database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-27 18:02:13 +03:00
Code Activity

MDEV-12321 authentication plugin: SET PASSWORD support

Browse Source 
Support SET PASSWORD for authentication plugins.

Authentication plugin API is extended with two optional methods:
* hash_password() is used to compute a password hash (or digest)
  from the plain-text password. This digest will be stored in mysql.user
  table
* preprocess_hash() is used to convert this digest into some memory
  representation that can be later used to authenticate a user.
  Build-in plugins convert the hash from hexadecimal or base64 to binary,
  to avoid doing it on every authentication attempt.

Note a change in behavior: when loading privileges (on startup or on
FLUSH PRIVILEGES) an account with an unknown plugin was loaded with a
warning (e.g. "Plugin 'foo' is not loaded"). But such an account could
not be used for authentication until the plugin is installed. Now an
account like that will not be loaded at all (with a warning, still).
Indeed, without plugin's preprocess_hash() method the server cannot know
how to load an account. Thus, if a new authentication plugin is
installed run-time, one might need FLUSH PRIVILEGES to activate all
existing accounts that were using this new plugin.
This commit is contained in:
Sergei Golubchik
2018-10-17 12:48:13 +02:00
parent 14e181a434
commit 7c40996cc8
37 changed files with 711 additions and 478 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
mysql-test/main/failed_auth_unixsocket.test
View File

@ -7,20 +7,26 @@
update mysql.user set plugin='unix_socket';
flush privileges;
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT $USER USER
--error ER_PLUGIN_IS_NOT_LOADED
connect (fail,localhost,$USER);
# Make sure that the replace works, even if $USER is 'user' or something else
# that matches other parts of the error message.
let $replace=Access denied for user '$USER';
--error ER_PLUGIN_IS_NOT_LOADED
--echo connect(localhost,USER,,test,MASTER_PORT,MASTER_SOCKET);
--replace_result $replace "Access denied for user 'USER'"
--disable_query_log
--error ER_ACCESS_DENIED_ERROR
connect (fail,localhost,$USER);
--enable_query_log
--replace_result $replace "Access denied for user 'USER'"
--error ER_ACCESS_DENIED_ERROR
change_user $USER;
eval install plugin unix_socket soname '$AUTH_SOCKET_SO';
flush privileges;
# Make sure that the replace works, even if $USER is 'user' or something else
# that matches other parts of the error message.
--echo connect(localhost,USER,,test,MASTER_PORT,MASTER_SOCKET);
--let $replace=Access denied for user '$USER'
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT $replace "Access denied for user 'USER'"
--replace_result $replace "Access denied for user 'USER'"
--disable_query_log
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
connect (fail,localhost,$USER);