Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-10112

mysql_secure_installation should use GRANT, REVOKE, etc for galera support

Details

    Description

      Currently the mysql_secure_installation script execute DELETE and UPDATE and so forth. This is not compatible with Galera as these tables are MyISAM.

      Please change them to use GRANT, REVOKE, etc...

      Attachments

        Issue Links

          is part of

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26593 Replace mysql_secure_installation with a notice that it is useless

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Activity

            Ascending order - Click to sort in descending order
            michaeldg Michaël de groot created issue -
            serg Sergei Golubchik made changes -
            Field Original Value New Value
            Priority Major [ 3 ] Minor [ 4 ]
            michaeldg Michaël de groot made changes -
            Priority Minor [ 4 ] Major [ 3 ]
            michaeldg Michaël de groot made changes -
            Priority Major [ 3 ] Blocker [ 1 ]
            michaeldg Michaël de groot added a comment -

            Hi,

            As this issue is open for a year now and still a big problem to all first-time Galera users, increasing priority.

            As far as I know there is no work-around, except not uing mysql_secure_installation. Instead, you could use the corresponding GRANT statements.

            Thanks,
            Michaël

            michaeldg Michaël de groot added a comment - Hi, As this issue is open for a year now and still a big problem to all first-time Galera users, increasing priority. As far as I know there is no work-around, except not uing mysql_secure_installation. Instead, you could use the corresponding GRANT statements. Thanks, Michaël
            michaeldg Michaël de groot made changes -
            Fix Version/s 10.2 [ 14601 ]
            serg Sergei Golubchik made changes -
            Priority Blocker [ 1 ] Major [ 3 ]
            serg Sergei Golubchik made changes -
            Fix Version/s 10.3 [ 22126 ]
            Fix Version/s 10.2 [ 14601 ]
            flyswimr_vz George added a comment -

            Hi Michaël,
            We have been able to run mysql_secure_installation in non-production with Galera - simply by running it on each Galera node (and we did not run this script on the first node in the cluster before adding more nodes, we did it after..) So far everything seems fine..but maybe not according to your comment in this JIRA ticket?

            Based on what you are saying and what is presented here: https://mariadb.com/kb/en/library/mysql_secure_installation/
            Is this not a recommended approach in production simply because someone may neglect to run it on all nodes (said first-time user incorrectly assuming mysql.user changes would not be transported to the other nodes), or is there some other issue? I'm a little confused since I would think it is preferable to run the types of commands in the script, as opposed to not using mysql_secure_installation e.g. do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test
            _%'"

            Thanks!

            flyswimr_vz George added a comment - Hi Michaël, We have been able to run mysql_secure_installation in non-production with Galera - simply by running it on each Galera node (and we did not run this script on the first node in the cluster before adding more nodes, we did it after..) So far everything seems fine..but maybe not according to your comment in this JIRA ticket? Based on what you are saying and what is presented here: https://mariadb.com/kb/en/library/mysql_secure_installation/ Is this not a recommended approach in production simply because someone may neglect to run it on all nodes (said first-time user incorrectly assuming mysql.user changes would not be transported to the other nodes), or is there some other issue? I'm a little confused since I would think it is preferable to run the types of commands in the script, as opposed to not using mysql_secure_installation e.g. do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test _%'" Thanks!
            danblack Daniel Black added a comment -

            mysql_secure_installation.cc from mysql has most of thse fixed.

            Otherwise/alternately we can do queries like:

            set_root_password

            SELECT CONCAT('ALTER USER IF EXISTS ',
            		 
                            GROUP_CONCAT(
            		 
                                CONCAT('\'', User, '\'@\'', Host, '\'', ' IDENTIFIED BY '$esc_pass')
            		 
                            )
            		 
                        ) INTO @str
            		 
                        FROM mysql.user
            		 
                        WHERE User='root'
            		 
                    PREPARE stmt FROM @str;
            		 
                    EXECUTE stmt;
            		 
                    DROP PREPARE stmt;

            remove_remote_root

                    SELECT CONCAT('DROP USER IF EXISTS ',
            		 
                            GROUP_CONCAT(
            		 
                                CONCAT('\'', User, '\'@\'', Host, '\'')
            		 
                            )
            		 
                        ) INTO @str
            		 
                        FROM mysql.user
            		 
                        WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
            		 
                    PREPARE stmt FROM @str;
            		 
                    EXECUTE stmt;
            		 
                    DROP PREPARE stmt;

            danblack Daniel Black added a comment - mysql_secure_installation.cc from mysql has most of thse fixed. Otherwise/alternately we can do queries like: set_root_password SELECT CONCAT( 'ALTER USER IF EXISTS ' , GROUP_CONCAT( CONCAT( '\'' , User , '\'@\'' , Host, '\'' , ' IDENTIFIED BY ' $esc_pass ') ) ) INTO @str FROM mysql.user WHERE User=' root' PREPARE stmt FROM @str; EXECUTE stmt; DROP PREPARE stmt; remove_remote_root SELECT CONCAT( 'DROP USER IF EXISTS ' , GROUP_CONCAT( CONCAT( '\'' , User , '\'@\'' , Host, '\'' ) ) ) INTO @str FROM mysql. user WHERE User = 'root' AND Host NOT IN ( 'localhost' , '127.0.0.1' , '::1' ); PREPARE stmt FROM @str; EXECUTE stmt; DROP PREPARE stmt;
            serg Sergei Golubchik made changes -
            Fix Version/s 10.4 [ 22408 ]
            danblack Daniel Black made changes -
            Assignee Anel Husakovic [ anel ]
            danblack Daniel Black added a comment - - edited

            Suggested SQL fragments https://github.com/vitessio/vitess/pull/7318/files

            danblack Daniel Black added a comment - - edited Suggested SQL fragments https://github.com/vitessio/vitess/pull/7318/files
            otto Otto Kekäläinen made changes -
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 75763 ] MariaDB v4 [ 130480 ]
            julien.fritsch Julien Fritsch made changes -
            Fix Version/s 10.3 [ 22126 ]
            vlad.radu Vlad Radu made changes -
            Labels foundation

            People

              anel Anel Husakovic
              michaeldg Michaël de groot
              Votes:
              8 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.