Ps 10999 9.7 OIDC authentication #6035
Open
jankowsk wants to merge 2 commits into
PS-11253 [8.4]: Fix heap-use-after-free when granting external roles

PROBLEM 1
When OpenID Connect authentication maps external roles during login, acl_authenticate() called grant_role() with mpvio->acl_user. That ACL_USER is a copy allocated on the connection's mem_root and is freed when dispatch_command() ends. grant_role() stores ACL_USER by value in the role graph, including the raw user/host pointers. Later DROP USER walks that graph and reads those pointers after the mem_root was cleared, causing a heap-use-after-free (ASAN failure in auth_openid_connect.idp cleanup).

FIX 1
Look up the durable ACL cache entry with find_acl_user() and pass that to grant_role() instead of the mem_root copy.

PROBLEM 2
An external role, once granted, was not revoked until the server restarted.

FIX 2
Compare the roles returned by the authentication plugin with the roles already granted. Revoke external roles that are no longer granted by the plugin. Simplified the external roles container (external roles always have an empty hostname).
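The two defects in the commit message above, modelled in code. This is an added example written for this page, not Percona Server source: MemRoot, AclUser, AclCache, RoleGraph, login_leaves_dangling_grantee and reconcile_external_roles are simplified stand-ins for the mem_root, ACL_USER, ACL cache, role graph and grant/revoke logic the message names. The first part shows why storing a mem_root-allocated ACL_USER by value leaves the role graph holding pointers into memory that is discarded when the command ends, and why a durable cache entry does not; the second part is the grant/revoke set difference that Fix 2 describes.

```cpp
// Added example (not Percona Server code). All type and function names below
// are assumptions that mirror the objects named in the PS-11253 commit message.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iterator>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a connection's mem_root: a bump allocator whose contents are
// thrown away in one go when dispatch_command() finishes.
class MemRoot {
 public:
  explicit MemRoot(std::size_t cap) : buf_(cap, 0), used_(0) {}
  const char* strdup(const std::string& s) {
    if (used_ + s.size() + 1 > buf_.size()) return nullptr;
    char* p = buf_.data() + used_;
    std::memcpy(p, s.c_str(), s.size() + 1);
    used_ += s.size() + 1;
    return p;
  }
  // True if p points into this arena, i.e. it dangles once clear() runs.
  // Integer comparison keeps the range check well-defined for foreign pointers.
  bool owns(const char* p) const {
    if (p == nullptr) return false;
    auto a = reinterpret_cast<std::uintptr_t>(p);
    auto lo = reinterpret_cast<std::uintptr_t>(buf_.data());
    return a >= lo && a < lo + buf_.size();
  }
  void clear() { std::fill(buf_.begin(), buf_.end(), 0); used_ = 0; }
 private:
  std::vector<char> buf_;
  std::size_t used_;
};

// Stand-in for ACL_USER: the names are raw pointers, so copying the struct
// copies the pointers, not the characters they refer to.
struct AclUser { const char* user; const char* host; };

// Durable ACL cache: entries own their strings and outlive every connection.
class AclCache {
 public:
  void add(std::string user, std::string host) {
    entries_.push_back(std::make_unique<Entry>(Entry{std::move(user), std::move(host)}));
  }
  // Stand-in for find_acl_user(): pointers stay valid while the entry exists.
  AclUser find_acl_user(const std::string& user, const std::string& host) const {
    for (const auto& e : entries_)
      if (e->user == user && e->host == host) return {e->user.c_str(), e->host.c_str()};
    return {nullptr, nullptr};
  }
 private:
  struct Entry { std::string user, host; };
  std::vector<std::unique_ptr<Entry>> entries_;  // heap entries: stable addresses
};

// Role graph edge: the grantee is stored BY VALUE, which is exactly what turns
// a short-lived ACL_USER copy into a dangling pointer that DROP USER later reads.
struct RoleGraph {
  std::vector<std::pair<AclUser, std::string>> edges;
  void grant_role(const AclUser& grantee, const std::string& role) {
    edges.emplace_back(grantee, role);
  }
};

// One OIDC login that maps an external role. use_fix=false passes the mem_root
// copy (Problem 1); use_fix=true passes the durable cache entry (Fix 1).
// Returns true if the graph ends up pointing into the cleared mem_root.
bool login_leaves_dangling_grantee(bool use_fix) {
  AclCache cache;
  cache.add("alice", "%");  // constructed sample account
  RoleGraph graph;
  MemRoot conn_mem_root(256);

  // acl_authenticate(): mpvio->acl_user is a copy living on the mem_root.
  AclUser mem_root_copy{conn_mem_root.strdup("alice"), conn_mem_root.strdup("%")};
  const AclUser grantee = use_fix ? cache.find_acl_user("alice", "%") : mem_root_copy;
  graph.grant_role(grantee, "oidc_group_role");

  conn_mem_root.clear();  // dispatch_command() ends: the copy is gone.
  return conn_mem_root.owns(graph.edges.back().first.user);
}

// Fix 2: reconcile the roles the plugin reports at this login with the roles
// already granted, instead of only ever adding. External roles carry an empty
// hostname, so a role name alone identifies one here.
struct RoleDelta { std::set<std::string> to_grant, to_revoke; };

RoleDelta reconcile_external_roles(const std::set<std::string>& already_granted,
                                   const std::set<std::string>& from_plugin) {
  RoleDelta d;
  std::set_difference(from_plugin.begin(), from_plugin.end(),
                      already_granted.begin(), already_granted.end(),
                      std::inserter(d.to_grant, d.to_grant.end()));
  std::set_difference(already_granted.begin(), already_granted.end(),
                      from_plugin.begin(), from_plugin.end(),
                      std::inserter(d.to_revoke, d.to_revoke.end()));
  return d;
}
```

The pointer check stands in for what ASAN reports in the real server: with the mem_root copy the graph edge still refers to arena memory after the command ends, while the find_acl_user() entry lives as long as the cache does. reconcile_external_roles gives the two sets a login must act on, so a role the IDP no longer asserts is revoked at the next login rather than surviving until restart.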
OpenID Connect pluggable authentication is a parity feature with MySQL Enterprise Edition. It allows users to authenticate to Percona MySQL Server using OpenID Connect. The user connecting to the server must identify itself with an ID Token previously obtained from an Identity Provider. The server verifies that the token was signed by the user's Identity Provider (IDP) and that the token's subject matches the user's name in the Identity Provider domain. The plugin supports group-role mapping and proxy accounts.

This commit gathers the following tasks:
PS-10849: OpenID Connect Pluggable Authentication
PS-11017: MTR tests
PS-11018: Add proxy support to OIDC authentication
PS-11065: Telemetry support for OpenID Connect authentication
No description provided.