mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-16 12:02:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
mariadb/scripts/mariadb_system_tables_data.sql

55 lines
3.2 KiB
MySQL
Raw Normal View History

mysql-5.5.31 merge
2013-05-07 13:05:09 +02:00
-- Copyright (c) 2007, 2013, Oracle and/or its affiliates.
- Added/updated copyright headers - Removed files specific to compiling on OS/2 - Removed files specific to SCO Unix packaging - Removed "libmysqld/copyright", text is included in documentation - Removed LaTeX headers for NDB Doxygen documentation - Removed obsolete NDB files - Removed "mkisofs" binaries - Removed the "cvs2cl.pl" script - Changed a few GPL texts to use "program" instead of "library"
2010-12-28 19:57:23 +01:00
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; version 2 of the License.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program; if not, write to the Free Software
Update FSF Address * Update wrong zip-code
2019-05-11 20:29:06 +02:00
-- Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA
- Added/updated copyright headers - Removed files specific to compiling on OS/2 - Removed files specific to SCO Unix packaging - Removed "libmysqld/copyright", text is included in documentation - Removed LaTeX headers for NDB Doxygen documentation - Removed obsolete NDB files - Removed "mkisofs" binaries - Removed the "cvs2cl.pl" script - Changed a few GPL texts to use "program" instead of "library"
2010-12-28 19:57:23 +01:00
Bug#20166 mysql-test-run.pl does not test system privilege tables creation - Split out initial data in mysql_system_tables.sql to it's own file - Use file from mysql_install_db and mysql-test-run scripts/mysql_system_tables_fix.sql: Rename: scripts/mysql_fix_privilege_tables.sql.in -> scripts/mysql_system_tables_fix.sql mysql-test/mysql-test-run.pl: - Add mysql_system_tables_data.sql as part of the bootstrap - Remove the addition of pid to end of bootstrap.sql, now to file used for bootstrap will be $opt_vardir/tmp/bootstrap.sql - Improve error message descibing how to find cause of a failed bootstrap scripts/Makefile.am: - Rename mysql_fix_privileg_tables.sql.in to mysql_system_tables_fix.sql - Build mysql_fix_privilege_tables from mysql_system_tables.sql and mysql_system_tables_fix.sql - Add mysql_system_tables_fix.sql to EXTRA_DIST scripts/mysql_install_db.sh: - Use mysql_system_tables_data.sql file when bootstrapping mysql, it will contain initial data for MysQL system tables scripts/mysql_system_tables.sql: Move initial data for system tables to it's own file scripts/mysql_system_tables_data.sql: Move initial data for system tables to it's own file
2007-02-28 14:26:58 +01:00
--
Lintian complains on spelling error The lintian check complains on spelling error: https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/95739
2018-12-21 21:06:08 +01:00
-- The initial data for system tables of MySQL Server
Bug#20166 mysql-test-run.pl does not test system privilege tables creation - Split out initial data in mysql_system_tables.sql to it's own file - Use file from mysql_install_db and mysql-test-run scripts/mysql_system_tables_fix.sql: Rename: scripts/mysql_fix_privilege_tables.sql.in -> scripts/mysql_system_tables_fix.sql mysql-test/mysql-test-run.pl: - Add mysql_system_tables_data.sql as part of the bootstrap - Remove the addition of pid to end of bootstrap.sql, now to file used for bootstrap will be $opt_vardir/tmp/bootstrap.sql - Improve error message descibing how to find cause of a failed bootstrap scripts/Makefile.am: - Rename mysql_fix_privileg_tables.sql.in to mysql_system_tables_fix.sql - Build mysql_fix_privilege_tables from mysql_system_tables.sql and mysql_system_tables_fix.sql - Add mysql_system_tables_fix.sql to EXTRA_DIST scripts/mysql_install_db.sh: - Use mysql_system_tables_data.sql file when bootstrapping mysql, it will contain initial data for MysQL system tables scripts/mysql_system_tables.sql: Move initial data for system tables to it's own file scripts/mysql_system_tables_data.sql: Move initial data for system tables to it's own file
2007-02-28 14:26:58 +01:00
--
Bug #32219: too many hosts in default grant tables 6.0.3 Fix is to remove any references to the current hostname when running mysql_install_db --cross-bootstrap. (The dist-hook make target makes this call, and the resulting data directory is included in the source distribution as win/data/*.) Also, a few other clean-ups to mysql_install_db while there. Makefile.am: Adapt to clean-up in mysql_install_db (--windows becomes --cross-bootstrap) scripts/mysql_install_db.sh: Filter out references to the current hostname when performing a cross-bootstrap installation by removing any lines which contain the string "@current_hostname". Deprecate the old --windows option; use --cross-bootstrap instead, since it more accurately reflects the purpose. Other clean-up: the wrong syntax was being used to test the exit status of mysqld --bootstrap. It mostly worked, as long as mysqld succeeded. However, it was not robust. scripts/mysql_system_tables_data.sql: Rename local @hostname variable to @current_hostname, which is a more unique label to search on. mysql_install_db now filters out all lines which include "@current_hostname" during a --cross-bootstrap installation.
2007-11-30 06:14:43 +01:00
-- When setting up a "cross bootstrap" database (e.g., creating data on a Unix
-- host which will later be included in a Windows zip file), any lines
-- containing "@current_hostname" are filtered out by mysql_install_db.
Bug#11746817:MYSQL_INSTALL_DB CREATES WILDCARD GRANTS WHEN HOST HAS '_' IN THE HOSTNAME Problem: ======= '_' and '%' are treated as a wildcards by the ACL code and this is documented in the manual. The problem with mysql_install_db is that it does not take this into account when creating the initial GRANT tables: --- cut --- REPLACE INTO tmp_user SELECT @current_hostname,'root','','Y', 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y', 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','', 0,0,0,0 FROM dual WHERE LOWER( @current_hostname) != 'localhost'; --- cut --- If @current_hostname contains any wildcard characters, then a wildcard entry will be defined for the 'root' user, which is a flaw. Analysis: ======== As per the bug description when we have a hostname with a wildcard character in it, it allows clients from several other hosts with similar name pattern to connect to the server as root. For example, if the hostname is like 'host_.com' then the same name is logged in mysql.user table. This allows 'root' users from other hosts like 'host1.com', 'host2.com' ... to connect to the server as root user. While creating the intial GRANT tables we do not have a check for wildcard characters in hostname. Fix: === As part of fix escape character "\" is added before wildcard character to make it a plain character, so that the one and only host with the exact name will be able to connect to the server. scripts/mysql_system_tables_data.sql: while creating default users get the hostname and replace the wildcard characters within the hostname after escaping them.
2013-02-19 10:01:11 +01:00
-- Get the hostname, if the hostname has any wildcard character like "_" or "%"
-- add escape character in front of wildcard character to convert "_" or "%" to
-- a plain character
Bug #12917164 DROP USER CAN'T DROP USERS WITH LEGACY UPPER CASE HOST NAME ANYMORE Description: It is not possible to drop users with host names with upper case letters in them. i.e DROP USER 'root'@'Tmp_Host_Name'; is failing with error. Analysis: Since the fix 11748570 we came up with lower case hostnames as standard. But in the current bug the hostname is created by mysql_install_db script is still having upper case hostnames. So, if we have the hostname with upper case letters like(Tmp_Host_Name) then we will have as it is stored in the mysql.user table. In this case if use "'DROP USER 'root'@'Tmp_Host_Name';" it gives error because we do compare with the lower case of hostname since the 11748570 fix. Fix: We need to convert the hostname to lower case before storing into the mysql.user table when we run the mysql_install_db script.
2013-10-31 18:32:44 +01:00
SELECT LOWER( REPLACE((SELECT REPLACE(@@hostname,'_','\_')),'%','\%') )INTO @current_hostname;
MDEV-12484 Enable unix socket authentication by default Change the default authentication for root@localhost to IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket which provides secure passwordless login, while still allowing SET PASSWORD to work as expected. Also create a second all-privilege account for the user that owns datadir (and thus has full access to the data anyway). Compile unix_socket plugin statically into the server.
2019-02-05 16:07:07 +01:00
SELECT '{"access":18446744073709551615}' INTO @all_privileges;
SELECT '{"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]}' into @all_with_auth;
MDEV-17658 change the structure of mysql.user table Implement User_table_json. Fix scripts to use mysql.global_priv. Fix tests.
2018-11-24 14:13:41 +01:00
-- Fill "global_priv" table with default users allowing root access
-- from local machine if "global_priv" table didn't exist before
CREATE TEMPORARY TABLE tmp_user_nopasswd LIKE global_priv;
CREATE TEMPORARY TABLE tmp_user_socket LIKE global_priv;
mysql_install_db enhancements to facilitate Debian bug#848616 fix In Debian, the default install is made more secure by omitting the anonymous user and by making the root account authenticate by unix socket authentication instead of the default password-less root. However, Debian hard-codes this change in mysql_install_db, which breaks that program for other users. This commit instead implements new general options for mysql_install_db that can be used by anyone to similarly perform a more secure install: --skip-auth-anonymous-user: omits the anonymous user. --auth-root-authentication-method=normal: Keeps the existing behaviour with a password-less root account. Currently on by default. --auth-root-socket-user=USER --auth-root-authentication-method=socket: creates the MariaDB root user with the name USER (defaults to 'root') and using unix socket authentication. This way, only that user has MariaDB root access after install. The idea with --auth-root-authentication-method=normal is that applications that need this behaviour can give that option explicitly. Then eventually we could make --auth-root-authentication-method=socket the default, giving a more secure default installation. Note that it is perfectly possible to do a secure install with --auth-root-authentication-method=normal. For example, installing a private server just for local access by a single OS-level user, by using --skip-networking and putting the connection socket in a location without public access. So it is important to preserve this API for backwards compatibility.
2017-01-13 11:25:38 +01:00
-- Classic passwordless root account.
MDEV-17658 change the structure of mysql.user table Implement User_table_json. Fix scripts to use mysql.global_priv. Fix tests.
2018-11-24 14:13:41 +01:00
INSERT INTO tmp_user_nopasswd VALUES ('localhost','root',@all_privileges);
REPLACE INTO tmp_user_nopasswd SELECT @current_hostname,'root',@all_privileges FROM dual WHERE @current_hostname != 'localhost';
REPLACE INTO tmp_user_nopasswd VALUES ('127.0.0.1','root',@all_privileges);
REPLACE INTO tmp_user_nopasswd VALUES ('::1','root',@all_privileges);
MDEV-14578: mysql_install_db install unix_socket plugin when --auth-root-authentication-method=socket $ cmake -DPLUGIN_AUTH_SOCKET=STATIC ../mariadb-server-10.2/ $ scripts/mysql_install_db --datadir=/tmp/mysqldatadir-auth-static --auth-root-socket-user=dan --auth-root-authentication-method=socket --builddir=. --srcdir=../mariadb-server-10.2 Installing MariaDB/MySQL system tables in '/tmp/mysqldatadir-auth-static' ... OK $ client/mysql -S /tmp/mysql.sock -e 'show create user dan@localhost' +----------------------------------------------------------+ | CREATE USER for dan@localhost | +----------------------------------------------------------+ | CREATE USER 'dan'@'localhost' IDENTIFIED VIA unix_socket | +----------------------------------------------------------+ $ cmake -DPLUGIN_AUTH_SOCKET=NO ../mariadb-server-10.2/ $ scripts/mysql_install_db --datadir=/tmp/mysqldatadir-auth-none --auth-root-socket-user=dan --auth-root-authentication-method=socket --builddir=. --srcdir=../mariadb-server-10.2 Installing MariaDB/MySQL system tables in '/tmp/mysqldatadir-auth-none' ... ERROR: 1126 Can't open shared library '.../plugin/auth_socket/auth_socket.so' (errno: 2, cannot open shared object file: No such file or directory) 2018-05-01 11:38:56 0 [ERROR] Aborting $ cmake -DPLUGIN_AUTH_SOCKET=DYNAMIC ../mariadb-server-10.2/ $ scripts/mysql_install_db --datadir=/tmp/mysqldatadir-auth-dyn --auth-root-socket-user=dan --auth-root-authentication-method=socket --builddir=. --srcdir=../mariadb-server-10.2 Installing MariaDB/MySQL system tables in '/tmp/mysqldatadir-auth-dyn' ... OK $ ./sql/mysqld --datadir=/tmp/mysqldatadir-auth-dyn --lc-messages-dir=${PWD}/sql/share --plugin-dir=./plugin/auth_socket/ $ client/mysql -S /tmp/mysql.sock -e 'show create user dan@localhost' +----------------------------------------------------------+ | CREATE USER for dan@localhost | +----------------------------------------------------------+ | CREATE USER 'dan'@'localhost' IDENTIFIED VIA unix_socket | +----------------------------------------------------------+ $ sudo make install $ sudo chmod a+rwx /usr/local/mysql/data $ cd /usr/local/mysql/ $ scripts/mysql_install_db --auth-root-socket-user=dan --auth-root-authentication-method=socket Installing MariaDB/MySQL system tables in './data' ... OK .. $ bin/mysqld_safe $ client/mysql -S /tmp/mysql.sock -e 'show create user dan@localhost' +----------------------------------------------------------+ | CREATE USER for dan@localhost | +----------------------------------------------------------+ | CREATE USER 'dan'@'localhost' IDENTIFIED VIA unix_socket | +----------------------------------------------------------+ Merges #767
2018-05-18 07:10:52 +02:00
-- More secure root account using unix socket auth.
MDEV-12484 Enable unix socket authentication by default Change the default authentication for root@localhost to IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket which provides secure passwordless login, while still allowing SET PASSWORD to work as expected. Also create a second all-privilege account for the user that owns datadir (and thus has full access to the data anyway). Compile unix_socket plugin statically into the server.
2019-02-05 16:07:07 +01:00
INSERT INTO tmp_user_socket VALUES ('localhost', 'root',@all_with_auth);
REPLACE INTO tmp_user_socket VALUES ('localhost',IFNULL(@auth_root_socket, 'root'),@all_with_auth);
MDEV-14578: mysql_install_db install unix_socket plugin when --auth-root-authentication-method=socket $ cmake -DPLUGIN_AUTH_SOCKET=STATIC ../mariadb-server-10.2/ $ scripts/mysql_install_db --datadir=/tmp/mysqldatadir-auth-static --auth-root-socket-user=dan --auth-root-authentication-method=socket --builddir=. --srcdir=../mariadb-server-10.2 Installing MariaDB/MySQL system tables in '/tmp/mysqldatadir-auth-static' ... OK $ client/mysql -S /tmp/mysql.sock -e 'show create user dan@localhost' +----------------------------------------------------------+ | CREATE USER for dan@localhost | +----------------------------------------------------------+ | CREATE USER 'dan'@'localhost' IDENTIFIED VIA unix_socket | +----------------------------------------------------------+ $ cmake -DPLUGIN_AUTH_SOCKET=NO ../mariadb-server-10.2/ $ scripts/mysql_install_db --datadir=/tmp/mysqldatadir-auth-none --auth-root-socket-user=dan --auth-root-authentication-method=socket --builddir=. --srcdir=../mariadb-server-10.2 Installing MariaDB/MySQL system tables in '/tmp/mysqldatadir-auth-none' ... ERROR: 1126 Can't open shared library '.../plugin/auth_socket/auth_socket.so' (errno: 2, cannot open shared object file: No such file or directory) 2018-05-01 11:38:56 0 [ERROR] Aborting $ cmake -DPLUGIN_AUTH_SOCKET=DYNAMIC ../mariadb-server-10.2/ $ scripts/mysql_install_db --datadir=/tmp/mysqldatadir-auth-dyn --auth-root-socket-user=dan --auth-root-authentication-method=socket --builddir=. --srcdir=../mariadb-server-10.2 Installing MariaDB/MySQL system tables in '/tmp/mysqldatadir-auth-dyn' ... OK $ ./sql/mysqld --datadir=/tmp/mysqldatadir-auth-dyn --lc-messages-dir=${PWD}/sql/share --plugin-dir=./plugin/auth_socket/ $ client/mysql -S /tmp/mysql.sock -e 'show create user dan@localhost' +----------------------------------------------------------+ | CREATE USER for dan@localhost | +----------------------------------------------------------+ | CREATE USER 'dan'@'localhost' IDENTIFIED VIA unix_socket | +----------------------------------------------------------+ $ sudo make install $ sudo chmod a+rwx /usr/local/mysql/data $ cd /usr/local/mysql/ $ scripts/mysql_install_db --auth-root-socket-user=dan --auth-root-authentication-method=socket Installing MariaDB/MySQL system tables in './data' ... OK .. $ bin/mysqld_safe $ client/mysql -S /tmp/mysql.sock -e 'show create user dan@localhost' +----------------------------------------------------------+ | CREATE USER for dan@localhost | +----------------------------------------------------------+ | CREATE USER 'dan'@'localhost' IDENTIFIED VIA unix_socket | +----------------------------------------------------------+ Merges #767
2018-05-18 07:10:52 +02:00
IF @auth_root_socket is not null THEN
MDEV-14578: mysql_install_db install unix_socket plugin when --auth-root-authentication-method=socket post-merge fixes
2018-06-18 11:51:27 +02:00
IF not exists(select 1 from information_schema.plugins where plugin_name='unix_socket') THEN
INSTALL SONAME 'auth_socket'; END IF; END IF;
mysql_install_db enhancements to facilitate Debian bug#848616 fix In Debian, the default install is made more secure by omitting the anonymous user and by making the root account authenticate by unix socket authentication instead of the default password-less root. However, Debian hard-codes this change in mysql_install_db, which breaks that program for other users. This commit instead implements new general options for mysql_install_db that can be used by anyone to similarly perform a more secure install: --skip-auth-anonymous-user: omits the anonymous user. --auth-root-authentication-method=normal: Keeps the existing behaviour with a password-less root account. Currently on by default. --auth-root-socket-user=USER --auth-root-authentication-method=socket: creates the MariaDB root user with the name USER (defaults to 'root') and using unix socket authentication. This way, only that user has MariaDB root access after install. The idea with --auth-root-authentication-method=normal is that applications that need this behaviour can give that option explicitly. Then eventually we could make --auth-root-authentication-method=socket the default, giving a more secure default installation. Note that it is perfectly possible to do a secure install with --auth-root-authentication-method=normal. For example, installing a private server just for local access by a single OS-level user, by using --skip-networking and putting the connection socket in a location without public access. So it is important to preserve this API for backwards compatibility.
2017-01-13 11:25:38 +01:00
cleanup: remove reduntant variable
2019-02-05 16:02:25 +01:00
INSERT INTO global_priv SELECT * FROM tmp_user_nopasswd WHERE @had_user_table=0 AND @auth_root_socket IS NULL;
MDEV-17658 change the structure of mysql.user table Implement User_table_json. Fix scripts to use mysql.global_priv. Fix tests.
2018-11-24 14:13:41 +01:00
INSERT INTO global_priv SELECT * FROM tmp_user_socket WHERE @had_user_table=0 AND @auth_root_socket IS NOT NULL;
WL#1054: Pluggable authentication support Merged the implementation to a new base tree.
2010-08-09 10:32:50 +02:00
Bug #57916: Fix the naming of the proxy_priv table 1. Fixed the name of the table to proxies_priv 2. Fixed the column names to be of the form Capitalized_lowecarse instead of Capitalized_Capitalized 3. Added Timestamp and Grantor columns 4. Added tests to plugin_auth to check the table structure 5. Updated the existing tests
2010-11-02 16:45:26 +01:00
CREATE TEMPORARY TABLE tmp_proxies_priv LIKE proxies_priv;
MDEV-21194: mariadb-install-db doesn't properly grant proxy privileges to all created user accounts mariadb-install-db --auth-root-authentication-method=normal created 4 root accounts by default, but only two of these had PROXY privilege granted. mariadb-install-db (default option --auth-root-authentication-method=socket) as non-root user also didn't grant PROXY priv to the created nonroot@localhost user. To fix this, in mysql_system_tables_data.sql, we re-use tmp_user_nopasswd as this contains the list of all root users. REPLACE INTO tmp_proxies_priv SELECT @current_hostname, IFNULL(@auth_root_socket, 'root') creates the $user@$current_host but will not error if @auth_root_socket is null. Note @current_hostname lines are filtered out with --cross-bootstrap in mariadb-install-db so it was needed to include this expression for consistency. Like the existing mysql_system_tables.sql is used to create teh $user@localhost proxies_priv. Test cases roles.acl_statistics, perfschema,privilege_table_io depends on the number of proxy users. After: --auth-root-authentication-method=normal: MariaDB [mysql]> select * from global_priv; +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ | Host | User | Priv | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ | localhost | mariadb.sys | {"access":0,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0} | | localhost | root | {"access":18446744073709551615} | | bark | root | {"access":18446744073709551615} | | 127.0.0.1 | root | {"access":18446744073709551615} | | ::1 | root | {"access":18446744073709551615} | | localhost | | {} | | bark | | {} | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ 7 rows in set (0.001 sec) MariaDB [mysql]> select * from proxies_priv; +-----------+------+--------------+--------------+------------+---------+---------------------+ | Host | User | Proxied_host | Proxied_user | With_grant | Grantor | Timestamp | +-----------+------+--------------+--------------+------------+---------+---------------------+ | localhost | root | | | 1 | | 2023-07-10 12:12:24 | | 127.0.0.1 | root | | | 1 | | 2023-07-10 12:12:24 | | ::1 | root | | | 1 | | 2023-07-10 12:12:24 | | bark | root | | | 1 | | 2023-07-10 12:12:24 | +-----------+------+--------------+--------------+------------+---------+---------------------+ --auth-root-authentication-method=socket: MariaDB [mysql]> select * from proxies_priv; +-----------+------+--------------+--------------+------------+---------+---------------------+ | Host | User | Proxied_host | Proxied_user | With_grant | Grantor | Timestamp | +-----------+------+--------------+--------------+------------+---------+---------------------+ | localhost | root | | | 1 | | 2023-07-10 12:11:55 | | localhost | dan | | | 1 | | 2023-07-10 12:11:55 | | bark | dan | | | 1 | | 2023-07-10 12:11:55 | +-----------+------+--------------+--------------+------------+---------+---------------------+ 3 rows in set (0.017 sec) MariaDB [mysql]> select * from global_priv; +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ | Host | User | Priv | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ | localhost | mariadb.sys | {"access":0,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0} | | localhost | root | {"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]} | | localhost | dan | {"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]} | | localhost | | {} | | bark | | {} | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ 5 rows in set (0.000 sec) MariaDB [mysql]> show grants; +----------------------------------------------------------------------------------------------------------------------------------------+ | Grants for dan@localhost | +----------------------------------------------------------------------------------------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO `dan`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket WITH GRANT OPTION | | GRANT PROXY ON ''@'%' TO 'dan'@'localhost' WITH GRANT OPTION | +----------------------------------------------------------------------------------------------------------------------------------------+
2023-07-10 04:15:30 +02:00
INSERT INTO tmp_proxies_priv SELECT Host, User, '', '', TRUE, '', now() FROM tmp_user_nopasswd WHERE Host != 'localhost' AND @auth_root_socket IS NULL;
REPLACE INTO tmp_proxies_priv SELECT @current_hostname, IFNULL(@auth_root_socket, 'root'), '', '', TRUE, '', now() FROM DUAL WHERE @current_hostname != 'localhost';
Bug #57916: Fix the naming of the proxy_priv table 1. Fixed the name of the table to proxies_priv 2. Fixed the column names to be of the form Capitalized_lowecarse instead of Capitalized_Capitalized 3. Added Timestamp and Grantor columns 4. Added tests to plugin_auth to check the table structure 5. Updated the existing tests
2010-11-02 16:45:26 +01:00
INSERT INTO proxies_priv SELECT * FROM tmp_proxies_priv WHERE @had_proxies_priv_table=0;
MDEV-21194: mariadb-install-db doesn't properly grant proxy privileges to all created user accounts mariadb-install-db --auth-root-authentication-method=normal created 4 root accounts by default, but only two of these had PROXY privilege granted. mariadb-install-db (default option --auth-root-authentication-method=socket) as non-root user also didn't grant PROXY priv to the created nonroot@localhost user. To fix this, in mysql_system_tables_data.sql, we re-use tmp_user_nopasswd as this contains the list of all root users. REPLACE INTO tmp_proxies_priv SELECT @current_hostname, IFNULL(@auth_root_socket, 'root') creates the $user@$current_host but will not error if @auth_root_socket is null. Note @current_hostname lines are filtered out with --cross-bootstrap in mariadb-install-db so it was needed to include this expression for consistency. Like the existing mysql_system_tables.sql is used to create teh $user@localhost proxies_priv. Test cases roles.acl_statistics, perfschema,privilege_table_io depends on the number of proxy users. After: --auth-root-authentication-method=normal: MariaDB [mysql]> select * from global_priv; +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ | Host | User | Priv | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ | localhost | mariadb.sys | {"access":0,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0} | | localhost | root | {"access":18446744073709551615} | | bark | root | {"access":18446744073709551615} | | 127.0.0.1 | root | {"access":18446744073709551615} | | ::1 | root | {"access":18446744073709551615} | | localhost | | {} | | bark | | {} | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ 7 rows in set (0.001 sec) MariaDB [mysql]> select * from proxies_priv; +-----------+------+--------------+--------------+------------+---------+---------------------+ | Host | User | Proxied_host | Proxied_user | With_grant | Grantor | Timestamp | +-----------+------+--------------+--------------+------------+---------+---------------------+ | localhost | root | | | 1 | | 2023-07-10 12:12:24 | | 127.0.0.1 | root | | | 1 | | 2023-07-10 12:12:24 | | ::1 | root | | | 1 | | 2023-07-10 12:12:24 | | bark | root | | | 1 | | 2023-07-10 12:12:24 | +-----------+------+--------------+--------------+------------+---------+---------------------+ --auth-root-authentication-method=socket: MariaDB [mysql]> select * from proxies_priv; +-----------+------+--------------+--------------+------------+---------+---------------------+ | Host | User | Proxied_host | Proxied_user | With_grant | Grantor | Timestamp | +-----------+------+--------------+--------------+------------+---------+---------------------+ | localhost | root | | | 1 | | 2023-07-10 12:11:55 | | localhost | dan | | | 1 | | 2023-07-10 12:11:55 | | bark | dan | | | 1 | | 2023-07-10 12:11:55 | +-----------+------+--------------+--------------+------------+---------+---------------------+ 3 rows in set (0.017 sec) MariaDB [mysql]> select * from global_priv; +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ | Host | User | Priv | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ | localhost | mariadb.sys | {"access":0,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0} | | localhost | root | {"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]} | | localhost | dan | {"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]} | | localhost | | {} | | bark | | {} | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ 5 rows in set (0.000 sec) MariaDB [mysql]> show grants; +----------------------------------------------------------------------------------------------------------------------------------------+ | Grants for dan@localhost | +----------------------------------------------------------------------------------------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO `dan`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket WITH GRANT OPTION | | GRANT PROXY ON ''@'%' TO 'dan'@'localhost' WITH GRANT OPTION | +----------------------------------------------------------------------------------------------------------------------------------------+
2023-07-10 04:15:30 +02:00
DROP TABLE tmp_user_nopasswd, tmp_user_socket, tmp_proxies_priv;
Reference in a new issue Copy permalink