A key differentiator in Drizzle from it’s original MySQL roots is user based authentication. Gone is the host/user and schema/table/column model that was stored in the MyISAM based mysql.user table.
Authentication is now completely pluggable, leveraging existing systems such as PAM , LDAP via PAM and Http authentication .
In this post I’ll talk about PAM authentication which is effectively your current Linux based user security.
This information is based on the current build 1317 .
Compiling for PAM support
Your Drizzle environment needs to be compiled with PAM support. You would have received the following warning during a configure.
$ ./configure ... checking for libpam... no configure: WARNING: Couldn't find PAM development support, pam_auth will not be built. On Debian, libpam is in libpam0g-dev. On RedHat it's in pam-devel.
The solution is provided in the warning message which is another great thing about Drizzle. The pre checks for dependencies and the optional messages like these far exceed the MySQL equivalent compilation process. In my case:
$ sudo yum install pam-devel
When correctly configured, it should look like:
checking for libpam... yes checking how to link with libpam... -lpam
Working with PAM
You need to enable the PAM authentication plugin at drizzled startup.
sbin/drizzled --plugin_add=auth_pam &
Unfortunately connecting fails to work with
time sbin/drizzle --user=testuser --password=***** --port=4427 real 0m0.003s user 0m0.003s sys 0m0.001s
A look into the source at src/drizzle-2010.03.1317/plugin/auth_pam/auth_pam.cc shows a needed config file
117 retval= pam_start("check_user", userinfo.name, &conv_info, &pamh);
Configuring PAM
In order to enable PAM with Drizzle you need to have the following system configuration.
$ cat /etc/pam.d/check_user auth required pam_unix.so account required pam_unix.so $ time sbin/drizzle --user=testuser --password=***** --port=4427 ERROR 1045 (28000): Access denied for user 'testuser'@'127.0.0.1' (using password: YES) real 0m2.055s user 0m0.002s sys 0m0.002s
This did some validation but still failed.
It seems Bug #484069 may fix this problem, however this is not currently in the main line!
Stay Tuned!