privilege, server: support LDAP authentication #43582
This PR is around 300-400 lines. Most of the 1500 lines of changes are refactoring (adding arguments to existing functions), system variables, getters/setters, format padding... Though 300-400 lines are quite large too...
Signed-off-by: Yang Keao <[email protected]>
LGTM
/retest-required
LGTM
/retest-required
LGTM
/merge
This pull request has been accepted and is ready to merge. Commit hash: 5764079
In response to a cherrypick label: new pull request created to branch
Signed-off-by: ti-chi-bot <[email protected]>
What problem does this PR solve?

Issue Number: close #43580

Problem Summary:

Support LDAP authentication in TiDB.

What is changed and how it works?

Support `bind`ing with the LDAP server, with the simple method or the SASL method.

This PR has some known issues, which will be fixed in the following PR:

`authentication_ldap_{simple,sasl}_max_pool_size` has no meaning. Maybe we should use a single `authentication_ldap_{simple,sasl}_pool_size` variable to replace the `init` and `max` pool size, if we don't support auto scaling? I'm not sure whether it's actually needed.

Check List
Tests
Here is the guide for manual testing:
Manual Test Instruction

Here is a guide to manually test the following functions. To help the reviewer test this function, I have prepared a docker image to set up the LDAP server environment. It will use ports `389` and `3306` to set up an LDAP server and a Percona server (as reference). You can execute the following commands and don't exit the shell. It's also suggested to use the `mysql` client in this docker image, in case your local mysql client doesn't support LDAP authentication (or doesn't have the related dependencies installed):

To test this PR, you'll need to compile the tidb server and execute it. I assume the TiDB server runs with the default configuration and listens on port 4000.

Then we need to set some basic variables to make LDAP work:
Simple LDAP authentication

`yangkeao`. The password is `123456`.

Login successful. It means the simple LDAP authentication method really works!
LDAP SASL authentication (SCRAM-SHA-1/256)

`yangkeao`. As the LDAP SASL method uses the `authentication_ldap_sasl_client` plugin, not the `clear_text` plugin, you don't need to enable the `clear_text` plugin with environment variables:

Login successful. It means the SASL LDAP authentication method really works!

`SCRAM-SHA-1`). For example: `mysql -h 127.0.0.1 -u yangkeao -P 4000 -p123456`, and you'll get the same result.

StartTLS
TiDB also supports using a TLS connection between tidb-server and the LDAP server (NOTE: LDAP over SSL is not supported, like MySQL). The CA certificate is located at `/etc/ssl/certs/example.crt` in the container. You can copy it to anywhere the TiDB server can read. For example, I copied it to `/tmp/ca.crt`:

Then configure TiDB to use StartTLS to connect to the LDAP server:

Then you can log in as the user `yangkeao` with StartTLS:

NOTE: this certificate is signed for `localhost` and `127.0.0.1`. Using it on another host will cause the login to be refused.

Release note