In ShardingSphere-Proxy, user authentication and authorization information is configured through authority
.
Thanks to ShardingSphere’s pluggable architecture, Proxy provides two levels of privilege providers, namely:
ALL_PERMITTED
: each user has all privileges without special authorization. (Will be removed in a future version)DATABASE_PERMITTED
: grants the user privileges on the specified logical databases, defined by user-database-mappings
. (Recommended)The administrator can choose which privilege provider to use as needed when configuring authority
.
authority:
users:
- user: # Specify the username, and authorized host for logging in to the compute node. Format: <username>@<hostname>. When the hostname is % or an empty string, it indicates that the authorized host is not limited, username and hostname are case-insensitive
password: # Password
admin: # Optional, administrator identity. If true, the user has the highest authority. The default value is false
authenticationMethodName: # Optional, used to specify the password authentication method for the user
authenticators: # Optional, not required by default, Proxy will automatically choose the authentication method according to the frontend protocol type
authenticatorName:
type: # Authentication method type
defaultAuthenticator: # Optional, specify an authenticator as the default password authentication method
privilege:
type: # Privilege provider type. The default value is ALL_PERMITTED
authority:
users:
- user: root@%
password: root
- user: sharding
password: sharding
Explanation:
root@%
and sharding
;authenticationMethodName
is not specified for root@127.0.0.1
, Proxy will automatically choose the authentication method according to the frontend protocol;ALL_PERMITTED
will be used;The custom authentication configuration allows users to greater leeway to set their own custom configurations according to their scenarios.
Taking openGauss
as the frontend protocol type as an example, its default authentication method is scram-sha-256
.
If the user sharding
needs to use an old version of the psql client (which does not support scram-sha-256
) to connect to the Proxy, the administrator may allow sharding to use the md5
method for password authentication.
The configuration is as follows:
authority:
users:
- user: root@127.0.0.1
password: root
- user: sharding
password: sharding
authenticationMethodName: md5
authenticators:
md5:
type: MD5
privilege:
type: ALL_PERMITTED
Explanation:
root@127.0.0.1
and sharding
;MD5
method for password authentication for sharding
;root@127.0.0.1
, Proxy will automatically choose one according to the frontend protocol;ALL_PERMITTED
is specified.authority:
users:
- user: root@127.0.0.1
password: root
- user: sharding
password: sharding
privilege:
type: ALL_PERMITTED
Explanation:
root@127.0.0.1
and sharding
;authenticators
and authenticationMethodName
are not defined, Proxy will automatically choose the authentication method according to the frontend protocol;ALL_PERMITTED
is specified.authority:
users:
- user: root@127.0.0.1
password: root
admin: true
- user: sharding
password: sharding
- user: test
password: sharding
privilege:
type: DATABASE_PERMITTED
props:
user-database-mappings: sharding@%=*, test@%=test_db, test@%=sharding_db
Explanation:
root@127.0.0.1
, sharding
and test
, which root@127.0.0.1
is an admin user;authenticators
and authenticationMethodName
are not defined, Proxy will automatically choose the authentication method according to the frontend protocol;DATABASE_PERMITTED
is specified, authorize sharding@%
to access all logical databases (*
), and user test
can only access test_db
and sharding_db
.