Allow passwordless login in addition to usual login with password, when
creating 'root' user during install.
The effect of that change is that "local administrators" group are
allowed to connect as root user. This is done via gssapi authentication
plugin.
Clients that are not aware of gssapi client plugin, can still login with
password credentials.
Support membership tests in SSPI with special prefix form
CREATE USER u IDENTIFIED WITH gssapi AS "GROUP:<group_name>"
or
CREATE USER u IDENTIFIED WITH gssapi AS "SID:<sid>"
If user is created as one of the above, after successful SSPI handshake,
this will happen
1) If "GROUP:" prefix is used, then <group_name> is translated to SID
using LookupAccountName() API
2) SSPI user is checked for SID membership with
ImpersonateSecurityContext() and CheckMembership() APIs
Note, that it <group>/<sid> do not need strictly to refer to an actual
group.
Identity test is also supported, e.g "GROUP:<users_name>" or
"SID:<user_sid>" will work too.
Well-known SIDs (in SDDL syntax) appear to be supported such as
"SID:WD" will refer to World/Everyone (== "SID:S-1-1-0")
or
"SID:BA" will refer to Administrators (== "SID:S-1-5-32-544")
In UAC environments, for successful checks against Administrators group,
elevation(Run As Administrator) might be necessary, since CheckMembership()
needs groups to be marked as enabled in the token group list.
introduce the syntax
... IDENTIFIED { WITH | VIA }
plugin [ { USING | AS } auth ]
[ OR plugin [ { USING | AS } auth ]
[ OR ... ]]
Server will try auth plugins in the specified order until the first
success. No protocol changes, server uses the existing "switch plugin"
packet.
The auth chain is stored in json as
"auth_or":[{"plugin":"xxx","authentication_string":"yyy"},
{},
{"plugin":"foo","authentication_string":"bar"},
...],
"plugin":"aaa", "authentication_string":"bbb"
Note:
* "auth_or" implies that there might be "auth_and" someday;
* one entry in the array is an empty object, meaning to take plugin/auth
from the main json object. This preserves compatibility with
the existing mysql.global_priv table and with the mysql.user view.
This entry is preferrably a mysql_native_password plugin for a
non-empty mysql.user.password column.
SET PASSWORD is supported and changes the password for the *first*
plugin in the chain that has a notion of a "password"
