Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 10.4.16
- None
Description
A user that has been set to PASSWORD EXPIRE does not have it unlocked by any of:
- alter user user2@localhost PASSWORD EXPIRE NEVER
- alter user user2@localhost PASSWORD EXPIRE INTERVAL 60 DAY
- alter user user2@localhost PASSWORD EXPIRE DEFAULT
10.4-4d6c6611443f1e0e1cdab34ac6e320031e7f980b
MariaDB [(none)]> create user user2@localhost PASSWORD EXPIRE NEVER; show create user user2@localhost; select * from mysql.global_priv where user='user2';
Query OK, 0 rows affected (0.001 sec)

+-------------------------------------------------------+
| CREATE USER for user2@localhost |
+-------------------------------------------------------+
| CREATE USER `user2`@`localhost` PASSWORD EXPIRE NEVER |
+-------------------------------------------------------+
1 row in set (0.000 sec)

+-----------+-------+-----------------------------------------------------------------------------------------------------------------------------------+
| Host | User | Priv |
+-----------+-------+-----------------------------------------------------------------------------------------------------------------------------------+
| localhost | user2 | {"access":0,"plugin":"mysql_native_password","authentication_string":"","password_last_changed":1604464098,"password_lifetime":0} |
+-----------+-------+-----------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

MariaDB [(none)]> alter user user2@localhost PASSWORD EXPIRE ; show create user user2@localhost; select * from mysql.global_priv where user='user2';
Query OK, 0 rows affected (0.001 sec)

+-------------------------------------------------+
| CREATE USER for user2@localhost |
+-------------------------------------------------+
| CREATE USER `user2`@`localhost` PASSWORD EXPIRE |
+-------------------------------------------------+
1 row in set (0.000 sec)

+-----------+-------+--------------------------------------------------------------------------------------------------------------------------+
| Host | User | Priv |
+-----------+-------+--------------------------------------------------------------------------------------------------------------------------+
| localhost | user2 | {"access":0,"plugin":"mysql_native_password","authentication_string":"","password_last_changed":0,"password_lifetime":0} |
+-----------+-------+--------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

MariaDB [(none)]> alter user user2@localhost PASSWORD EXPIRE NEVER; show create user user2@localhost; select * from mysql.global_priv where user='user2';
Query OK, 0 rows affected (0.001 sec)

+-------------------------------------------------+
| CREATE USER for user2@localhost |
+-------------------------------------------------+
| CREATE USER `user2`@`localhost` PASSWORD EXPIRE |
+-------------------------------------------------+
1 row in set (0.000 sec)

+-----------+-------+--------------------------------------------------------------------------------------------------------------------------+
| Host | User | Priv |
+-----------+-------+--------------------------------------------------------------------------------------------------------------------------+
| localhost | user2 | {"access":0,"plugin":"mysql_native_password","authentication_string":"","password_last_changed":0,"password_lifetime":0} |
+-----------+-------+--------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

MariaDB [(none)]> alter user user2@localhost PASSWORD EXPIRE INTERVAL 60 DAY; show create user user2@localhost; select * from mysql.global_priv where user='user2';
Query OK, 0 rows affected (0.000 sec)

+-------------------------------------------------+
| CREATE USER for user2@localhost |
+-------------------------------------------------+
| CREATE USER `user2`@`localhost` PASSWORD EXPIRE |
+-------------------------------------------------+
1 row in set (0.000 sec)

+-----------+-------+---------------------------------------------------------------------------------------------------------------------------+
| Host | User | Priv |
+-----------+-------+---------------------------------------------------------------------------------------------------------------------------+
| localhost | user2 | {"access":0,"plugin":"mysql_native_password","authentication_string":"","password_last_changed":0,"password_lifetime":60} |
+-----------+-------+---------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

MariaDB [(none)]> alter user user2@localhost PASSWORD EXPIRE DEFAULT; show create user user2@localhost; select * from mysql.global_priv where user='user2';
Query OK, 0 rows affected (0.000 sec)

+-------------------------------------------------+
| CREATE USER for user2@localhost |
+-------------------------------------------------+
| CREATE USER `user2`@`localhost` PASSWORD EXPIRE |
+-------------------------------------------------+
1 row in set (0.000 sec)

+-----------+-------+---------------------------------------------------------------------------------------------------------------------------+
| Host | User | Priv |
+-----------+-------+---------------------------------------------------------------------------------------------------------------------------+
| localhost | user2 | {"access":0,"plugin":"mysql_native_password","authentication_string":"","password_last_changed":0,"password_lifetime":-1} |
+-----------+-------+---------------------------------------------------------------------------------------------------------------------------+

So I'm assuming that any of the unexpired variants should set password_last_changed=NOW if it's 0. At a minimum the `show create user` is incorrect.
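The state in the rows above can be decoded from `mysql.global_priv` directly instead of being read from `SHOW CREATE USER`; the following is an added example, not part of the original report or MariaDB's code, that does this for the report's own rows. The function names are hypothetical, and the mapping of `password_lifetime` values (0, 60, -1) to clauses is taken from the statements and rows shown in the session.

```python
import json

# Distinct mysql.global_priv rows copied from the session in the report, in order.
_BASE = '{"access":0,"plugin":"mysql_native_password","authentication_string":"",'
REPORT_ROWS = [
    ("localhost", "user2", _BASE + '"password_last_changed":1604464098,"password_lifetime":0}'),
    ("localhost", "user2", _BASE + '"password_last_changed":0,"password_lifetime":0}'),
    ("localhost", "user2", _BASE + '"password_last_changed":0,"password_lifetime":60}'),
    ("localhost", "user2", _BASE + '"password_last_changed":0,"password_lifetime":-1}'),
]


def policy_clause(lifetime):
    """Map a stored password_lifetime to the clause that produced it in the report."""
    if lifetime == 0:
        return "PASSWORD EXPIRE NEVER"
    if lifetime == -1:
        return "PASSWORD EXPIRE DEFAULT"
    if isinstance(lifetime, int) and lifetime > 0:
        return f"PASSWORD EXPIRE INTERVAL {lifetime} DAY"
    return None  # key absent or unexpected value: report it, do not guess


def audit_row(host, user, priv_json):
    """Decode one global_priv row into its password-expiry state."""
    priv = json.loads(priv_json)
    # The report's rows show password_last_changed=0 after ALTER USER ... PASSWORD EXPIRE.
    expired = priv.get("password_last_changed") == 0
    policy = policy_clause(priv.get("password_lifetime"))
    return {
        "account": f"{user}@{host}",
        "manually_expired": expired,
        "stored_policy": policy,
        # In the report, SHOW CREATE USER printed only PASSWORD EXPIRE for such
        # rows, so a stored NEVER or INTERVAL policy does not appear in its output.
        "policy_hidden_in_show_create": expired
        and policy not in (None, "PASSWORD EXPIRE DEFAULT"),
    }


def still_expired(rows):
    """Return the decoded state of every row whose password is still marked expired."""
    decoded = (audit_row(*row) for row in rows)
    return [d for d in decoded if d["manually_expired"]]


if __name__ == "__main__":
    for state in still_expired(REPORT_ROWS):
        print(state)
```

On a live server the input would be the `Host`, `User` and `Priv` columns selected from `mysql.global_priv`, as in the session above.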
robertbindar thanks for describing MySQL behavior. While password expiration is compatibility implemented, and in this MDEV we want to ensure that a save/restore generates the same user especially as this is part of MDEV-23630. We don't have to implement their bugs/deficiencies.
ref: MDEV-24103 for last_password_changed save/restore, though I'm almost tempted to WONTFIX MDEV-24103 even though the restore isn't perfect and restored users are given extra grace for their password changes.
On lambdas, there are other very specific parts of code in a function. Probably a static function is sufficient. Save lambdas where there's a need to change the function ptr/assignment.