mirror of
https://github.com/MariaDB/server.git
synced 2025-01-30 18:41:56 +01:00
5b779c220d
Per b9f3f06857, mysql_system_tables_data.sql creates
a mysql_native_password with a salted hash of "invalid" so that `set password`
will detect a native password can be applied:.
SHOW CREATE USER; diligently uses this value in its output
generating the SQL:
MariaDB [(none)]> show create user;
+---------------------------------------------------------------------------------------------------+
| CREATE USER for dan@localhost |
+---------------------------------------------------------------------------------------------------+
| CREATE USER `dan`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket |
+---------------------------------------------------------------------------------------------------+
Attempting to execute this before this patch results in:
MariaDB [(none)]> CREATE USER `dan2`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket;
ERROR 1372 (HY000): Password hash should be a 41-digit hexadecimal number
As such, deep the implementation of mysql_native_password we make "invalid" valid (pun intended)
such that the above create user will succeed. We do this by storing
"*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE" (credit: Oracle MySQL), that is of an INCORRECT
length for a scramble.
In native_password_authenticate we check the length of this cached value
and immediately fail if it is anything other than the scramble length.
native_password_get_salt is only called in the context of set_user_salt, so all setting of native
passwords to hashed content of 'invalid', quite literally create an invalid password.
So other forms of "invalid" are valid SQL in creating invalid passwords:
MariaDB [(none)]> set password = 'invalid';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> alter user dan@localhost IDENTIFIED BY PASSWORD 'invalid';
Query OK, 0 rows affected (0.000 sec)
closes #1628
Reviewer: serg@mariadb.com
90 lines
2.8 KiB
Text
90 lines
2.8 KiB
Text
--source include/not_embedded.inc
|
|
|
|
select priv into @root_priv from mysql.global_priv where user='root' and host='localhost';
|
|
|
|
select * from mysql.user where user = 'root' and host = 'localhost';
|
|
--echo # Test syntax
|
|
--echo #
|
|
--echo # These 2 selects should have no changes from the first one.
|
|
alter user CURRENT_USER;
|
|
select * from mysql.user where user = 'root' and host = 'localhost';
|
|
alter user CURRENT_USER();
|
|
select * from mysql.user where user = 'root' and host = 'localhost';
|
|
|
|
create user foo;
|
|
select * from mysql.user where user = 'foo';
|
|
alter user foo;
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
--echo # Test super privilege works correctly with a read only database.
|
|
SET @start_read_only = @@global.read_only;
|
|
SET GLOBAL read_only=1;
|
|
grant create user on *.* to foo;
|
|
|
|
--echo # Currently no super privileges.
|
|
connect (a, localhost, foo);
|
|
select @@global.read_only;
|
|
|
|
--error ER_OPTION_PREVENTS_STATEMENT
|
|
alter user foo;
|
|
|
|
--echo # Grant super privilege to the user.
|
|
connection default;
|
|
grant super on *.* to foo;
|
|
|
|
--echo # We now have super privilege. We should be able to run alter user.
|
|
connect (b, localhost, foo);
|
|
alter user foo;
|
|
|
|
connection default;
|
|
SET GLOBAL read_only = @start_read_only;
|
|
|
|
--echo # Test inexistant user.
|
|
--error ER_CANNOT_USER
|
|
alter user boo;
|
|
--echo #--warning ER_CANNOT_USER
|
|
alter user if exists boo;
|
|
|
|
--echo # Test password related altering.
|
|
alter user foo identified by 'something';
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
alter user foo identified by 'something2';
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
alter user foo identified by password '*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63';
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
alter user foo identified by password 'invalid';
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
--error ER_CANNOT_USER
|
|
alter user foo identified with 'somecoolplugin';
|
|
show warnings;
|
|
|
|
alter user foo identified with 'mysql_old_password';
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
alter user foo identified with 'mysql_old_password' using '0123456789ABCDEF';
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
--echo # Test ssl related altering.
|
|
alter user foo identified by 'something' require SSL;
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
alter user foo identified by 'something' require X509;
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
alter user foo identified by 'something'
|
|
require cipher 'text' issuer 'foo_issuer' subject 'foo_subject';
|
|
select * from mysql.user where user = 'foo';
|
|
|
|
--echo # Test resource limits altering.
|
|
alter user foo with MAX_QUERIES_PER_HOUR 10
|
|
MAX_UPDATES_PER_HOUR 20
|
|
MAX_CONNECTIONS_PER_HOUR 30
|
|
MAX_USER_CONNECTIONS 40;
|
|
select * from mysql.user where user = 'foo';
|
|
drop user foo;
|
|
|
|
update mysql.global_priv set priv=@root_priv where user='root' and host='localhost';
|