  1. MariaDB Server
  2. MDEV-10956

Strict Password Validation Breaks Replication

Details

    • 10.1.19, 10.1.20, 10.1.21

    Description

      With strict password validation being enabled by default (and also having a password validation plugin enabled), changing a password will break replication.

      SET PASSWORD FOR 'w'@'localhost' = PASSWORD('PLAINtext-password!!99');
      

      Last_SQL_Error: Error 'The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement' on query. Default database: ''. Query: 'SET PASSWORD FOR 'w'@'localhost'='*4045DC6C4FBF96E66F67118A73C6A85EB2BF28A9''
      

      The password is written to the binary log as a hash, which strict password validation prevents.

      A possible workaround seems to be to disable strict password validation and then re-enable it after the password change events:

      STOP SLAVE;
      SET GLOBAL strict_password_validation = OFF;
      START SLAVE;
      -- wait
      SET GLOBAL strict_password_validation = ON;
      

      It seems like there should be an "exemption" of some sort in the password validation plugins to allow these events from a master so slaves don't break.
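
A triage check for the failure described in this report, added here as an illustration and not part of the original report or of MariaDB: it reads `SHOW SLAVE STATUS\G` output and flags a SQL thread stopped by this error, confirming that the replicated statement carried a hash. The function names and the sample status text are assumptions constructed for the example; only the `Last_SQL_Error` line is taken from the report.

```python
import re

# Message fragment taken from the Last_SQL_Error quoted in the report.
STRICT_MSG = "running with the --strict-password-validation option"
# mysql_native_password hash format: '*' followed by 40 hex digits.
HASH_RE = re.compile(r"^\*[0-9A-Fa-f]{40}$")
# The replicated statement as it appears after "Query: " in the error text.
QUERY_RE = re.compile(
    r"Query: 'SET PASSWORD FOR '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"\s*=\s*'(?P<value>[^']*)'"
)

def parse_status(text):
    """Turn `SHOW SLAVE STATUS\\G` output into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and re.fullmatch(r"\w+", key):
            fields[key] = value
    return fields

def triage(text):
    """Return a finding if the SQL thread stopped on this issue, else None."""
    error = parse_status(text).get("Last_SQL_Error", "")
    if STRICT_MSG not in error:
        return None
    m = QUERY_RE.search(error)
    if m is None:
        return {"account": None, "hashed": None}
    return {
        "account": f"{m['user']}@{m['host']}",
        # True: the binlog event carried a hash, which a validation
        # plugin cannot check, so strict validation refuses it.
        "hashed": bool(HASH_RE.match(m["value"])),
    }

# Constructed sample: only the Last_SQL_Error text is copied from the report.
SAMPLE = """\
*************************** 1. row ***************************
            Slave_IO_Running: Yes
           Slave_SQL_Running: No
              Last_SQL_Error: Error 'The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement' on query. Default database: ''. Query: 'SET PASSWORD FOR 'w'@'localhost'='*4045DC6C4FBF96E66F67118A73C6A85EB2BF28A9''
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```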

        Activity

          Richard Richard Stracke added a comment - Bug is already in 10.1.16
          cy3572 Chunli Yao added a comment - The same bug impacts Galera cluster replication by using xtrabackup as well (version 10.1.17).

          holyfoot Alexey Botchkov added a comment - I decided to turn off password validation in slave threads completely. Well, maybe we should still validate plaintext passwords there, but I don't feel so at the moment. http://lists.askmonty.org/pipermail/commits/2017-January/010432.html
          holyfoot Alexey Botchkov added a comment - http://lists.askmonty.org/pipermail/commits/2017-January/010446.html

          People

            holyfoot Alexey Botchkov
            wfong Will Fong