Support membership tests in SSPI with the special prefix forms CREATE USER u IDENTIFIED WITH gssapi AS "GROUP:<group_name>" or CREATE USER u IDENTIFIED WITH gssapi AS "SID:<sid>". If a user is created as one of the above, the following happens after a successful SSPI handshake: 1) If the "GROUP:" prefix is used, <group_name> is translated to a SID using the LookupAccountName() API. 2) The SSPI user is checked for SID membership with the ImpersonateSecurityContext() and CheckMembership() APIs. Note that <group>/<sid> does not strictly need to refer to an actual group. An identity test is also supported, e.g. "GROUP:<users_name>" or "SID:<user_sid>" will work too. Well-known SIDs (in SDDL syntax) appear to be supported, so "SID:WD" will refer to World/Everyone (== "SID:S-1-1-0") and "SID:BA" will refer to Administrators (== "SID:S-1-5-32-544"). In UAC environments, elevation (Run As Administrator) might be necessary for successful checks against the Administrators group, since CheckMembership() needs groups to be marked as enabled in the token group list.
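package My::Suite::AuthGSSAPI;

# Suite descriptor for the auth_gssapi plugin tests.  Like any suite.pm this
# file is evaluated by mysql-test-run and yields either a string naming the
# reason to skip the suite, or a blessed suite object when the suite can run.
#
# Environment exported for the test cases:
#   GSSAPI_FULLNAME  - fully qualified principal (user@REALM or DOMAIN\\user)
#   GSSAPI_SHORTNAME - principal without the realm / domain part
#   SID              - Windows only: SID of the account running the tests
# On Windows both GSSAPI_* names are always recomputed from the current
# account.  Elsewhere a preset GSSAPI_FULLNAME is honoured (otherwise it is
# taken from the Kerberos ticket cache) and GSSAPI_SHORTNAME is derived from it.

use strict;
use warnings;

our @ISA = qw(My::Suite);

return "No AUTH_GSSAPI plugin" unless $ENV{AUTH_GSSAPI_SO};

return "Not run for embedded server" if $::opt_embedded_server;

if ($^O eq "MSWin32")
{
  # Prefer the UPN form (user@domain); whoami /UPN prints nothing on stdout
  # when the machine is not domain-joined, so fall back to DOMAIN\user.
  # Both command lines are fixed strings - nothing untrusted reaches the shell.
  my $whoami = `whoami /UPN 2>NUL` || `whoami`;
  $whoami = '' unless defined $whoami;   # both commands unavailable
  chomp($whoami);

  # SQL escaping for backslash: the original comment says the name ends up in
  # SQL, presumably inside a quoted literal, so *every* backslash must be
  # doubled - hence /g rather than replacing only the first occurrence.
  (my $fullname = $whoami) =~ s/\\/\\\\/g;

  $ENV{'GSSAPI_FULLNAME'}  = $fullname;
  $ENV{'GSSAPI_SHORTNAME'} = $ENV{'USERNAME'} // '';

  # SID of the current account, presumably for the "SID:<sid>" style checks.
  my $sid = `powershell -Command "([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value"`;
  $sid = '' unless defined $sid;
  chomp($sid);
  $ENV{'SID'} = $sid;
}
else
{
  if (!$ENV{'GSSAPI_FULLNAME'})
  {
    # Use the principal of the current Kerberos ticket cache.  Matching the
    # labelled line with a regex avoids the old fixed-offset substr(), which
    # silently depended on the exact length of "Default principal: ".
    my $klist = `klist 2>/dev/null`;
    if (defined $klist
        && $klist =~ m{ ^ Default \s principal: \s+ (?<principal>.*?) \s* $ }xm)
    {
      $ENV{'GSSAPI_FULLNAME'} = $+{principal};
    }
  }

  # Short name is the principal without the realm: user@REALM -> user.
  # Guarded so that a missing full name does not trigger an undef split;
  # the check below reports the missing variables either way.
  if ($ENV{'GSSAPI_FULLNAME'})
  {
    $ENV{'GSSAPI_SHORTNAME'} = (split /@/, $ENV{'GSSAPI_FULLNAME'})[0];
  }
}

if (!$ENV{'GSSAPI_FULLNAME'} || !$ENV{'GSSAPI_SHORTNAME'})
{
  return "Environment variable GSSAPI_SHORTNAME and GSSAPI_FULLNAME need to be set";
}

if ($::opt_verbose)
{
  # Unset variables print as "NAME=" rather than warning about undef.
  foreach my $var ('GSSAPI_SHORTNAME','GSSAPI_FULLNAME','GSSAPI_KEYTAB_PATH','GSSAPI_PRINCIPAL_NAME')
  {
    print "$var=", $ENV{$var} // '', "\n";
  }
}

# The suite is part of the default run once the guards above have passed.
sub is_default { 1 }

bless {}, __PACKAGE__;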