Follow me on TwitterI recently blogged about Oracle killing one of its recent acquisitions a company called Virtual Iron. I posed a question if the same fate awaits MySQL. This proved to be a popular post and there was no shortage of comments. One particular comment identified what the person believes is a shortcoming of DB2:
The way DB2 manages users — via the OS — is a large hurdle for people coming from MySql (or any other DBMS for what that matters). DB2 express will never flourish before they provide user management like MySql and MS Sql have.
Brad Perkins replied that he considers this MySQL feature to be the weakest point of MySQL and that he actually appreciates the DB2 way of authenticating users:
I would have to strongly disagree with you on user mgmt and mysql. This is a strong plus for db2 not a detractor. If I have 80 nodes for mysql, which I do, I have to create the user on each instance where as in db2 I can do it once in NIS or LDAP. DB2 is way ahead of the curve in that regard. Also I believe M$ does this too… so this isn’t really that novel of a concept. From a security perspective mysql is a nightmare to manage as users are by default allowed to have no pass. This makes the auditors very nervous indeed. Having done extensive work with both databases I can tell you this is one of MySQL weakest features.
This back-and-forth in the comment stream made me think that there is a need to do some simple comparisons as to how different DBMS handle specific tasks. There is no way I can do a comprehensive treatment comparing all of the DBMS on all areas but I figured that once in a while I could post short articles on narrow topics. Since the conversation in the comment stream was around the differences in user authentication in DB2 and MySQL I figured this would be as good a place to start as any.
First thing first, let’s define what the term authentication really means. To ensure that data managed by the DBMS is protected from the prying eyes of the evil doers all DBMS manage assigning privileges and permissions to the users of the DBMS. However, before you can allow someone to access data or to perform an operation you must ensure that the user is who she claims she is. Authentication is the process of validating user’s identity. We are all familiar with providing user id and password when we log in to different systems and applications. In the simplest authentication scenarios the id+password pair is compared to what is stored in the system and a user is let in if there is a match or access is denied if the provided credentials do not match those stored in the system. Using id+password pair is only one example of user credential. Other examples include biometric information such as fingerprint or a retina scan, voice print, public key certificates like those described by the X.509 standard etc.
As I mentioned before, to ensure that the user is who she claims she is DBMS must compare the credentials provided with those that are known to be properly authenticating the user. Here is the dilemma: “how does the DBMS manage the credentials for the authentication process?”. Well, DBMS are all about managing data and these credentials (e.g. id+password) are just data so why not just store them in the database? Indeed, this is exactly what MySQL, Oracle and many other DBMS do. MySQL has a set of grant tables in a database (schema for DB2 people) called mysql. Specifically, there are columns in the table called user that contain hostname, user id and an encrypted password for every user account.
mysql> select Host, User, Password from mysql.user; +-----------+------+-------------------------------------------+ | Host | User | Password | +-----------+------+-------------------------------------------+ | localhost | root | *595E8DB4739AB8DC9771B264DF11A40995FD16A2 | | % | root | *595E8DB4739AB8DC9771B264DF11A40995FD16A2 | +-----------+------+-------------------------------------------+
If you describe this table you will also notice that it contains many more columns that store user privileges and there are columns that deal with x.509 certificates. Keeping account information in the database itself can be very convenient. For example, for an ISV having the application self contained and to be able to easily create and destroy accounts through the application itself is very attractive. You can also use database backups to back up account information and restore it if disaster strikes. However, in a typical enterprise environment, keeping account information in the same database as the application data can be very inconvenient. In a typical large organization, users need to use many applications located on a variety of systems. When each one of these applications and systems demands that a users create individual accounts with unique credentials users get overwhelmed and confused; “what was my id and password for the accounting system?”. Surveys of corporate IT Help Desks indicate that over 80% of the help desk calls are related to user identity issues. This becomes an even bigger headache when you consider the processes that are required to accommodate job changes or employee resignations. Say you had an employee leave the company. You now have to go every single system and application in your company and remove all of the accounts this employee may have had. Do you even know which systems and applications are affected? This is the reason many organizations prefer to use corporate directory systems (LDAP, Windows Active Directory i.e. Kerberos etc.) to manage all user accounts. At IBM, all employees get a single “intranet id” that we use to sign on to pretty much any application that we are authorized to use. I absolutely love it as I now only have to remember a single id and password. Gone are the days of writing up lists of ids and passwords and hiding them in that very secure place … under the keyboard. This issue is not unique to large enterprises. Out on the web, there is a big push behind using single sign-on solutions like OpenID to spare all of us the pain of trying to keep hundreds of accounts on various web sites.
Another common issue associated with individual applications managing accounts is inability to consistently apply organizational security standards. For example, your organization may mandate rules for non-trivial passwords (must be at least 8 characters, can’t repeat, must contain at least 2 digits, can’t have a name of your cat etc.) and if it does you can bet there will be a security audit that will nail you if any of the accounts don’t comply. MySQL does not provide any facility to help you enforce corporate password rules so you end up coding them in each application. This is not fun especially if you consider the fact that you have to maintain and change this code as the rules change … and they do change. And what about if this application is written by someone else and you don’t have access to source?
These are some of the reasons DB2 and several other DBMS like Microsoft SQL Server try to persuade DBAs not manage accounts in the database. Just like MySQL provides ability to plug in different storage engines, DB2 provides a plug-in architecture for managing user accounts and group membership. DB2 ships with a number of plug-ins and provides a documented open API for creating new plug-ins. This way an administrator can choose to use the security subsystem provided by the operating system (this is the default for DB2) or use corporate LDAP directories or Windows Active Directory (Kerberos). If you don’t mind writing a few lines of code you could go and create a plug-in that will authenticate your users by their retina scan or their iPhone. Say 3 full turns to the right, one full turn back, quarter turn to the right again; like a combination lock. I can see you are already thinking: “this would make a cool iLock app … almost as cool as the iFart which sold over 350000 copies … I can be the next internet millionaire!”. If you want to do something more prosaic, like use the same authentication like MySQL does i.e. keep account information in the database, you could use DB2 security plug-in to do that. Just look at this article by Gene Kligerman and follow his simple explanations.
It was not my intention to provide a complete essay on database security in this post. This is a topic that requires a book. For those interested in DB2 security I recommend Understanding DB2 9 Security
Thanks for stopping by. If you enjoyed reading this post, and may want to read more in the future subscribe to this blog and leave a comment.
i do like db2′s security model, but i have run into problems with it. though, in the end, i’m sure i just wasn’t doing it right.
i wanted to use kerberos auth on a particular AIX box, but only for user accounts, not system accounts, such as the instance owner. i had authentication set to SERVER, so my understanding was that db2 would reach out to the OS for the authentication, via db2ckpwd. however, it seemed that when db2ckpwd asked the OS, some of the user’s attributes were not being honored. rlogin, for example, was being honored, but the authentication method set for a user (krb5 if i remember corrrectly) was not.
so it may be better stated that the OS handles auth when set to SERVER BUT with caveat 1, 2, 3… etc. in the end, we probably just needed to create one of these plugins you speak about. we reverted to not using kerberos for now.
Awesome write-up on security model !!
I prefer OS authentication, but I do run into issues with it.
Our databases are running on AIX, while our business users mostly use PCs to run reports. When a new user joins the company, the AIX admin creates a user ID for this user and DBA creates the necessary views, grant table auth for this user etc. The problem is the password for the user. The AIX admins sets it up such that when the user logs in for first time it prompts for a new password, which is good. The bad is, this works only if the user logs into the AIX machine. If they try logging in thru the client they are using on the PC, this doesn’t work and they are not able to access the machine unless somebody else actually logs in to the AIX machine and changes the pwd for them. Which ends up mostly being the case since most of these users have never used any commandline tools (putty etc). And this way, these users never (almost never) change a password once its set since that requires logging into the AIX operating system. I find this to be the biggest issue since when a user ends up with no access these 3 groups will be finger pointing each other saying one of them messed up
(If you know any way around this, the solution would be welcome)
i also experience the same problems as peter. would love a solution!
Use the DB2 command :
CONNECT TO USER USING NEW CONFIRM
I realize that most do not use command line tools however, most can follow a script.
The one drawback to using the DB2 Command Line Processor is that it requires that DB2 Client be installed on a PC.
An alternative on Windows is to create a trivial executable that calls the SQLDriverConnect on Windows. This will launch a GUI panel through which you can change the password on a remote AIX/Linux/Windows server.
For an example as well as a picture of the GUI, please see the middle of the article that I wrote referenced by Leon above.
I’m not a DBA by any means, but I agree, the lack of authentication options in MySQL is a major drawback.
DB2′s approach seems to be the same as that of PostgreSQL, where there are a number of authentication plugins covering everything from LDAP/Kerberos to OS users to having everything just stored in the DB.
From the limited amount that I have used commercial DB’s like Oracle and MSSQL, it seems that PostgreSQL is firmly in that league, and MySQL is just now appearing on the horizon.
[...] Database Security: DB2 vs MySQL and how to make a million … – MySQL and DB2 use different approaches to database security and user authentication. This blog introduces advantages and drawbacks of both approaches. [...]
“keep account information in the database, you could use DB2 security plug-in to do that.”
Can we hope that internal authentication (OS independent) will be built into DB2 by IBM, at least
as an option ? I agree that OS authentication may be usefull in many situations, but OS dependency is often problematic and not always desirable.
I read Gene’s article, but it seems it’s hard to write plugin which is not platform specific.