[2018.3] Fixes to verify_login in mysql module #50551

@garethgreenaway
Member

commented Nov 16, 2018

What does this PR do?

Ensure that verify_login is using the host from the connection_args and not the host associated with the user. Adding a test to ensure user_exists when the passed host is the MySQL wildcard %.

What issues does this PR fix or reference?

#50542

Previous Behavior

When user_exists was called with a wildcard hostname, %, then verify login would fail because it was trying to connect to that as a real hostname.

New Behavior

We should ensure we're using the hostname from connection_args when verifying the login.

Tests written?

Yes

Commits signed with GPG?

Yes

Please review Salt's Contributing Guide for best practices.

See GitHub's page on GPG signing for more information about signing commits with GPG.

Ensure that verify_login is using the host from the connection_args and not the host associated with the user. Adding a test to ensure user_exists when the passed host is the MySQL wildcard %.

@garethgreenaway garethgreenaway requested a review from Ch3LL Nov 16, 2018

@doug-stratoscale

left a comment

Thanks for taking a look at and fixing my issue.

However, I think there is a problem with the approach here for checking if a user exists. The hostname passed into the user_exists call is supposed to be the client host, not the server host. MySQL users are specified by client host, so "user1@host1" is different from "user1@host2". Using verify_login to check if "user1@host1" exists won't work because the verify method may be running for a host other than where "user1" intends to connect from. I believe this is why the original code was using a query against the INFORMATION_SCHEMA to determine existence.

@garethgreenaway

Member Author

commented Nov 19, 2018

@doug-stratoscale The user_exists function is still checking the user table that both the user and host are valid. The host parameter is not used to determine which MySQL host to connect to; that is found in connection_args. The verify_login function is checking that the password is valid for MySQL versions higher than 8.0.11, when the password hashing mechanism changed and can no longer use the PASSWORD function from MySQL.
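The distinction discussed above (the host part of a MySQL account versus the server address held in connection_args), as an added example that is not part of this thread and is not Salt's code. The function names, the connection_* key names and the sample server data are assumptions constructed for illustration.

```python
# Added illustration, not Salt's code. Function names, the connection_* key
# names and all sample data are constructed for this example.

# Constructed stand-in for a MySQL server: address -> {(user, host): password}
SERVERS = {"db1.example.test": {("app", "%"): "s3cret", ("app", "10.0.0.5"): "other"}}


def connect(args):
    """Pretend client: fails when the address is not a reachable server."""
    server = SERVERS.get(args["connection_host"])
    if server is None:
        raise ConnectionError("unknown server %r" % args["connection_host"])
    return server


def account_in_user_table(connection_args, user, host):
    """Existence check: exact match on the (User, Host) pair, '%' included."""
    return (user, host) in connect(connection_args)


def _try_login(args, user, host, password):
    # Simplified: a real server selects the account row by the client's address.
    try:
        return connect(args).get((user, host)) == password
    except ConnectionError:
        return False


def verify_login_buggy(connection_args, user, host, password):
    """Previous behaviour from the PR text: account host used as server address."""
    args = dict(connection_args, connection_user=user,
                connection_pass=password, connection_host=host)
    return _try_login(args, user, host, password)


def verify_login_fixed(connection_args, user, host, password):
    """New behaviour from the PR text: server address stays as connection_args has it."""
    args = dict(connection_args, connection_user=user, connection_pass=password)
    return _try_login(args, user, host, password)


def user_exists(connection_args, user, host, password, verify):
    """Account row must exist and the password must be accepted."""
    return (account_in_user_table(connection_args, user, host)
            and verify(connection_args, user, host, password))
```
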

@doug-stratoscale


commented Nov 19, 2018

@garethgreenaway Thanks for the clarification - I looked at the code again ( :) ) and it makes sense.

@garethgreenaway

Member Author

commented Nov 19, 2018

@doug-stratoscale No worries! Appreciate the second pair of eyes 😄

garethgreenaway added some commits Nov 19, 2018

@garethgreenaway garethgreenaway requested a review from saltstack/team-core Nov 20, 2018

garethgreenaway added some commits Nov 21, 2018

@cachedout cachedout merged commit 26759c2 into saltstack:2018.3 Nov 26, 2018

10 checks passed
