[MDEV-18290] Users identified via ed25519 are broken after upgrade to 10.4 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Duplicate
Affects Version/s: 10.4(EOL)
Fix Version/s: N/A
Component/s: Authentication and Privilege System
Labels:
None

Description

On 10.3 or earlier versions, create a user identified via ed25519 plugin:

MariaDB [test]> install soname 'auth_ed25519';

Query OK, 0 rows affected (0.00 sec)

MariaDB [test]> create user foo@localhost identified via ed25519 using 'test';

Query OK, 0 rows affected (0.01 sec)

MariaDB [test]> select user, host, password, plugin, authentication_string from mysql.user where user = 'foo' \G

*************************** 1. row ***************************

                 user: foo

                 host: localhost

             password:

               plugin: ed25519

authentication_string: test

1 row in set (0.00 sec)

Shutdown the server, start 10.4 on the same datadir, run mysql_upgrade.

MariaDB [test]> select plugin_name, plugin_status from information_schema.plugins where plugin_name = 'ed25519';

+-------------+---------------+

| plugin_name | plugin_status |

+-------------+---------------+

| ed25519     | ACTIVE        |

+-------------+---------------+

1 row in set (0.00 sec)

MariaDB [test]> show grants for foo@localhost;

ERROR 1141 (42000): There is no such grant defined for user 'foo' on host 'localhost'

MariaDB [test]> select user, host, password, plugin, authentication_string from mysql.user where user = 'foo' \G

*************************** 1. row ***************************

                 User: foo

                 Host: localhost

             Password:

               plugin: ed25519

authentication_string: test

1 row in set (0.01 sec)

It appears that the rules have become stricter, and now authentication_string must be the hashed password. Unfortunately, it's not that simple to unset/update the password. I did it eventually this way:

MariaDB [test]> update mysql.global_priv set Priv = '{"access":0,"ssl_type":0,"ssl_cipher":"","x509_issuer":"","x509_subject":"","max_questions":0,"max_updates":0,"max_connections":0,"max_user_connections":0,"max_statement_time":0.000000,"plugin":"ed25519","authentication_string":"","default_role":"","is_role":false}' where user = 'foo';

Query OK, 1 row affected (0.01 sec)

Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [test]> flush privileges;

Query OK, 0 rows affected (0.00 sec)

Now it works:

MariaDB [test]> show grants for foo@localhost;

+----------------------------------------------------------------+

| Grants for foo@localhost                                       |

+----------------------------------------------------------------+

| GRANT USAGE ON *.* TO 'foo'@'localhost' IDENTIFIED VIA ed25519 |

+----------------------------------------------------------------+

1 row in set (0.00 sec)

Attachments

Issue Links

is duplicated by

MDEV-17950 SHOW GRANTS FOR does not work for a user identified with non-existing plugin

Closed

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2019-01-17 22:14

Updated:: 2019-01-18 14:06

Resolved:: 2019-01-18 10:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server