MySQL execute as user or impersonate - mysql

In MySQL, is there a way to execute a query as a specific user to test table permissions? Is there a way to impersonate a user execution context when you are connected with a higher privileged account?
In the MSSQL world, one would use EXECUTE AS login = 'username', followed by your SQL Statements, then finally a REVERT, to close the impersonation.
Is there something similar in MySQL?

Personally I have never tried before, but you can take a look at the "Mysql Proxy User" available starting from MySQL 5.5.7
The plugin may request that the connecting (external) user be treated
as a different user for privilege-checking purposes. This enables the
external user to be a proxy for the second user; that is, to have the
privileges of the second user. In other words, the external user is a
“proxy user” (a user who can impersonate or become known as another
user) and the second user is a “proxied user” (a user whose identity
can be taken on by a proxy user)
Also you can write your own authentication plugins for proxy users
... Here another post that explain this kind of behaviour "MySQL Proxy Users – SU emulation"

You must go to home page, change settings of Local instance or whatever Schema you are using. There you need to change the username.
If you are looking to run the query where you have logged in with your credentials and wants to run other query with other credentials then check the 'proxy users' in MySQL.
I hope this helps.

Related

SAML certificate authentication vs login

I have a working implementation of SAML (OneLogin) within an enterprise architecture.
When a guest user arrives at my application they are redirected to the company login where they enter their username / password. After that the user identity is passed back to my application and we log them in.
However, I notice that in other applications within the company I do not have to login at all. Somehow the website "knows who I am" and seems to authenticate me automatically. I presume there is some form of certificate on my pc / browser which the other applications are passing to the SAML??
Can somebody tell me the technical term or process? Is there a process whereby I simply pull the certificate from the browser or PC and pass it to the SAML? I would like my users to be able to auto-login without entering their credentials.
Thanks
There's a number of mechanisms that support an "automatic" authentication like what you describe. In the Identity and Access Management (IAM) realm, we have all sorts of names for it, but many of us call that "seamless single sign-on (SSO)".
Within a corporate environment, I would suspect that you are dealing with a one of two mechanisms: Kerberos authentication (especially if you're a Microsoft shop and log in to a domain-joined machine on a daily basis), or your machine is in an MDM-type of system, which uses a machine- and/or user-based certificate (aka PKI) to authenticate the user or user/machine combination.
Within your enterprise, if there are other applications whose users are immediately authenticated to the application without entering their username and password, then you should talk to your IAM team or your Single Sign On (SSO) administrators to understand why that doesn't work for yours.
I will also say that it's possible that your security team evaluated what information your application offers (insider financials? source code? your secret recipe? credit card data?) and decided that they would still require the user enter their username and password to get access to the data. So when you go to your SSO admins to ask, if they say that it's intentional, you should feel free to ask why and who you should talk to about it.
After a LOT of research and testing I finally have the answer to this question, and it is incredibly simple!
In summary:
I have a working solution with OneLogin that sends me to a page like this:
https://sts.companyname.com/adfs/ls
The url is specified in the config: saml->config->idp->singleSignOnService->url
However, this page requires the user to enter their username and password and, instead, I would like the system to be fully seamless.
The solution, it turns out, is simply to hyperlink to the following url:
https://sts.companyname.com/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=https://mypage.com/saml/metadata
where "loginToRp" url is the url provided in saml->config->sp->entityID
The ADFS IDP Initiated Signon will connect to your metadata schema and automatically log the user in (without the user needing to provide any credentials)
NOTE: this only applies to intranet sites in a corporate environment

S3 Object that only some of my users can access

I want some guidance as to how to go about this:
I want to have some objects in my S3 bucket by accessible only be a few users (users from my web app). I looked through the AWS docs and it seems as though I need to give each of my users AWS access keys(?).
Obviously I don't want to do this, so is there any way in my app to lock out some users and let other in? I'm using Node.JS and MySQL (to store my users) if that makes a difference.
Thanks a lot for the help.
The very simple description of the S3 access / permission scheme is...Access to S3, like most other AWS resources is based on IAM-centric access controls. So, you can either grant access to your S3 buckets by either granting users access to it (setting it on S3) or granting S3 access to a user (setting it in IAM as a policy). So, whatever or whomever is accessing S3 must be authenticated to AWS. Again, that is a very high-level description and meant to simply point out that access is based on user/role authentication.
Now, assuming your web-app is running on AWS (EC2?), than your EC2 instance has been (hopefully) assigned an IAM role. Once that IAM Role has been assigned the permissions to do so, the application running on the EC2 instance can now access any AWS resource via that Role.
But, you don't want ALL of your webapp users to access S3, so my two thoughts are:
1) Check the users credentials within your app (assuming the user needs to authenticate somehow with your application) and make the determination of whether or not to call S3 based on the users credentials. You would then use the IAM Role assigned to the EC2 instance (an EC2 instance can only have 1 IAM Role assigned to it) and access S3 or not.
This second idea is a pretty bad one and smells bad to me. I'm pointing it out merely as a possibility and to highlight how the use of IAM Users / Roles works.
2) This suggestion would not utilize the IAM Role assigned to the EC2 instance, though I would always advocate for assigning a Role to the instance, you can always lock down that role and deny access to all AWS resources, but you can't add a role to the instance after launched.
Have two IAM Users (S3Granted and S3Denied, each of which obviously have appropriate policies for accessing S3). Each user of your webapp (e.g. Hillary Clinton, Donald Trump, Bernie Sanders and Ted Cruz) would then each map to one of the two IAM Users based on whether or not they should have access to S3. This would be a field in your MySQL database. You wouldn't bother checking the credentials up-front (because then you would just be performing Option #1 and would proceed with the S3 call regardless of the user and S3 will either grant or deny access based on the IAM User account your webapp user is associated with. You technically wouldn't need the S3Denied User (you could just have no user), but I figured it would be cleaner to specify the IAM User.
e.g.:
WebAppUser/Bernie Sanders --> IAMUser/S3Granted
WebAppUser/Hillary Clinton --> IAMUser/S3Denied
WebAppUser/Ted Cruz --> IAMUser/S3Granted
WebAppUser/Donald Trump --> IAMUser/S3Denied
For Option #2, you would then need to store the Access keys for both IAM Users m(S3Granted and S3Denied) somewhere so that you could properly authenticate.
Also, you would need to do a bit of exception handling so that you could properly notify your users that they have been denied access.
Overall, #2 is just a bad idea. It would be much cleaner if you simply had a field in your MySQL database that specified whether or not they can access S3 and either make the S3 call via the IAM Role or refuse to do so within your webapp. Don't leave it to S3 to grant or deny access.

what does web-login actually means and how it is implemented?

Bear with me please. I am a layman in web technology and have few simple questions which need simple language answers.
When we login using a username and password on any website, what exact connection/relation is established with the website server? Is it that the server stores the IP address of the user and allows the user access to certain tables from the server database for a short span of time and the regular query to the server keeps the 'connection alive'?
Thanks in advance..
A login system receives a set of credentials from the user, typically an identifier and a password. It could include what is called an authentication token, which is either generated by a handheld device (so you not only have to have id and password but the token generator; it's on the equivalent of requiring both the pin and the card at an ATM), or it's generated by combining the password with something else and returning an encryption result.
The login system, once it receives the credentials, compares them to what is stored on the credential database. In some cases the credentials are sent encrypted, such that even the login system doesn't even know what they are, all it does is determine if the encryption is correct. This would mean that even if someone was monitoring the communication channel they could not use it to fake a login later.
Now, if the credential is valid, one of two things happens. For a desktop application or general sign-on, the login program will transfer control to either the rest of the program (for an application), or grants access to the system (for a sign on). When the person leaves the application or signs off the system, then everything starts over.
For a website, the login program will send the user a cookie that another part of the website can read and determine the user was authenticated and their credentials passed. This continues until the cookie expires, or the user logs out. If the user logs out, the website sends a new cookie that says the former cookie is expired.

SQL Server - Scripting CREATE USER WITHOUT LOGIN

I have a SQL Server instance using SQL Authentication only. I will have only two users and one database on this instance. The SA has a user name of XX. I have another user and lets say that user is X. And, in my create scripts, I am adding X as a user on the server and then on the one database that is there.
If XX is the SA (created when installing SQL Server) there is no need for me to explicitly map XX to any database, correct?
I am a little confused over the CREATE USER WITHOUT LOGIN. If the above is true would I ever need to script the addition of X to the one database WITHOUT LOGIN? What is the significance of WITHOUT LOGIN? Under what conditions would anyone what to do that?
Thank you.
Users without login were added to replace application roles.
Loginless users are usefull for impersonation, in order to gain necessary permissions. They allow users to authenticate to the instance with their own credentials, therefore making SQL Server able to audit activity to their login, while impersonating the loginless user on the database context.
Simple impersonation example:
SELECT SUSER_NAME(), USER_NAME();
GO
CREATE USER loginless_user_4test
WITHOUT LOGIN
GO
EXECUTE AS USER = 'loginless_user_4test'
GO
SELECT SUSER_NAME(), USER_NAME();
GO
REVERT --as long as you haven't issued "EXECUTE AS ... WITH NO REVERT", you can go back to previous context
GO

sync persistence_token across databases

I am trying to figure out how to sync authlogic persistence tokens across servers.
I have 4 servers, and I have many apps on all 4, the authentication is working across all the apps on one server. I can even get them to work on different servers if I copy the persistence token from one to the other 3.
The only issue I can think of is users may login to one server and not the other, but I still want them to be able to be synced in case they do go to that other server. For example:
Joe logs into server 1
Joe also logs into server 2
Jane only logs into server 1
Fred only logs into server 2
I would need a 2 way sync from each of the servers. I don't care which persistence token they get as long as they are all the same.
This also uses LDAP for authentication in case that matters.
I am open to pretty much any suggestion, including something non-rails related.
Edit
To update this, I cannot remove LDAP authentication. I really have no desire to replace authlogic. I was thinking of something like a rake task or shell script to handle the syncing.
I am perfectly fine coming up with my own idea, just want to see if someone knows the best way.
Thank you all for any help.
You might really be looking for a central authentication service (CAS) -- something that will enable Single Sign On (SSO).
This enables you to log on to different services. It will work something like
User requests http://server1
server1 checks if the user is authenticated against the local store. If not:
server1 redirects user to something like http://casserver?return=server1
casserver actually gets the username/password or credentials, authenticates them, and:
casserver redirects to http://server1
Then:
User requests http://server2
server2 redirects user to http://casserver?return=server2
casserver redirects user to http://server2 with the authtoken
That way the user does not enter credentials more than once.
OAuth works like this (over-simplified)
People have used the java based CAS . Some posts:
http://weblog.plexobject.com/?p=1682
http://thinkrelevance.com/blog/2007/01/08/cas-sso-and-rails.html