MariaDB Server / MDEV-10956

Strict Password Validation Breaks Replication

Details

    • 10.1.19, 10.1.20, 10.1.21

    Description

      With strict password validation enabled by default (and with a password validation plugin also enabled), changing a password will break replication.

      SET PASSWORD FOR 'w'@'localhost' = PASSWORD('PLAINtext-password!!99');
      

      Last_SQL_Error: Error 'The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement' on query. Default database: ''. Query: 'SET PASSWORD FOR 'w'@'localhost'='*4045DC6C4FBF96E66F67118A73C6A85EB2BF28A9''
      

      The password is written to the binary log as a hash, which strict password validation prevents.

      A possible workaround seems to be to disable strict password validation and then re-enable it after the password change events:

      STOP SLAVE;
      SET GLOBAL strict_password_validation = OFF;
      START SLAVE;
      -- wait
      SET GLOBAL strict_password_validation = ON;
      

      It seems like there should be an "exemption" of some sort in the password validation plugins to allow these events from a master so slaves don't break.
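
A check for this failure on a replica, as an added example that is not part of the original report or of MariaDB's code: it parses `SHOW SLAVE STATUS\G` text and reports whether the SQL thread stopped on a pre-hashed `SET PASSWORD` event. The sample status text is constructed around the error quoted above, and the function names are hypothetical.

```python
import re

# Constructed `SHOW SLAVE STATUS\G` excerpt: Last_SQL_Error is the text quoted
# in this report, the two Running fields are assumed for illustration.
SAMPLE_STATUS = """\
*************************** 1. row ***************************
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
               Last_SQL_Error: Error 'The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement' on query. Default database: ''. Query: 'SET PASSWORD FOR 'w'@'localhost'='*4045DC6C4FBF96E66F67118A73C6A85EB2BF28A9''
"""

FIELD = re.compile(r"^\s*(\w+):[ \t]?(.*)$", re.M)
SET_PASSWORD = re.compile(
    r"Query: 'SET PASSWORD FOR '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"\s*=\s*'(?P<value>[^']*)''")
# Hash form seen in the replicated statement: '*' followed by 40 hex digits.
NATIVE_HASH = re.compile(r"\*[0-9A-F]{40}")


def parse_status(text):
    """Turn vertical SHOW SLAVE STATUS output into a {field: value} dict."""
    return {name: value.strip() for name, value in FIELD.findall(text)}


def diagnose(status_text):
    """Return details if the SQL thread stopped on this issue, else None."""
    status = parse_status(status_text)
    error = status.get("Last_SQL_Error", "")
    if status.get("Slave_SQL_Running") != "No":
        return None
    if "--strict-password-validation" not in error:
        return None
    m = SET_PASSWORD.search(error)
    if m is None:
        return {"account": None, "prehashed": False}
    # Report only the account and the shape of the value; the hash itself is
    # a credential and stays out of the result.
    return {
        "account": "'%s'@'%s'" % (m["user"], m["host"]),
        "prehashed": NATIVE_HASH.fullmatch(m["value"]) is not None,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_STATUS))
```
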

        Activity

          wfong Will Fong created issue -
          elenst Elena Stepanova made changes -
          Field Original Value New Value
          Status Open [ 1 ] Confirmed [ 10101 ]
          elenst Elena Stepanova made changes -
          Fix Version/s 10.1 [ 16100 ]
          holyfoot Alexey Botchkov made changes -
          Assignee Alexey Botchkov [ holyfoot ]
          ratzpo Rasmus Johansson (Inactive) made changes -
          Sprint 10.1.19 [ 109 ]
          ratzpo Rasmus Johansson (Inactive) made changes -
          Rank Ranked higher
          ratzpo Rasmus Johansson (Inactive) made changes -
          Sprint 10.1.19 [ 109 ] 10.1.19, 10.1.20 [ 109, 119 ]
          serg Sergei Golubchik made changes -
          Priority Major [ 3 ] Critical [ 2 ]
          ratzpo Rasmus Johansson (Inactive) made changes -
          Sprint 10.1.19, 10.1.20 [ 109, 119 ] 10.1.19, 10.1.20, 10.1.21 [ 109, 119, 130 ]
          holyfoot Alexey Botchkov made changes -
          Status Confirmed [ 10101 ] In Progress [ 3 ]
          holyfoot Alexey Botchkov made changes -
          Assignee Alexey Botchkov [ holyfoot ] Sergei Golubchik [ serg ]
          Status In Progress [ 3 ] In Review [ 10002 ]
          serg Sergei Golubchik made changes -
          Assignee Sergei Golubchik [ serg ] Alexey Botchkov [ holyfoot ]
          Status In Review [ 10002 ] Stalled [ 10000 ]
          holyfoot Alexey Botchkov made changes -
          issue.field.resolutiondate 2017-01-17 12:02:14.0 2017-01-17 12:02:14.007
          holyfoot Alexey Botchkov made changes -
          Fix Version/s 10.1.21 [ 22113 ]
          Fix Version/s 10.1 [ 16100 ]
          Resolution Fixed [ 1 ]
          Status Stalled [ 10000 ] Closed [ 6 ]
          serg Sergei Golubchik made changes -
          Workflow MariaDB v3 [ 77669 ] MariaDB v4 [ 151009 ]

          People

            holyfoot Alexey Botchkov
            wfong Will Fong