[MDEV-9016] Account Management Commands being written to binlog - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Not a Bug
Affects Version/s: 10.0.21
Fix Version/s: N/A
Component/s: Admin statements
Labels:
None
Environment:
CentOs 7.1

Description

Issuing a CREATE USER command on a MariaDB 10.0 database setup for row based replication using GTID causes the statement to be written to the binlog in clear text.

Not only is this a security risk, as the password appears in plain text in a text file, it causes Master-Master(hot spare) replication to fail by consuming a bin log sequence number on a box that is not expected to produce any (adding user to hot spare), creating a sequence number out of order replication failure.

Would such a statement ever even be evaluated on a slave, even if the server was not in 'row' based replication mode?

– From the binlog:

#151026 12:37:44 server id 122  end_log_pos 1071839282  Query   thread_id=58251 exec_time=0     error_code=0

SET TIMESTAMP=1445888264/*!*/;

SET @@session.pseudo_thread_id=58251/*!*/;

SET @@session.foreign_key_checks=1, @@session.sql_auto_is_null=0, @@session.unique_checks=1, @@session.autocommit=1/*!*/;

SET @@session.sql_mode=0/*!*/;

SET @@session.auto_increment_increment=1, @@session.auto_increment_offset=1/*!*/;

/*!\C utf8 *//*!*/;

SET @@session.character_set_client=33,@@session.collation_connection=33,@@session.collation_server=8/*!*/;

SET @@session.lc_time_names=0/*!*/;

SET @@session.collation_database=DEFAULT/*!*/;

CREATE USER 'testuser'@'%' IDENTIFIED BY 'my_password_in_clear_text'

/*!*/;

DELIMITER ;

# End of log file

ROLLBACK /* added by mysqlbinlog */;

/*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/;

/*!50530 SET @@SESSION.PSEUDO_SLAVE_MODE=0*/;

######################################

relevant settings from my.cnf.d/server.cnf

--------------------------------------------

#-----------------------------------

# MASTER REPLICATION OPTIONS

#-----------------------------------

server_id =                                     122

gtid-domain-id=                                 0

log-bin=                                        mariadb.bin

log-basename=                                   ds

binlog-do-db=                                   positioning

binlog-format=                                  ROW

sync_binlog =                                   1

#-----------------------------------

# SLAVE REPLICATION OPTIONS

#-----------------------------------

relay-log-index =                               relay-bin.index

relay-log =                                     relay-bin

replicate-events-marked-for-skip=               FILTER_ON_MASTER

replicate-do-db=                                positioning

log-slave-updates=                              1

gtid-strict-mode=                               1

slave_skip_errors =                             all

innodb_flush_log_at_trx_commit=                 1

slave_parallel_threads =                        4

slave_parallel_max_queued=                      100031072

Attachments

Issue Links

duplicates

MDEV-9042 CREATE USER passwords being written to bin log in clear text

Open

Activity

People

Assignee:: Unassigned

Reporter:: Mark Punak

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2015-10-26 23:37

Updated:: 2019-07-26 22:26

Resolved:: 2015-10-30 02:03

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.