MDEV-7597 Expiration of user passwords
This patch adds support for expiring user passwords. The following statements are extended: CREATE USER user@localhost PASSWORD EXPIRE [option] ALTER USER user@localhost PASSWORD EXPIRE [option] If no option is specified, the password is expired with immediate effect. If option is DEFAULT, global policy applies according to the default_password_lifetime system var (if 0, password never expires, if N, password expires every N days). If option is NEVER, the password never expires and if option is INTERVAL N DAY, the password expires every N days. The feature also supports the disconnect_on_expired_password system var and the --connect-expired-password client option. Closes #1166
1 parent
83de75d
commit 90ad4db
Showing
34 changed files
with
1,259 additions
and
99 deletions.
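--- /dev/null
+++ b/<RESULT_FILE_PATH_NOT_SHOWN_ON_PAGE>
@@ -0,0 +1,207 @@
+#
+# Only privileged users should be able to expire passwords
+#
+create user user1@localhost;
+alter user user1@localhost password expire;
+create user user2@localhost;
+connect con2,localhost,user2;
+connection con2;
+alter user user1@localhost password expire;
+ERROR 42000: Access denied; you need (at least one of) the CREATE USER privilege(s) for this operation
+disconnect con2;
+connection default;
+drop user user1@localhost;
+drop user user2@localhost;
+#
+# disconnect_on_expired_password=ON should deny a clients's connection
+# when the password is expired or put the client in sandbox mode if OFF
+#
+create user user1@localhost password expire;
+set global disconnect_on_expired_password=ON;
+connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
+connect con1,localhost,user1;
+ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
+set global disconnect_on_expired_password=OFF;
+connect con1,localhost,user1;
+connection con1;
+select 1;
+ERROR HY000: You must SET PASSWORD before executing this statement
+disconnect con1;
+connection default;
+drop user user1@localhost;
+#
+# connect-expired-password option passed to client should override
+# the behavior of disconnect_on_expired_password server system var.
+#
+create user user1@localhost password expire;
+set global disconnect_on_expired_password=ON;
+connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
+connect con1,localhost,user1;
+ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
+drop user user1@localhost;
+#
+# Manually expiring a password should have immediate effect
+#
+create user user1@localhost;
+alter user user1@localhost password expire;
+set global disconnect_on_expired_password=ON;
+connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
+connect con1,localhost,user1;
+ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
+drop user user1@localhost;
+#
+# Sandbox mode should only allow change password statements
+#
+create user user1@localhost password expire;
+grant create user on *.* to user1@localhost;
+set global disconnect_on_expired_password=OFF;
+connect con1,localhost,user1;
+connection con1;
+select 1;
+ERROR HY000: You must SET PASSWORD before executing this statement
+set password=password('');
+select 1;
+1
+1
+disconnect con1;
+connection default;
+drop user user1@localhost;
+#
+# Passwords are still expired after acl reload
+#
+set global disconnect_on_expired_password=ON;
+create user user1@localhost password expire;
+flush privileges;
+connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
+connect con1,localhost,user1;
+ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
+drop user user1@localhost;
+#
+# JSON functions on global_priv reflect the correct state
+# of the password expiration columns
+#
+create user user1@localhost password expire;
+select host, user, JSON_VALUE(Priv, '$.password_last_changed') from mysql.global_priv where user='user1';
+host user JSON_VALUE(Priv, '$.password_last_changed')
+localhost user1 0
+alter user user1@localhost password expire never;
+select host, user, JSON_VALUE(Priv, '$.password_lifetime') from mysql.global_priv where user='user1';
+host user JSON_VALUE(Priv, '$.password_lifetime')
+localhost user1 0
+alter user user1@localhost password expire default;
+select host, user, JSON_VALUE(Priv, '$.password_lifetime') from mysql.global_priv where user='user1';
+host user JSON_VALUE(Priv, '$.password_lifetime')
+localhost user1 -1
+alter user user1@localhost password expire interval 123 day;
+select host, user, JSON_VALUE(Priv, '$.password_lifetime') from mysql.global_priv where user='user1';
+host user JSON_VALUE(Priv, '$.password_lifetime')
+localhost user1 123
+drop user user1@localhost;
+#
+# SHOW CREATE USER correctly displays the locking state of an user
+#
+create user user1@localhost;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost'
+alter user user1@localhost password expire;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE
+set password for user1@localhost= password('');
+alter user user1@localhost password expire default;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost'
+alter user user1@localhost password expire never;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+alter user user1@localhost password expire interval 123 day;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE INTERVAL 123 DAY
+alter user user1@localhost password expire;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE
+set password for user1@localhost= password('');
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE INTERVAL 123 DAY
+drop user user1@localhost;
+#
+# Incorrect INTERVAL values should be rejected
+#
+create user user1@localhost password expire interval 0 day;
+ERROR HY000: Incorrect DAY value: '0'
+#
+# Password expiration fields are loaded properly on 10.3 tables
+#
+create user user1@localhost;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+flush privileges;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+alter user user1@localhost password expire;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE
+flush privileges;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE
+set password for user1@localhost= password('');
+alter user user1@localhost password expire default;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+flush privileges;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+alter user user1@localhost password expire never;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+flush privileges;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+alter user user1@localhost password expire interval 123 day;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+flush privileges;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
+alter user user1@localhost password expire;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE
+flush privileges;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER 'user1'@'localhost' PASSWORD EXPIRE
+set global disconnect_on_expired_password=ON;
+connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
+connect con1,localhost,user1;
+ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
+set global disconnect_on_expired_password=OFF;
+connect con1,localhost,user1;
+connection con1;
+select 1;
+ERROR HY000: You must SET PASSWORD before executing this statement
+set password=password('');
+select 1;
+1
+1
+disconnect con1;
+connection default;
+drop user user1@localhost;
+set global disconnect_on_expired_password=default;
+set global default_password_lifetime=default;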
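Review bot: The expected output in the `# Password expiration fields are loaded properly on 10.3 tables` section records `alter user user1@localhost password expire interval 123 day` (and `... password expire default` a few lines above it) coming back from SHOW CREATE USER as `PASSWORD EXPIRE NEVER` with no warning in between, so a lifetime policy applied against an un-upgraded privilege table is silently dropped and this file pins that as correct behaviour. Presumably the pre-10.4 mysql.user layout has nowhere to store the lifetime; if so, the server should emit a warning for the ignored option (the expected output would then carry the `Warnings:` rows), or at minimum the section comment should state `# lifetime options cannot be stored in pre-10.4 tables and are reported as NEVER` so the next reader does not mistake the NEVER rows for an oversight in the test. The `# Incorrect INTERVAL values should be rejected` section covers only `interval 0 day`; if the grammar admits a negative or out-of-range day count, one such case would pin that bound as well. The `# connect-expired-password option ... should override` section records only the rejected connection, so the override path itself is not visible in this result file — worth confirming the positive case is exercised in the accompanying .test file.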