Authority

Background #

In SphereEx-DBPlusEngine-Proxy, the authority section configures user authentication (who may log in, and with which password method) and authorization (what each user may access).

Thanks to the pluggable architecture of SphereEx-DBPlusEngine, Proxy offers the following authority providers:

  • ALL_PERMITTED: Every user has all permissions without special authorization;
  • DATABASE_PERMITTED: Grants each user access only to the databases listed for it in user-database-mappings;
  • SphereEx:PERMITTED: Enterprise-level authorization provider that can perform fine-grained authorization management at the database, table, and column levels.

When configuring authority, administrators choose the authority provider that matches their requirements.

Parameter Description #

authority:
  users:
    - user: # The combination of username and authorized host used to log in to the compute node, in the format <username>@<hostname>; a hostname of % or an empty string means there is no restriction on the authorized host
      password: # User password
      authenticationMethodName: # Optional, used to specify the password authentication method for the user
  authenticators: # Optional, no configuration is required by default, Proxy is automatically selected according to the front-end protocol type
    authenticatorName:
      type: # Password authentication type
  defaultAuthenticator: # Optional, specify an authenticatorName as the default password authentication method
  privilege:
    type: # Authorization provider type, the default value is SphereEx:PERMITTED

Configuration Example #

Simple Config #

authority:
  users:
    - user: root@%
      password: root
    - user: sharding
      password: sharding

Description:

  • Two users are defined: root@% and sharding;
  • authenticators and authenticationMethodName are not defined, so Proxy chooses the authentication method automatically according to the front-end protocol;
  • No privilege type is specified, the default SphereEx:PERMITTED is used.

Authentication Configuration #

Custom authentication configuration can meet the needs of users in some specific scenarios. Taking openGauss as the front-end protocol type as an example, its default authentication algorithm is scram-sha-256. If the user sharding needs to use an old version of the psql client (which does not support scram-sha-256) to connect to the Proxy, the administrator may allow sharding to use the md5 method for password authentication.

Supported protocols:

  • MySQL: mysql_native_password, mysql_clear_password
  • PostgreSQL: password, md5
  • openGauss: scram-sha-256, md5

The configuration is as follows:

authority:
  users:
    - user: root@127.0.0.1
      password: root
    - user: sharding
      password: sharding
      authenticationMethodName: md5
  authenticators:
    md5:
      type: MD5
  privilege:
    type: SphereEx:PERMITTED

Description:

  • Two users are defined: root@127.0.0.1 and sharding;
  • The MD5 method is specified for password authentication of user sharding;
  • No authentication method is specified for root@127.0.0.1, so Proxy selects one automatically according to the front-end protocol;
  • Specify the authorization provider as SphereEx:PERMITTED.
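To make the selection rules above concrete, here is an added example (not SphereEx code) that resolves which password authenticator each configured user ends up with and flags references to undefined authenticators or to types the front-end protocol does not support. It assumes the configuration is supplied as the dict PyYAML would produce from the YAML above; the supported types come from the "Supported protocols" list, and the automatic choice per protocol is an assumption except for openGauss, whose scram-sha-256 default the page states.

```python
"""Added example, not SphereEx code: resolve each user's password authenticator.

Assumptions (not on the page): the config is the dict form of the YAML above;
SUPPORTED_TYPES follows the "Supported protocols" list; PROTOCOL_DEFAULT is an
assumed automatic choice (only the openGauss entry is stated on the page).
"""

# Authentication types per front-end protocol (upper-cased for comparison).
SUPPORTED_TYPES = {
    "MySQL": {"MYSQL_NATIVE_PASSWORD", "MYSQL_CLEAR_PASSWORD"},
    "PostgreSQL": {"PASSWORD", "MD5"},
    "openGauss": {"SCRAM-SHA-256", "MD5"},
}

# Assumed automatic selection when neither the user nor defaultAuthenticator
# names a method (scram-sha-256 for openGauss is from the page).
PROTOCOL_DEFAULT = {
    "MySQL": "MYSQL_NATIVE_PASSWORD",
    "PostgreSQL": "MD5",
    "openGauss": "SCRAM-SHA-256",
}

# Constructed: dict form of the "Authentication Configuration" example above.
CONFIG = {
    "authority": {
        "users": [
            {"user": "root@127.0.0.1", "password": "root"},
            {"user": "sharding", "password": "sharding",
             "authenticationMethodName": "md5"},
        ],
        "authenticators": {"md5": {"type": "MD5"}},
        "privilege": {"type": "SphereEx:PERMITTED"},
    }
}


def resolve_authenticators(config, protocol):
    """Return ({user: resolved type}, [problems]) for the given front-end protocol.

    Resolution order: the user's authenticationMethodName, then
    defaultAuthenticator, then the protocol's automatic choice.
    """
    authority = config["authority"]
    authenticators = authority.get("authenticators") or {}
    default_name = authority.get("defaultAuthenticator")
    supported = SUPPORTED_TYPES[protocol]
    resolved, problems = {}, []

    # A dangling defaultAuthenticator would break every user without an
    # explicit method, so report it once up front.
    if default_name is not None and default_name not in authenticators:
        problems.append(f"defaultAuthenticator '{default_name}' is not defined")

    for entry in authority["users"]:
        user = entry["user"]
        name = entry.get("authenticationMethodName", default_name)
        if name is None:
            auth_type = PROTOCOL_DEFAULT[protocol]
        elif name not in authenticators:
            problems.append(f"user {user}: authenticator '{name}' is not defined")
            continue
        else:
            auth_type = authenticators[name]["type"].upper()
        # An authenticator type the protocol cannot speak means the login
        # will never succeed for that user; report rather than silently map.
        if auth_type not in supported:
            problems.append(f"user {user}: type {auth_type} not supported by {protocol}")
            continue
        resolved[user] = auth_type
    return resolved, problems


if __name__ == "__main__":
    for proto in ("openGauss", "MySQL"):
        print(proto, resolve_authenticators(CONFIG, proto))
```

Run against the example config, the openGauss case resolves root@127.0.0.1 to SCRAM-SHA-256 and sharding to MD5 with no problems, while the same configuration under the MySQL protocol reports that MD5 is not a MySQL authentication type, which is the kind of mismatch worth catching before deployment.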

Authorization Configuration #

ALL_PERMITTED #

authority:
  users:
    - user: root@127.0.0.1
      password: root
    - user: sharding
      password: sharding
  privilege:
    type: ALL_PERMITTED

Description:

  • Two users are defined: root@127.0.0.1 and sharding;
  • authenticators and authenticationMethodName are not defined, so Proxy chooses the authentication method automatically according to the front-end protocol;
  • Specify the authorization provider as ALL_PERMITTED.

DATABASE_PERMITTED #

authority:
  users:
    - user: root@127.0.0.1
      password: root
    - user: sharding
      password: sharding
  privilege:
    type: DATABASE_PERMITTED
    props:
      user-database-mappings: root@127.0.0.1=*, sharding@%=test_db, sharding@%=sharding_db

Description:

  • Two users are defined: root@127.0.0.1 and sharding;
  • authenticators and authenticationMethodName are not defined, so Proxy chooses the authentication method automatically according to the front-end protocol;
  • The authorization provider is DATABASE_PERMITTED; root@127.0.0.1 is authorized to access all logical databases (*), while the sharding user can only access test_db and sharding_db.
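As an added example (not SphereEx code) of the user-database-mappings semantics described for DATABASE_PERMITTED above and in the provider list in the Background section, the following parses the mapping string from the example and answers "may this user, logging in from this host, use this logical database?". It assumes that a mapping key is <user>@<host> with % or an empty host meaning any host (as the user parameter description states), that a database value of * means every logical database, and that a user with no mapping is denied.

```python
"""Added example, not SphereEx code: evaluate DATABASE_PERMITTED mappings.

Assumptions (not on the page): host '%' or '' in a mapping matches any
client host, database '*' matches every logical database, and a user absent
from the mapping gets no access at all (deny by default).
"""


def parse_user_database_mappings(value):
    """'root@127.0.0.1=*, sharding@%=test_db' -> {(user, host): {database, ...}}.

    Entries are comma-separated; each is <user>@<host>=<database>. A key
    without '@' is treated as host '%' (no host restriction).
    """
    grants = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        subject, _, database = item.partition("=")
        if not database:
            raise ValueError(f"mapping entry without a database: {item!r}")
        user, _, host = subject.strip().partition("@")
        grants.setdefault((user, host or "%"), set()).add(database.strip())
    return grants


def is_database_permitted(grants, user, host, database):
    """Deny unless some grant matches the user, the host and the database."""
    for (g_user, g_host), databases in grants.items():
        if g_user != user:
            continue
        if g_host != "%" and g_host != host:
            continue
        if "*" in databases or database in databases:
            return True
    return False


# Constructed: the mapping string from the DATABASE_PERMITTED example above.
MAPPINGS = "root@127.0.0.1=*, sharding@%=test_db, sharding@%=sharding_db"


if __name__ == "__main__":
    grants = parse_user_database_mappings(MAPPINGS)
    # root is only granted from 127.0.0.1; sharding from anywhere, two databases.
    for who, where, db in [("root", "127.0.0.1", "orders"),
                           ("root", "10.0.0.5", "orders"),
                           ("sharding", "10.0.0.5", "test_db"),
                           ("sharding", "10.0.0.5", "other_db")]:
        print(who, where, db, is_database_permitted(grants, who, where, db))
```

The host check is what distinguishes root@127.0.0.1=* from a plain root=*: the former grants everything only to a root login originating from 127.0.0.1, which is the least-privilege reading of the example and the reason to keep the host part explicit in mappings.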

SphereEx:PERMITTED #

authority:
  users:
    - user: root@127.0.0.1
      password: root
    - user: sharding
      password: sharding
  privilege:
    type: SphereEx:PERMITTED
    props:
      user-database-mappings: root@127.0.0.1=*, sharding@%=test_db, sharding@%=sharding_db

Description:

  • Two users are defined: root@127.0.0.1 and sharding;
  • authenticators and authenticationMethodName are not defined, so Proxy chooses the authentication method automatically according to the front-end protocol;
  • The authorization provider is SphereEx:PERMITTED; root@127.0.0.1 is authorized to access the tables and columns of all logical databases (*).