privilege, server: support LDAP authentication (#43582) #43696

ti-chi-bot · 2023-05-10T14:52:04Z

This is an automated cherry-pick of #43582

What problem does this PR solve?

Issue Number: close #43580

Problem Summary:

Support LDAP authentication in TiDB.

What is changed and how it works?

Allow creating users identified with ldap.
Authenticate through binding with LDAP server, with simple method or SASL method.

This PR has some know issues, and will be fixed in the following PR:

If the LDAP connection timeout (or killed by the server), it'll not be released or re-initialized.
The LDAP connection pool is not automatically scaled, so the variable authentication_ldap_{simple,sasl}_max_pool_size has no meaning. Maybe we should use a single authentication_ldap_{simple,sasl}_pool_size variable to replace init and max pool size, if we don't support auto scaling? I'm not sure whether it's needed actually.

Check List

Tests

Unit test
Integration test
Manual test (add detailed scripts or steps below)
No code

Here is the guide for manually test:

Manual Test Instruction

Here is a guide to manually test the following functions. To help the reviewer test this function, I have prepared a docker image to setup the LDAP server environment. It will use port 389 and 3306 to setup a LDAP server and a percona server (as reference). You can execute the following commands and don't exit the shell. It's also suggested to use the mysql client in this docker image, in case that your local mysql client doesn't support LDAP authentication (or don't have related dependencies installed):

docker run --network host -it yangkeao/ldap-sasl-example:d2b324 /bin/bash

To test this PR, you'll need to compile the tidb server and execute it. I assume the TiDB server runs with default configuration and listens port 4000.

Then we need to set some basic variables to make LDAP work:

set global authentication_ldap_sasl_server_host='127.0.0.1';

Simple LDAP authentication

Create a user with simple LDAP authentication by executing the following SQL in TiDB server.

create user yangkeao IDENTIFIED WITH authentication_ldap_simple as 'cn=yangkeao+uid=yangkeao,dc=example,dc=org';

Try to login the tidb-server with user yangkeao. The password is 123456.

LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 mysql -h 127.0.0.1 -u yangkeao -P 4000 -p123456

Login successfully. It means the simple LDAP authentication method really works!

LDAP SASL authentication (SCRAM-SHA-1/256)

Create a user with SASL LDAP authentication, or alter the previous user to use SASL LDAP authentication:

alter user yangkeao IDENTIFIED WITH authentication_ldap_sasl as 'cn=yangkeao+uid=yangkeao,dc=example,dc=org';

Try to login the tidb-server with user yangkeao. As the LDAP SASL method uses authentication_ldap_sasl_client plugin, but not clear_text plugin, so you don't need to enable the clear_text plugin with environment variables:

mysql -h 127.0.0.1 -u yangkeao -P 4000 -p123456

Login successfully. It means the SASL LDAP authentication method really works!

You can also change to another SASL method to have a try (the default one is SCRAM-SHA-1). For example:

set global authentication_ldap_sasl_auth_method_name='SCRAM-SHA-256';

Then you can login through mysql -h 127.0.0.1 -u yangkeao -P 4000 -p123456, you'll get the same result.

StartTLS

TiDB also support using TLS connection between tidb-server and LDAP server (NOTE: LDAP over SSL is not supported, like MySQL). The CA certificate locates in /etc/ssl/certs/example.crt in the container. You can copy it to anywhere the TiDB server can read. For example, I copied it to /tmp/ca.crt:

cat <<EOF > /tmp/ca.crt
-----BEGIN CERTIFICATE-----
MIIFZTCCA02gAwIBAgIUZ2hQOFVvjuAHrC8Tv+5dnwPGvF0wDQYJKoZIhvcNAQEL
BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMzA0MjQwNjM1MTRaFw0yODA0MjMw
NjM1MTRaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggIiMA0GCSqGSIb3DQEBAQUAA4IC
DwAwggIKAoICAQDFvQt3xupYFQxZsyQPr2byhR9ZHoAWBxxqNWxbvpqy7RzHeccJ
Jg36dO1BNIBY8NjIy/JHV7eLDVGCh9FTGozn8dODQMOwDXTYqxFOiBHb2/M9wxVX
ILafa1GlsOnUFxEws9T0XH7ZBqMLC/KlXdJ5xQD1C36K1eWHvphjD0AFhgUnqQ4N
O3NT3tJjzcY7oXBoKpgSgQs7qeTdJLTKJE7pY02C/hJI2WvJDdIiEhZTi0UWqE06
5aXp8Heag/H4VlZzRA+RzQuDXqgXC3Bt7mJwtnoym0HgyTvoKBKO/vzfAW1yQhGo
6ikfSZkvIy3kyPAxD1FSWeSA0Xo8soGNDUsZjV6dQRtcnlWLPFA+7VfwivCPNiFh
91csXhHNEkYPNq4yCe6ZsycydZ+GNdNygzIrMjQ+DjNnHXXmfdeiiLLJbyxYzwuu
GaAT9eD98vXeJFhuWSbKyj4oXcMKnj3bTAQnudMCHIV8cMDe7Zuq1d4/gjXvk95Z
s/OnxqRYYNTXECkdLrevAPfGI2Qg9d7IrhnAh6KqCDDiFkhDkS5TMbWeHA88ZPKZ
6RvLYZmA+j3tjtKPpta9yPiTglExjBUDHIe+37K84G4p0C4bEo5RxEop5hHuX4EW
QvwNb0254i+RCsdyt+tFHiAVzo3/mTg9EMkWlTzoy0381HytFNcLDGb37QIDAQAB
o1MwUTAdBgNVHQ4EFgQUHs+YTH+x0YRNja11v18CF4iu5XowHwYDVR0jBBgwFoAU
Hs+YTH+x0YRNja11v18CF4iu5XowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAgEAqf2ukpuqXC7u0kTqWdrw+3x2R+mwoLSsy7QbpsjdPbJwVoEysC02
WHiZcMj+w75wZQ2SS5Md1+1K4HiIWC3n+eRDodz+Di0Hg9lxtoMFuOIBpnYUsDuA
Fooo/B7HadZkw9AbWFxPK5EGLyfCRuZF50981svSX5rnYqgCLLs0zGxr7Uswhzvh
3fQMDd0OGLST0M4FW/pQkRYIWnQ4zn/n+wJaHBeaKXHJ7QfgNCtVXOLTXdzpreIL
RvvydcOdVoPnjMgCs1jyhB6g226+/nOuQqic53pxnUTUTvHFJQ5B6/JlzMHeJS1m
ycvSxmF+3RqhjePiwRAT/ui9FBXkhXSG3wp0n0w83rpq7Ne0uwPH/KE9hqFkiI5x
PzobjKy6ahzoSbZrw/a4gDXfZe3fYGtm1EdyDYTh1HFCi7hkdoxY9iCIL1Gr+mpB
YruELQZ+RpvZQ7V8JN7bPtzWfPybPkOSozP1EoLXhUAnXl4/DinoBZvum1MpvPWY
sKF9qQfTP6cAqOuIL1LcVhJ7yHAjR+BK7tvhA2h4sIqxEjhlDmJjH0XMr9JpYQcb
yBzNgkS0YycMPJru0zb2p7vodql5rxSWArQW13Pyqza6N803Qk3vP0/SCfYXeR/i
hv/InNBQBwfHo79FBEv/T7UB8yS7CIu75f562jp23DFKUQD+doybmDg=
-----END CERTIFICATE-----
EOF

Then configure the TiDB to use StartTLS to connect to the LDAP:

set global authentication_ldap_sasl_tls='ON';
set global authentication_ldap_sasl_ca_path='/tmp/ca.crt';

Then you can login the user yangkeao with the StartTLS:

mysql -h 127.0.0.1 -u yangkeao -P 4000 -p123456

NOTE: this certificate is signed for localhost and 127.0.0.1. Using it on other host will refuse to login.

Release note

Support `authentication_ldap_simple` and `authentication_ldap_sasl` authentication plugin. Allow authenticate user with LDAP service.

Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>

ti-chi-bot · 2023-05-10T14:52:06Z

[REVIEW NOTIFICATION]

This pull request has been approved by:

CbcWestwolf
bb7133

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Details

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

Signed-off-by: Yang Keao <yangkeao@chunibyo.icu>

YangKeao · 2023-05-10T15:28:50Z

Blocked by https://github.com/pingcap/enterprise-plugin/pull/102

CbcWestwolf · 2023-05-10T15:36:45Z

/retest-required

bb7133 · 2023-05-10T15:52:29Z

br/pkg/lightning/config/config_test.go:787
        	Error:      	Not equal: 
        	            	expected: "guest:12345@tcp(172.16.30.11:4001)/?maxAllowedPacket=67108864&charset=utf8mb4&sql_mode=%27ONLY_FULL_GROUP_BY%2CSTRICT_TRANS_TABLES%2CNO_ZERO_IN_DATE%2CNO_ZERO_DATE%2CERROR_FOR_DIVISION_BY_ZERO%2CNO_AUTO_CREATE_USER%2CNO_ENGINE_SUBSTITUTION%27"
        	            	actual  : "guest:12345@tcp(172.16.30.11:4001)/?charset=utf8mb4&sql_mode=%27ONLY_FULL_GROUP_BY%2CSTRICT_TRANS_TABLES%2CNO_ZERO_IN_DATE%2CNO_ZERO_DATE%2CERROR_FOR_DIVISION_BY_ZERO%2CNO_AUTO_CREATE_USER%2CNO_ENGINE_SUBSTITUTION%27"

Please update the test result

CbcWestwolf · 2023-05-10T16:29:02Z

/retest

CbcWestwolf · 2023-05-11T03:33:08Z

/retest

YangKeao · 2023-05-11T05:02:33Z

/retest

CbcWestwolf · 2023-05-11T06:10:51Z

/retest

CbcWestwolf · 2023-05-11T07:05:21Z

/retest

bb7133 · 2023-05-11T07:30:08Z

/merge

ti-chi-bot · 2023-05-11T07:30:12Z

@bb7133: /merge in this pull request requires 2 approval(s).

Details

In response to this:

/merge

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

bb7133

LGTM

CbcWestwolf · 2023-05-11T07:31:09Z

LGTM

bb7133 · 2023-05-11T07:32:14Z

/merge

ti-chi-bot · 2023-05-11T07:32:17Z

@bb7133: /merge in this pull request requires 2 approval(s).

Details

In response to this:

/merge

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

CbcWestwolf · 2023-05-11T07:34:01Z

/merge

ti-chi-bot · 2023-05-11T07:34:05Z

This pull request has been accepted and is ready to merge.

Details

Commit hash: edf8bf4

This is an automated cherry-pick of pingcap#43582

2e54417

Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>

ti-chi-bot requested a review from a team as a code owner May 10, 2023 14:52

ti-chi-bot bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/cherry-pick-not-approved labels May 10, 2023

ti-chi-bot mentioned this pull request May 10, 2023

privilege, server: support LDAP authentication #43582

Merged

4 tasks

ti-chi-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. type/cherry-pick-for-release-7.1 This PR is cherry-picked to release-7.1 from a source PR. labels May 10, 2023

resolve conflict in dependencies

57467fb

Signed-off-by: Yang Keao <yangkeao@chunibyo.icu>

YangKeao requested a review from CbcWestwolf May 10, 2023 15:11

fix UT

edf8bf4

bb7133 approved these changes May 11, 2023

View reviewed changes

ti-chi-bot bot added the status/LGT1 Indicates that a PR has LGTM 1. label May 11, 2023

CbcWestwolf approved these changes May 11, 2023

View reviewed changes

ti-chi-bot bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels May 11, 2023

VelocityLight added cherry-pick-approved Cherry pick PR approved by release team. and removed do-not-merge/cherry-pick-not-approved labels May 11, 2023

ti-chi-bot bot added the status/can-merge Indicates a PR has been approved by a committer. label May 11, 2023

ti-chi-bot bot merged commit 00b50a3 into pingcap:release-7.1 May 11, 2023

wuhuizuo deleted the cherry-pick-43582-to-release-7.1 branch August 18, 2023 03:39

privilege, server: support LDAP authentication (#43582) #43696

privilege, server: support LDAP authentication (#43582) #43696

Uh oh!

Conversation

ti-chi-bot commented May 10, 2023

What problem does this PR solve?

What is changed and how it works?

Check List

Manual Test Instruction

Simple LDAP authentication

LDAP SASL authentication (SCRAM-SHA-1/256)

StartTLS

Release note

Uh oh!

ti-chi-bot bot commented May 10, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

YangKeao commented May 10, 2023

Uh oh!

CbcWestwolf commented May 10, 2023

Uh oh!

bb7133 commented May 10, 2023

Uh oh!

CbcWestwolf commented May 10, 2023

Uh oh!

CbcWestwolf commented May 11, 2023

Uh oh!

YangKeao commented May 11, 2023

Uh oh!

CbcWestwolf commented May 11, 2023

Uh oh!

CbcWestwolf commented May 11, 2023

Uh oh!

bb7133 commented May 11, 2023

Uh oh!

ti-chi-bot bot commented May 11, 2023

Uh oh!

bb7133 left a comment

Choose a reason for hiding this comment

Uh oh!

CbcWestwolf commented May 11, 2023

Uh oh!

bb7133 commented May 11, 2023

Uh oh!

ti-chi-bot bot commented May 11, 2023

Uh oh!

CbcWestwolf commented May 11, 2023

Uh oh!

ti-chi-bot bot commented May 11, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

ti-chi-bot bot commented May 10, 2023 •

edited

Loading