authentication plugin: SET PASSWORD support.
The syntax could stay the as before:
The PASSWORD() syntax will need to use the plugin-specific password hashing callback. There is no need to have per-plugin password hashing function. For example, writing PASSWORD() for the user, who uses mysql_old_password will be the same as using OLD_PASSWORD() function in earlier MySQL/MariaDB versions. OLD_PASSWORD() syntax could stay or, better, could be removed as nobody should be using that plugin anymore.
The same syntax can be used for CREATE USER and GRANT:
This makes the standalone PASSWORD function will become somewhat confusing, because it'll use double-SHA1 hashing, it cannot use the "corresponding user's auth plugin", because it's not run in the user context. Possible solutions:
- Add an optional second argument to specify a plugin, or
- Keep it that way, it's good that one cannot arbitrarily invoke plugin's password hashing function. We've had a lot of issues [*] before when users tried to use PASSWORD() as a generic password-hashing function for their applications. It is not, it's an internal MariaDB authentication plugin dependent password hashing, only to be used for MariaDB authentication. Not allowing a user to use plugin hashing directly will create less possibilities for abusing it.
[*] In MySQL 4.0.0 (or 4.1.0?) we've tried to salt passwords, so that PASSWORD() would use a random salt. Got huge number of complains about PASSWORD() being non-deterministic, it broke all applications where users did, like