WL#14074: Deterministic selection of user accounts based on IP

Affects: Server-8.0 — Status: Complete

Description
Requirements
High Level Architecture
Low Level Design

Account's host part resolution order for incoming connections is non 
deterministic. Order of user account creation may affect to which account the 
newly 
connection is bound to. The aim of this worklog is to implement more deterministic 
host/IP account matching order that promote IP over domain names.

Domain matching sort order remains the same and is non-deterministic.

FR.1 - Implement connecting IP matching order on the following criteria for the 
matching user name and anonymous user:
FR.1.1 - Match the incoming connection IP with the IP specified using the CREATE 
USER ''@'' syntax;
FR.1.2 - Match the incoming connection IP with the starting address of the subnet 
specified using the CREATE USER ''@'CIDR' syntax;
FR.1.3 - Match the incoming connection IP with the starting address of the subnet 
specified using the CREATE USER ''@'/' 
syntax;
FR.2 - If the incoming connection IP is not matched, match the account based on 
the existing domain name matching algorithm.

The objective of this worklog is to define more deterministic approach 
regarding 
matching host name of the incoming connection to the already created account's 
host name using the 'CREATE USER' syntax.

Existing host name ordering algorithm
=====================================
Consider there are two accounts created:

1) CREATE USER 'user'@'localhost';
2) CREATE USER 'user'@'127.0.0.1';

When connecting to the server, the account picked up during the connect, 
depends 
which account has been created first. They both are treated equally by the 
server.

Ordering position of the accounts with wildcards in the host name depend
on the position of the first wildcard.

There are two kinds of wildcards that can be applied: multi character (%) or 
single character (_).

1. 'user'@'localhost' << No wildcards are on top
2. 'user'@'localhost_' or 'user'@'localhost%' << Wildcard on 10th position
3. 'user'@'localhos_' or 'user'@'localhos%' << Wildcard on 9th position
4. 'user'@'localho_' or 'user'@'localho%' << Wildcard on 8th position
5. 'user'@'localh_' or 'user'@'localh%' << Wildcard on 7th position
6. 'user'@'local_' or 'user'@'local%' << Wildcard on 6th position

Two accounts with wildcard on the same position in the hostname are ordered on 
the same position and their actual position on the list depends, which account 
has been created earlier:

2.1 'user'@'localhos%' << This account has been created as first
2.2 'user'@'localhos_'

Account order
=============
This worklog defines following order of the accounts stored in the Access 
Control List (ACL):

1. Accounts created using the CREATE USER ''@'' syntax, e.g.:

Named user: CREATE USER 'user'@'127.0.0.1';
Anonymous user: CREATE USER ''@'127.0.0.1';

2. Accounts created using the CREATE USER ''@'' syntax, e.g.:

Named user: CREATE USER 'user'@'127.0.0.0/8';
Anonymous user: CREATE USER ''@'127.0.0.0/8';

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

3. Accounts created using the CREATE USER 
''@'/' syntax, e.g.:

Named user: CREATE USER 'user'@'127.0.0.0/255.0.0.0';
Anonymous user: CREATE USER ''@'127.0.0.0/255.0.0.0';

4. Accounts using the host name not recognized as one of the above statements 
are treated as domain names and fall into separate host name order algorithm.

4.1. Account with 'localhost' specified as a host name is treated no 
differently 
than other host names that represent user specified domains without wildcards 
(domains without wildcards are ordered before wildcarded domains).

Domain name order algorithm
===========================
Domain name matching algorithm remains the same as before. It supports 
wildcards 
in the name. Domain names without wildcards are ordered as first. Ordering 
position of the account with the wildcard depends on the position of the first 
wildcard in the host name.

1. "user1.host.com" < Level 1
2. "user2.host.com" < Level 1
3. "user_.host.com" < Level 2
4. "user%.host.com" < Level 2
5. "%.host.com"     < Level 3

Note that order of domains on the same level is undefined and IP resolved to 
more than one domain may pickup random matching domain on the same level.

Anonymous user vs named user
============================
Anonymous user and named user are treat equally. Sorting algorithm orders on 
the IP and host then on the named user - anonymous user, e.g:

Anonymous user: CREATE USER ''@'127.0.0.1';
Named user: CREATE USER 'user'@'127.0.0.0/255.255.255.0';

Extend ACL_ACCESS::ACL_HOST_AND_IP class to hold following information enabling 
correct sorting order:
- ACL_HOST_AND_IP was created from the IP string, e.g.: "127.0.0.1"
- ACL_HOST_AND_IP was created from the CIDR notation string, e.g.: "127.0.0.0/8"
- ACL_HOST_AND_IP was created from the starting address and the subnet mask 
string, e.g.: "127.0.0.0/255.0.0.0"

Extend ACL_compare class to sort users of the same user name in the following 
order:
1. IP value;
2. Matching connecting IP created from the CIDR notation;
3. Matching connecting IP created from the starting address and the subnet mask;
5. Non-deterministic host matching algorithm.

Note: anonymous account with not wildcarded host is picked before non anonymous 
account with wildcarded host.