We are pleased to announce availability of an early access version of Percona’s PAM Authentication plugin for MySQL. This plugin supports MySQL-5.5.x, Percona Server 5.5.x and MariaDB 5.2.x. The PAM Authentication plugin can be used for:
- MySQL authentication using operating system users (pam_unix)
- MySQL authentication from LDAP server (pam_ldap)
- authentication against RSA SecurID server
- any other authentication methods that provides access via PAM
We name it early access as it does not yet have the full list of features we want to implement. It is currently functional and we want to make it available for everybody. In this version you still need to create individual users in MySQL (even though they will be authenticated via PAM), in the final (non-early access) version this restriction will be removed. Percona PAM Authentication Plugin for MySQL as always, is fully open source, free of charge and can be used on an unlimited amount of servers. Resources:
Alleluia!
Between the audit plug-in interface, and your PAM authentication plug-in (hopefully implementing the proxy users authentication plug-in feature), real role-based access, best-practices password controls, and access non-repudiation can be a reality. To me, this means MySQL can finally be deployed in a PCI environment without lots of hacks, workarounds, and other controls gymnastics to satisfy governance requirements (and PCI auditors 🙂 ).
Now if Monty’s group can get caught up to 5.6; we use MyISAM extensively for simple but huge KV stores, and love virtual (indexable) columns, segmented key cache, and other MariaDB goodies, but really need to start leveraging 5.6 features such as the Partition enhancements (we can finally ditch merge tables), Multi-threaded slaves (!!! A huge pain point for us), Diff-based RBR, Replication Checksums, lots of additional instrumentation, etc.
Then, those combined with figuring out how to use Gearman to leverage Java plug-ins/UDFs, and we’ll be able to stop eyeing PostgreSQL’s feature set with frustrated envy, and enjoy the rocking performance and flexibility of the MySQL platform.
[Please no flaming – PostgreSQL rocks in its own right, but we have an investment in the MySQL platform that I would appreciate being able to continue to leverage for enterprise workflows and loads.]
This is a very useful addition I never thought of! Nice work to all involved. It reminds me of some of the unix auth in postgres.
Cheers,
Tim
Quite useful. The most utility I guess comes from “any other authentication methods that provides access via PAM” .. PAM gives you the freedom to stack authentication/authorization methods (including ldap, rsa and unix) to the choice of user/customer.
Is there a way to use it with MySQL 5.1 ?
The PAM plugin depends on the MySQL pluggable authentication feature, which is only available starting with 5.5.
Is this PAM compatible with all MySQL/Oracle CLI? As in the beginning there were some limitations.
St –
If one uses the “auth_pam_compat” plugin, then it uses the stock Oracle “mysql_clear_password” plugin instead of “dialog” plugin used by the full-feature version. As “mysql_clear_password” is a default plugin distributed in Oracle MySQL, it provides the CLI compatibility.
Does anyone know the timing of the final release and whether it’ll be compatible with the 5.6?
Scott,
Final releases are shipped with Percona Server,
it is available in our latest releases.
We will ship PAM with Percona Server 5.6 too.