Rechercher dans le manuel MySQL
6.4.1.9 Socket Peer-Credential Pluggable Authentication
The server-side auth_socket
authentication
plugin authenticates clients that connect from the local host
through the Unix socket file. The plugin uses the
SO_PEERCRED
socket option to obtain
information about the user running the client program. Thus, the
plugin can be used only on systems that support the
SO_PEERCRED
option, such as Linux.
The source code for this plugin can be examined as a relatively simple example demonstrating how to write a loadable authentication plugin.
The following table shows the plugin and library file names. The
file must be located in the directory named by the
plugin_dir
system variable.
Table 6.20 Plugin and Library Names for Socket Peer-Credential Authentication
Plugin or File | Plugin or File Name |
---|---|
Server-side plugin | auth_socket |
Client-side plugin | None, see discussion |
Library file | auth_socket.so |
The following sections provide installation and usage information specific to socket pluggable authentication:
For general information about pluggable authentication in MySQL, see Section 6.2.17, “Pluggable Authentication”.
Installing Socket Pluggable Authentication
This section describes how to install the socket authentication plugin. For general information about installing plugins, see Section 5.6.1, “Installing and Uninstalling Plugins”.
To be usable by the server, the plugin library file must be
located in the MySQL plugin directory (the directory named by
the plugin_dir
system
variable). If necessary, configure the plugin directory
location by setting the value of
plugin_dir
at server startup.
To load the plugin at server startup, use the
--plugin-load-add
option to
name the library file that contains it. With this
plugin-loading method, the option must be given each time the
server starts. For example, put these lines in the server
my.cnf
file:
[mysqld]
plugin-load-add=auth_socket.so
After modifying my.cnf
, restart the
server to cause the new settings to take effect.
Alternatively, to register the plugin at runtime, use this statement:
INSTALL PLUGIN
loads the plugin
immediately, and also registers it in the
mysql.plugins
system table to cause the
server to load it for each subsequent normal startup.
To verify plugin installation, examine the
INFORMATION_SCHEMA.PLUGINS
table
or use the SHOW PLUGINS
statement (see
Section 5.6.2, “Obtaining Server Plugin Information”). For example:
- FROM INFORMATION_SCHEMA.PLUGINS
- +-------------+---------------+
- | PLUGIN_NAME | PLUGIN_STATUS |
- +-------------+---------------+
- | auth_socket | ACTIVE |
- +-------------+---------------+
If the plugin fails to initialize, check the server error log for diagnostic messages.
To associate MySQL accounts with the socket plugin, see Using Socket Pluggable Authentication.
The method used to uninstall the socket authentication plugin depends on how you installed it:
If you installed the plugin at server startup using a
--plugin-load-add
option, restart the server without the option.If you installed the plugin at runtime using
INSTALL PLUGIN
, it remains installed across server restarts. To uninstall it, useUNINSTALL PLUGIN
:- UNINSTALL PLUGIN auth_socket;
The socket plugin checks whether the socket user name (the
operating system user name) matches the MySQL user name
specified by the client program to the server. If the names do
not match, the plugin checks whether the socket user name
matches the name specified in the
authentication_string
column of the
mysql.user
system table row. If a match is
found, the plugin permits the connection. The
authentication_string
value can be
specified using an IDENTIFIED ...AS
clause
with CREATE USER
or
ALTER USER
.
Suppose that a MySQL account is created for an operating
system user named valerie
who is to be
authenticated by the auth_socket
plugin for
connections from the local host through the socket file:
If a user on the local host with a login name of
stefanie
invokes mysql
with the option --user=valerie
to connect
through the socket file, the server uses
auth_socket
to authenticate the client. The
plugin determines that the --user
option
value (valerie
) differs from the client
user's name (stephanie
) and refuses the
connection. If a user named valerie
tries
the same thing, the plugin finds that the user name and the
MySQL user name are both valerie
and
permits the connection. However, the plugin refuses the
connection even for valerie
if the
connection is made using a different protocol, such as TCP/IP.
To permit both the valerie
and
stephanie
operating system users to access
MySQL through socket file connections that use the account,
this can be done two ways:
Name both users at account-creation time, one following
CREATE USER
, and the other in the authentication string:If you have already used
CREATE USER
to create the account for a single user, useALTER USER
to add the second user:
To access the account, both valerie
and
stephanie
specify
--user=valerie
at connect time.
Deutsche Übersetzung
Sie haben gebeten, diese Seite auf Deutsch zu besuchen. Momentan ist nur die Oberfläche übersetzt, aber noch nicht der gesamte Inhalt.Wenn Sie mir bei Übersetzungen helfen wollen, ist Ihr Beitrag willkommen. Alles, was Sie tun müssen, ist, sich auf der Website zu registrieren und mir eine Nachricht zu schicken, in der Sie gebeten werden, Sie der Gruppe der Übersetzer hinzuzufügen, die Ihnen die Möglichkeit gibt, die gewünschten Seiten zu übersetzen. Ein Link am Ende jeder übersetzten Seite zeigt an, dass Sie der Übersetzer sind und einen Link zu Ihrem Profil haben.
Vielen Dank im Voraus.
Dokument erstellt 26/06/2006, zuletzt geändert 26/10/2018
Quelle des gedruckten Dokuments:https://www.gaudry.be/de/mysql-rf-socket-pluggable-authentication.html
Die Infobro ist eine persönliche Seite, deren Inhalt in meiner alleinigen Verantwortung liegt. Der Text ist unter der CreativeCommons-Lizenz (BY-NC-SA) verfügbar. Weitere Informationen auf die Nutzungsbedingungen und dem Autor.
Referenzen
Diese Verweise und Links verweisen auf Dokumente, die während des Schreibens dieser Seite konsultiert wurden, oder die zusätzliche Informationen liefern können, aber die Autoren dieser Quellen können nicht für den Inhalt dieser Seite verantwortlich gemacht werden.
Der Autor Diese Website ist allein dafür verantwortlich, wie die verschiedenen Konzepte und Freiheiten, die mit den Nachschlagewerken gemacht werden, hier dargestellt werden. Denken Sie daran, dass Sie mehrere Quellinformationen austauschen müssen, um das Risiko von Fehlern zu reduzieren.