[MDEV-21929] Enhance ALTER USER for multiple authentication methods
Created: 2020-03-12  Updated: 2020-03-12

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System
Fix Version/s: None

Type: Task
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Ralf Gebhardt
Resolution: Unresolved
Votes: 0
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-11340 Allow multiple alternative authentica... Closed
Relates
relates to MDEV-21928 ALTER USER doesn't remove excess auth... Closed

Description

Ideally, it would probably make sense to provide ALTER USER syntax that supports multiple types of operations related to the multiple authentication methods functionality introduced by MDEV-11340.

For example, let's say that we have the default root@localhost account:

 
MariaDB [(none)]> SHOW CREATE USER 'root'@'localhost';
+----------------------------------------------------------------------------------------------------+
| CREATE USER for root@localhost                                                                     |
+----------------------------------------------------------------------------------------------------+
| CREATE USER 'root'@'localhost' IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket |
+----------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

Users might want ALTER USER statements like:

  • An ALTER USER statement to set the authentication methods to exactly what the statement says, and discard any existing ones. I think the syntax for that would be the currently supported syntax:

-- change authentication method, discard existing ones
ALTER USER 'root'@'localhost' IDENTIFIED VIA mysql_native_password USING PASSWORD('password');

  • An ALTER USER statement to modify an existing authentication method, and leave the user account's other existing authentication methods as-is. This syntax might make sense:

-- change existing authentication method, keep other existing ones too
ALTER USER 'root'@'localhost' MODIFY IDENTIFIED VIA mysql_native_password USING PASSWORD('password');

  • An ALTER USER statement to add a new authentication method to the beginning of the list, and leave other existing authentication methods as-is. This syntax might make sense:

-- add new authentication method to beginning, keep existing ones too
ALTER USER 'root'@'localhost' ADD IDENTIFIED VIA pam USING 'mariadb' FIRST;

  • An ALTER USER statement to add a new authentication method to the end of the list, and leave other existing authentication methods as-is. This syntax might make sense:

-- add new authentication method to end, keep existing ones too
ALTER USER 'root'@'localhost' ADD IDENTIFIED VIA pam USING 'mariadb' LAST;
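
The MODIFY and ADD forms above are proposals. The following added example (not part of the original issue, and not the project's own code) shows how the same results can be reached with the currently supported syntax by restating the complete method list. It assumes MariaDB 10.4 or later, the root@localhost account shown above, and that the pam plugin is already installed; 'password' and 'mariadb' are the placeholder values from the issue.

```sql
-- 1. Record the current list first. The supported ALTER USER syntax replaces
--    the whole list, so any method not restated below is dropped.
SHOW CREATE USER 'root'@'localhost';
-- ... IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket

-- 2. Equivalent of the proposed MODIFY: change the mysql_native_password
--    entry and restate unix_socket so socket login is not lost.
ALTER USER 'root'@'localhost'
  IDENTIFIED VIA mysql_native_password USING PASSWORD('password')
  OR unix_socket;

-- 3. Equivalent of the proposed ADD ... FIRST, starting again from the
--    original list in step 1: pam goes first, the existing entries are
--    copied verbatim from the SHOW CREATE USER output.
ALTER USER 'root'@'localhost'
  IDENTIFIED VIA pam USING 'mariadb'
  OR mysql_native_password USING 'invalid'
  OR unix_socket;

-- 4. Equivalent of the proposed ADD ... LAST, again from the original list:
--    the existing entries keep their order and pam is appended.
ALTER USER 'root'@'localhost'
  IDENTIFIED VIA mysql_native_password USING 'invalid'
  OR unix_socket
  OR pam USING 'mariadb';

-- 5. Verify after every change that the stored list is exactly the one
--    intended, in the intended order.
SHOW CREATE USER 'root'@'localhost';
SELECT JSON_DETAILED(Priv)
  FROM mysql.global_priv
 WHERE User = 'root' AND Host = 'localhost';
```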

