privilege, session, server: consistently map user login to identity (#30204) #30450
Conversation
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
|
[REVIEW NOTIFICATION] This pull request has been approved by:
To complete the pull request process, please ask the reviewers in the list to review by filling The full list of commands accepted by this bot can be found here. Reviewer can indicate their review by submitting an approval review. |
|
/run-all-tests |
ti-chi-bot
added
do-not-merge/release-note-label-needed
ti-chi-bot
removed
the
do-not-merge/release-note-label-needed
ti-srebot
added
size/XL
|
@morgo you're already a collaborator in bot's repo. |
|
The merge for this was unfortunately complicated. There are a lot of changes in master that are related, so I had to merge some in that were not in the PR on master. |
| case mysql.AuthCachingSha2Password: | ||
| resp.Auth, err = cc.authSha(ctx) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| case mysql.AuthNativePassword: |
There was a problem hiding this comment.
This is intentional. It was removed from master, I believe because this is handled in cc.checkAuthPlugin instead. The code could be cleaned up slightly, but that's for another PR.
| if cc.ctx == nil { | ||
| err := cc.openSession() | ||
| if err != nil { | ||
| return err | ||
| } | ||
| } | ||
| userplugin, err := cc.ctx.AuthPluginForUser(&auth.UserIdentity{Username: cc.user, Hostname: cc.peerHost}) | ||
| _, err := cc.checkAuthPlugin(ctx, resp) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| if userplugin != mysql.AuthNativePassword && userplugin != "" { | ||
| return errNotSupportedAuthMode | ||
| } |
There was a problem hiding this comment.
These changes are also based on master, and checkAuthPlugin does these checks.
|
/run-check_dev |
There was a problem hiding this comment.
Tested with https://github.com/dveeden/tidb_client_test:
TiDB Client Test
Connected to:
Release Version: v5.3.0-4-g635c0bab4
Edition: Community
Git Commit Hash: 635c0bab4eb54a801b0f3f12577b8b25bb0e5431
Git Branch: release-5.3-7fc6ebbda4dd
UTC Build Time: 2021-12-20 15:04:40
GoVersion: go1.16.11
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
Clients:
/home/dvaneeden/opt/mysql/5.1.73/bin/mysql
/home/dvaneeden/opt/mysql/5.7.31/bin/mysql
/home/dvaneeden/opt/mysql/5.7.36/bin/mysql
/home/dvaneeden/opt/mysql/8.0.22/bin/mysql
/home/dvaneeden/opt/mysql/8.0.25/bin/mysql
/home/dvaneeden/opt/mysql/8.0.26/bin/mysql
/home/dvaneeden/opt/mysql/8.0.27/bin/mysql
-----------------------------------------------
Testing with mysql_native_password as default authentication plugin
Testing /home/dvaneeden/opt/mysql/5.1.73/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.31/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.36/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.22/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.25/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.26/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.27/bin/mysql: success=8, failures=0
Testing with caching_sha2_password as default authentication plugin
Testing /home/dvaneeden/opt/mysql/5.1.73/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.31/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.36/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.22/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.25/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.26/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.27/bin/mysql: success=8, failures=0
|
/run-check_dev |
|
Hi @morgo , v5.3 is about to release a new version in a few days, maybe we can continue to merge this pr. Thanks! |
Yes, it must be merged. It is release blocking according to our criteria. |
|
/run-check_dev |
ti-chi-bot
added
status/LGT2
zhouqiang-cl
added
the
cherry-pick-approved
|
/run-mysql-test tidb-test=pr/1583 |
|
/run-mysql-test tidb-test=pr/1583 |
|
The mysql-test itself seems to be broken. I've tested the changes locally in mysql-test and it passed. |
|
/run-mysql-test tidb-test=pr/1583 |
|
/rebuild |
1 similar comment
|
/rebuild |
|
/run-mysql-test |
|
/run-mysql-test tidb-test=pr/1583 |
|
/merge |
|
This pull request has been accepted and is ready to merge. Commit hash: 635c0ba
|
ti-chi-bot
added
the
status/can-merge
|
/run-mysql-test tidb-test=pr/1583 |
|
/rebuild |
cherry-pick #30204 to release-5.3
You can switch your code base to this Pull Request by using git-extras:
# In tidb repo: git pr https://github.com/pingcap/tidb/pull/30450After apply modifications, you can push your change to this PR via:
What problem does this PR solve?
Problem Summary:
TiDB server uses different rules to map a user to an identity depending on the code area. This cleans up how identity is mapped using a consistent function:
MatchIdentity().What is changed and how it works?
Check List
Tests
Side effects
The rules might be slightly different in the event that there are two 'root' users with different hosts (not a common practice, but it's possible users are doing this). This PR follows more consistent behavior with MySQL.
Documentation
Release note