1
0
mirror of https://github.com/MariaDB/server.git synced 2025-07-18 23:03:28 +03:00

MDEV-11340 Allow multiple alternative authentication methods for the same user

introduce the syntax

... IDENTIFIED { WITH | VIA }
      plugin [ { USING | AS } auth ]
 [ OR plugin [ { USING | AS } auth ]
 [ OR ... ]]

Server will try auth plugins in the specified order until the first
success. No protocol changes, server uses the existing "switch plugin"
packet.

The auth chain is stored in json as

  "auth_or":[{"plugin":"xxx","authentication_string":"yyy"},
             {},
             {"plugin":"foo","authentication_string":"bar"},
            ...],
  "plugin":"aaa", "authentication_string":"bbb"

Note:
* "auth_or" implies that there might be "auth_and" someday;
* one entry in the array is an empty object, meaning to take plugin/auth
  from the main json object. This preserves compatibility with
  the existing mysql.global_priv table and with the mysql.user view.
  This entry is preferrably a mysql_native_password plugin for a
  non-empty mysql.user.password column.

SET PASSWORD is supported and changes the password for the *first*
plugin in the chain that has a notion of a "password"
This commit is contained in:
Sergei Golubchik
2019-01-10 13:51:51 +01:00
parent 798d1a9ddf
commit 5b15cc613e
12 changed files with 1061 additions and 419 deletions

View File

@ -1,6 +1,6 @@
/*
Copyright (c) 2000, 2015, Oracle and/or its affiliates.
Copyright (c) 2008, 2018, MariaDB Corporation.
Copyright (c) 2008, 2019, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -5577,7 +5577,7 @@ void THD::get_definer(LEX_USER *definer, bool role)
{
definer->user= invoker.user;
definer->host= invoker.host;
definer->reset_auth();
definer->auth= NULL;
}
else
#endif