MDEV-19316: mysql_secure_installation offers to rename root user

[ManjotS]

This PR fixes MDEV-19316

mysql_secure_installation should offer to rename root to another name (default to short hostname) before prompting for root password change.

[an3l]

Line 311, you used $rootuser, why not here ?

[ManjotS]

311 is return, unsure what you are asking

[an3l]

Hi @ManjotS,
any update regarding the review?

[vuvova]

Note https://jira.mariadb.org/browse/MDEV-19650

[ManjotS]

@vuvova I don't think that MDEV will effect this PR.. unless you think we should have secure installation redefine mysql.user view, which it could.

[vuvova]

MDEV-19650 says that renaming a root user, breaks mysql.user, makes it unusable.

I think it's very relevant to a PR about renaming the root user.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[ManjotS]

I am a MariaDB Corp employee and this work was done as part of my employment. Don't need CLA.

[an3l]

@ManjotS can you try locally to run your query? I couldn't.

UPDATE mysql.global_priv SET User='foo' WHERE User='root';
SET @v1 := (SELECT CONCAT("CREATE OR REPLACE DEFINER=`'"foo"'`@`localhost` VIEW `mysql`.`user` AS ", view_definition, ";") FROM information_schema.views WHERE table_schema="mysql" and table_name="user"); EXECUTE IMMEDIATE @v1;

[an3l]

Based on MDEV-19650, mariadb.sys@localhost is a definer for mysql.user and as such we can change the root.
Simple rename user should work.
However there is some ongoing work which will ask user which user to use and I think we can add option to rename the user too.

[grooverdan]

@ManjotS I took your concepts and wrote ddd6677 to keep it compatible with the goals of MDEV-10112 (Galera replication of changes - which is also getting corrected in the tree of changes). Related to MDEV-22486 its all about ensuring that non-root access can be used and overall this has simplified the implementation somewhat.

If there's unix socket authentication it won't prompt the change.

It currently will rename to $user@% if the user doesn't enter an explicit host portion like bob@localhost that I'll probably correct to preserve the host part of the original.

I know this change has been requested for a long time. Sorry for the delay. Is there any other desired and anti-desired aspects of this implementation in development to fix MDEV-19316?

[ManjotS]

That was quite a simplification, but I am happy with it!

[LinuxJedi]

Hi @ManjotS,

I'm going through older pull requests to help move them forward. I see that @an3l is continuing development of this based on your work in his branch bb-10.4-anel-mysql-secureinstall. For this reason, I will close this pull request for now. You are welcome to reopen at if you feel this is in error.

Also, feel free to comment further in MDEV-19316.