add login support for API #2846

Open
1 of 6 tasks
tomatolog opened this issue Dec 12, 2024 · 2 comments
@tomatolog

Proposal:

need to add basic auth into API interface code to support auth with users and password hash that already works for SphinxQL interface.

Could use the same approach as mysql_native_password does:

  • the client \ master queries the agent \ server
  • the agent \ server replies at the handshake with the additional salt data
  • the client \ master uses salt with the sha1 pwd similar to what mysql_native_password does and sends user and password hash with the main query

Decided not to add SSL encryption here as it is a different task.

Checklist:

To be completed by the assignee. Check off tasks that have been completed or are not applicable.

  • Implementation completed
  • Tests developed
  • Documentation updated
  • Documentation reviewed
  • Changelog updated
  • OpenAPI YAML updated and issue created to rebuild clients
@tomatolog

change of the step

the agent \ server replies at the handshake with the additional salt data

seems too complex. Adding the send of

  • the user name
  • the token sha1(user+sha1(password) )

from the client to server or master to agent along with each query similar to HTTP Basic auth.

Master will send to agent the user auth it got from the user request.
For the replication API commands will use special user with the replication roles.

@tomatolog

could use sha2 library https://github.com/okdshin/PicoSHA2 for the token generation sha256(user+sha1(password) ) then replace it with OpenSSL code after the change of the #2789 got integrated
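
The two schemes discussed in this thread, side by side, as an added example (not part of the issue and not the project's code): the per-query token `H(user+sha1(password))` and the salted `mysql_native_password` response from the original proposal. It shows that the per-query token is the same value on every request, while the salted response only verifies against the salt of its own handshake. Assumptions: strings are UTF-8, `sha1(password)` is concatenated as raw digest bytes, the server stores `sha1(password)` for the token scheme and `sha1(sha1(password))` for the salted scheme; all function names and sample values are hypothetical.

```python
import hashlib
import hmac

# Constructed fixed salts so the example is reproducible; a server would
# generate a fresh random salt for every handshake.
SALT_A = bytes(range(20))
SALT_B = bytes(range(20, 40))


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def static_token(user: str, password: str, algo: str = "sha1") -> str:
    """Per-query token from the thread: H(user + sha1(password)), H = sha1 or sha256."""
    return hashlib.new(algo, user.encode() + sha1(password.encode())).hexdigest()


def verify_static(user: str, token: str, stored_sha1_pwd: bytes, algo: str = "sha1") -> bool:
    """Server side: recompute from the stored sha1(password), compare in constant time."""
    expected = hashlib.new(algo, user.encode() + stored_sha1_pwd).hexdigest()
    return hmac.compare_digest(expected.encode(), token.encode())


def native_scramble(password: str, salt: bytes) -> bytes:
    """Client side of mysql_native_password: SHA1(pwd) XOR SHA1(salt + SHA1(SHA1(pwd)))."""
    stage1 = sha1(password.encode())
    mask = sha1(salt + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def verify_native(scramble: bytes, salt: bytes, stored_double_sha1: bytes) -> bool:
    """Server side: undo the XOR, hash once more, compare with stored SHA1(SHA1(pwd))."""
    if len(scramble) != hashlib.sha1().digest_size:
        return False
    mask = sha1(salt + stored_double_sha1)
    stage1 = bytes(a ^ b for a, b in zip(scramble, mask))
    return hmac.compare_digest(sha1(stage1), stored_double_sha1)


def demo() -> dict:
    user, pwd = "api_user", "s3cret-example"  # constructed sample credentials
    stored1, stored2 = sha1(pwd.encode()), sha1(sha1(pwd.encode()))
    response = native_scramble(pwd, SALT_A)
    return {
        "static_token_same_on_every_query": static_token(user, pwd) == static_token(user, pwd),
        "static_sha256_verifies": verify_static(user, static_token(user, pwd, "sha256"), stored1, "sha256"),
        "salted_response_verifies": verify_native(response, SALT_A, stored2),
        "salted_response_bound_to_its_salt": not verify_native(response, SALT_B, stored2),
    }
```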
