In this primer I will show how to improve the security of your MariaDB installation by using two-step verification and how to use it from your Windows GUI client.
Let’s suppose you have your data in MariaDB, installed, say, on Ubuntu. Your users connect to it to run ad hoc queries, using some sort of Windows GUI client. You don’t want them to write the access password on post-it notes or have it auto-entered by the client. And you don’t want anyone to see the password when one of the salespersons connects to the mother ship from his laptop in an Internet café. So you decide to use two-step verification, just like Google does, to secure access to the data.
As you may know, since version 5.2.0 (released in April 2010) we support Pluggable Authentication. Using this feature one can implement an arbitrary user authentication and account management policy, completely replacing built-in MariaDB authentication with its username/password combination and
Also, as you might have heard, Oracle has recently released a PAM authentication plugin for MySQL. Alas, this plugin will not run on MariaDB — although the MySQL implementation of pluggable authentication is based on ours, the API is incompatible. And, being closed source, this plugin cannot be fixed to run in MariaDB. And — I’m not making it up — this plugin does not support communication between the client and the server, so even with this plugin and all the power of PAM the only possible authentication method remains a simple username/password combination.
But writing authentication plugins is easy, I said to myself. I will do my own authentication plugin! With blackjack and hookers.
If you want to know more about MySQL and MariaDB plugins, read on. Our book (by Andrew Hutchings and me), MySQL 5.1 Plugins Development, was just published by Packt. As far as I know, it is the first and only book completely dedicated to the MySQL Plugin API. It covers all plugin types that exist in 5.1, from Daemon to Storage Engines, and does not shy away from explaining lesser-known or poorly understood features of the plugin API. It describes newer plugin API extensions too – such as authentication plugins and the recent CREATE TABLE extension. There is also one chapter dedicated to UDFs.
This is a “learning by example” style book, very different from the reference manual style. It is written around 23 fully working and thoroughly explained plugin examples – simple demos as well as practically useful ones. My personal favorites are:
- getrusage daemon plugin
- condition pushdown I_S plugin
- exif full-text parser
- Tocab storage engine (with b-tree indexes!)
- USB authentication plugin
See the complete list in the table of contents.
What others think: