
The socket_peercred authentication plugin


Here's a demonstration of an authentication plugin. The plugin is named SOCKET_PEERCRED and we supply the source with MySQL 5.5. It's plugin/auth/auth_socket.c. It's small (less than 100 lines at this moment). It starts with a comment that says what it does:

/**
@file
socket_peercred authentication plugin.
Authentication is successful if the connection is done via a unix socket and
the owner of the client process matches the user name that was used when
connecting to mysqld.
*/

The MySQL 5.5 reference manual describes the feature’s syntax, but you’ll feel better if you actually see it on your own machine. For this you’ll need:

Linux (other operating systems will work but you’ll have to figure that out by yourself)
MySQL Version 5.5 (no earlier version of MySQL has authentication plugins)
The password for the MySQL ‘root’ user, or someone else who can create users.

Warning: Known Bug: http://bugs.mysql.com/bug.php?id=59017. If you have 5.5.8, wait until Bug#59017 is fixed before trying this at home.

Throughout, stuff to type on the Linux command line is preceded by ‘linux>’, stuff to type on the mysql-client line is preceded by ‘mysql>’ and ends with ‘;’.

On Linux, create a user named 'joe' and a user named 'sally'. You'll be prompted for passwords; type in your favourites.
linux> su root
linux> useradd joe
linux> passwd joe
linux> useradd sally
linux> passwd sally
linux> exit
(If you aren't able to say 'su root', but you have existing names that you can log in as, you can still repeat the demonstration by replacing [your own name #1] and [your own name #2] whenever you see the string [joe] or [sally] in the following.)

Now switch users so that “owner of the client process” is joe. The password is blank, or whatever you stated with ‘passwd’.
linux> su joe

/* Start mysql client, logging in as MySQL ‘root’ user. */
linux> mysql --user=root
… You should see 'Server version: 5.5' somewhere in the introductory text, to be sure you're connected to a running MySQL-5.5 server.

Check if there is already a user ‘x’ or a user ‘joe’, check if there is already a database ‘x’, check if there is already an installed plugin ’socket_peercred’.
If they already exist, and you’re sure they’re left over from a previous test, get rid of them — see later section with label ‘Cleanup’.
mysql> SELECT (SELECT COUNT(*) FROM mysql.user WHERE user='joe' OR user='x')
+(SELECT COUNT(*) FROM information_schema.schemata WHERE schema_name='x')
+(SELECT COUNT(*) FROM mysql.plugin WHERE name='socket_peercred') AS x;
… You should see: 1 row in set, containing 0.

Install the plugin that is already in the plugin_dir, source plugin/auth/auth_socket.c.
mysql> INSTALL PLUGIN socket_peercred SONAME 'auth_socket.so';
… You should see: no errors.

Have a look at socket_peercred information.
mysql> SELECT * FROM mysql.plugin WHERE name='socket_peercred'\G
… You should see:

name: socket_peercred
dl: auth_socket.so

An alternative way to look at plugins is:
mysql> SELECT * FROM information_schema.plugins WHERE plugin_name='socket_peercred'\G
… You should see:

PLUGIN_NAME: socket_peercred
PLUGIN_VERSION: 1.0
PLUGIN_STATUS: ACTIVE
PLUGIN_TYPE: AUTHENTICATION
PLUGIN_TYPE_VERSION: 1.0
PLUGIN_LIBRARY: auth_socket.so
PLUGIN_LIBRARY_VERSION: 1.2
PLUGIN_AUTHOR: Sergei Golubchik
PLUGIN_DESCRIPTION: Unix Socket based authentication
PLUGIN_LICENSE: GPL
LOAD_OPTION: ON

Create a database named ‘x’.
mysql> CREATE DATABASE x;
… You should see: no errors.

Create a user named 'x' whose credentials are 'x'. Give this user access to database x.
mysql> CREATE USER x@localhost IDENTIFIED WITH socket_peercred AS 'x';
mysql> GRANT ALL PRIVILEGES ON x.* TO x@localhost;
… You should see: no errors.

Create a user named 'joe' whose credentials are 'x'. Give this user access to database x.
mysql> CREATE USER joe@localhost IDENTIFIED WITH socket_peercred AS 'x';
mysql> GRANT ALL PRIVILEGES ON x.* to joe@localhost;
… You should see: no errors.

Look for two new columns at the end of mysql.user, namely `plugin` char(60) COLLATE utf8_bin NOT NULL DEFAULT '', and `authentication_string` text COLLATE utf8_bin NOT NULL.
mysql> SELECT user,plugin,authentication_string FROM mysql.user WHERE User='x'\G
… You should see:

user: x
plugin: socket_peercred
authentication_string: x

Quit.
mysql> QUIT

Start up mysql client again, logging in with --user=x.
linux> mysql --user=x --database=x
… You should see this or something similar:

ERROR 1698 (28000): Access denied for user 'x'@'localhost'

Start up mysql client again, logging in with mysql --user=joe.
linux> mysql --user=joe --database=x
… You should see: no errors.

Horn-toots, hubbub and huzzahs. You just saw that the new feature works. Although user=x and user=joe have exactly the same access privileges, mysql --user=x has failed and mysql --user=joe has succeeded. And that's entirely due to the "linux> su joe" that you did at the start.

CURRENT_USER has the mysql.user name+host, USER() has name+host by which you’ll be known.
mysql> SELECT CURRENT_USER, USER(), SYSTEM_USER()\G
… You should see:

CURRENT_USER: joe%localhost
USER(): joe@localhost
SYSTEM_USER: joe@localhost

Quit.
mysql> QUIT

Start up mysql client again, logging in with mysql --user=root.
linux> mysql --user=root
… You should see: no errors.

GRANT … IDENTIFIED WITH … to an existing user.
mysql> GRANT SELECT ON test.* TO joe@localhost IDENTIFIED WITH socket_peercred AS 'y';
… You should see:

ERROR 1700 (HY000): GRANT with IDENTIFIED WITH is illegal because the user joe already exists

GRANT … IDENTIFIED BY … to an existing user. (This will succeed and change the password but it’s useless.)
mysql> GRANT SELECT ON test.* TO joe@localhost IDENTIFIED BY PASSWORD '*B69027D44F6E5EDC07F1AEAD1477967B16F28227';
… You should see: no errors. But it's useless.
(You don't actually need the password, because being 'joe' is enough.)

GRANT … IDENTIFIED WITH … to a new user. (This will succeed.)
mysql> SET @@sql_mode=no_auto_create_user;
mysql> GRANT SELECT ON test.* TO sally@localhost IDENTIFIED WITH socket_peercred AS 'y';
… You should see: no errors.
Notice that this creates a user named 'sally', despite the @@sql_mode value.

Quit.
mysql> QUIT

Try to log in as 'sally'. (This will fail.)
linux> mysql --user=sally
… You should see:

ERROR 1698 (28000): Access denied for user 'sally'@'localhost'

Change login name to 'sally'. (This will ask for a password, then succeed.)
linux> su sally

Check who you are now.
linux> logname
… You should see: something other than sally. This shows that it's not exactly the 'login name' that matters; it can be the 'substituted name' that su gave you.

Try again to log in as 'sally'. (This succeeds.)
linux> mysql --user=sally

Quit.
mysql> QUIT

Cleanup. The demonstration is over. It's time to log in again as 'root' and get rid of all the changes made earlier.
linux> mysql --user=root
mysql> DROP USER joe@localhost; /* Reverse earlier CREATE USER */
mysql> DROP USER x@localhost; /* Reverse earlier CREATE USER */
mysql> DROP USER sally@localhost; /* Reverse earlier GRANT */
mysql> DROP DATABASE x; /* Reverse earlier CREATE DATABASE */
mysql> UNINSTALL PLUGIN socket_peercred; /* Reverse earlier INSTALL PLUGIN */
mysql> QUIT

To complete the cleanup, use Linux to delete the user names that you created with ‘useradd’ at the start.
linux> su root
linux> userdel joe
linux> userdel sally
linux> exit
… You’ll see: no errors.

And is all the above useful? It will be, when you use it. It’s good that there’s such a check, it’s exactly what some people have asked for. But it’s only a taste. I imagine it’s obvious that this plugin would be useful for people wondering about “Windows authentication”, or people who hope to get sophisticated authentication plugins as part of a commercial offering from Oracle.

Primary coder for this task (WL#1054) was Georgi Kodinov.

