[MDEV-18119] upgrading from 10.3 to 10.4 can result in the password for a user to be wiped out Created: 2019-01-02  Updated: 2019-02-04  Resolved: 2019-02-04

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.4
Fix Version/s: 10.4.3

Type: Bug Priority: Critical
Reporter: Travis Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None
Environment:

OS: CentOS Linux release 7.5.1804 (Core)
Kernel: 3.10.0-862.3.2.el7.x86_64
Arch: x86_64
Environment: unknown-envtype
CPU: Intel Xeon E312xx (Sandy Bridge) w/ 4 core(s)

Issue Links:
Relates
relates to MDEV-18118 MySQL users can break if using mysql_... Closed

 Description   
Details

Upgrading from 10.3 to 10.4 can result in the password for a user using 'mysql_native_password' to be removed.

version 10.3

# mysql --version
 
mysql  Ver 15.1 Distrib 10.3.11-MariaDB, for Linux (x86_64) using readline 5.1
 
# mysql mysql -e "select User,Host,plugin,Password,authentication_string from user where User='cptest';"
 
+--------+------+-----------------------+-------------------------------------------+-----------------------+
 
| User   | Host | plugin                | Password                                  | authentication_string |
 
+--------+------+-----------------------+-------------------------------------------+-----------------------+
 
| cptest | %    | mysql_native_password | *A8C0FBBC868C0ABC516A6CED06C02974BEC047C2 |                       |
 
+--------+------+-----------------------+-------------------------------------------+-----------------------+

  • upgrade to 10.4

notice that the user no longer has a password:

# mysql --version
 
mysql  Ver 15.1 Distrib 10.4.1-MariaDB, for Linux (x86_64) using readline 5.1
 
# mysql mysql -e "select User,Host,plugin,Password,authentication_string from user where User='cptest';"
 
+--------+------+-----------------------+----------+-----------------------+
 
| User   | Host | plugin                | Password | authentication_string |
 
+--------+------+-----------------------+----------+-----------------------+
 
| cptest | %    | mysql_native_password |          |                       |
 
+--------+------+-----------------------+----------+-----------------------+

Suggested Resolution / Expected Behavior
  • I would expect that the password maintained in the Password column would either be retained upon upgrading to 10.4 or it would be migrated over to the authentication_string column if the expectation is that all passwords are maintained there

 Comments   
Comment by Elena Stepanova [ 2019-01-03 ]

Thanks for the report.

It's a valid scenario at least upon upgrading from MySQL 5.6.
Still reproducible even with the new mysql.user structure in 10.4.2.

Generated at Thu Feb 08 08:41:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.