A server-side authentication plugin is available that authenticates clients that connect from the local host through the Unix socket file.
The source code for this plugin can be examined as a relatively simple example demonstrating how to write a loadable authentication plugin.
The following table shows the plugin and library file names. The
file name suffix might differ on your system. The file location
is the directory named by the
plugin_dir system variable. For
installation information, see
Section 5.8, “Pluggable Authentication”.
Table 7.8 MySQL Socket Peer-Credential Authentication Plugin
|Server-side plugin name|
|Client-side plugin name||None, see discussion|
|Library file name|
auth_socket authentication plugin
authenticates clients that connect from the local host through
the Unix socket file. The plugin uses the
SO_PEERCRED socket option to obtain
information about the user running the client program. Thus, the
plugin can be built only on systems that support the
SO_PEERCRED option, such as Linux.
The plugin checks whether the socket user name matches the MySQL
user name specified by the client program to the server. As of
MySQL 5.7.6, if the names do not match, the plugin also checks
whether the socket user name matches the name specified in the
authentication_string column of the
mysql.user table row. If a match is found,
the plugin permits the connection.
Suppose that a MySQL account is created for a user named
valerie who is to be authenticated by the
auth_socket plugin for connections from the
local host through the socket file:
CREATE USER 'valerie'@'localhost' IDENTIFIED WITH auth_socket;
If a user on the local host with a login name of
stefanie invokes mysql
with the option
--user=valerie to connect
through the socket file, the server uses
auth_socket to authenticate the client. The
plugin determines that the
--user option value
valerie) differs from the client user's name
stephanie) and refuses the connection. If a
valerie tries the same thing, the
plugin finds that the user name and the MySQL user name are both
valerie and permits the connection. However,
the plugin refuses the connection even for
valerie if the connection is made using a
different protocol, such as TCP/IP.
For general information about pluggable authentication in MySQL, see Section 5.8, “Pluggable Authentication”.