From f1da1500cc9fc1b78bc74105a1a1a37725ff7427 Mon Sep 17 00:00:00 2001
From: cbcwestwolf <1004626265@qq.com>
Date: Tue, 15 Oct 2024 20:44:59 +0800
Subject: [PATCH 1/4] *: make `default_authentication_plugin` more compatible with mysql

---
 pkg/executor/grant.go | 8 ++++++--
 pkg/executor/show.go | 11 +++++++----
 pkg/executor/simple.go | 18 +++++++++++++++---
 pkg/privilege/privilege.go | 4 ++--
 pkg/privilege/privileges/cache.go | 8 ++++++--
 pkg/privilege/privileges/privileges.go | 8 ++++----
 pkg/server/conn.go | 6 +++++-
 pkg/session/session.go | 5 +++--
 pkg/session/types/sesson_interface.go | 2 +-
 9 files changed, 49 insertions(+), 21 deletions(-)

diff --git a/pkg/executor/grant.go b/pkg/executor/grant.go
index efe517b836685..4f9ee84a9836e 100644
--- a/pkg/executor/grant.go
+++ b/pkg/executor/grant.go
@@ -33,6 +33,7 @@ import (
 "github.com/pingcap/tidb/pkg/privilege"
 "github.com/pingcap/tidb/pkg/privilege/privileges"
 "github.com/pingcap/tidb/pkg/sessionctx"
+ "github.com/pingcap/tidb/pkg/sessionctx/variable"
 "github.com/pingcap/tidb/pkg/sessiontxn"
 "github.com/pingcap/tidb/pkg/table"
 "github.com/pingcap/tidb/pkg/util"
@@ -167,7 +168,10 @@ func (e *GrantExec) Next(ctx context.Context, _ *chunk.Chunk) error {
 // It is required for compatibility with 5.7 but removed from 8.0
 // since it results in a massive security issue:
 // spelling errors will create users with no passwords.
- authPlugin := mysql.AuthNativePassword
+ authPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
+ if err != nil {
+ return err
+ }
 if user.AuthOpt != nil && user.AuthOpt.AuthPlugin != "" {
 authPlugin = user.AuthOpt.AuthPlugin
 }
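Review bot: `authPlugin, err := ...GetGlobalSysVar(variable.DefaultAuthPlugin)` declares a fresh `err` inside the `if !exists` block, shadowing the `err` that the enclosing Next already checked just above the block (visible as context in the later grant.go hunk of patch 2), which is exactly the pattern govet's shadow check flags and the reason the following hunk had to switch `_, err :=` to `_, err =`. The lookup also appears to sit inside the per-user loop, so the global variable is re-read for every grantee; simple.go's executeCreateUser hunk reads it once before its loop. Declaring `var authPlugin string` and assigning with `authPlugin, err = ...` keeps a single `err`, and hoisting the read above the loop (as executeCreateUser does) makes the two creation paths consistent. Next's body begins and ends outside this hunk.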
@@ -180,7 +184,7 @@ func (e *GrantExec) Next(ctx context.Context, _ *chunk.Chunk) error {
 if !ok {
 return errors.Trace(exeerrors.ErrPasswordFormat)
 }
- _, err := internalSession.GetSQLExecutor().ExecuteInternal(internalCtx,
+ _, err = internalSession.GetSQLExecutor().ExecuteInternal(internalCtx,
 `INSERT INTO %n.%n (Host, User, authentication_string, plugin) VALUES (%?, %?, %?, %?);`,
 mysql.SystemDB, mysql.UserTable, user.User.Hostname, user.User.Username, pwd, authPlugin)
 if err != nil {
diff --git a/pkg/executor/show.go b/pkg/executor/show.go
index 9be4971cf68e4..5782ff434a8bc 100644
--- a/pkg/executor/show.go
+++ b/pkg/executor/show.go
@@ -1761,9 +1761,12 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 fmt.Sprintf("'%s'@'%s'", e.User.Username, e.User.Hostname))
 }
- authplugin := mysql.AuthNativePassword
+ authPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
+ if err != nil {
+ return errors.Trace(err)
+ }
 if len(rows) == 1 && rows[0].GetString(0) != "" {
- authplugin = rows[0].GetString(0)
+ authPlugin = rows[0].GetString(0)
 }
 accountLockedRaw := rows[0].GetString(1)
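Review bot: The fallback for a user row whose `plugin` column is empty no longer agrees with what the server authenticates against once patch 3 is applied: here `authPlugin` starts as the current global `default_authentication_plugin`, while patch 3's cache.go hunk restores `value.AuthPlugin = mysql.AuthNativePassword` in decodeUserTableRow for the same empty-column case, and show.go is not touched again in the series. If such rows can still exist (the `rows[0].GetString(0) != ""` guard suggests they can), SHOW CREATE USER would report e.g. `caching_sha2_password` for an account that is actually verified with mysql_native_password, and the reported plugin would change whenever the global is changed. The global default belongs only at creation time; mirroring the cache's rule here with `authPlugin := mysql.AuthNativePassword` and dropping the variable lookup, or reading the effective plugin through the privilege manager's GetAuthPlugin so both paths share one source of truth, would keep the displayed and enforced plugin identical. fetchShowCreateUser continues outside this hunk.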
@@ -1841,13 +1844,13 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 authData := checker.GetEncodedPassword(e.User.Username, e.User.Hostname)
 authStr := ""
- if !(authplugin == mysql.AuthSocket && authData == "") {
+ if !(authPlugin == mysql.AuthSocket && authData == "") {
 authStr = fmt.Sprintf(" AS '%s'", authData)
 }
 // FIXME: the returned string is not escaped safely
 showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s%s %s ACCOUNT %s PASSWORD HISTORY %s PASSWORD REUSE INTERVAL %s%s%s%s",
- e.User.Username, e.User.Hostname, authplugin, authStr, require, tokenIssuer, passwordExpiredStr, accountLocked, passwordHistory, passwordReuseInterval, failedLoginAttempts, passwordLockTimeDays, userAttributes)
+ e.User.Username, e.User.Hostname, authPlugin, authStr, require, tokenIssuer, passwordExpiredStr, accountLocked, passwordHistory, passwordReuseInterval, failedLoginAttempts, passwordLockTimeDays, userAttributes)
 e.appendRow([]any{showStr})
 return nil
 }
diff --git a/pkg/executor/simple.go b/pkg/executor/simple.go
index 318a72a89a27e..7867c048d2e1c 100644
--- a/pkg/executor/simple.go
+++ b/pkg/executor/simple.go
@@ -1110,6 +1110,10 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 if savePasswdHistory {
 sqlescape.MustFormatSQL(sqlPasswordHistory, `INSERT INTO %n.%n (Host, User, Password) VALUES `, mysql.SystemDB, mysql.PasswordHistoryTable)
 }
+ defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
+ if err != nil {
+ return errors.Trace(err)
+ }
 users := make([]*auth.UserIdentity, 0, len(s.Specs))
 for _, spec := range s.Specs {
@@ -1141,7 +1145,7 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 e.Ctx().GetSessionVars().StmtCtx.AppendNote(err)
 continue
 }
- authPlugin := mysql.AuthNativePassword
+ authPlugin := defaultAuthPlugin
 if spec.AuthOpt != nil && spec.AuthOpt.AuthPlugin != "" {
 authPlugin = spec.AuthOpt.AuthPlugin
 }
@@ -1736,6 +1740,10 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 if _, err := sqlExecutor.ExecuteInternal(ctx, "BEGIN PESSIMISTIC"); err != nil {
 return err
 }
+ defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
+ if err != nil {
+ return err
+ }
 for _, spec := range s.Specs {
 user := e.Ctx().GetSessionVars().User
@@ -1791,7 +1799,7 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 RequireAuthTokenOptions
 )
 authTokenOptionHandler := noNeedAuthTokenOptions
- currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname)
+ currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname, defaultAuthPlugin)
 if err != nil {
 return err
 }
@@ -2502,7 +2510,11 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
 disableSandboxMode = true
 }
- authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h)
+ defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
+ if err != nil {
+ return err
+ }
+ authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h, defaultAuthPlugin)
 if err != nil {
 return err
 }
diff --git a/pkg/privilege/privilege.go b/pkg/privilege/privilege.go
index cba7c122a7419..47ea66242bf2e 100644
--- a/pkg/privilege/privilege.go
+++ b/pkg/privilege/privilege.go
@@ -116,10 +116,10 @@ type Manager interface {
 IsDynamicPrivilege(privNameInUpper string) bool
 // GetAuthPluginForConnection gets the authentication plugin used in connection establishment.
- GetAuthPluginForConnection(user, host string) (string, error)
+ GetAuthPluginForConnection(user, host, defaultAuthPlugin string) (string, error)
 // GetAuthPlugin gets the authentication plugin for the account identified by the user and host
- GetAuthPlugin(user, host string) (string, error)
+ GetAuthPlugin(user, host, defaultAuthPlugin string) (string, error)
 }
 const key keyType = 0
diff --git a/pkg/privilege/privileges/cache.go b/pkg/privilege/privileges/cache.go
index ac240b4e08895..28263e36ce11d 100644
--- a/pkg/privilege/privileges/cache.go
+++ b/pkg/privilege/privileges/cache.go
@@ -285,6 +285,8 @@ type MySQLPrivilege struct {
 ColumnsPriv []columnsPrivRecord
 DefaultRoles []defaultRoleRecord
 RoleGraph map[string]roleGraphEdgesTable
+
+ defaultAuthPlugin string
 }
 // FindAllUserEffectiveRoles is used to find all effective roles grant to this user.
@@ -397,7 +399,9 @@ func (p *MySQLPrivilege) LoadAll(ctx sessionctx.Context) error {
 }
 logutil.BgLogger().Warn("mysql.role_edges missing")
 }
- return nil
+
+ p.defaultAuthPlugin, err = ctx.GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
+ return err
 }
 func noSuchTable(err error) bool {
@@ -665,7 +669,7 @@ func (p *MySQLPrivilege) decodeUserTableRow(row chunk.Row, fs []*resolve.ResultF
 if row.GetString(i) != "" {
 value.AuthPlugin = row.GetString(i)
 } else {
- value.AuthPlugin = mysql.AuthNativePassword
+ value.AuthPlugin = p.defaultAuthPlugin
 }
 case f.ColumnAsName.L == "token_issuer":
 value.AuthTokenIssuer = row.GetString(i)
diff --git a/pkg/privilege/privileges/privileges.go b/pkg/privilege/privileges/privileges.go
index 66ad0f14749f0..2d4b5afb40d50 100644
--- a/pkg/privilege/privileges/privileges.go
+++ b/pkg/privilege/privileges/privileges.go
@@ -328,9 +328,9 @@ func (p *UserPrivileges) GetEncodedPassword(user, host string) string {
 }
 // GetAuthPluginForConnection gets the authentication plugin used in connection establishment.
-func (p *UserPrivileges) GetAuthPluginForConnection(user, host string) (string, error) {
+func (p *UserPrivileges) GetAuthPluginForConnection(user, host, defaultAuthPlugin string) (string, error) {
 if SkipWithGrant {
- return mysql.AuthNativePassword, nil
+ return defaultAuthPlugin, nil
 }
 mysqlPriv := p.Handle.Get()
@@ -359,9 +359,9 @@ func (p *UserPrivileges) GetAuthPluginForConnection(user, host string) (string,
 }
 // GetAuthPlugin gets the authentication plugin for the account identified by the user and host
-func (p *UserPrivileges) GetAuthPlugin(user, host string) (string, error) {
+func (p *UserPrivileges) GetAuthPlugin(user, host, defaultAuthPlugin string) (string, error) {
 if SkipWithGrant {
- return mysql.AuthNativePassword, nil
+ return defaultAuthPlugin, nil
 }
 mysqlPriv := p.Handle.Get()
 record := mysqlPriv.connectionVerification(user, host)
diff --git a/pkg/server/conn.go b/pkg/server/conn.go
index e201ff3cb45cf..8aa19e43eb7eb 100644
--- a/pkg/server/conn.go
+++ b/pkg/server/conn.go
@@ -853,8 +853,12 @@ func (cc *clientConn) checkAuthPlugin(ctx context.Context, resp *handshake.Respo
 if err != nil {
 return nil, servererr.ErrAccessDenied.FastGenByArgs(cc.user, host, hasPassword)
 }
+ defaultAuthPlugin, err := cc.ctx.GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
+ if err != nil {
+ return nil, err
+ }
 // Get the plugin for the identity.
- userplugin, err := cc.ctx.AuthPluginForUser(identity)
+ userplugin, err := cc.ctx.AuthPluginForUser(identity, defaultAuthPlugin)
 if err != nil {
 logutil.Logger(ctx).Warn("Failed to get authentication method for user",
 zap.String("user", cc.user), zap.String("host", host))
diff --git a/pkg/session/session.go b/pkg/session/session.go
index 3f85fe77e9622..f3422066a6bfd 100644
--- a/pkg/session/session.go
+++ b/pkg/session/session.go
@@ -2706,9 +2706,10 @@ func (s *session) GetBuildPBCtx() *planctx.BuildPBContext {
 return bctx.(*planctx.BuildPBContext)
 }
-func (s *session) AuthPluginForUser(user *auth.UserIdentity) (string, error) {
+func (s *session) AuthPluginForUser(user *auth.UserIdentity, defaultAuthPlugin string) (string, error) {
 pm := privilege.GetPrivilegeManager(s)
- authplugin, err := pm.GetAuthPluginForConnection(user.Username, user.Hostname)
+
+ authplugin, err := pm.GetAuthPluginForConnection(user.Username, user.Hostname, defaultAuthPlugin)
 if err != nil {
 return "", err
 }
diff --git a/pkg/session/types/sesson_interface.go b/pkg/session/types/sesson_interface.go
index d3dfdfa3eca06..fa74ec5ac3a75 100644
--- a/pkg/session/types/sesson_interface.go
+++ b/pkg/session/types/sesson_interface.go
@@ -71,7 +71,7 @@ type Session interface {
 Close()
 Auth(user *auth.UserIdentity, auth, salt []byte, authConn conn.AuthConn) error
 AuthWithoutVerification(user *auth.UserIdentity) bool
- AuthPluginForUser(user *auth.UserIdentity) (string, error)
+ AuthPluginForUser(user *auth.UserIdentity, defaultAuthPlugin string) (string, error)
 MatchIdentity(username, remoteHost string) (*auth.UserIdentity, error)
 // Return the information of the txn current running
 TxnInfo() *txninfo.TxnInfo

From 5181ee58d31c26cddff6222bd40523393daf66eb Mon Sep 17 00:00:00 2001
From: cbcwestwolf <1004626265@qq.com>
Date: Mon, 21 Oct 2024 15:25:15 +0800
Subject: [PATCH 2/4] add test

---
 pkg/executor/grant.go | 7 +++--
 .../integrationtest/r/executor/simple.result | 31 +++++++++++++++++++
 tests/integrationtest/t/executor/simple.test | 23 ++++++++++++++
 3 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/pkg/executor/grant.go b/pkg/executor/grant.go
index 4f9ee84a9836e..38fb33073ccde 100644
--- a/pkg/executor/grant.go
+++ b/pkg/executor/grant.go
@@ -161,9 +161,10 @@ func (e *GrantExec) Next(ctx context.Context, _ *chunk.Chunk) error {
 if err != nil {
 return err
 }
- if !exists && e.Ctx().GetSessionVars().SQLMode.HasNoAutoCreateUserMode() {
- return exeerrors.ErrCantCreateUserWithGrant
- } else if !exists {
+ if !exists {
+ if e.Ctx().GetSessionVars().SQLMode.HasNoAutoCreateUserMode() {
+ return exeerrors.ErrCantCreateUserWithGrant
+ }
 // This code path only applies if mode NO_AUTO_CREATE_USER is unset.
 // It is required for compatibility with 5.7 but removed from 8.0
 // since it results in a massive security issue:
diff --git a/tests/integrationtest/r/executor/simple.result b/tests/integrationtest/r/executor/simple.result
index 161e37af4916b..3bf9bcdfa9bf2 100644
--- a/tests/integrationtest/r/executor/simple.result
+++ b/tests/integrationtest/r/executor/simple.result
@@ -454,3 +454,34 @@ id
 1
 2
 set autocommit = default;
+set global default_authentication_plugin = 'caching_sha2_password';
+create user default_sha256_user;
+show create user default_sha256_user;
+CREATE USER for default_sha256_user@%
+CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha256_user';
+plugin
+caching_sha2_password
+alter user default_sha256_user identified with 'tidb_sm3_password';
+show create user default_sha256_user;
+CREATE USER for default_sha256_user@%
+CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'tidb_sm3_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha256_user';
+plugin
+tidb_sm3_password
+alter user default_sha256_user identified with 'authentication_ldap_simple';
+show create user default_sha256_user;
+CREATE USER for default_sha256_user@%
+CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'authentication_ldap_simple' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha256_user';
+plugin
+authentication_ldap_simple
+alter user default_sha256_user identified with 'authentication_ldap_sasl';
+show create user default_sha256_user;
+CREATE USER for default_sha256_user@%
+CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'authentication_ldap_sasl' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha256_user';
+plugin
+authentication_ldap_sasl
+drop user default_sha256_user;
+set global default_authentication_plugin = default;
diff --git a/tests/integrationtest/t/executor/simple.test b/tests/integrationtest/t/executor/simple.test
index b111b944099dd..c1e7f3fa5369d 100644
--- a/tests/integrationtest/t/executor/simple.test
+++ b/tests/integrationtest/t/executor/simple.test
@@ -487,3 +487,26 @@ rollback;
 select * from auto_new;
 set autocommit = default;
+
+# TestDefaultAuthPluginForCreateUser
+
+connection default;
+set global default_authentication_plugin = 'caching_sha2_password';
+create user default_sha256_user;
+show create user default_sha256_user;
+select plugin from mysql.user where user = 'default_sha256_user';
+
+alter user default_sha256_user identified with 'tidb_sm3_password';
+show create user default_sha256_user;
+select plugin from mysql.user where user = 'default_sha256_user';
+
+alter user default_sha256_user identified with 'authentication_ldap_simple';
+show create user default_sha256_user;
+select plugin from mysql.user where user = 'default_sha256_user';
+
+alter user default_sha256_user identified with 'authentication_ldap_sasl';
+show create user default_sha256_user;
+select plugin from mysql.user where user = 'default_sha256_user';
+
+drop user default_sha256_user;
+set global default_authentication_plugin = default;
\ No newline at end of file

From 21b7e9380e5992cfcc8dbae779261e7e6834e153 Mon Sep 17 00:00:00 2001
From: cbcwestwolf <1004626265@qq.com>
Date: Mon, 21 Oct 2024 16:12:35 +0800
Subject: [PATCH 3/4] update

---
 pkg/executor/simple.go | 12 ++----------
 pkg/privilege/privilege.go | 4 ++--
 pkg/privilege/privileges/cache.go | 8 ++------
 pkg/privilege/privileges/privileges.go | 8 ++++----
 pkg/server/conn.go | 6 +----
 pkg/session/session.go | 5 ++---
 pkg/session/types/sesson_interface.go | 2 +-
 tests/integrationtest/r/executor/simple.result | 8 ++++++++
 tests/integrationtest/t/executor/simple.test | 4 ++++
 9 files changed, 26 insertions(+), 31 deletions(-)

diff --git a/pkg/executor/simple.go b/pkg/executor/simple.go
index 7867c048d2e1c..147888a307910 100644
--- a/pkg/executor/simple.go
+++ b/pkg/executor/simple.go
@@ -1740,10 +1740,6 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 if _, err := sqlExecutor.ExecuteInternal(ctx, "BEGIN PESSIMISTIC"); err != nil {
 return err
 }
- defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
- if err != nil {
- return err
- }
 for _, spec := range s.Specs {
 user := e.Ctx().GetSessionVars().User
@@ -1799,7 +1795,7 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 RequireAuthTokenOptions
 )
 authTokenOptionHandler := noNeedAuthTokenOptions
- currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname, defaultAuthPlugin)
+ currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname)
 if err != nil {
 return err
 }
@@ -2510,11 +2506,7 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
 disableSandboxMode = true
 }
- defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
- if err != nil {
- return err
- }
- authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h, defaultAuthPlugin)
+ authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h)
 if err != nil {
 return err
 }
diff --git a/pkg/privilege/privilege.go b/pkg/privilege/privilege.go
index 47ea66242bf2e..cba7c122a7419 100644
--- a/pkg/privilege/privilege.go
+++ b/pkg/privilege/privilege.go
@@ -116,10 +116,10 @@ type Manager interface {
 IsDynamicPrivilege(privNameInUpper string) bool
 // GetAuthPluginForConnection gets the authentication plugin used in connection establishment.
- GetAuthPluginForConnection(user, host, defaultAuthPlugin string) (string, error)
+ GetAuthPluginForConnection(user, host string) (string, error)
 // GetAuthPlugin gets the authentication plugin for the account identified by the user and host
- GetAuthPlugin(user, host, defaultAuthPlugin string) (string, error)
+ GetAuthPlugin(user, host string) (string, error)
 }
 const key keyType = 0
diff --git a/pkg/privilege/privileges/cache.go b/pkg/privilege/privileges/cache.go
index 28263e36ce11d..ac240b4e08895 100644
--- a/pkg/privilege/privileges/cache.go
+++ b/pkg/privilege/privileges/cache.go
@@ -285,8 +285,6 @@ type MySQLPrivilege struct {
 ColumnsPriv []columnsPrivRecord
 DefaultRoles []defaultRoleRecord
 RoleGraph map[string]roleGraphEdgesTable
-
- defaultAuthPlugin string
 }
 // FindAllUserEffectiveRoles is used to find all effective roles grant to this user.
@@ -399,9 +397,7 @@ func (p *MySQLPrivilege) LoadAll(ctx sessionctx.Context) error {
 }
 logutil.BgLogger().Warn("mysql.role_edges missing")
 }
-
- p.defaultAuthPlugin, err = ctx.GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
- return err
+ return nil
 }
 func noSuchTable(err error) bool {
@@ -669,7 +665,7 @@ func (p *MySQLPrivilege) decodeUserTableRow(row chunk.Row, fs []*resolve.ResultF
 if row.GetString(i) != "" {
 value.AuthPlugin = row.GetString(i)
 } else {
- value.AuthPlugin = p.defaultAuthPlugin
+ value.AuthPlugin = mysql.AuthNativePassword
 }
 case f.ColumnAsName.L == "token_issuer":
 value.AuthTokenIssuer = row.GetString(i)
diff --git a/pkg/privilege/privileges/privileges.go b/pkg/privilege/privileges/privileges.go
index 2d4b5afb40d50..66ad0f14749f0 100644
--- a/pkg/privilege/privileges/privileges.go
+++ b/pkg/privilege/privileges/privileges.go
@@ -328,9 +328,9 @@ func (p *UserPrivileges) GetEncodedPassword(user, host string) string {
 }
 // GetAuthPluginForConnection gets the authentication plugin used in connection establishment.
-func (p *UserPrivileges) GetAuthPluginForConnection(user, host, defaultAuthPlugin string) (string, error) {
+func (p *UserPrivileges) GetAuthPluginForConnection(user, host string) (string, error) {
 if SkipWithGrant {
- return defaultAuthPlugin, nil
+ return mysql.AuthNativePassword, nil
 }
 mysqlPriv := p.Handle.Get()
@@ -359,9 +359,9 @@ func (p *UserPrivileges) GetAuthPluginForConnection(user, host, defaultAuthPlugi
 }
 // GetAuthPlugin gets the authentication plugin for the account identified by the user and host
-func (p *UserPrivileges) GetAuthPlugin(user, host, defaultAuthPlugin string) (string, error) {
+func (p *UserPrivileges) GetAuthPlugin(user, host string) (string, error) {
 if SkipWithGrant {
- return defaultAuthPlugin, nil
+ return mysql.AuthNativePassword, nil
 }
 mysqlPriv := p.Handle.Get()
 record := mysqlPriv.connectionVerification(user, host)
diff --git a/pkg/server/conn.go b/pkg/server/conn.go
index 8aa19e43eb7eb..e201ff3cb45cf 100644
--- a/pkg/server/conn.go
+++ b/pkg/server/conn.go
@@ -853,12 +853,8 @@ func (cc *clientConn) checkAuthPlugin(ctx context.Context, resp *handshake.Respo
 if err != nil {
 return nil, servererr.ErrAccessDenied.FastGenByArgs(cc.user, host, hasPassword)
 }
- defaultAuthPlugin, err := cc.ctx.GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
- if err != nil {
- return nil, err
- }
 // Get the plugin for the identity.
- userplugin, err := cc.ctx.AuthPluginForUser(identity, defaultAuthPlugin)
+ userplugin, err := cc.ctx.AuthPluginForUser(identity)
 if err != nil {
 logutil.Logger(ctx).Warn("Failed to get authentication method for user",
 zap.String("user", cc.user), zap.String("host", host))
diff --git a/pkg/session/session.go b/pkg/session/session.go
index f3422066a6bfd..3f85fe77e9622 100644
--- a/pkg/session/session.go
+++ b/pkg/session/session.go
@@ -2706,10 +2706,9 @@ func (s *session) GetBuildPBCtx() *planctx.BuildPBContext {
 return bctx.(*planctx.BuildPBContext)
 }
-func (s *session) AuthPluginForUser(user *auth.UserIdentity, defaultAuthPlugin string) (string, error) {
+func (s *session) AuthPluginForUser(user *auth.UserIdentity) (string, error) {
 pm := privilege.GetPrivilegeManager(s)
-
- authplugin, err := pm.GetAuthPluginForConnection(user.Username, user.Hostname, defaultAuthPlugin)
+ authplugin, err := pm.GetAuthPluginForConnection(user.Username, user.Hostname)
 if err != nil {
 return "", err
 }
diff --git a/pkg/session/types/sesson_interface.go b/pkg/session/types/sesson_interface.go
index fa74ec5ac3a75..d3dfdfa3eca06 100644
--- a/pkg/session/types/sesson_interface.go
+++ b/pkg/session/types/sesson_interface.go
@@ -71,7 +71,7 @@ type Session interface {
 Close()
 Auth(user *auth.UserIdentity, auth, salt []byte, authConn conn.AuthConn) error
 AuthWithoutVerification(user *auth.UserIdentity) bool
- AuthPluginForUser(user *auth.UserIdentity, defaultAuthPlugin string) (string, error)
+ AuthPluginForUser(user *auth.UserIdentity) (string, error)
 MatchIdentity(username, remoteHost string) (*auth.UserIdentity, error)
 // Return the information of the txn current running
 TxnInfo() *txninfo.TxnInfo
diff --git a/tests/integrationtest/r/executor/simple.result b/tests/integrationtest/r/executor/simple.result
index 3bf9bcdfa9bf2..3859b6996e647 100644
--- a/tests/integrationtest/r/executor/simple.result
+++ b/tests/integrationtest/r/executor/simple.result
@@ -456,12 +456,19 @@ id
 set autocommit = default;
 set global default_authentication_plugin = 'caching_sha2_password';
 create user default_sha256_user;
+create role default_sha256_role;
 show create user default_sha256_user;
 CREATE USER for default_sha256_user@%
 CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
 select plugin from mysql.user where user = 'default_sha256_user';
 plugin
 caching_sha2_password
+show create user default_sha256_role;
+CREATE USER for default_sha256_role@%
+CREATE USER 'default_sha256_role'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE ACCOUNT LOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha256_role';
+plugin
+caching_sha2_password
 alter user default_sha256_user identified with 'tidb_sm3_password';
 show create user default_sha256_user;
 CREATE USER for default_sha256_user@%
@@ -484,4 +491,5 @@ select plugin from mysql.user where user = 'default_sha256_user';
 plugin
 authentication_ldap_sasl
 drop user default_sha256_user;
+drop user default_sha256_role;
 set global default_authentication_plugin = default;
diff --git a/tests/integrationtest/t/executor/simple.test b/tests/integrationtest/t/executor/simple.test
index c1e7f3fa5369d..d181b008ed15f 100644
--- a/tests/integrationtest/t/executor/simple.test
+++ b/tests/integrationtest/t/executor/simple.test
@@ -493,8 +493,11 @@ set autocommit = default;
 connection default;
 set global default_authentication_plugin = 'caching_sha2_password';
 create user default_sha256_user;
+create role default_sha256_role;
 show create user default_sha256_user;
 select plugin from mysql.user where user = 'default_sha256_user';
+show create user default_sha256_role;
+select plugin from mysql.user where user = 'default_sha256_role';
 alter user default_sha256_user identified with 'tidb_sm3_password';
 show create user default_sha256_user;
@@ -509,4 +512,5 @@ show create user default_sha256_user;
 select plugin from mysql.user where user = 'default_sha256_user';
 drop user default_sha256_user;
+drop user default_sha256_role;
 set global default_authentication_plugin = default;
\ No newline at end of file

From fa4a9a166f1a4a2c5b43602dab451f4c87d57ada Mon Sep 17 00:00:00 2001
From: cbcwestwolf <1004626265@qq.com>
Date: Mon, 21 Oct 2024 17:46:05 +0800
Subject: [PATCH 4/4] apply suggestions from dveeden

---
 .../integrationtest/r/executor/simple.result | 75 ++++++++++++------
 tests/integrationtest/t/executor/simple.test | 58 ++++++++------
 2 files changed, 85 insertions(+), 48 deletions(-)

diff --git a/tests/integrationtest/r/executor/simple.result b/tests/integrationtest/r/executor/simple.result
index 3859b6996e647..ca40620c61b44 100644
--- a/tests/integrationtest/r/executor/simple.result
+++ b/tests/integrationtest/r/executor/simple.result
@@ -454,42 +454,63 @@ id
 1
 2
 set autocommit = default;
+set global default_authentication_plugin = 'invalid_auth_plugin';
+Error 1231 (42000): Variable 'default_authentication_plugin' can't be set to the value of 'invalid_auth_plugin'
+set global default_authentication_plugin = 'auth_socket';
+Error 1231 (42000): Variable 'default_authentication_plugin' can't be set to the value of 'auth_socket'
+set global default_authentication_plugin = 'tidb_sm3_password';
+create user default_sm3_user;
+show create user default_sm3_user;
+CREATE USER for default_sm3_user@%
+CREATE USER 'default_sm3_user'@'%' IDENTIFIED WITH 'tidb_sm3_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sm3_user';
+plugin
+tidb_sm3_password
 set global default_authentication_plugin = 'caching_sha2_password';
-create user default_sha256_user;
-create role default_sha256_role;
-show create user default_sha256_user;
-CREATE USER for default_sha256_user@%
-CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
-select plugin from mysql.user where user = 'default_sha256_user';
+create user default_sha2_user;
+create user native_plugin_user identified with 'mysql_native_password';
+create role default_sha2_role;
+show create user default_sha2_user;
+CREATE USER for default_sha2_user@%
+CREATE USER 'default_sha2_user'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha2_user';
 plugin
 caching_sha2_password
-show create user default_sha256_role;
-CREATE USER for default_sha256_role@%
-CREATE USER 'default_sha256_role'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE ACCOUNT LOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
-select plugin from mysql.user where user = 'default_sha256_role';
+show create user native_plugin_user;
+CREATE USER for native_plugin_user@%
+CREATE USER 'native_plugin_user'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'native_plugin_user';
+plugin
+mysql_native_password
+show create user default_sha2_role;
+CREATE USER for default_sha2_role@%
+CREATE USER 'default_sha2_role'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE ACCOUNT LOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha2_role';
 plugin
 caching_sha2_password
-alter user default_sha256_user identified with 'tidb_sm3_password';
-show create user default_sha256_user;
-CREATE USER for default_sha256_user@%
-CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'tidb_sm3_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
-select plugin from mysql.user where user = 'default_sha256_user';
+alter user default_sha2_user identified with 'tidb_sm3_password';
+show create user default_sha2_user;
+CREATE USER for default_sha2_user@%
+CREATE USER 'default_sha2_user'@'%' IDENTIFIED WITH 'tidb_sm3_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha2_user';
 plugin
 tidb_sm3_password
-alter user default_sha256_user identified with 'authentication_ldap_simple';
-show create user default_sha256_user;
-CREATE USER for default_sha256_user@%
-CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'authentication_ldap_simple' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
-select plugin from mysql.user where user = 'default_sha256_user';
+alter user default_sha2_user identified with 'authentication_ldap_simple';
+show create user default_sha2_user;
+CREATE USER for default_sha2_user@%
+CREATE USER 'default_sha2_user'@'%' IDENTIFIED WITH 'authentication_ldap_simple' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha2_user';
 plugin
 authentication_ldap_simple
-alter user default_sha256_user identified with 'authentication_ldap_sasl';
-show create user default_sha256_user;
-CREATE USER for default_sha256_user@%
-CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'authentication_ldap_sasl' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
-select plugin from mysql.user where user = 'default_sha256_user';
+alter user default_sha2_user identified with 'authentication_ldap_sasl';
+show create user default_sha2_user;
+CREATE USER for default_sha2_user@%
+CREATE USER 'default_sha2_user'@'%' IDENTIFIED WITH 'authentication_ldap_sasl' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha2_user';
 plugin
 authentication_ldap_sasl
-drop user default_sha256_user;
-drop user default_sha256_role;
+drop user default_sm3_user;
+drop user default_sha2_user;
+drop user native_plugin_user;
+drop user default_sha2_role;
 set global default_authentication_plugin = default;
diff --git a/tests/integrationtest/t/executor/simple.test b/tests/integrationtest/t/executor/simple.test
index d181b008ed15f..992b9af49e175 100644
--- a/tests/integrationtest/t/executor/simple.test
+++ b/tests/integrationtest/t/executor/simple.test
@@ -491,26 +491,42 @@ set autocommit = default;
 # TestDefaultAuthPluginForCreateUser
 connection default;
+
+--error 1231
+set global default_authentication_plugin = 'invalid_auth_plugin';
+--error 1231
+set global default_authentication_plugin = 'auth_socket';
+
+set global default_authentication_plugin = 'tidb_sm3_password';
+create user default_sm3_user;
+show create user default_sm3_user;
+select plugin from mysql.user where user = 'default_sm3_user';
+
 set global default_authentication_plugin = 'caching_sha2_password';
-create user default_sha256_user;
-create role default_sha256_role;
-show create user default_sha256_user;
-select plugin from mysql.user where user = 'default_sha256_user';
-show create user default_sha256_role;
-select plugin from mysql.user where user = 'default_sha256_role';
-
-alter user default_sha256_user identified with 'tidb_sm3_password';
-show create user default_sha256_user;
-select plugin from mysql.user where user = 'default_sha256_user';
-
-alter user default_sha256_user identified with 'authentication_ldap_simple';
-show create user default_sha256_user;
-select plugin from mysql.user where user = 'default_sha256_user';
-
-alter user default_sha256_user identified with 'authentication_ldap_sasl';
-show create user default_sha256_user;
-select plugin from mysql.user where user = 'default_sha256_user';
-
-drop user default_sha256_user;
-drop user default_sha256_role;
+create user default_sha2_user;
+create user native_plugin_user identified with 'mysql_native_password';
+create role default_sha2_role;
+show create user default_sha2_user;
+select plugin from mysql.user where user = 'default_sha2_user';
+show create user native_plugin_user;
+select plugin from mysql.user where user = 'native_plugin_user';
+show create user default_sha2_role;
+select plugin from mysql.user where user = 'default_sha2_role';
+
+alter user default_sha2_user identified with 'tidb_sm3_password';
+show create user default_sha2_user;
+select plugin from mysql.user where user = 'default_sha2_user';
+
+alter user default_sha2_user identified with 'authentication_ldap_simple';
+show create user default_sha2_user;
+select plugin from mysql.user where user = 'default_sha2_user';
+
+alter user default_sha2_user identified with 'authentication_ldap_sasl';
+show create user default_sha2_user;
+select plugin from mysql.user where user = 'default_sha2_user';
+
+drop user default_sm3_user;
+drop user default_sha2_user;
+drop user native_plugin_user;
+drop user default_sha2_role;
 set global default_authentication_plugin = default;
\ No newline at end of file
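Review bot: The test pins the plugin stored by CREATE USER, CREATE ROLE and ALTER USER, but the other path this series changes is not exercised: the GRANT auto-create branch in grant.go's Next (taken when NO_AUTO_CREATE_USER is unset), which now also takes its plugin from `default_authentication_plugin`. It also never connects as one of the created accounts, so a divergence between the plugin recorded in mysql.user and the one the privilege cache applies at login would not be caught here. A `grant select on *.* to auto_created_user;` under the non-default setting followed by `select plugin from mysql.user where user = 'auto_created_user';`, and a connect step for `default_sha2_user` if the harness supports it, would cover both. The role case is already a useful check that the default is applied to locked accounts as well.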