
*: authentication using tidb_auth_token plugin #38773

Merged
merged 47 commits into from
Nov 3, 2022

Conversation

CbcWestwolf
Member

@CbcWestwolf CbcWestwolf commented Oct 31, 2022

What problem does this PR solve?

Issue Number: close #38504

Problem Summary:

Using the tidb_auth_token plugin for authentication.

What is changed and how it works?

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
    • Construct a JWT and JWKS for testing, see the next section
  • No code

Manual test

Preparation
  1. go install github.com/cbcwestwolf/generate_jwt
  2. cd tidb && wget https://raw.githubusercontent.com/CbcWestwolf/generate_jwt/master/JWKS.json
  3. edit the configuration file config.toml:
     [security]
     auth-token-jwks = "JWKS.json"
  4. start the tidb-server: ./bin/tidb-server -config config.toml
  5. create the user using the root user: mysql -h 127.0.0.1 -P 4000 -uroot -D test --prompt="tidb> "
     create user '[email protected]' identified with 'tidb_auth_token' require token_issuer 'issuer-abc' attribute '{"email": "[email protected]"}'

Successful auth
  1. generate a JWT:
     generate_jwt --kid "the-key-id-0" --sub "[email protected]" --email "[email protected]" --iss "issuer-abc"
  2. use the JWT to auth:
     mycli -h 127.0.0.1 -P 4000 -u '[email protected]' -p '<the-JWT-generated>' --prompt="tidb> "

Note that the mysql client must support the mysql_clear_password auth plugin. mycli enables mysql_clear_password by default. If you are using mysql, pass the --enable-cleartext-plugin option to enable it.

Failed auth

Just change a claim such as sub to "[email protected]".

jwt.io may help.

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

1. add configuration `security.auth-token-jwks` and `security.auth-token-refresh-interval`
2. support passwordless authentication `tidb_auth_token`
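
The manual test above exercises one server-side decision: a login is accepted only if the presented JWT is signed by a key in the configured JWKS (selected by kid), carries the iss the user was created with (require token_issuer), and has sub and email matching the user name and the attribute JSON. The following Go program is an added example that models those checks end to end; it is not TiDB's code and not part of this PR. It assumes RS256 tokens and an RSA JWKS, and it constructs its own key set, signer and user (alice@example.com, issuer-abc, kid the-key-id-0) in place of JWKS.json, generate_jwt and the account in the PR text; the expiry check on exp is an addition the PR text does not mention.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT and JWKS use unpadded base64url

// jwk is an RSA JSON Web Key; json.Unmarshal maps "kty", "kid", "n", "e" onto these fields case-insensitively.
type jwk struct{ Kty, Kid, N, E string }
type jwks struct{ Keys []jwk }

// tokenUser is what CREATE USER ... IDENTIFIED WITH 'tidb_auth_token' pins down:
// the user name, the REQUIRE TOKEN_ISSUER value and the email in the ATTRIBUTE JSON.
type tokenUser struct{ Name, Issuer, Email string }

// newKeySet makes a throwaway RSA key and publishes it as a one-key JWKS (stands in for JWKS.json).
func newKeySet(kid string) (*rsa.PrivateKey, jwks) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails if the system CSPRNG is unavailable
	}
	return priv, jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
}

// signToken mints an RS256 JWT; it plays the part of the generate_jwt tool.
func signToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// publicKey selects the RSA key named by kid from the set and rebuilds it.
func publicKey(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// decodePart base64url-decodes one JWT segment and parses it as JSON into v.
func decodePart(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verifyToken accepts a token only if alg is the one allowed value (the token's own alg is
// never trusted beyond that), the signature verifies under the JWKS key named by kid, exp
// (Unix seconds) has not passed, and iss/sub/email match the user definition.
// Anything else is the manual test's "Failed auth" case.
func verifyToken(token string, set jwks, u tokenUser, now int64) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodePart(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("bad header or unsupported alg %q", hdr.Alg)
	}
	pub, errKey := publicKey(set, hdr.Kid)
	sig, errSig := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if errKey != nil || errSig != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("signature does not verify under kid %q", hdr.Kid)
	}
	var c struct{ Iss, Sub, Email string; Exp int64 }
	if err := decodePart(parts[1], &c); err != nil {
		return err
	}
	switch {
	case c.Exp == 0 || now >= c.Exp:
		return fmt.Errorf("token expired or has no exp")
	case c.Iss != u.Issuer:
		return fmt.Errorf("iss %q != required token_issuer %q", c.Iss, u.Issuer)
	case c.Sub != u.Name:
		return fmt.Errorf("sub %q != user %q", c.Sub, u.Name)
	case c.Email != u.Email:
		return fmt.Errorf("email %q != user attribute %q", c.Email, u.Email)
	}
	return nil
}
```

Pinning alg to RS256 before looking at the key is the point of the header check: a verifier that honours whatever alg the token names can be talked into "none" or into HMAC-with-the-public-key. Because the client hands the JWT to the server as a cleartext password (the mysql_clear_password plugin mentioned above), the connection carrying it needs TLS; otherwise the token is replayable by anyone on the path until exp.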

@ti-chi-bot
Member

ti-chi-bot commented Oct 31, 2022

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • djshow832
  • xhebox

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 31, 2022
@ti-chi-bot ti-chi-bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 1, 2022
@ti-chi-bot ti-chi-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 1, 2022
@ti-chi-bot ti-chi-bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Nov 1, 2022
@ti-chi-bot ti-chi-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Nov 2, 2022
@djshow832
Contributor

/merge

@ti-chi-bot
Member

This pull request has been accepted and is ready to merge.

Commit hash: 6a62a58

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Nov 3, 2022
@CbcWestwolf
Member Author

/hold

@ti-chi-bot ti-chi-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 3, 2022
@ti-chi-bot ti-chi-bot removed the status/can-merge Indicates a PR has been approved by a committer. label Nov 3, 2022
@CbcWestwolf
Member Author

/unhold

@ti-chi-bot ti-chi-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 3, 2022
Member

@bb7133 bb7133 left a comment


LGTM

@bb7133
Member

bb7133 commented Nov 3, 2022

/merge

@ti-chi-bot
Member

This pull request has been accepted and is ready to merge.

Commit hash: ce5d9af

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Nov 3, 2022
@CbcWestwolf
Member Author

/run-mysql-test
/run-unit-test

@CbcWestwolf
Member Author

/run-build
/run-mysql-test

@you06
Contributor

you06 commented Nov 3, 2022

There is a workaround for the mysql-test failure, you can run /run-mysql-test tidb-test=pr/2007

@CbcWestwolf
Member Author

/run-mysql-test tidb-test=pr/2007

2 similar comments

@ti-chi-bot ti-chi-bot merged commit f9c7bbc into pingcap:master Nov 3, 2022
@CbcWestwolf CbcWestwolf deleted the tidb_auth_token_2 branch November 3, 2022 18:54
@sre-bot
Contributor

sre-bot commented Nov 3, 2022

TiDB MergeCI notify

🔴 Bad News! [2] CI still failing after this pr merged.
These failed integration tests don't seem to be introduced by the current PR.

CI Name Result Duration Compare with Parent commit
idc-jenkins-ci-tidb/integration-common-test 🔴 failed 8, success 9, total 17 5 min 24 sec Existing failure
idc-jenkins-ci-tidb/common-test 🔴 failed 2, success 9, total 11 4 min 4 sec Existing failure
idc-jenkins-ci-tidb/integration-ddl-test 🟢 all 6 tests passed 30 min Existing passed
idc-jenkins-ci/integration-cdc-test 🟢 all 39 tests passed 20 min Existing passed
idc-jenkins-ci-tidb/tics-test 🟢 all 1 tests passed 5 min 33 sec Existing passed
idc-jenkins-ci-tidb/sqllogic-test-2 🟢 all 28 tests passed 4 min 25 sec Existing passed
idc-jenkins-ci-tidb/sqllogic-test-1 🟢 all 26 tests passed 3 min 55 sec Existing passed
idc-jenkins-ci-tidb/mybatis-test 🟢 all 1 tests passed 3 min 24 sec Existing passed
idc-jenkins-ci-tidb/integration-compatibility-test 🟢 all 1 tests passed 2 min 43 sec Existing passed
idc-jenkins-ci-tidb/plugin-test 🟢 build success, plugin test success 4min Existing passed

Labels
release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2.
Development

Successfully merging this pull request may close these issues.

Support authentication using a token/JWT
8 participants