Before this change the unix socket auth plugin returned true only when
the OS socket user id matched the MariaDB user name.
The authentication string was ignored.

Now if an authentication string is defined within the `unix_socket`
authentication rule, then the authentication string will be used to
compare with the socket's user name, and the plugin will return a
positive if they match.

Make the plugin fill in the @@external_user variable.

This change is similar to the MySQL commit
https://github.com/mysql/mysql-server/commit/6ddbc58e.
However, there is one difference from the above commit:
- For MySQL, both a Unix user that matches the DB user name and a Unix
  user that matches the authentication string are allowed to connect.
- For MariaDB, we only allow the Unix user that matches the
  authentication string to connect, if the authentication string is
  defined.
This is because allowing both Unix user names has risks and couldn't
handle the case that a customer only wants to allow one single Unix user
to connect which doesn't match the DB user name.

If a DB user is created with multiple unix_socket options, for example:
`create user A identified via unix_socket as 'B' or unix_socket as 'C';`
then both Unix users B and C are accepted.

The existing MTR test `plugins.unix_socket` is not impacted.
Also add a new MTR test to verify authentication with an authentication
string. See the MTR test cases for supported/unsupported cases.

All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
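
The matching rule described in the commit message above, modelled as an added example (not code from the MariaDB or MySQL source) so the two behaviours can be compared on the same account definitions. The account list and the OS user names other than A, B and C are constructed, applying the MySQL-style rule to an OR list is an assumption made for the comparison, and `peer_uid` assumes Linux `SO_PEERCRED`.

```python
import socket
import struct

def peer_uid(sock):
    """Linux only: uid of the process at the other end of an AF_UNIX socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid

def mariadb_allows(os_user, db_user, alternatives):
    """Rule from the commit message. `alternatives` holds one entry per
    `unix_socket [AS '...']` clause; None means the clause has no AS string."""
    for auth_string in alternatives:
        # With an authentication string, only that name is compared;
        # without one, the DB user name is compared as before.
        expected = auth_string if auth_string else db_user
        if os_user == expected:
            return True
    return False

def mysql_allows(os_user, db_user, alternatives):
    """Rule the message attributes to MySQL: DB user name OR auth string."""
    return os_user == db_user or any(os_user == a for a in alternatives if a)

# Constructed account definitions (hypothetical, not from the MTR tests).
ACCOUNTS = {
    "A": ["B", "C"],     # ... via unix_socket as 'B' or unix_socket as 'C'
    "backup": ["svc"],   # single authentication string
    "root": [None],      # no authentication string
}

def who_can_login(rule, os_users):
    """Map each DB user to the OS users that `rule` would let in."""
    return {db: sorted(u for u in os_users if rule(u, db, alts))
            for db, alts in ACCOUNTS.items()}

if __name__ == "__main__":
    os_users = ["A", "B", "C", "backup", "svc", "root"]
    print("auth string only  :", who_can_login(mariadb_allows, os_users))
    print("name or auth string:", who_can_login(mysql_allows, os_users))
```

Under the second rule the OS users `A` and `backup` can also log in to the accounts of the same name, which is the case the message says a single-user restriction could not express.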

Support SET PASSWORD for authentication plugins.

Authentication plugin API is extended with two optional methods:
* hash_password() is used to compute a password hash (or digest)
  from the plain-text password. This digest will be stored in the
  mysql.user table.
* preprocess_hash() is used to convert this digest into some memory
  representation that can be later used to authenticate a user.
  Built-in plugins convert the hash from hexadecimal or base64 to binary,
  to avoid doing it on every authentication attempt.

Note a change in behavior: when loading privileges (on startup or on
FLUSH PRIVILEGES) an account with an unknown plugin was loaded with a
warning (e.g. "Plugin 'foo' is not loaded"). But such an account could
not be used for authentication until the plugin is installed. Now an
account like that will not be loaded at all (with a warning, still).
Indeed, without the plugin's preprocess_hash() method the server cannot know
how to load an account. Thus, if a new authentication plugin is
installed at run-time, one might need FLUSH PRIVILEGES to activate all
existing accounts that were using this new plugin.

Remove ONLY_IF clause in MYSQL_ADD_PLUGIN and the requirement
that every plugin's CMakeLists.txt *must* do MYSQL_ADD_PLUGIN
for PLUGIN_XXX=YES to work. This was very fragile and cannot be
relied on.
Use a different implementation of =YES check - iterate all
PLUGIN_* variables and see which one doesn't have a matching target.
Revert all ONLY_IF changes in CMakeLists.txt files.

* Introduce a set of PLUGIN_xxx cmake options with values
NO, STATIC, DYNAMIC, AUTO, YES (abort if plugin is not compiled)
* Deprecate redundant and ambiguous WITH_xxx, WITH_PLUGIN_xxx,
WITH_xxx_STORAGE_ENGINE, WITHOUT_xxx, WITHOUT_PLUGIN_xxx,
WITHOUT_xxx_STORAGE_ENGINE
* Actually check whether a plugin is disabled (DISABLED keyword was
always present, but it was ignored until now).
* Support conditionally disabled plugins - keyword ONLY_IF
* Use ONLY_IF for conditionally skipping plugins, instead of
doing MYSQL_ADD_PLUGIN conditionally as before. Because if
MYSQL_ADD_PLUGIN isn't done at all, PLUGIN_xxx=YES cannot work.

out of libmysql into separate dynamic plugins in the plugin/ directory.

move dialog and auth_socket plugins out of the plugin directory with examples into
dedicated directories in plugin/