*: create a user using tidb_auth_token authentication
#38585
Conversation
|
[REVIEW NOTIFICATION] This pull request has been approved by:
To complete the pull request process, please ask the reviewers in the list to review by filling The full list of commands accepted by this bot can be found here. Reviewer can indicate their review by submitting an approval review. |
ti-chi-bot
added
do-not-merge/work-in-progress
ti-chi-bot
added
size/M
ti-chi-bot
added
release-note
CbcWestwolf
changed the title
tidb_auth_token authenticationtidb_auth_token authentication
ti-chi-bot
added
size/XXL
ti-chi-bot
removed
the
do-not-merge/work-in-progress
CbcWestwolf
changed the title
tidb_auth_token authenticationtidb_auth_token authentication
executor/simpletest/simple_test.go
Outdated
| @@ -711,6 +711,10 @@ func TestUser(t *testing.T) { | |||
| result.Check(testkit.Rows(auth.EncodePassword(""))) | |||
| dropUserSQL = `DROP USER IF EXISTS 'test1'@'localhost' ;` | |||
| tk.MustExec(dropUserSQL) | |||
| tk.MustExec(`CREATE USER token_user IDENTIFIED WITH 'tidb_auth_token' TOKEN_REQUIRE token_issuer 'issuer-abc'`) | |||
| tk.MustQuery(`SELECT plugin, token_issuer FROM mysql.user WHERE user = 'token_user'`).Check(testkit.Rows("tidb_auth_token issuer-abc")) | |||
| tk.MustExec(`ALTER USER token_user TOKEN_REQUIRE token_issuer 'issuer-123'`) | |||
There was a problem hiding this comment.
Is it allowed to specify token_issuer for other auth plugins in create user or alter user statements?
There was a problem hiding this comment.
Yes, the specified token_issuer is stored into mysql.user for all users. But it would not affect the authentication of the other auth plugin users
There was a problem hiding this comment.
I mean, if a user is identified with mysql_native_password, and the root user alters his token_issuer, this is meaningless. Should we report an error?
There was a problem hiding this comment.
I think we can give a warning when create user/alter user meet such a scenario.
ti-chi-bot
removed
the
needs-rebase
CbcWestwolf
requested review from
xhebox and
djshow832
and removed request for
xhebox and
djshow832
| @@ -712,6 +712,22 @@ func TestUser(t *testing.T) { | |||
| dropUserSQL = `DROP USER IF EXISTS 'test1'@'localhost' ;` | |||
| tk.MustExec(dropUserSQL) | |||
|
|
|||
| // Test create/alter user with `tidb_auth_token` | |||
There was a problem hiding this comment.
- Test that alter something else of the user (such as username) when the auth plugin is tidb_auth_token. The expectation is that it doesn't need to specify the token_issuer because you just want to change the username.
- Test that alter auth plugin also works.
| Type: ast.SAN, | ||
| Value: $2, | ||
| } | ||
| } | ||
| | "TOKEN_ISSUER" stringLit |
There was a problem hiding this comment.
Did you change the syntax again? I thought you have already discussed this with the PM before filing this PR. Please add this syntax in the spec and get the PM notified by @ him in the spec.
There was a problem hiding this comment.
Yes, I removed the keyword TOKEN_REQUIRE. I'll notify the PM in the spec.
Co-authored-by: djshow832 <zhangming@pingcap.com>
|
/cc bb7133 |
| tk.MustQuery(`SELECT plugin, token_issuer FROM mysql.user WHERE user = 'token_user'`).Check(testkit.Rows("tidb_auth_token issuer-123")) | ||
| tk.MustExec(`ALTER USER token_user IDENTIFIED WITH 'tidb_auth_token'`) | ||
| tk.MustExec(`CREATE USER token_user1 IDENTIFIED WITH 'tidb_auth_token'`) | ||
| tk.MustQuery(`show warnings`).Check(testkit.RowsWithSep("|", "Warning|1105|TOKEN_ISSUER is needed for 'tidb_auth_token' user, please use 'alter user' to declare it")) |
There was a problem hiding this comment.
- When creating a new user with tidb_auth_token plugin, if no attribute or no email is declared, TiDB server would NOT give any warning or error, since the attribute could be modified by ALTER USER statements.
This is the original specification of this feature, could you double confirm if this is expected?(Although the behavior is different, IMHO this is fine).
There was a problem hiding this comment.
IMHO, I think it is expected. The warning is just for the missing token_issuer, not the email attribute, though they are both needed in the later authentication.
To be honest I think all the warning for this auth plugin is not necessary for our general users. If they indeed miss something in create user, alter user can repair. The warning is just a small reminder.
ti-chi-bot
added
status/LGT2
|
/merge |
|
This pull request has been accepted and is ready to merge. Commit hash: 340811b
|
ti-chi-bot
added
the
status/can-merge
TiDB MergeCI notify✅ Well Done! New fixed [2] after this pr merged.
|
What problem does this PR solve?
Issue Number: ref #38504
Problem Summary:
What is changed and how it works?
This PR supports creating and altering users with
tidb_auth_token. Since the claims in the JWT differ in different scenarios, and more verified claims may be added in the future, this PR introduces a new keywordTOKEN_ISSUER, to declare an additional verified claim.tidb_auth_tokenuser withREQUIRE token_issuer '<issuer-abc>', then the authentication of this user requires that the JWT should have a claim"iss": "<issuer-abc>"in the payload. If not exists, the authentication fails.Check List
Tests
Side effects
Documentation
Release note
Please refer to Release Notes Language Style Guide to write a quality release note.