense to have another set of rules defined elsewhere...

What does simple_user_policy do?

Olaf

Revision history for this message
Brian Aker (brianaker) wrote :

How about using the PAM module for distributions?

Revision history for this message
Brian Aker (brianaker) wrote :

BTW I am looking into this.

Revision history for this message
Olaf van der Spek (olafvdspek) wrote :

> How about using the PAM module for distributions?

I think peercred is the best method for local(host) connections.

http://kb.askmonty.org/v/socket_peercred-authentication-plugin

Revision history for this message
Andrew Hutchings (linuxjedi) wrote :

Olaf: we only use socket file for backwards compatibility with some MySQL clients, it probably wouldn't work with drizzle clients which use 127.0.0.1 for localhost.

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

I keep wondering about that too.

The key is not to rely on the system default. Since Drizzle has no
encryption capabilities in the protocol, we need to make sure that users
who login via ssh aren't also encouraged to expose their password via
drizzle.

Also PAM isn't available on all supported platforms.

On Sat, 2011-02-26 at 22:28 +0000, Brian Aker wrote:
> How about using the PAM module for distributions?

Revision history for this message
Olaf van der Spek (olafvdspek) wrote :

Why does Drizzle not support UDS?

Revision history for this message
Brian Aker (brianaker) wrote :

Olaf: Drizzle supports UDS.

I'm going to write up a short blurb to the list tonight which explains a couple of things about the trunk and see where people want to go. I think we have it adjusted now to the point where it will be a bit better for folks.

Unmerged revisions

2179. By Clint Byrum

merging trunk

2178. By Clint Byrum

add an option to make authorize plugin system default to deny instead of accept

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'drizzled/drizzled.cc'
2--- drizzled/drizzled.cc 2011-02-22 06:09:35 +0000
3+++ drizzled/drizzled.cc 2011-02-22 22:32:07 +0000
4@@ -1148,6 +1148,8 @@
5 ;
6
7 long_options.add_options()
8+ ("authorize-default-deny", po::value<bool>(&global_system_variables.authorize_default_deny)->default_value(false)->zero_tokens(),
9+ _("Force authorization system to default to deny."))
10 ("auto-increment-increment", po::value<uint64_t>(&global_system_variables.auto_increment_increment)->default_value(1)->notifier(&check_limits_aii),
11 _("Auto-increment columns are incremented by this"))
12 ("auto-increment-offset", po::value<uint64_t>(&global_system_variables.auto_increment_offset)->default_value(1)->notifier(&check_limits_aio),
13
14=== modified file 'drizzled/plugin/authorization.cc'
15--- drizzled/plugin/authorization.cc 2011-02-17 00:14:13 +0000
16+++ drizzled/plugin/authorization.cc 2011-02-22 22:32:07 +0000
17@@ -71,7 +71,7 @@
18
19 inline result_type operator()(argument_type auth)
20 {
21- return auth->restrictSchema(user_ctx, schema);
22+ return auth->restrictSchema(user_ctx, schema) ^ global_system_variables.authorize_default_deny;
23 }
24 };
25
26@@ -90,7 +90,7 @@
27
28 inline result_type operator()(argument_type auth)
29 {
30- return auth->restrictTable(user_ctx, table);
31+ return auth->restrictTable(user_ctx, table) ^ global_system_variables.authorize_default_deny;
32 }
33 };
34
35@@ -109,7 +109,7 @@
36
37 inline result_type operator()(argument_type auth)
38 {
39- return auth->restrictProcess(user_ctx, session_ctx);
40+ return auth->restrictProcess(user_ctx, session_ctx) ^ global_system_variables.authorize_default_deny;
41 }
42 };
43
44@@ -151,7 +151,7 @@
45 * false, which means that that each of them believe the user is authorized
46 * to view the resource in question.
47 */
48- if (iter != authorization_plugins.end())
49+ if ((iter != authorization_plugins.end()) ^ global_system_variables.authorize_default_deny)
50 {
51 if (send_error)
52 {
53@@ -181,7 +181,7 @@
54 * false, which means that that each of them believe the user is authorized
55 * to view the resource in question.
56 */
57- if (iter != authorization_plugins.end())
58+ if ((iter != authorization_plugins.end()) ^ global_system_variables.authorize_default_deny)
59 {
60 if (send_error)
61 {
62@@ -217,7 +217,7 @@
63 * to view the resource in question.
64 */
65
66- if (iter != authorization_plugins.end())
67+ if ((iter != authorization_plugins.end()) ^ global_system_variables.authorize_default_deny)
68 {
69 if (send_error)
70 {
71
72=== modified file 'drizzled/sys_var.cc'
73--- drizzled/sys_var.cc 2011-02-15 20:03:56 +0000
74+++ drizzled/sys_var.cc 2011-02-22 22:32:07 +0000
75@@ -129,6 +129,9 @@
76 The variables are linked into the list. A variable is added to
77 it in the constructor (see sys_var class for details).
78 */
79+static sys_var_session_bool
80+sys_authorize_default_deny("authorize_default_deny",
81+ &drizzle_system_variables::authorize_default_deny);
82 static sys_var_session_uint64_t
83 sys_auto_increment_increment("auto_increment_increment",
84 &drizzle_system_variables::auto_increment_increment);
85@@ -1492,6 +1495,7 @@
86 {
87 try
88 {
89+ add_sys_var_to_list(&sys_authorize_default_deny, my_long_options);
90 add_sys_var_to_list(&sys_auto_increment_increment, my_long_options);
91 add_sys_var_to_list(&sys_auto_increment_offset, my_long_options);
92 add_sys_var_to_list(&sys_autocommit, my_long_options);
93
94=== modified file 'drizzled/system_variables.h'
95--- drizzled/system_variables.h 2011-02-12 10:06:03 +0000
96+++ drizzled/system_variables.h 2011-02-22 22:32:07 +0000
97@@ -77,6 +77,7 @@
98 uint32_t query_prealloc_size;
99 uint64_t group_concat_max_len;
100 uint64_t pseudo_thread_id;
101+ bool authorize_default_deny;
102
103 plugin::StorageEngine *storage_engine;
104

Subscribers

People subscribed via source and target branches