Authentication & Authorization
Background
In ShardingSphere-Proxy, user authentication and authorization information is configured through authority
.
Thanks to ShardingSphere’s pluggable architecture, Proxy provides two levels of privilege providers, namely:
ALL_PERMITTED
: each user has all privileges without special authorization;DATABASE_PERMITTED
: grant the user privileges on the specified logical databases, defined byuser-database-mappings
.
The administrator can choose which privilege provider to use as needed when configuring authority
.
Parameter
authority:
users:
- user: # Specify the username, and authorized host for logging in to the compute node. Format: <username>@<hostname>. When the hostname is % or an empty string, it indicates that the authorized host is not limited.
password: # Password
authenticationMethodName: # Optional, used to specify the password authentication method for the user
authenticators: # Optional, not required by default, Proxy will automatically choose the authentication method according to the frontend protocol type
authenticatorName:
type: # Authentication method type
defaultAuthenticator: # Optional, specify an authenticator as the default password authentication method
privilege:
type: # Privilege provider type. The default value is ALL_PERMITTED.
Sample
Minimalist configuration
authority:
users:
- user: root@%
password: root
- user: sharding
password: sharding
illustrate:
- Two users are defined:
root@%
andsharding
; authenticationMethodName
is not specified forroot@127.0.0.1
, Proxy will automatically choose the authentication method according to the frontend protocol;- privilege provider is not specified, the default
ALL_PERMITTED
will be used;
Authentication configuration
Custom authentication configuration can meet the needs of users in some specific scenarios. Taking openGauss
as the frontend protocol type as an example, its default authentication method is scram-sha-256
. If the user sharding
needs to use an old version of the psql client (which does not support scram-sha-256
) to connect to the Proxy, the administrator may allow sharding to use the md5
method for password authentication. The configuration is as follows:
authority:
users:
- user: root@127.0.0.1
password: root
- user: sharding
password: sharding
authenticationMethodName: md5
authenticators:
md5:
type: MD5
privilege:
type: ALL_PERMITTED
illustrate:
- Two users are defined:
root@127.0.0.1
andsharding
; - Use
MD5
method for password authentication forsharding
; - Authentication method is not specified for
root@127.0.0.1
, Proxy will automatically choose one according to the frontend protocol; - The privilege provider
ALL_PERMITTED
is specified.
Authorization configuration
ALL_PERMITTED
authority:
users:
- user: root@127.0.0.1
password: root
- user: sharding
password: sharding
privilege:
type: ALL_PERMITTED
illustrate:
- Two users are defined:
root@127.0.0.1
andsharding
; authenticators
andauthenticationMethodName
are not defined, Proxy will automatically choose the authentication method according to the frontend protocol;- The privilege provider
ALL_PERMITTED
is specified.
DATABASE_PERMITTED
authority:
users:
- user: root@127.0.0.1
password: root
- user: sharding
password: sharding
privilege:
type: DATABASE_PERMITTED
props:
user-database-mappings: root@127.0.0.1=*, sharding=test_db, sharding=sharding_db
illustrate:
- Two users are defined:
root@127.0.0.1
andsharding
; authenticators
andauthenticationMethodName
are not defined, Proxy will automatically choose the authentication method according to the frontend protocol;- The privilege provider
DATABASE_PERMITTED
is specified, authorizeroot@127.0.0.1
to access all logical databases (*
), and usersharding
can only accesstest_db
andsharding_db
.
Related References
Please refer to Authority Provider for specific implementation of authority provider.