In ShardingSphere-Proxy, user authentication and authorization information is configured through authority.
Thanks to ShardingSphere’s pluggable architecture, Proxy provides two levels of privilege providers, namely:
- ALL_PERMITTED: each user has all privileges without special authorization;
- DATABASE_PERMITTED: the user is granted privileges only on the specified logical databases, defined by user-database-mappings.

The administrator can choose which privilege provider to use as needed when configuring authority.
```yaml
authority:
  users:
    - user: # Specify the username, and authorized host for logging in to the compute node. Format: <username>@<hostname>. When the hostname is % or an empty string, it indicates that the authorized host is not limited.
      password: # Password
      authenticationMethodName: # Optional, used to specify the password authentication method for the user
  authenticators: # Optional, not required by default, Proxy will automatically choose the authentication method according to the frontend protocol type
    authenticatorName:
      type: # Authentication method type
  defaultAuthenticator: # Optional, specify an authenticator as the default password authentication method
  privilege:
    type: # Privilege provider type. The default value is ALL_PERMITTED.
```
The simplest configuration defines only the users:

```yaml
authority:
  users:
    - user: root@%
      password: root
    - user: sharding
      password: sharding
```

Explanation:

- Two users are defined: root@% and sharding;
- authenticationMethodName is not specified for either user, so Proxy will automatically choose the authentication method according to the frontend protocol;
- ALL_PERMITTED will be used as the privilege provider;
- Custom authentication configuration can meet the needs of users in some specific scenarios.
Taking openGauss as the frontend protocol type as an example, its default authentication method is scram-sha-256.
If the user sharding needs to use an old version of the psql client (which does not support scram-sha-256) to connect to the Proxy, the administrator may allow sharding to use the md5 method for password authentication.
The configuration is as follows:
```yaml
authority:
  users:
    - user: root@127.0.0.1
      password: root
    - user: sharding
      password: sharding
      authenticationMethodName: md5
  authenticators:
    md5:
      type: MD5
  privilege:
    type: ALL_PERMITTED
```
Explanation:

- Two users are defined: root@127.0.0.1 and sharding;
- The MD5 method is used for password authentication for sharding;
- No authentication method is specified for root@127.0.0.1, so Proxy will automatically choose one according to the frontend protocol;
- ALL_PERMITTED is specified as the privilege provider.

A configuration that uses ALL_PERMITTED as the privilege provider:

```yaml
authority:
  users:
    - user: root@127.0.0.1
      password: root
    - user: sharding
      password: sharding
  privilege:
    type: ALL_PERMITTED
```
Explanation:

- Two users are defined: root@127.0.0.1 and sharding;
- authenticators and authenticationMethodName are not defined, so Proxy will automatically choose the authentication method according to the frontend protocol;
- ALL_PERMITTED is specified as the privilege provider.

A configuration that uses DATABASE_PERMITTED as the privilege provider:

```yaml
authority:
  users:
    - user: root@127.0.0.1
      password: root
    - user: sharding
      password: sharding
  privilege:
    type: DATABASE_PERMITTED
    props:
      user-database-mappings: root@127.0.0.1=*, sharding=test_db, sharding=sharding_db
```
Explanation:

- Two users are defined: root@127.0.0.1 and sharding;
- authenticators and authenticationMethodName are not defined, so Proxy will automatically choose the authentication method according to the frontend protocol;
- DATABASE_PERMITTED is specified as the privilege provider: root@127.0.0.1 is authorized to access all logical databases (*), and user sharding can only access test_db and sharding_db.

Please refer to Authority Provider for the specific implementation of the authority provider.
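The following is an added example, not code from ShardingSphere-Proxy, that models how the `authority` section above is evaluated: which configured user admits a login from a given client host, which authenticator type applies (the user's `authenticationMethodName`, else `defaultAuthenticator`, else the frontend protocol's own default, represented here by the placeholder `PROTOCOL_DEFAULT`), and whether the privilege provider permits a logical database. The configuration is embedded as a constructed Python dict mirroring the DATABASE_PERMITTED example, with the `md5` authenticator from the authentication example added for user `sharding`. The matching rules are assumptions drawn from the configuration semantics described on this page: a hostname of `%` or an empty string matches any host, a mapping entry without `@hostname` is treated as `username@%`, and `*` grants every logical database.

```python
"""Added illustration of authority evaluation; not ShardingSphere-Proxy's own code.
Assumed rules: hostname "%" or "" matches any host; a user-database-mappings entry
without "@hostname" means username@%; a mapped database of "*" grants everything."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed configuration mirroring the DATABASE_PERMITTED example above, plus
# the md5 authenticator from the authentication example for user sharding.
AUTHORITY = {
    "users": [
        {"user": "root@127.0.0.1", "password": "root"},
        {"user": "sharding", "password": "sharding", "authenticationMethodName": "md5"},
    ],
    "authenticators": {"md5": {"type": "MD5"}},
    "privilege": {
        "type": "DATABASE_PERMITTED",
        "props": {"user-database-mappings": "root@127.0.0.1=*, sharding=test_db, sharding=sharding_db"},
    },
}


@dataclass(frozen=True)
class Grantee:
    username: str
    hostname: str  # "%" or "" means the authorized host is not limited

    @classmethod
    def parse(cls, identity: str) -> Grantee:
        username, sep, hostname = identity.partition("@")
        return cls(username, hostname if sep else "%")  # assumption: no host given -> %

    def matches(self, username: str, client_host: str) -> bool:
        if self.username != username:
            return False
        return self.hostname in ("%", "") or self.hostname == client_host


def parse_database_mappings(mappings: str) -> dict[Grantee, set[str]]:
    """Parse user-database-mappings: comma-separated <user>[@host]=<database> entries."""
    result: dict[Grantee, set[str]] = {}
    for entry in mappings.split(","):
        entry = entry.strip()
        if not entry:
            continue
        identity, sep, database = entry.partition("=")
        if not sep or not identity.strip() or not database.strip():
            raise ValueError(f"malformed user-database-mappings entry: {entry!r}")
        result.setdefault(Grantee.parse(identity.strip()), set()).add(database.strip())
    return result


def authenticate(authority: dict, username: str, client_host: str) -> Grantee | None:
    """Return the configured user entry that admits a login from client_host, else None."""
    for user in authority.get("users", []):
        grantee = Grantee.parse(user["user"])
        if grantee.matches(username, client_host):
            return grantee
    return None


def effective_authenticator(authority: dict, grantee: Grantee) -> str:
    """Resolve the password authentication type: authenticationMethodName, then
    defaultAuthenticator, then the protocol default (placeholder PROTOCOL_DEFAULT).
    A reference to an authenticator that is not defined is a configuration error."""
    authenticators = authority.get("authenticators") or {}
    for user in authority.get("users", []):
        if Grantee.parse(user["user"]) == grantee:
            name = user.get("authenticationMethodName") or authority.get("defaultAuthenticator")
            break
    else:
        raise KeyError(f"no such user: {grantee}")
    if name is None:
        return "PROTOCOL_DEFAULT"
    if name not in authenticators:
        raise ValueError(f"authenticator {name!r} is referenced but not defined under authenticators")
    return authenticators[name]["type"]


def is_database_permitted(authority: dict, username: str, client_host: str, database: str) -> bool:
    """ALL_PERMITTED (the default) grants everything; DATABASE_PERMITTED grants
    only the logical databases mapped to a matching user@host."""
    privilege = authority.get("privilege") or {}
    provider = privilege.get("type", "ALL_PERMITTED")
    if provider == "ALL_PERMITTED":
        return True
    if provider != "DATABASE_PERMITTED":
        raise ValueError(f"unknown privilege provider: {provider!r}")
    mappings = parse_database_mappings(privilege.get("props", {}).get("user-database-mappings", ""))
    return any(
        mapped.matches(username, client_host) and ("*" in databases or database in databases)
        for mapped, databases in mappings.items()
    )


if __name__ == "__main__":
    for user, host, db in [("root", "127.0.0.1", "any_db"), ("sharding", "10.0.0.5", "test_db"),
                           ("sharding", "10.0.0.5", "orders_db"), ("root", "10.0.0.5", "any_db")]:
        grantee = authenticate(AUTHORITY, user, host)
        if grantee is None:
            print(f"{user}@{host}: login rejected (no matching user/host entry)")
            continue
        verdict = "permitted" if is_database_permitted(AUTHORITY, user, host, db) else "denied"
        print(f"{user}@{host}: auth={effective_authenticator(AUTHORITY, grantee)} {db}={verdict}")
```

Running the script shows the two consequences of the example worth checking before deployment: `root` is only admitted from 127.0.0.1 because the entry pins the host, while `sharding` is admitted from any host but, under DATABASE_PERMITTED, is denied every logical database that is not listed in its mapping. Note that `effective_authenticator` raises when an `authenticationMethodName` points at a name missing from `authenticators`, which is the easiest mistake to make when adding the `md5` override.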
