mysql_user: fix user_mod on MySQL(-like) 5.7+ (Fixes #3003) #5388
Thanks @wouteroostervld. To the current maintainers, @Jmainguy please review according to guidelines (http://docs.ansible.com/ansible/developing_modules.html#module-checklist) and comment with text 'shipit', 'needs_revision' or 'close_me' as appropriate. [This message brought to you by your friendly Ansibull-bot.]
This is a security issue because setting a cleartext password for users with an auth_plugin other than mysql_native_password in MySQL 5.7+ does nothing, completes 'successfully' and generates no error or warning. This specifically goes wrong with Percona 5.7. The root user by default has the unix-socket plugin configured, so setting a password is a no-op.
@wouteroostervld Does this work on older MySQL versions?
@abadger: No, the special syntax is only executed on 5.7+; otherwise it falls back to the old syntax. The MySQL version check was already available.
But maybe the capability check variable "old_user_mgmt" could be named more clearly. The original intent was to check only for the removal of old-style user management in 5.7+. But that is not the only thing that is different. Suggestions?
Looks good to my eyeballs, I will test tonight (in a few hours) and update on the results of my testing. |
Notes from my testing. On a default install of mysql (percona in my tests) 5.7
So the password must be changed manually before ansible will work. Trying to update the password following examples from mysql.com will give the following errors
Now that the password is changed, ansible will work
https://docs.ansible.com/ansible/mysql_user_module.html doesn't mention that auth_plugin is a configurable option at the moment
@wouteroostervld is it safe to say this is waiting on #3589 to be merged before this can be merged?
@Jmainguy: Looks like you tested another problem. The test is whether you can set a password for a user if it has auth_socket enabled. (This was the case in my 'default install' using the PPA in Ubuntu from Percona.) My patch just fixed this specific case for a user with the auth_socket plugin configured: https://www.percona.com/blog/2016/03/16/change-user-password-in-mysql-5-7-with-plugin-auth_socket/ It doesn't depend on #3589. If you look at the code you see it already uses 'ALTER USER ... WITH mysql_native_password' in some cases but not all. It just fixes mysql_user with cleartext passwords to behave the same way as with hashes. So it's not a feature but a bug.
So, as usual I was super confused. This PR affects setting the mysql_native_password (which ansible supports atm), and it affects mysql / forks greater than or equal to 5.7, and also all of mariadb. Before we were not explicitly calling out the plugin to use, this PR fixes that so that if another plugin is the default, that the native_password plugin still gets updated (which is the default for everything I have used personally). I tested the PR and it works.
I recommend merging this and backporting it as needed. @wouteroostervld Thanks for working this up and explaining it to me. @jctanner @jimi-c thanks for reminding me to test this and do my job.
Thanks again to @wouteroostervld for this PR, and thanks @Jmainguy for reviewing. Marking for inclusion. [This message brought to you by your friendly Ansibull-bot.]
Merged and cherry-picked to stable-2.2 and stable-2.1.
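The behaviour discussed in this thread, as an added example that is not the mysql_user module's own code: on 5.7+ the statement names the mysql_native_password plugin explicitly, and the result is verified by reading the account's plugin from mysql.user instead of trusting the silent success of a plain SET PASSWORD against an auth_socket account. The `%s` placeholders follow the MySQLdb/PyMySQL style; the version threshold "anything >= 5.7 uses the new syntax", the function names, and the in-memory `FakeCursor` (which models the no-op described in the thread) are all assumptions of this example, not the module's `old_user_mgmt` check.

```python
"""
Added example (not the mysql_user module's code): pick the statement that sets
an account's mysql_native_password credential on MySQL-like 5.7+, then verify
the account's plugin afterwards rather than trusting a silent success.
The FakeCursor is a constructed stand-in so the example runs without a server.
"""

NATIVE_PLUGIN = "mysql_native_password"


def version_tuple(version_string):
    """'5.7.21-20-log' -> (5, 7, 21); suffixes such as '-MariaDB' are ignored."""
    core = version_string.split("-")[0]
    return tuple(int(p) for p in core.split(".")[:3])


def password_statement(version_string, user, host, password):
    """Return (sql, params) that updates the native password of user@host.

    On 5.7+ the plugin is named explicitly (the substance of the fix): a plain
    SET PASSWORD against an account on another plugin, e.g. auth_socket, is
    accepted without changing anything. Older servers keep the old syntax.
    Treating every version >= 5.7 as "new" is this example's assumption.
    """
    if version_tuple(version_string) >= (5, 7):
        return ("ALTER USER %s@%s IDENTIFIED WITH mysql_native_password BY %s",
                (user, host, password))
    return ("SET PASSWORD FOR %s@%s = PASSWORD(%s)", (user, host, password))


def account_plugin(cursor, user, host):
    """Read the auth plugin recorded for user@host in mysql.user."""
    cursor.execute("SELECT plugin FROM mysql.user WHERE User=%s AND Host=%s",
                   (user, host))
    row = cursor.fetchone()
    return row[0] if row else None


def set_native_password(cursor, version_string, user, host, password):
    """Apply the statement and check that the account is really on the native
    plugin. Returns True on success; raises RuntimeError otherwise, which is
    exactly the failure the silent no-op used to hide."""
    sql, params = password_statement(version_string, user, host, password)
    cursor.execute(sql, params)
    plugin = account_plugin(cursor, user, host)
    if plugin != NATIVE_PLUGIN:
        raise RuntimeError("password for %s@%s not applied: account plugin is %r"
                           % (user, host, plugin))
    return True


class FakeCursor:
    """Constructed stand-in for a DB-API cursor, modelling a 5.7 server with an
    auth_socket account: SET PASSWORD succeeds but changes nothing, while
    ALTER USER ... IDENTIFIED WITH mysql_native_password switches the plugin."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)  # (user, host) -> plugin name
        self.executed = []              # every statement seen, for inspection
        self._result = None

    def execute(self, sql, params=()):
        self.executed.append((sql, params))
        if sql.startswith("SELECT plugin"):
            plugin = self.accounts.get((params[0], params[1]))
            self._result = (plugin,) if plugin is not None else None
        elif sql.startswith("ALTER USER") and "IDENTIFIED WITH mysql_native_password" in sql:
            self.accounts[(params[0], params[1])] = NATIVE_PLUGIN
        # SET PASSWORD against a non-native account: accepted, no effect

    def fetchone(self):
        return self._result


if __name__ == "__main__":
    cur = FakeCursor({("root", "localhost"): "auth_socket"})
    print(set_native_password(cur, "5.7.21-20", "root", "localhost", "s3cret"))
```

Against a real server the same `set_native_password` call would be made with a MySQLdb or PyMySQL cursor; the verification query is what turns a silently ignored password change into a visible failure.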
ISSUE TYPE
COMPONENT NAME
mysql_user
ANSIBLE VERSION
SUMMARY
Fixes #3003. This patch fixes adding a cleartext password for a user which has an auth_plugin other than mysql_native_password configured on MySQL(-like) 5.7+.