phpmyadmin / phpmyadmin

A web interface for MySQL and MariaDB
https://www.phpmyadmin.net/
GNU General Public License v2.0
7.17k stars 3.38k forks source link

Allow authenticators to provide username for saving settings. #17146

Open fliespl opened 2 years ago

fliespl commented 2 years ago

Is your feature request related to a problem? Please describe.

Possibility to use single login info for many users, while being able to save their settings with external username (i.e. SSO auth).

Describe the solution you'd like

Currently database user is also used for storing user ui settings, query history etc. It would be great to provide a mechanism that would allow authenticators to seperate database info from user which is used for storing settings inside database (pma tables - i.e. pmahistory).

Let's say we provide DATABASE_USER, DATABASE_PASSWORD variables, users login using SSO via gitlab. Our plugin authenticates users, but settings are shared between them since database login/pass is used. We don't want to create seperate mysql users for everyone since this is mainly dev env.

We haven't found a better way than "hacking it" by using:

DatabaseInterface.php

    public function connect(int $mode, ?array $server = null, ?int $target = null)
    {
        [$user, $password, $server] = Config::getConnectionParams($mode, $server);

        global $auth_plugin;
        if($mode === self::CONNECT_USER && is_a($auth_plugin, 'PhpMyAdmin\Plugins\Auth\AuthenticationSSO')) {
            $user = $auth_plugin->getMysqlUser();
            $password = $auth_plugin->getMysqlPassword();
        } 

And filling fake password + username / email inside authenticator class. This way settings are stored with user email, but database connection uses other settings.

AuthenticatorSSO.php
        $this->user = $this->getUserEmail();
        $this->password = 'fake';

Best course of action would be to allow authenticators to set under which user should settings be saved.

ibennetch commented 2 years ago

This is an interesting use case and I'm open to improving this. In the moment, I don't have any specific thoughts about what to do, but wanted to comment that I see how it is annoying to you. I agree that some extension of the fake user idea might be a good solution.

fliespl commented 2 years ago

Thanks @ibennetch. I wouldn't call it annoying - just a minor inconvenience, since we managed to achieve the goal (but hacky way). Just mentioned it in case there are other users interested in such approach.