Authentication and authorization: architecture #2748
Authorization basic:
HTTP client requests header
MySQL client supports basic authorization prior to version 8.
Authorization with the token:
user login requests > daemon replies with the access HTTP client requests header after login
Requests
all requests from all interfaces SphinxQL (SSL) \ HTTPS should map into pair:
The flow
the flow after the daemon got the client request basic authorization:
the flow after the daemon got the client request with token authorization:
Buddy and API communication
I suggest to reject all requests without SSL support such as HTTP \ SphinxQL \ API requests if user management is enabled at daemon or ask user to keep them behind the firewall \ NAT along with the Galera interface. Daemon could pass by buddy requests:
Concerns:
Not clear how to authorize Buddy or master - agent API requests:
Not clear how to allow buddy to perform all requests but keep the user away from certain tables, i.e.
The query to the daemon will fail
Storage
I think to store the hash |
I pushed the branch req_regex there add 100 regex patterns matching for every search query after that got enabled via
and see the loop for regex matching every pattern vs SphinxQL statement text in this mode adds from 1ms initially to 0.1ms for all subsequent invocations. I tested short queries up to 128 bytes
along with large queries up to 1kb
the timing got logged into searchd.log after search finished well as
|
for the users auth replication: Another concern is that a new node could join the cluster at the node with the users roles set but that new node has no users roles. And as the client request to the new node goes via SphinxQL interface into the new node, then the new node communicates with the donor via API interface, and I don't plan to add user auth to the API interface, the new node could bypass the auth at the donor node. Maybe worth to think and prevent this. |
As discussed, let’s carefully consider these items:
|
Could allow to set group \ aliases in the config from the SphinxQL statement names:
Could pass special buddy user name and generated password and buddy will send HTTP requests to daemon with the
If SphinxQL query got failed to parse it still has statement set most of the time. But parser could not parse index name if the select list of the query has some error and parsing failed there. Another approach is to pass user to buddy, then buddy routes that user back to daemon for every fixed request to make sure daemon will authorize all buddy requests as that user's requests. Maybe there is some standard proxy request that uses its own auth but also routes user auth with the original request. |
Tasks (estimate)
|
As discussed, these topics require further thinking:
Pls create a separate task for
and we can start working on this. |
but there is no good MIT library to verify hashed password with the password provided by user. Most of them are some modification of OpenBSD. The library with the most stars (188) https://github.com/rg3/libbcrypt has CC0-1.0 license. The alternative with the MIT license https://github.com/trusch/libbcrypt/tree/master has 99 stars and seems abandoned |
we can change our API protocol to send challenge along with handshake however this way listen_tfo will not work |
The spec is here #2833 (comment) |
Proposal:
The task is to design optimal architecture for adding authentication features to Manticore.
Checklist:
To be completed by the assignee. Check off tasks that have been completed or are not applicable.