WL#7726: System account auth plugin
Affects: Server-5.7 — Status: Complete
There are several use cases for privileged accounts which should prohibit all connections using them:

* Proxy base user
* Stored programs and functions
* Events

This is best handled with the ability to explicitly restrict new connections for a specific account, but can be done for 5.5 and 5.6 today using an authentication plugin which always returns false (no connections allowed). This would be a meaningful stop-gap solution until 5.7 GA implements the preferred solution.
FR1: Accounts may be defined using an authentication plugin, "mysql_no_login".

FR2: Accounts defined using "mysql_no_login" authentication plugin will reject all client connections.

FR3: Accounts defined using "mysql_no_login" authentication plugin may be assigned privileges, like any user.

FR4: Accounts defined using "mysql_no_login" authentication plugin may be used as the DEFINER or INVOKER for stored programs, events and views.

FR5: Accounts defined using "mysql_no_login" authentication plugin may be used as a base user for proxy users.
I-1: A new authentication plugin, mysql_no_login, will be provided with MySQL Server packages. This plugin will require manual installation (not enabled by default), and will prevent user accounts configured to use it from accepting client connections. It will allow privileges to be granted to associated accounts for privilege abstraction in stored programs and views. There will be no new status variables or configuration options added.
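
The following walk-through of FR1 to FR5 is an added example, not part of the worklog or of the MySQL source. The schema, table, procedure and account names (appdb, orders, order_total, orders_definer, app, reporting) are hypothetical, and the statements are assumed to be run from the mysql client by an administrative account.

```sql
-- Added example; all schema, object and account names are hypothetical.
-- I-1: the plugin is not enabled by default, so load it first.
-- The library suffix is .so on Unix-like systems and .dll on Windows.
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

-- Constructed sample schema.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE appdb.orders (
  id       INT PRIMARY KEY,
  customer VARCHAR(64),
  total    DECIMAL(10,2)
);

-- FR1/FR2: an account that rejects every client connection.
CREATE USER 'orders_definer'@'localhost' IDENTIFIED WITH mysql_no_login;

-- FR3: privileges are granted exactly as for any other account.
GRANT SELECT ON appdb.orders TO 'orders_definer'@'localhost';

-- FR4: the procedure executes with the locked account's privileges.
-- DELIMITER is a mysql client command, not server SQL.
DELIMITER //
CREATE DEFINER = 'orders_definer'@'localhost'
PROCEDURE appdb.order_total(IN p_id INT)
SQL SECURITY DEFINER
BEGIN
  SELECT total FROM appdb.orders WHERE id = p_id;
END//
DELIMITER ;

-- The application account gets EXECUTE only, with no direct table access.
CREATE USER 'app'@'%' IDENTIFIED BY '<placeholder-password>';
GRANT EXECUTE ON PROCEDURE appdb.order_total TO 'app'@'%';

-- FR5: the locked account as a proxy base user. Whether the mapping takes
-- effect at login depends on the proxying account's authentication plugin.
CREATE USER 'reporting'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT PROXY ON 'orders_definer'@'localhost' TO 'reporting'@'localhost';

-- Audit: list every account that can hold privileges but cannot log in.
SELECT user, host, plugin FROM mysql.user WHERE plugin = 'mysql_no_login';
```

A direct login attempt as orders_definer is refused regardless of the password supplied, while app can still call appdb.order_total without holding SELECT on the table.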
Copyright (c) 2000, 2021, Oracle Corporation and/or its affiliates. All rights reserved.