MariaDB Server / MDEV-9016

Account Management Commands being written to binlog


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: 10.0.21
    • Fix Version/s: N/A
    • Component/s: Admin statements
    • Labels: None
    • Environment: CentOs 7.1

    Description

      Issuing a CREATE USER command on a MariaDB 10.0 database set up for row-based replication using GTID causes the statement to be written to the binlog in clear text.

      Not only is this a security risk, as the password appears in plain text in a text file, it causes Master-Master (hot spare) replication to fail by consuming a binlog sequence number on a box that is not expected to produce any (adding a user to the hot spare), creating a sequence-number-out-of-order replication failure.

      Would such a statement ever even be evaluated on a slave, even if the server was not in 'row' based replication mode?

      – From the binlog:

      #151026 12:37:44 server id 122  end_log_pos 1071839282  Query   thread_id=58251 exec_time=0     error_code=0
      SET TIMESTAMP=1445888264/*!*/;
      SET @@session.pseudo_thread_id=58251/*!*/;
      SET @@session.foreign_key_checks=1, @@session.sql_auto_is_null=0, @@session.unique_checks=1, @@session.autocommit=1/*!*/;
      SET @@session.sql_mode=0/*!*/;
      SET @@session.auto_increment_increment=1, @@session.auto_increment_offset=1/*!*/;
      /*!\C utf8 *//*!*/;
      SET @@session.character_set_client=33,@@session.collation_connection=33,@@session.collation_server=8/*!*/;
      SET @@session.lc_time_names=0/*!*/;
      SET @@session.collation_database=DEFAULT/*!*/;
      CREATE USER 'testuser'@'%' IDENTIFIED BY 'my_password_in_clear_text'
      /*!*/;
      DELIMITER ;
      # End of log file
      ROLLBACK /* added by mysqlbinlog */;
      /*!50003 SET COMPLETION_TYPE=@OLD_COMPLETION_TYPE*/;
      /*!50530 SET @@SESSION.PSEUDO_SLAVE_MODE=0*/;

      ######################################

      relevant settings from my.cnf.d/server.cnf

      --------------------------------------------
      #-----------------------------------
      # MASTER REPLICATION OPTIONS
      #-----------------------------------
      server_id =                                     122
      gtid-domain-id=                                 0
       
      log-bin=                                        mariadb.bin
      log-basename=                                   ds
      binlog-do-db=                                   positioning
      binlog-format=                                  ROW
      sync_binlog =                                   1
       
      #-----------------------------------
      # SLAVE REPLICATION OPTIONS
      #-----------------------------------
      relay-log-index =                               relay-bin.index
      relay-log =                                     relay-bin
       
      replicate-events-marked-for-skip=               FILTER_ON_MASTER   
      replicate-do-db=                                positioning
       
      log-slave-updates=                              1
      gtid-strict-mode=                               1
       
      slave_skip_errors =                             all
      innodb_flush_log_at_trx_commit=                 1
       
      slave_parallel_threads =                        4
      slave_parallel_max_queued=                      100031072
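
To audit existing binlogs for the exposure the report describes, the following added example (not part of the original report and not MariaDB project code) scans `mysqlbinlog` text output for `CREATE USER` or `GRANT` statements that carry a password literal, and reports them with the secret redacted. The function and field names are hypothetical, the second event in the sample (including its hash and position) is constructed for contrast, and the `IDENTIFIED BY PASSWORD '<hash>'` form is treated as not cleartext.

```python
import re

DELIM = "/*!*/;"  # statement delimiter used in mysqlbinlog text output
EVENT_HDR = re.compile(r"^#(\d{6}\s+\d{1,2}:\d{2}:\d{2}) server id (\d+)\s+end_log_pos (\d+)")
ACCOUNT_STMT = re.compile(r"^(CREATE\s+USER|GRANT)\b", re.I)
# Matches IDENTIFIED BY '<literal>' only; IDENTIFIED BY PASSWORD '<hash>' has no
# quote directly after BY, so the hashed form is not flagged.
CLEARTEXT = re.compile(r"(IDENTIFIED\s+BY\s+)'(?:[^'\\]|\\.|'')*'", re.I)

# Constructed sample: the first event mirrors the report, the second is invented.
SAMPLE = """\
#151026 12:37:44 server id 122  end_log_pos 1071839282  Query   thread_id=58251 exec_time=0     error_code=0
SET TIMESTAMP=1445888264/*!*/;
CREATE USER 'testuser'@'%' IDENTIFIED BY 'my_password_in_clear_text'
/*!*/;
#151026 12:40:02 server id 122  end_log_pos 1071839410  Query   thread_id=58251 exec_time=0     error_code=0
SET TIMESTAMP=1445888402/*!*/;
GRANT SELECT ON positioning.* TO 'report'@'10.0.0.%' IDENTIFIED BY PASSWORD '*0123456789ABCDEF0123456789ABCDEF01234567'
/*!*/;
"""

def find_cleartext_credentials(text):
    """Return one finding per account statement that carries a cleartext password."""
    findings, header, buf = [], (None, None, None), []
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT_HDR.match(line)
        if m:
            header = m.groups()  # remember which event the next statement belongs to
            continue
        if not line or line.startswith("#"):
            continue
        buf.append(line)
        if not line.endswith(DELIM):
            continue  # statement continues on the next line
        stmt = " ".join(buf)[: -len(DELIM)].strip()
        buf = []
        if ACCOUNT_STMT.match(stmt) and CLEARTEXT.search(stmt):
            findings.append({
                "time": header[0], "server_id": header[1], "end_log_pos": header[2],
                "statement": CLEARTEXT.sub(r"\1'<redacted>'", stmt),  # never echo the secret
            })
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE):
        print(finding)
```
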

            People

              Assignee: Unassigned
              Reporter: Mark Punak