In ShardingSphere-Proxy, user authentication and authorization information is configured through authority.
Thanks to ShardingSphere’s pluggable architecture, Proxy provides two levels of privilege providers, namely:
ALL_PERMITTED: each user has all privileges without special authorization.DATABASE_PERMITTED: grants the user privileges on the specified logical databases, defined by user-database-mappings.The administrator can choose which privilege provider to use as needed when configuring authority.
authority:
users:
- user: # Specify the username, and authorized host for logging in to the compute node. Format: <username>@<hostname>. When the hostname is % or an empty string, it indicates that the authorized host is not limited, username and hostname are case-insensitive
password: # Password
admin: # Optional, administrator identity. If true, the user has the highest authority. The default value is false
authenticationMethodName: # Optional, used to specify the password authentication method for the user
authenticators: # Optional, not required by default, Proxy will automatically choose the authentication method according to the frontend protocol type
authenticatorName:
type: # Authentication method type
defaultAuthenticator: # Optional, specify an authenticator as the default password authentication method
privilege:
type: # Privilege provider type. The default value is ALL_PERMITTED
authority:
users:
- user: root@%
password: root
- user: sharding
password: sharding
Explanation:
root@% and sharding;authenticationMethodName is not specified for root@127.0.0.1, Proxy will automatically choose the authentication method according to the frontend protocol;ALL_PERMITTED will be used;The custom authentication configuration allows users to greater leeway to set their own custom configurations according to their scenarios.
Taking openGauss as the frontend protocol type as an example, its default authentication method is scram-sha-256.
If the user sharding needs to use an old version of the psql client (which does not support scram-sha-256) to connect to the Proxy, the administrator may allow sharding to use the md5 method for password authentication.
The configuration is as follows:
authority:
users:
- user: root@127.0.0.1
password: root
- user: sharding
password: sharding
authenticationMethodName: md5
authenticators:
md5:
type: MD5
privilege:
type: ALL_PERMITTED
Explanation:
root@127.0.0.1 and sharding;MD5 method for password authentication for sharding;root@127.0.0.1, Proxy will automatically choose one according to the frontend protocol;ALL_PERMITTED is specified.authority:
users:
- user: root@127.0.0.1
password: root
- user: sharding
password: sharding
privilege:
type: ALL_PERMITTED
Explanation:
root@127.0.0.1 and sharding;authenticators and authenticationMethodName are not defined, Proxy will automatically choose the authentication method according to the frontend protocol;ALL_PERMITTED is specified.authority:
users:
- user: root@127.0.0.1
password: root
- user: sharding
password: sharding
privilege:
type: DATABASE_PERMITTED
props:
user-database-mappings: root@127.0.0.1=*, sharding@%=test_db, sharding@%=sharding_db
Explanation:
root@127.0.0.1 and sharding;authenticators and authenticationMethodName are not defined, Proxy will automatically choose the authentication method according to the frontend protocol;DATABASE_PERMITTED is specified, authorize root@127.0.0.1 to access all logical databases (*), and user sharding can only access test_db and sharding_db.Please refer to Authority Provider for the specific implementation of authority provider.