
@rophy

@rophy rophy commented Jan 11, 2026

Summary

Adds per-user auth plugin support via mysql_users.attributes:

INSERT INTO mysql_users (username, password, attributes, frontend, backend)
VALUES ('app_user', '', '{"auth_plugin": "static", "static_password": "secret"}', 1, 0);

  • New ProxySQL_Auth_Plugin interface
  • Plugin loading via auth_plugins config
  • AUTH_SWITCH flow for clear-text credentials
  • Backend user mapping via backend_username attribute

Included Plugins

  1. static - validates against password in attributes (reference implementation)
  2. k8s - validates Kubernetes ServiceAccount tokens via TokenReview API

Tests

  • Integration tests for static plugin
  • Unit tests for k8s plugin (mock-based)

Docs

  • doc/internal/MySQL_AuthPlugin.md

rophy added 2 commits January 11, 2026 10:31
Adds a new per-user auth plugin system that allows different users
to authenticate using different methods via the auth_plugin attribute
in mysql_users.attributes.

Includes:
- ProxySQL_Auth_Plugin interface (include/MySQL_AuthPlugin.h)
- Plugin loading via auth_plugins config (src/main.cpp)
- AUTH_SWITCH flow for clear-text credential (lib/MySQL_Protocol.cpp)
- Static auth plugin as reference implementation
- Integration tests and documentation

Validates K8s ServiceAccount JWT tokens via TokenReview API.
Username format: namespace/serviceaccount (must match token identity).

Features:
- Direct TokenReview API integration (no external validator)
- Configurable timeout via K8S_TIMEOUT_MS env var
- Dependency injection for testability
- 24 unit tests with mock K8s client
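The PR summary above and the two commit messages describe how a plugin user is resolved: the `auth_plugin` key in `mysql_users.attributes` selects the plugin, the `static` plugin compares the presented credential against `static_password`, the `k8s` plugin requires the frontend username to be `namespace/serviceaccount` and to match the identity returned by the TokenReview API, and `backend_username` optionally remaps the user for the backend. The following is an added example, not code from the PR or from ProxySQL; it models that decision in Python with the TokenReview client injected (as the PR's unit tests do) and with all names (`authenticate`, `fake_token_review`, the sample users and token) being assumptions made for the illustration.

```python
"""Added example, not ProxySQL's code: resolve a per-user auth plugin from
mysql_users.attributes and run the 'static' or 'k8s' check described in the PR.
Names (authenticate, fake_token_review, sample users/tokens) are assumptions."""
import hmac
import json

# Plugin names taken from the PR description.
LOADED_PLUGINS = {"static", "k8s"}


def parse_attributes(raw):
    """Parse the attributes column; an empty column means 'no plugin'."""
    if not raw:
        return {}
    attrs = json.loads(raw)
    if not isinstance(attrs, dict):
        raise ValueError("attributes must be a JSON object")
    return attrs


def static_auth(attrs, credential):
    """static plugin: compare the presented credential with static_password."""
    expected = attrs.get("static_password")
    if expected is None:
        return False
    # constant-time comparison so timing does not leak how much of it matched
    return hmac.compare_digest(expected.encode(), credential.encode())


def k8s_auth(username, token, token_review):
    """k8s plugin: token_review(token) returns the TokenReview 'status' object.
    The frontend username must be namespace/serviceaccount and must match the
    identity Kubernetes reports as system:serviceaccount:<ns>:<sa>."""
    if token_review is None or username.count("/") != 1:
        return False
    status = token_review(token)
    if not status.get("authenticated"):
        return False
    identity = status.get("user", {}).get("username", "")
    prefix = "system:serviceaccount:"
    if not identity.startswith(prefix):
        return False  # a human user or group token is not a ServiceAccount
    ns, _, sa = identity[len(prefix):].partition(":")
    return ns + "/" + sa == username


def authenticate(username, credential, raw_attributes, token_review=None):
    """Return (ok, backend_username). ok is None when the user has no plugin,
    i.e. the ordinary password path applies; backend_username defaults to the
    frontend name unless the attributes remap it."""
    attrs = parse_attributes(raw_attributes)
    plugin = attrs.get("auth_plugin")
    if plugin is None:
        return (None, username)
    if plugin not in LOADED_PLUGINS:
        return (False, None)  # fail closed on a plugin that was not loaded
    if plugin == "static":
        ok = static_auth(attrs, credential)
    else:
        ok = k8s_auth(username, credential, token_review)
    if not ok:
        return (False, None)
    return (True, attrs.get("backend_username", username))


def fake_token_review(token):
    """Constructed stand-in for the TokenReview API (no real cluster involved):
    exactly one token is valid and belongs to ServiceAccount 'app' in 'payments'."""
    if token == "constructed-valid-token":
        return {"authenticated": True,
                "user": {"username": "system:serviceaccount:payments:app"}}
    return {"authenticated": False}


if __name__ == "__main__":
    print(authenticate("app_user", "secret",
                       '{"auth_plugin": "static", "static_password": "secret"}'))
    print(authenticate("payments/app", "constructed-valid-token",
                       '{"auth_plugin": "k8s", "backend_username": "app_rw"}',
                       fake_token_review))
    print(authenticate("payments/other", "constructed-valid-token",
                       '{"auth_plugin": "k8s"}', fake_token_review))
```

The identity comparison is the part worth getting right: accepting any `authenticated: true` result without tying it to the row's username would let one ServiceAccount log in as any other plugin user.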
@gemini-code-assist

Summary of Changes

Hello @rophy, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a flexible and extensible per-user authentication plugin framework for ProxySQL. It allows administrators to configure diverse authentication mechanisms for individual users, moving beyond traditional password-based methods. This is particularly beneficial for integrating with modern identity providers and orchestrators like Kubernetes, enabling more secure and dynamic credential management without modifying ProxySQL's core logic.

Highlights

  • New Authentication Plugin Framework: Introduced a new ProxySQL_Auth_Plugin interface for extending authentication methods, allowing for highly customizable per-user authentication.
  • Dynamic Plugin Loading: Enabled dynamic loading of authentication plugins via a new auth_plugins configuration variable, supporting runtime extensibility.
  • AUTH_SWITCH Flow Integration: Implemented an AUTH_SWITCH flow within the MySQL protocol handler to securely obtain clear-text credentials (like tokens or passwords) for plugin validation.
  • Backend User Mapping: Added support for mapping frontend users, authenticated by plugins, to distinct backend users using the backend_username attribute in mysql_users.
  • Reference Plugins Included: Provided two reference plugins: a static password validator for simple cases and a k8s plugin for Kubernetes ServiceAccount token validation via the TokenReview API.
  • Comprehensive Testing: Included integration tests for the static plugin and unit tests for the Kubernetes plugin, ensuring the framework's reliability and correctness.
  • Detailed Documentation: Added new internal documentation (doc/internal/MySQL_AuthPlugin.md) detailing the design, configuration, and usage of the new authentication framework.

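The summary above mentions that the framework obtains the clear-text credential (token or password) through an AUTH_SWITCH flow in the MySQL protocol handler. As an added example, not code from the PR or from ProxySQL, the block below builds and parses the two packets of that exchange, Protocol::AuthSwitchRequest (server to client) and the client's AuthSwitchResponse. It assumes the server requests the standard `mysql_clear_password` plugin, whose response is the credential followed by a NUL byte; the PR does not name the plugin it requests, so that choice, the function names and the TLS gate in `auth_switch_exchange` are this example's own.

```python
"""Added example, not ProxySQL's code: the MySQL AuthSwitchRequest /
AuthSwitchResponse exchange used to pull a clear-text credential from a client.
Assumes the mysql_clear_password plugin is requested (the PR does not say)."""
import struct

CLEAR_PLUGIN = b"mysql_clear_password"
AUTH_SWITCH_MARKER = 0xFE  # first payload byte of an AuthSwitchRequest


def frame(payload, seq):
    """Prepend the MySQL packet header: 3-byte little-endian length + sequence id."""
    if len(payload) >= 0xFFFFFF:
        raise ValueError("payload needs multi-packet framing")
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def unframe(packet):
    """Split one packet into (seq, payload), checking the declared length."""
    if len(packet) < 4:
        raise ValueError("short packet")
    length = int.from_bytes(packet[:3], "little")
    seq, payload = packet[3], packet[4:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    return seq, payload


def build_auth_switch_request(seq, plugin=CLEAR_PLUGIN, plugin_data=b""):
    """Server -> client: 0xFE, NUL-terminated plugin name, plugin-specific data."""
    return frame(bytes([AUTH_SWITCH_MARKER]) + plugin + b"\x00" + plugin_data, seq)


def parse_auth_switch_request(packet):
    """Return (seq, plugin_name, plugin_data) or raise if it is not a switch request."""
    seq, payload = unframe(packet)
    if not payload or payload[0] != AUTH_SWITCH_MARKER:
        raise ValueError("not an AuthSwitchRequest")
    name, sep, rest = payload[1:].partition(b"\x00")
    if not sep:
        raise ValueError("plugin name is not NUL-terminated")
    return seq, name, rest


def build_clear_password_response(seq, credential):
    """Client -> server: for mysql_clear_password the payload is credential + NUL."""
    if b"\x00" in credential:
        raise ValueError("credential may not contain NUL")
    return frame(credential + b"\x00", seq)


def parse_clear_password_response(packet):
    """Return (seq, credential) from a mysql_clear_password response."""
    seq, payload = unframe(packet)
    if not payload.endswith(b"\x00"):
        raise ValueError("clear-text credential must be NUL-terminated")
    return seq, payload[:-1]


def auth_switch_exchange(credential, tls_active):
    """Drive both sides in-process and return the credential the server recovers.
    The TLS gate is this example's policy: a clear-text token or password must
    never be requested over a plaintext connection."""
    if not tls_active:
        raise RuntimeError("refusing clear-text auth switch without TLS")
    request = build_auth_switch_request(seq=2)  # handshake used seq 0 and 1
    seq, plugin, _ = parse_auth_switch_request(request)
    if plugin != CLEAR_PLUGIN:
        raise ValueError("unexpected plugin " + plugin.decode())
    response = build_clear_password_response(seq + 1, credential)
    _, recovered = parse_clear_password_response(response)
    return recovered


if __name__ == "__main__":
    print(build_auth_switch_request(2).hex())
    print(auth_switch_exchange(b"constructed-token", tls_active=True))
```

Two practical notes: the stock `mysql` client only answers a `mysql_clear_password` switch when started with `--enable-cleartext-plugin` (or the equivalent library option), and whatever the plugin receives this way is the raw token or password, so the connection must be TLS-protected before the switch is sent.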


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This PR introduces a powerful and flexible per-user authentication plugin framework. The design is well-thought-out, with a clear interface for plugins, good separation of concerns (e.g., using dependency injection for the Kubernetes client), and comprehensive documentation and tests. The inclusion of both a simple static plugin and a more complex k8s plugin serves as a great reference for future plugin developers.

I have one major concern regarding the connection counting logic when both this new plugin framework and the existing LDAP plugin are used concurrently. I've provided detailed comments and suggestions in lib/MySQL_Session.cpp to address this.

Overall, this is an excellent feature addition to ProxySQL.

@rophy
Author

rophy commented Jan 11, 2026

Hi, nowadays many apps and DBs are deployed inside Kubernetes.

I am exploring possibilities to leverage Kubernetes ServiceAccount, a form of system identity defined and managed by Kubernetes, to enable passwordless authentication of MariaDB: https://github.com/rophy/mariadb-auth-k8s

As a bonus, I think it might be useful for proxysql to support this as well, so I tried to mimic the concepts of existing proxysql LDAP auth support into a generic auth plugin framework. Wanted to know if proxysql team is interested in such idea.

Disclaimer: Code is AI generated. I as human oversee the design, reviewed the test cases, and made sure the test cases pass in local dev container and local kubernetes cluster (kind).

rophy added 2 commits January 11, 2026 13:43
When both LDAP module and per-user auth plugins are configured,
auth plugin users were incorrectly having their connections counted
by LDAP's counter instead of GloMyAuth.

Add use_auth_plugin flag to distinguish auth plugin users from LDAP
users, ensuring correct connection counting regardless of whether
LDAP module is loaded.

Replace strlen(s) == 0 with s[0] == '\0' to avoid potential
issues with non-null-terminated strings and satisfy static
analysis checks.
@sonarqubecloud

Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube Cloud

@mirostauder
Collaborator

retest this please

@rophy
Author

rophy commented Jan 11, 2026

> retest this please

The PR involves building plugins (.so) so your existing CI pipeline will definitely fail.

If OK, I'd also like to propose a common local-first build & test environment, to help external contributors have more consistent test results with the proxysql team: #5292
