Delegating authentication to an upstream server when proxying

[ramnes]

Hey!

Is it currently possible to delegate authentication to a backend MySQL server rather than validating credentials locally?

I would like to forward my go-mysql server authentication to an upstream server instead of storing/checking credentials in the proxy itself. The challenge I see is that the salt is generated in NewCustomizedConn before I have a chance to connect to the backend and use its salt.

If this isn't currently supported, how would you recommend approaching this? Happy to contribute a PR if there's a preferred direction. :)

[lance6716]

I think you can implement CredentialProvider interface:

• the receiver (self, this in other programming languages) holding a connection to the database
• CheckUsername and GetCredential return needed data by querying the database

salt does not affect the process? GetCredential should work as a plaintext password

[ramnes]

Hm, I'm not sure to understand. GetCredential builds a Credential out of a password, and you can't get the user's password out of the remote database. You could extract the hash and auth plugin out of the upstream database, but it means you'd need to have the privileges to do so. For a fully transparent proxy, you wouldn't even have an user to connect to the database in the first place. :)

If you don't want to mirror the credentials but completely delegate the authentication process, it seems to me that sending the data (e.g., the salt for mysql_native_password) back and forth between the upstream server and downstream client is the only way.

[lance6716]

Oh, I misunderstood "forward my go-mysql server authentication to an upstream server". Previously I think you have stored plaintext password at upstream database, and will compare connection's password with that.

I have forgotten the auth process 😂 Maybe you can ask LLM for now.