[MDEV-24122] Minor updates to MariaDB 10.2/10.3 seems to be adding a DEFAULT ROLE to the show grants command that is invalid. Created: 2020-11-04 Updated: 2021-03-30 Resolved: 2021-01-23 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Upgrades |
| Affects Version/s: | 10.2.35, 10.3.26 |
| Fix Version/s: | 10.2.37, 10.3.28, 10.4.18, 10.5.9 |
| Type: | Bug | Priority: | Critical |
| Reporter: | cPanel Senior Tech's | Assignee: | Daniel Black |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Attachments: |
Screen Shot 2020-11-04 at 1.37.00 AM.png
affected_datadir.tar.xz.partaa
affected_datadir.tar.xz.partab
|
||||||||
| Issue Links: |
|
||||||||
| Description |
|
Possibly related to the recent change in: The default role is set to 0 (which is incorrect).
This causes database users to have invalid grants.
This breaks the cPanel "Databases" interface. (Screenshot attached) This does not occur for all servers that update to these versions and the cause of some of them breaking has yet to be determined. Downgrading solves the issue. Additionally, another workaround that we have used is to set the default role to NONE.
|
| Comments |
| Comment by Anel Husakovic [ 2020-11-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
So you have in 10.2.34 user1@localhost without any grants and default roles and after you upgraded with mysql_upgrade on 10.2.35 you obtained this type of error, right? | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by cPanel Senior Tech's [ 2020-11-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Hello, Sorry, I should have provided the before command as well. Here it is:
That's the default/standard. After the upgrade (mysql_upgrade) to 10.3.26, it shows the above but also the SET DEFAULT ROLE
I should also mention that there are no defined roles found within the information_schema db. (Before and after the mysql_upgrade)...
Does that help? | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Anel Husakovic [ 2020-11-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Does this happen between major versions or minor?
Can you help me how to repeat please for tomorrow? Thanks. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by cPanel Senior Tech's [ 2020-11-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Anel, this is happening on minor version updates with both 10.2 and 10.3 (we don't support 10.4 or 10.5 yet but it's likely happening there too). Users have stepped from 10.2.34 -> 10.2.35 with a yum update and started observing this behavior. We have found that new installations are not affected and we've found a small subset of systems that weren't impacted (i.e. they had no default role set in SHOW GRANTS even after update). We've not been able to find differences between the setups, but the majority of customers are observing this behavior. We've received over a hundred inquiries on this in the last 12 hours. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by cPanel Senior Tech's [ 2020-11-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
It's further important to note that even if we set a broken user to NONE with:
as soon as you restart MariaDB it goes back to:
| |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Hans Borresen [ 2020-11-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
It happens between minor updates.
Setting the role to "none" temporarily fixes it:
However, it comes back after a restart of MariaDB:
| |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Anel Husakovic [ 2020-11-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Just as a workaround can you please try this patch 17b182810b397248, although culprit should be somewhere else set_var_default_role::update/real_role variable. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2020-11-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
I suspect this was a problem in the mysql upgrade from mysql-5.7 that was only just fixed in the last release by Can you include the `show create table mysql.user`? MariaDB (badly by most accounts), assumes the columns in this table are a specific order. There shouldn't be extra columns before the last column `is_role`. The table definition should be: If its not this order, use a`ALTER TABLE USER` to get the right order, and then`FLUSH PRIVILEGES` | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Hans Borresen [ 2020-11-05 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Anel, I have attached a copy of an affected datadir to the case. This was from a server which had upgraded to 10.3.26 The root pass in the datadir is set to testpassword123!@# You can set it up as follows (make sure mariadb is not running when doing this):
On commit 64fe9d6d9a (which is prior to 4e987b1c6ba7a)
On commit 4e987b1c6ba7a:
On commit 17b1828 (your patch):
Now the "SET ROLE" statement is no longer invalid. However, I would expect that for users without a custom role, nothing should be shown – right? That seems to be the case if you install 10.2.35 or 10.3.26 directly and then create users. It is also the case when creating a new user on your patched version:
Given this, I would expect to also see nothing for the "hanstest" user, since it doesn't have any custom role. I think something in the datadir may be in a weird state for users who upgraded from older versions of MariaDB. Daniel:
| |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2020-11-05 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
hborresen thanks for that. The `password_last_changed`, `password_lifetime`, and `account_locked` are all mysql5.7 columns that aren't used in mariadb. They are causing a problem because of the ordinal usage of this table internally by MariaDB. A such the `password_lifetime` is being used as the default role, hence `0`. I recommend for existing installs:
This can be safely done on all MariaDB versions. Even MariaDB-10.4+ that implements password lifetimes and account locks stores them in the mysql.global_priv table. If you have existing roles or max_statement time usage this may be revered back to a default state. No code changes are required related to this correction. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2020-11-05 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
anel up for review? bb-10.2-danielblack- First commit uses mysql_upgrade to ensure that the mysql5.7 columns are out of the way. Second commit does a more thorough mysql.user check to see if the column name and the base type of the column are what's expected on start up. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Anel Husakovic [ 2020-11-05 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Thanks hborresen for your inputs, we are currently in review. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Hans Borresen [ 2020-11-05 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
I am a bit curious – in the new commit (f68885b17aa3de30b1a8d70c12fe2eb6c09c2750), why move the columns to the end? Since you don't expect them to exist at all, I would have expected you to drop them, as you suggested in the comment. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2020-11-06 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
hborresen, thanks for the test data.
On moving to the end, I tried to explain it in https://github.com/MariaDB/server/commit/8bc4268ce476c4e595896e568fc17980b806781d, that they do get used in mysql_upgrade in 10.4, where MariaDB finally does support password expiry and account locking. I could do a different commit for 10.4, but I figured they could be used in rapid succession. I'm going to ask around for other opinions on this, however if you have one I'd like to hear it too. If the server does keep the mysql5.7 columns lying around, I'll change https://github.com/MariaDB/server/commit/f68885b17aa3de30b1a8d70c12fe2eb6c09c2750, so it doesn't leave `2020-11-05 16:31:35 140598436198336 [ERROR] Column count of mysql.user is wrong. Expected 46, found 49. The table is probably corrupted` in the error log. (commit deleted - there was no mysql_upgrade error - I was running a 10.2 mysql_upgrade on a 10.3 datadir) | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Hans Borresen [ 2020-11-06 ] | |||||||||||||||||||||||||||||||||||||||||||||
I don't have an opinion – I was just curious. I wasn't aware the migration to 10.4 would account for those tables. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Sergei Golubchik [ 2020-11-09 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
danblack, I think your last commit is a bit too much. We specifically don't test for mysql.user structure because the privilege code adjusts and any older structure is also correct, should not cause any warnings. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2020-11-10 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Thanks for looking serg I was most of the way though https://github.com/MariaDB/server/commit/4fe72f32e4fb1b0849429bb781903e2d23a5c3a3 before I noticed this. Changes are:
The message still is which I don't particularly like the corrupted aspect of by without introducing messages or removing the last sentence was hard to change. Do you have a preference towards leaving the mysql-5.7 columns vs dropping them (which avoids the too many in most cases)? | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Sergei Golubchik [ 2020-11-10 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
I thought you need to preserve mysql-5.7 columns as later mariadb versions support password expiration and account locking | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2020-11-11 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
> I thought you need to preserve mysql-5.7 columns as later mariadb versions support password expiration and account locking Yes, there's just a user experience failure if they go from 5.7 to <= 10.3 as password expiry/ account locking go dormant (though I have engineered the last_password_change to stay current even though nothing enforces the expiry). If its then considerable months/years before the 10.4 upgrade occurs they will suddenly have accounts locked and passwords expired (because expiry was never enforced) that were fine in <=10.3 (even though they where locked in the 5.7 days). `SHOW CREATE USER` will reveal the account lock and expiry if present however. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2020-11-16 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
I've resolved my doubts about keeping the columns in existence: So sufficient as minimal fix is: Is limiting the cases where the mysql.user structure is tests to !bootstrap, !mysql_user_table_is_in_short_password_format sufficient to not be too much now? | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2020-12-04 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
cvicentiu can you review and merge if appropriate:
before reassigning back to serg to look at:
(which you're welcome to review too). | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Vicențiu Ciorbaru [ 2021-01-22 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Hi danblack! I think the patch is ok. There are a few changes I'd make to help explain the problem more clearly.
OK to push from me. | |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Sergei Golubchik [ 2021-01-22 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
danblack, please, for this bug you don't need more than a couple of lines of the commit comment. Something like
| |||||||||||||||||||||||||||||||||||||||||||||
| Comment by Daniel Black [ 2021-01-23 ] | |||||||||||||||||||||||||||||||||||||||||||||
|
Thanks for the reviews |