MXS-1627: Only load users that use default auth plugin

The list of users that is used for authentication shoudl only consist of users that do not use an explicit authentication plugin. This way authentication fails before any connections to the backend servers are done.
mariadb-corporation · Jan 29, 2018 · 6068850 · 6068850
1 parent 4dc9b56
commit 6068850
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/server/modules/authenticator/MySQLAuth/dbusers.c b/server/modules/authenticator/MySQLAuth/dbusers.c
@@ -44,11 +44,11 @@
 
 #define NEW_LOAD_DBUSERS_QUERY "SELECT u.user, u.host, d.db, u.select_priv, u.%s \
     FROM mysql.user AS u LEFT JOIN mysql.db AS d \
-    ON (u.user = d.user AND u.host = d.host) %s \
+    ON (u.user = d.user AND u.host = d.host) WHERE u.plugin = '' %s \
     UNION \
     SELECT u.user, u.host, t.db, u.select_priv, u.%s \
     FROM mysql.user AS u LEFT JOIN mysql.tables_priv AS t \
-    ON (u.user = t.user AND u.host = t.host) %s"
+    ON (u.user = t.user AND u.host = t.host) WHERE u.plugin = '' %s"
 
 static int get_users(SERV_LISTENER *listener, bool skip_local);
 static MYSQL *gw_mysql_init(void);
@@ -59,7 +59,7 @@ static bool get_hostname(DCB *dcb, char *client_hostname, size_t size);
 static char* get_new_users_query(const char *server_version, bool include_root)
 {
     const char* password = strstr(server_version, "5.7.") ? MYSQL57_PASSWORD : MYSQL_PASSWORD;
-    const char *with_root = include_root ? "" : "WHERE u.user NOT IN ('root')";
+    const char *with_root = include_root ? "" : " AND u.user NOT IN ('root')";
 
     size_t n_bytes = snprintf(NULL, 0, NEW_LOAD_DBUSERS_QUERY, password, with_root, password, with_root);
     char *rval = MXS_MALLOC(n_bytes + 1);