mirror of
https://github.com/MariaDB/server.git
synced 2025-11-12 10:22:39 +03:00
7c40996cc8
Support SET PASSWORD for authentication plugins. Authentication plugin API is extended with two optional methods: * hash_password() is used to compute a password hash (or digest) from the plain-text password. This digest will be stored in mysql.user table * preprocess_hash() is used to convert this digest into some memory representation that can be later used to authenticate a user. Build-in plugins convert the hash from hexadecimal or base64 to binary, to avoid doing it on every authentication attempt. Note a change in behavior: when loading privileges (on startup or on FLUSH PRIVILEGES) an account with an unknown plugin was loaded with a warning (e.g. "Plugin 'foo' is not loaded"). But such an account could not be used for authentication until the plugin is installed. Now an account like that will not be loaded at all (with a warning, still). Indeed, without plugin's preprocess_hash() method the server cannot know how to load an account. Thus, if a new authentication plugin is installed run-time, one might need FLUSH PRIVILEGES to activate all existing accounts that were using this new plugin.
125 lines
3.9 KiB
Plaintext
125 lines
3.9 KiB
Plaintext
--source include/not_embedded.inc
|
|
|
|
if (!$SIMPLE_PASSWORD_CHECK_SO) {
|
|
skip No SIMPLE_PASSWORD_CHECK plugin;
|
|
}
|
|
|
|
install soname "simple_password_check";
|
|
|
|
--vertical_results
|
|
--replace_result .dll .so
|
|
select * from information_schema.plugins where plugin_name='simple_password_check';
|
|
|
|
select * from information_schema.system_variables where variable_name like 'simple_password_check%' order by 1;
|
|
--horizontal_results
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
create user foo1 identified by 'pwd';
|
|
|
|
# Create user with no password.
|
|
--error ER_NOT_VALID_PASSWORD
|
|
create user foo1;
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
grant select on *.* to foo1 identified by 'pwd';
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
grant select on *.* to `FooBar1!` identified by 'FooBar1!';
|
|
|
|
grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
|
|
drop user `BarFoo1!`;
|
|
|
|
create user foo1 identified by 'aA.12345';
|
|
grant select on *.* to foo1;
|
|
drop user foo1;
|
|
|
|
set global simple_password_check_digits=3;
|
|
set global simple_password_check_letters_same_case=3;
|
|
set global simple_password_check_other_characters=3;
|
|
show variables like 'simple_password_check_%';
|
|
|
|
create user foo1 identified by '123:qwe:ASD!';
|
|
drop user foo1;
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
create user foo1 identified by '-23:qwe:ASD!';
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
create user foo1 identified by '123:4we:ASD!';
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
create user foo1 identified by '123:qwe:4SD!';
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
create user foo1 identified by '123:qwe:ASD4';
|
|
|
|
create user foo1 identified by '123:qwe:ASD!';
|
|
--error ER_NOT_VALID_PASSWORD
|
|
set password for foo1 = password('qwe:-23:ASD!');
|
|
--error ER_NOT_VALID_PASSWORD
|
|
set password for foo1 = old_password('4we:123:ASD!');
|
|
--error ER_NOT_VALID_PASSWORD
|
|
set password for foo1 = password('qwe:123:4SD!');
|
|
--error ER_NOT_VALID_PASSWORD
|
|
set password for foo1 = old_password('qwe:123:ASD4');
|
|
set password for foo1 = password('qwe:123:ASD!');
|
|
|
|
# now, strict_password_validation
|
|
select @@strict_password_validation;
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
set password for foo1 = '';
|
|
--error ER_OPTION_PREVENTS_STATEMENT
|
|
set password for foo1 = '2222222222222222';
|
|
--error ER_OPTION_PREVENTS_STATEMENT
|
|
set password for foo1 = '11111111111111111111111111111111111111111';
|
|
--error ER_OPTION_PREVENTS_STATEMENT
|
|
create user foo2 identified by password '11111111111111111111111111111111111111111';
|
|
--error ER_OPTION_PREVENTS_STATEMENT
|
|
grant select on *.* to foo2 identified by password '2222222222222222';
|
|
--error ER_OPTION_PREVENTS_STATEMENT
|
|
create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
|
|
--error ER_OPTION_PREVENTS_STATEMENT
|
|
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
|
|
--error ER_NOT_VALID_PASSWORD
|
|
create user foo2 identified with mysql_native_password using '';
|
|
--error ER_NOT_VALID_PASSWORD
|
|
grant select on *.* to foo2 identified with mysql_old_password using '';
|
|
--error ER_NOT_VALID_PASSWORD
|
|
grant select on *.* to foo2 identified with mysql_old_password;
|
|
|
|
# direct updates are not protected
|
|
update mysql.user set password='xxx' where user='foo1';
|
|
|
|
set global strict_password_validation=0;
|
|
|
|
--error ER_NOT_VALID_PASSWORD
|
|
set password for foo1 = '';
|
|
set password for foo1 = '2222222222222222';
|
|
set password for foo1 = '11111111111111111111111111111111111111111';
|
|
create user foo2 identified by password '11111111111111111111111111111111111111111';
|
|
drop user foo2;
|
|
grant select on *.* to foo2 identified by password '2222222222222222';
|
|
drop user foo2;
|
|
create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
|
|
drop user foo2;
|
|
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
|
|
drop user foo2;
|
|
|
|
set global strict_password_validation=1;
|
|
drop user foo1;
|
|
|
|
#
|
|
# MDEV-9940 CREATE ROLE blocked by password validation plugin
|
|
#
|
|
create role r1;
|
|
drop role r1;
|
|
|
|
flush privileges;
|
|
|
|
uninstall plugin simple_password_check;
|
|
|
|
create user foo1 identified by 'pwd';
|
|
drop user foo1;
|
|
|