Skip to content
Permalink
Browse files

MDEV-7985: MySQL Users Break when Migrating to MariaDB, part 2

Gave priority to password field when using a native authentication
plugin.

Also, prevented a user from setting an invalid auth_string, when using
native authentication.
  • Loading branch information...
cvicentiu committed May 5, 2015
1 parent 7b70b0d commit d3a3adb8337ae530cbcb75719f55889d1352b98f
Showing with 436 additions and 30 deletions.
  1. +197 −0 mysql-test/r/show_grants_with_plugin-7985.result
  2. +161 −0 mysql-test/t/show_grants_with_plugin-7985.test
  3. +78 −30 sql/sql_acl.cc
@@ -0,0 +1,197 @@
call mtr.add_suppression("password and an authentication plugin");
#
# Create a user with mysql_native_password plugin.
# The user has no password or auth_string set.
#
create user u1;
GRANT SELECT ON mysql.* to u1 IDENTIFIED VIA mysql_native_password;
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
user host password plugin authentication_string
u1 % mysql_native_password
#
# The user's grants should show no password at all.
#
show grants for u1;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
#
# Test to see if connecting with no password is succesful.
#
connect con1, localhost, u1,,;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
#
# Test after flushing privileges.
#
flush privileges;
connect con1, localhost, u1,,;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
#
# Now add a mysql_native password string in authentication_string.
#
GRANT SELECT ON mysql.* to u1 IDENTIFIED VIA mysql_native_password
USING '*7AFEFD08B6B720E781FB000CAA418F54FA662626';
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
user host password plugin authentication_string
u1 % mysql_native_password *7AFEFD08B6B720E781FB000CAA418F54FA662626
#
# Test to see if connecting with password is succesful.
#
connect con1, localhost, u1,'SOMETHING',;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*7AFEFD08B6B720E781FB000CAA418F54FA662626'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
#
# Test after flushing privileges.
#
flush privileges;
connect con1, localhost, u1,'SOMETHING',;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*7AFEFD08B6B720E781FB000CAA418F54FA662626'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
#
# Now we also set a password for the user.
#
set password for u1 = PASSWORD('SOMETHINGELSE');
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
user host password plugin authentication_string
u1 % *054B7BBD2B9A553DA560520DCD3F76DA2D81B7C6 mysql_native_password *7AFEFD08B6B720E781FB000CAA418F54FA662626
#
# Here we should use the password field, as that primes over
# the authentication_string field.
#
show grants for u1;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*054B7BBD2B9A553DA560520DCD3F76DA2D81B7C6'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
#
# Logging in with the user's password should work.
#
connect con1, localhost, u1,'SOMETHINGELSE',;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*054B7BBD2B9A553DA560520DCD3F76DA2D81B7C6'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
#
# Reload privileges and test logging in again.
#
flush privileges;
show grants for u1;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*054B7BBD2B9A553DA560520DCD3F76DA2D81B7C6'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
#
# Here we connect via the user's password again.
#
connect con1, localhost, u1,'SOMETHINGELSE',;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*054B7BBD2B9A553DA560520DCD3F76DA2D81B7C6'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
#
# Now we remove the authentication plugin password, flush privileges and
# try again.
#
update mysql.user set authentication_string = '' where user='u1';
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
user host password plugin authentication_string
u1 % *054B7BBD2B9A553DA560520DCD3F76DA2D81B7C6 mysql_native_password
flush privileges;
show grants for u1;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*054B7BBD2B9A553DA560520DCD3F76DA2D81B7C6'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
#
# Here we connect via the user's password.
#
connect con1, localhost, u1,'SOMETHINGELSE',;
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
user host password plugin authentication_string
u1 % *054B7BBD2B9A553DA560520DCD3F76DA2D81B7C6 mysql_native_password
disconnect con1;
connection default;
#
# Try and set a wrong auth_string password, with mysql_native_password.
# Make sure it fails.
#
GRANT USAGE ON *.* TO u1 IDENTIFIED VIA mysql_native_password USING 'asd';
ERROR HY000: Password hash should be a 41-digit hexadecimal number
#
# Now set a correct password.
#
GRANT SELECT ON mysql.* to u1 IDENTIFIED VIA mysql_native_password
USING '*7AFEFD08B6B720E781FB000CAA418F54FA662626';
show grants for u1;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*7AFEFD08B6B720E781FB000CAA418F54FA662626'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
#
# Test if the user can now use that password instead.
#
connect con1, localhost, u1,'SOMETHING',;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*7AFEFD08B6B720E781FB000CAA418F54FA662626'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
#
# Test if the user can now use that password instead, after flushing privileges;
#
connection default;
flush privileges;
connect con1, localhost, u1,'SOMETHING',;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' IDENTIFIED BY PASSWORD '*7AFEFD08B6B720E781FB000CAA418F54FA662626'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
#
# Clear all passwords from the user.
#
GRANT SELECT ON mysql.* to u1 IDENTIFIED VIA mysql_native_password;
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
user host password plugin authentication_string
u1 % mysql_native_password
#
# Test no password connect.
#
connect con1, localhost, u1,,;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
#
# Test no password connect, after flushing privileges.
#
flush privileges;
connect con1, localhost, u1,,;
show grants;
Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%'
GRANT SELECT ON `mysql`.* TO 'u1'@'%'
disconnect con1;
connection default;
drop user u1;
@@ -0,0 +1,161 @@
--source include/not_embedded.inc
--enable_connect_log
call mtr.add_suppression("password and an authentication plugin");

--echo #
--echo # Create a user with mysql_native_password plugin.
--echo # The user has no password or auth_string set.
--echo #

create user u1;
GRANT SELECT ON mysql.* to u1 IDENTIFIED VIA mysql_native_password;
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';

--echo #
--echo # The user's grants should show no password at all.
--echo #
show grants for u1;
--echo #
--echo # Test to see if connecting with no password is succesful.
--echo #
--connect (con1, localhost, u1,,)
show grants;
--disconnect con1

--connection default
--echo #
--echo # Test after flushing privileges.
--echo #
flush privileges;
--connect (con1, localhost, u1,,)
show grants;
--disconnect con1

--connection default
--echo #
--echo # Now add a mysql_native password string in authentication_string.
--echo #
# Password string is SOMETHING
GRANT SELECT ON mysql.* to u1 IDENTIFIED VIA mysql_native_password
USING '*7AFEFD08B6B720E781FB000CAA418F54FA662626';
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
--echo #
--echo # Test to see if connecting with password is succesful.
--echo #
--connect (con1, localhost, u1,'SOMETHING',)
show grants;
--disconnect con1

--connection default
--echo #
--echo # Test after flushing privileges.
--echo #
flush privileges;
--connect (con1, localhost, u1,'SOMETHING',)
show grants;
--disconnect con1
--connection default

--echo #
--echo # Now we also set a password for the user.
--echo #
set password for u1 = PASSWORD('SOMETHINGELSE');
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';

--echo #
--echo # Here we should use the password field, as that primes over
--echo # the authentication_string field.
--echo #
show grants for u1;

--echo #
--echo # Logging in with the user's password should work.
--echo #
--connect (con1, localhost, u1,'SOMETHINGELSE',)
show grants;
--disconnect con1
--connection default
--echo #
--echo # Reload privileges and test logging in again.
--echo #
flush privileges;
show grants for u1;
--echo #
--echo # Here we connect via the user's password again.
--echo #
--connect (con1, localhost, u1,'SOMETHINGELSE',)
show grants;
--disconnect con1
--connection default

--echo #
--echo # Now we remove the authentication plugin password, flush privileges and
--echo # try again.
--echo #
update mysql.user set authentication_string = '' where user='u1';
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
flush privileges;
show grants for u1;
--echo #
--echo # Here we connect via the user's password.
--echo #
--connect (con1, localhost, u1,'SOMETHINGELSE',)
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';
--disconnect con1
--connection default

--echo #
--echo # Try and set a wrong auth_string password, with mysql_native_password.
--echo # Make sure it fails.
--echo #
--error ER_PASSWD_LENGTH
GRANT USAGE ON *.* TO u1 IDENTIFIED VIA mysql_native_password USING 'asd';
--echo #
--echo # Now set a correct password.
--echo #
GRANT SELECT ON mysql.* to u1 IDENTIFIED VIA mysql_native_password
USING '*7AFEFD08B6B720E781FB000CAA418F54FA662626';
show grants for u1;

--echo #
--echo # Test if the user can now use that password instead.
--echo #
--connect (con1, localhost, u1,'SOMETHING',)
show grants;
--disconnect con1

--echo #
--echo # Test if the user can now use that password instead, after flushing privileges;
--echo #
--connection default
flush privileges;

--connect (con1, localhost, u1,'SOMETHING',)
show grants;
--disconnect con1
--connection default

--echo #
--echo # Clear all passwords from the user.
--echo #
GRANT SELECT ON mysql.* to u1 IDENTIFIED VIA mysql_native_password;
select user, host, password, plugin, authentication_string from mysql.user where user = 'u1';

--echo #
--echo # Test no password connect.
--echo #
--connect (con1, localhost, u1,,)
show grants;
--disconnect con1
--connection default

--echo #
--echo # Test no password connect, after flushing privileges.
--echo #
flush privileges;
--connect (con1, localhost, u1,,)
show grants;
--disconnect con1
--connection default

drop user u1;

0 comments on commit d3a3adb

Please sign in to comment.
You can’t perform that action at this time.