-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
*: Support more PASSWORD REQUIRE CURRENT options | tidb-test=pr/2363 #54683
base: master
Are you sure you want to change the base?
Conversation
Skipping CI for Draft Pull Request. |
Hi @dveeden. Thanks for your PR. PRs from untrusted users cannot be marked as trusted with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/test all |
@dveeden: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/test all |
@dveeden: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/ok-to-test |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #54683 +/- ##
=================================================
- Coverage 73.2879% 57.4296% -15.8583%
=================================================
Files 1638 1836 +198
Lines 453742 690401 +236659
=================================================
+ Hits 332538 396495 +63957
- Misses 100823 266820 +165997
- Partials 20381 27086 +6705
Flags with carried forward coverage won't be shown. Click here to find out more.
|
/test all |
/test all |
/retest |
/test all |
/retest |
That file relies heavily on |
/retest |
…ring sets withPassword to true
/retest |
/retest |
1 similar comment
/retest |
Create_Tablespace_Priv ENUM('N','Y') NOT NULL DEFAULT 'N', | ||
Password_reuse_history smallint unsigned DEFAULT NULL, | ||
Password_reuse_time smallint unsigned DEFAULT NULL, | ||
Password_require_current ENUM('N','Y') DEFAULT NULL, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about put Password_require_current
under column of user_attirbutes
for better cross-version system table compatibility?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer to put Password_require_current
as a new field in mysql.user
for better compatibility with mysql's
https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/grant-tables.html#grant-tables-user-db
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, let's do this in the same way as MySQL unless there is a very strong reason not to do that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it seems pr #39460 has addressed the compatibility problem here. so, i am fine with the change. but please make sure to do a cross version backup restore testing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A backup of TiDB-with-this-PR to a vanilla TiDB returns this:
dvaneeden@dve-carbon:~$ tiup br restore full -s /tmp/b_full/
Checking updates for component br... Starting component br: /home/dvaneeden/.tiup/components/br/v8.3.0/br restore full -s /tmp/b_full/
Detail BR log in /tmp/br.log.2024-08-22T09.43.39+0200
[2024/08/22 09:43:41.949 +02:00] [INFO] [collector.go:77] ["Full Restore failed summary"] [total-ranges=0] [ranges-succeed=0] [ranges-failed=0]
#######################################################################
# the target cluster is not compatible with the backup data,
# you can use '--with-sys-table=false' to skip restoring system tables
#######################################################################
Error: missing column in cluster data, table: user, col: Password_require_current enum('N','Y'): [BR:Restore:ErrRestoreIncompatibleSys]incompatible system table
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can make BR to succeed with this patch:
diff --git a/br/pkg/restore/snap_client/systable_restore.go b/br/pkg/restore/snap_client/systable_restore.go
index a99d9925b1..7b758422d2 100644
--- a/br/pkg/restore/snap_client/systable_restore.go
+++ b/br/pkg/restore/snap_client/systable_restore.go
@@ -276,7 +276,7 @@ func (rc *SnapClient) replaceTemporaryTableToSystable(ctx context.Context, ti *m
zap.Stringer("schema", db.Name))
// target column order may different with source cluster
columnNames := make([]string, 0, len(ti.Columns))
- for _, col := range ti.Columns {
+ for _, col := range db.ExistingTables[tableName].Columns {
columnNames = append(columnNames, utils.EncloseName(col.Name.L))
}
colListStr := strings.Join(columnNames, ",")
@@ -384,13 +384,19 @@ func CheckSysTableCompatibility(dom *domain.Domain, tables []*metautil.Table) er
col := backupTi.Columns[i]
clusterCol := clusterColMap[col.Name.L]
if clusterCol == nil {
- log.Error("missing column in cluster data",
- zap.Stringer("table", table.Info.Name),
- zap.String("col", fmt.Sprintf("%s %s", col.Name, col.FieldType.String())))
- return errors.Annotatef(berrors.ErrRestoreIncompatibleSys,
- "missing column in cluster data, table: %s, col: %s %s",
- table.Info.Name.O,
- col.Name, col.FieldType.String())
+ if col.Name.L == "password_require_current" {
+ log.Error("ignoring missing column in cluster data",
+ zap.Stringer("table", table.Info.Name),
+ zap.String("col", fmt.Sprintf("%s %s", col.Name, col.FieldType.String())))
+ } else {
+ log.Error("missing column in cluster data",
+ zap.Stringer("table", table.Info.Name),
+ zap.String("col", fmt.Sprintf("%s %s", col.Name, col.FieldType.String())))
+ return errors.Annotatef(berrors.ErrRestoreIncompatibleSys,
+ "missing column in cluster data, table: %s, col: %s %s",
+ table.Info.Name.O,
+ col.Name, col.FieldType.String())
+ }
}
}
}
This patch:
- Makes the "missing column in cluster data" non-fatal for the "password_require_current" column
- Uses the list of columns for the target table instead of the list of columns of the source table. Maybe this should check for columns that are present in both if we actually want to do it like this.
However the result is that the PASSWORD REQUIRE CURRENT (DEFAULT|OPTIONAL|)
part of the user definition gets lost as there isn't a column for that. I think this might be acceptable but not supporting this and requiring --with-sys-table=false
might be a good option as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Restoring a backup of TiDB v8.3.0 vanilla on TiDB-with-this-PR works:
From the logs:
[2024/08/22 10:49:10.696 +02:00] [WARN] [systable_restore.go:349] ["missing column in backup data"] [table=user] [col="Password_require_current enum('N','Y')"]
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
/retest |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@dveeden: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
What problem does this PR solve?
Issue Number: close #54660
Problem Summary:
Support a global (
password_require_current
) and per account (mysql.user.Password_require_current
) policy for requiring the current password when changing the password.What changed and how does it work?
parser:
PASSWORD REQUIRE CURRENT
PASSWORD REQUIRE CURRENT OPTIONAL
ALTER USER...IDENTIFIED BY ... REPLACE ...
ALTER USER...IDENTIFIED WITH ... BY ... REPLACE ...
ALTER USER() IDENTIFIED BY ... REPLACE ...
ErrIncorrectCurrentPassword
ErrMissingCurrentPassword
ErrCurrentPasswordNotRequired
session:
Password_require_current
column tomysql.user
sessionctx/variable:
password_require_current
system variableexecutor:
SHOW CREATE USER
outputALTER USER ... PASSWORD REQUIRE CURRENT ...
ALTER USER
errno:
ErrIncorrectCurrentPassword
ErrMissingCurrentPassword
ErrCurrentPasswordNotRequired
privilege:
Questions and remarks
TestAbnormalMySQLTable
has a comment that says it is testing with amysql.user
table synchronized from MySQL. However the supplied data looks like a TiDBmysql.user
table instead. Is this test correct? Should this be multiple tests, with MySQL 5.7,8.0 and 8.4? Maybe 9.0? @CbcWestwolf ? TestAbnormalMySQLTable has multiple issues. #54924(*UserPrivilege).checkPassword()
for example needs to do something different based on what authentication plugin is being used. Maybe we can makeauth.CheckHashingPassword()
more generic, but then we should probably change the name. Maybe an interface is best, but probably that's out of scope for this PR.show.go
has a "FIXME: the returned string is not escaped safely" comment. Maybe we should fix this outside of this PR?mysql_native_password
,tidb_sm3_password
andcaching_sha2_password
. For other methods more testing and work might be needed.PASSWORD()
function andSET PASSWORD = PASSWORD(...)
from the MySQL 5.7 era. Might be good to start the process of removing this (outside of this PR).Documentation needed
ALTER USER
docs to include:ALTER USER...PASSWORD REQUIRE CURRENT ...
ALTER USER...IDENTIFIED BY... REPLACE ...
password_require_current
mysql.user
docsTODO
For log redaction and audit logging:
These take care of this for
SET PASSWORD
andALTER USER
:(*AlterUserStmt).SecureText()
was updated anyway to make the intention clear.REPLACE <password>
syntax is only used withSET PASSWORD
andALTER USER
statements, which both already deal with passwords.Check List
Tests
Side effects
Documentation
Release note
Please refer to Release Notes Language Style Guide to write a quality release note.