Rechercher dans le manuel MySQL

6.4.1.8 No-Login Pluggable Authentication

The mysql_no_login server-side authentication plugin prevents all client connections to any account that uses it. Use cases for such a plugin include proxied accounts that should never permit direct login but are accessed only through proxy accounts and accounts that must be able to execute stored programs and views with elevated privileges without exposing those privileges to ordinary users.

The following table shows the plugin and library file names. The file name suffix might differ on your system. The file must be located in the directory named by the plugin_dir system variable.

Table 6.19 Plugin and Library Names for No-Login Authentication

Plugin or File Plugin or File Name
Server-side plugin mysql_no_login
Client-side plugin None
Library file mysql_no_login.so

The following sections provide installation and usage information specific to no-login pluggable authentication:

For general information about pluggable authentication in MySQL, see Section 6.2.17, “Pluggable Authentication”. For proxy user information, see Section 6.2.18, “Proxy Users”.

Installing No-Login Pluggable Authentication

This section describes how to install the no-login authentication plugin. For general information about installing plugins, see Section 5.6.1, “Installing and Uninstalling Plugins”.

To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable). If necessary, configure the plugin directory location by setting the value of plugin_dir at server startup.

The plugin library file base name is mysql_no_login. The file name suffix differs per platform (for example, .so for Unix and Unix-like systems, .dll for Windows).

To load the plugin at server startup, use the --plugin-load-add option to name the library file that contains it. With this plugin-loading method, the option must be given each time the server starts. For example, put these lines in the server my.cnf file (adjust the .so suffix for your platform as necessary):

[mysqld]
plugin-load-add=mysql_no_login.so

After modifying my.cnf, restart the server to cause the new settings to take effect.

Alternatively, to register the plugin at runtime, use this statement (adjust the .so suffix as necessary):

  1. INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

INSTALL PLUGIN loads the plugin immediately, and also registers it in the mysql.plugins system table to cause the server to load it for each subsequent normal startup.

To verify plugin installation, examine the INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement (see Section 5.6.2, “Obtaining Server Plugin Information”). For example:

  1. mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
  2.        FROM INFORMATION_SCHEMA.PLUGINS
  3.        WHERE PLUGIN_NAME LIKE '%login%';
  4. +----------------+---------------+
  5. | PLUGIN_NAME    | PLUGIN_STATUS |
  6. +----------------+---------------+
  7. | mysql_no_login | ACTIVE        |
  8. +----------------+---------------+

If the plugin fails to initialize, check the server error log for diagnostic messages.

To associate MySQL accounts with the no-login plugin, see Using No-Login Pluggable Authentication.

Table des matières Haut

Uninstalling No-Login Pluggable Authentication

The method used to uninstall the no-login authentication plugin depends on how you installed it:

  • If you installed the plugin at server startup using a --plugin-load-add option, restart the server without the option.

  • If you installed the plugin at runtime using INSTALL PLUGIN, it remains installed across server restarts. To uninstall it, use UNINSTALL PLUGIN:

    1. UNINSTALL PLUGIN mysql_no_login;

Table des matières Haut

Using No-Login Pluggable Authentication

This section describes how to use the no-login authentication plugin to prevent connections from MySQL client programs to the server. It is assumed that the server is running with the server-side plugin enabled, as described in Installing No-Login Pluggable Authentication.

To refer to the no-login authentication plugin in the IDENTIFIED WITH clause of a CREATE USER statement, use the name mysql_no_login.

An account that authenticates using mysql_no_login may be used as the DEFINER for stored program and view objects. If such an object definition also includes SQL SECURITY DEFINER, it executes with that account's privileges. DBAs can use this behavior to provide access to confidential or sensitive data that is exposed only through well-controlled interfaces.

The following example provides a simple illustration of these principles. It defines an account that does not permit client connections, and associates with it a view that exposes only certain columns of the mysql.user system table:

  1. CREATE DATABASE nologindb;
  2. CREATE USER 'nologin'@'localhost'
  3.   IDENTIFIED WITH mysql_no_login;
  4. GRANT ALL ON nologindb.*
  5.   TO 'nologin'@'localhost';
  6.   TO 'nologin'@'localhost';
  7. CREATE DEFINER = 'nologin'@'localhost'
  8.   VIEW nologindb.myview
  9.   AS SELECT User, Host FROM mysql.user;

To provide protected access to the view to an ordinary user, do this:

  1. GRANT SELECT ON nologindb.myview
  2.   TO 'ordinaryuser'@'localhost';

Now the ordinary user can use the view to access the limited information it presents:

  1. SELECT * FROM nologindb.myview;

Attempts by the user to access columns other than those exposed by the view result in an error, as do all attempts to select from the view by users not granted access to it.

Note

Because the nologin account cannot be used directly, the operations required to set up objects that it uses must be performed by root or similar account with the privileges required to create the objects and set DEFINER values.

An account that authenticates using mysql_no_login may be used as a proxied base user for proxy accounts:

  1. -- create proxied account
  2. CREATE USER 'proxy_base'@'localhost'
  3.   IDENTIFIED WITH mysql_no_login;
  4. -- grant privileges to proxied account
  5. GRANT ...
  6.   ON ...
  7.   TO 'proxy_base'@'localhost';
  8. -- permit real_user to be a proxy account for proxied account
  9. GRANT PROXY
  10.   ON 'proxy_base'@'localhost'
  11.   TO 'real_user'@'localhost';

This enables clients to access MySQL through the proxy account (real_user) but not to bypass the proxy mechanism by connecting directly as the proxied user (proxy_base).


Rechercher dans le manuel MySQL

Traduction non disponible

Le manuel MySQL n'est pas encore traduit en français sur l'infobrol. Seule la version anglaise est disponible pour l'instant.

Document créé le 26/06/2006, dernière modification le 26/10/2018
Source du document imprimé : https://www.gaudry.be/mysql-rf-no-login-pluggable-authentication.html

L'infobrol est un site personnel dont le contenu n'engage que moi. Le texte est mis à disposition sous licence CreativeCommons(BY-NC-SA). Plus d'info sur les conditions d'utilisation et sur l'auteur.

Références

  1. Consulter le document html Langue du document :en Manuel MySQL : https://dev.mysql.com/

Ces références et liens indiquent des documents consultés lors de la rédaction de cette page, ou qui peuvent apporter un complément d'information, mais les auteurs de ces sources ne peuvent être tenus responsables du contenu de cette page.
L'auteur de ce site est seul responsable de la manière dont sont présentés ici les différents concepts, et des libertés qui sont prises avec les ouvrages de référence. N'oubliez pas que vous devez croiser les informations de sources multiples afin de diminuer les risques d'erreurs.

Table des matières Haut