Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(MODULES-7487) Check authentication string for user password on MariaDB 10.2.16+ #1135

Merged
merged 1 commit into from
Oct 11, 2018
Merged

Conversation

gguillotte
Copy link
Contributor

@gguillotte gguillotte commented Oct 5, 2018

Since MariaDB 10.2.16, the SET PASSWORD command stores user passwords in the mysql_native_password plugin authentication_string instead of in the password column of mysql.user.

The module checks the password column instead of the authentication_string on all versions of MariaDB. In every Puppet run involving MariaDB 10.2.16 and newer, the module attempts to update
managed user passwords even when they haven't changed (Notice: /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]/password_hash: changed password) because the password field is always empty.

Update the if statement to check the plugin authentication string on MariaDB 10.2.16 and newer.

See also MariaDB JIRA ticket MDEV-16774.

Since MariaDB 10.2.16, the `SET PASSWORD` command stores user passwords
in the `mysql_native_password` plugin `authentication_string` instead of
in the `password` column:

```
+------+-----------+----------+-----------------------+-------------------------------------------+
| user | host      | password | plugin                | authentication_string                     |
+------+-----------+----------+-----------------------+-------------------------------------------+
| root | localhost |          | mysql_native_password | *01396341988BCA5088C3A5DB5D7E434947096D4F |
+------+-----------+----------+-----------------------+-------------------------------------------+
```

The `puppetlabs/mysql` checks the `password` column instead of the
`authentication_string` on all versions of MariaDB, resulting in every
Puppet run attempting to update managed user passwords even when they
haven't changed.

Update the if statement to check the plugin authentication string on
MariaDB 10.2.16 and newer.
@david22swan david22swan merged commit 1766b85 into puppetlabs:master Oct 11, 2018
alexjfisher added a commit to alexjfisher/puppetlabs-mysql that referenced this pull request May 14, 2019
…ency

The change introduced in mariadb 10.2.16 (and 10.3.8) where:

> the `SET PASSWORD` command stores user passwords
in the `mysql_native_password` plugin `authentication_string` instead of
in the `password` column

was addressed in puppetlabs#1135

This behaviour was short-lived.  In 10.2.19 and 10.3.11 the old
behaviour was restored.

> The fix in the commit dd6e74c62a2 made sure that the password field is always set, because that was the original issue that broke third-party tools.

See https://jira.mariadb.org/browse/MDEV-16774

This commit is based on
https://tickets.puppetlabs.com/browse/MODULES-6875?focusedCommentId=645260&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-645260
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants