3807 Georgi Kodinov 2012-01-30
Bug #13586336: SRVGEN - HIBISCUS: ISSUE DEPRECATION WARNING FOR
LEGACY AUTHENTICATION METHOD
Added warnings as follows :
1) Make the server option secure_auth ON per default and issue a warning
stating that legacy passwords are deprecated if it is ever overridden.
2) Issue a deprecation warning if a new user account ever is created or
otherwise configured to use the mysql_old_password plugin.
3) When upgrading an old system, issue deprecation warnings if an old
password hash digest is found in the password field.
Added tests for the new warnings and updated existing tests to
either set secure_auth back to FALSE or adjust the result where this is not
possible.
modified:
mysql-test/r/change_user.result
mysql-test/r/connect.result
mysql-test/r/mysql_upgrade.result
mysql-test/r/mysqld--help-notwin.result
mysql-test/r/mysqld--help-win.result
mysql-test/suite/sys_vars/r/old_passwords_func.result
mysql-test/suite/sys_vars/r/secure_auth_basic.result
mysql-test/suite/sys_vars/r/secure_auth_func.result
mysql-test/suite/sys_vars/t/secure_auth_basic.test
mysql-test/t/change_user.test
mysql-test/t/connect.test
mysql-test/t/mysql_upgrade.test
scripts/mysql_system_tables_fix.sql
sql/sql_acl.cc
sql/sys_vars.cc
3806 Nuno Carvalho 2012-01-30
BUG#13613270 - INCLUDE/WAIT_FOR_SLAVE_IO_ERROR.INC IS NOT USING INCLUDE/SHOW_SLAVE_STATUS.INC
Unlike in previous versions, include/wait_for_slave_io_error.inc does not
use include/show_slave_status.inc, so it duplicates test code lines and does
not take advantage of the features of include/show_slave_status.inc.
Changed include/wait_for_slave_io_error.inc to use
include/show_slave_status.inc.
Updated tests results that use include/wait_for_slave_io_error.inc.
modified:
mysql-test/include/wait_for_slave_io_error.inc
mysql-test/suite/rpl/r/rpl_checksum.result
mysql-test/suite/rpl/r/rpl_log_pos.result
mysql-test/suite/rpl/r/rpl_manual_change_index_file.result
mysql-test/suite/rpl/r/rpl_packet.result
mysql-test/suite/rpl/r/rpl_row_event_max_size.result
mysql-test/suite/rpl/t/rpl_checksum.test
mysql-test/suite/rpl/t/rpl_log_pos.test
mysql-test/suite/rpl/t/rpl_manual_change_index_file.test
mysql-test/suite/rpl/t/rpl_packet.test
mysql-test/suite/rpl/t/rpl_row_event_max_size.test
=== modified file 'mysql-test/r/change_user.result'
--- a/mysql-test/r/change_user.result 2010-11-25 03:50:16 +0000
+++ b/mysql-test/r/change_user.result 2012-01-30 15:43:32 +0000
@@ -1,5 +1,10 @@
+SET GLOBAL secure_auth = OFF;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
grant select on test.* to test_nopw;
grant select on test.* to test_oldpw identified by password "09301740536db389";
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
grant select on test.* to test_newpw identified by "newpw";
select user(), current_user(), database();
user() current_user() database()
@@ -82,3 +87,4 @@ IS_USED_LOCK('bug31418')
NULL
FLUSH STATUS;
Value of com_select did not change
+SET GLOBAL secure_auth = DEFAULT;
=== modified file 'mysql-test/r/connect.result'
--- a/mysql-test/r/connect.result 2011-08-19 13:04:28 +0000
+++ b/mysql-test/r/connect.result 2012-01-30 15:43:32 +0000
@@ -79,12 +79,17 @@ connect(localhost,test,zorro,test2,MASTE
ERROR 28000: Access denied for user 'test'@'localhost' (using password: YES)
connect(localhost,test,zorro,test,MASTER_PORT,MASTER_SOCKET);
ERROR 28000: Access denied for user 'test'@'localhost' (using password: YES)
+SET GLOBAL secure_auth = OFF;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
update mysql.user set password=old_password("gambling2") where user=_binary"test";
flush privileges;
set password="";
set password='gambling3';
ERROR HY000: Password hash should be a 41-digit hexadecimal number
set password=old_password('gambling3');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
show tables;
Tables_in_mysql
columns_priv
@@ -128,6 +133,7 @@ connect(localhost,test,zorro,test,MASTER
ERROR 28000: Access denied for user 'test'@'localhost' (using password: YES)
delete from mysql.user where user=_binary"test";
flush privileges;
+SET GLOBAL secure_auth = DEFAULT;
create table t1 (id integer not null auto_increment primary key);
create temporary table t2(id integer not null auto_increment primary key);
set @id := 1;
@@ -236,3 +242,32 @@ SET GLOBAL event_scheduler = OFF;
# ------------------------------------------------------------------
# -- End of 5.1 tests
# ------------------------------------------------------------------
+#
+# Bug #13586336 : SRVGEN - HIBISCUS: ISSUE DEPRECATION WARNING FOR
+# LEGACY AUTHENTICATION METHOD
+#
+#Expect 1
+SELECT @@global.secure_auth;
+@@global.secure_auth
+1
+SET old_passwords=true;
+#Expect deprecation warning
+CREATE USER old_pwd@localhost IDENTIFIED BY 'aha';
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
+#Expect deprecation warning
+SET PASSWORD FOR old_pwd@localhost = OLD_PASSWORD('aha2');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
+#Expect deprecation warning
+GRANT SELECT on test.* TO old_gpwd@localhost
+IDENTIFIED BY 'aha3';
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
+#Expected normal flush, no warnings
+FLUSH PRIVILEGES;
+DROP USER old_pwd@localhost, old_gpwd@localhost;
+SET old_passwords=default;
+# ------------------------------------------------------------------
+# -- End of 5.6 tests
+# ------------------------------------------------------------------
=== modified file 'mysql-test/r/mysql_upgrade.result'
--- a/mysql-test/r/mysql_upgrade.result 2011-12-12 12:55:18 +0000
+++ b/mysql-test/r/mysql_upgrade.result 2012-01-30 15:43:32 +0000
@@ -312,5 +312,48 @@ mysql.time_zone_name
mysql.time_zone_transition OK
mysql.time_zone_transition_type OK
mysql.user OK
+#
+# Bug# 13586336: issue deprecation warning
+# for legacy authentication method
+#
+CREATE USER 'bug13586336'@'localhost';
+SET PASSWORD FOR 'bug13586336'@'localhost' = OLD_PASSWORD('a');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
+Run mysql_upgrade with all privileges on a user
+Warning: Using a password on the command line interface can be insecure.
+Warning: Using a password on the command line interface can be insecure.
+mtr.global_suppressions OK
+mtr.test_suppressions OK
+mysql.columns_priv OK
+mysql.db OK
+mysql.event OK
+mysql.func OK
+mysql.general_log OK
+mysql.help_category OK
+mysql.help_keyword OK
+mysql.help_relation OK
+mysql.help_topic OK
+mysql.host OK
+mysql.innodb_index_stats OK
+mysql.innodb_table_stats OK
+mysql.ndb_binlog_index OK
+mysql.plugin OK
+mysql.proc OK
+mysql.procs_priv OK
+mysql.proxies_priv OK
+mysql.servers OK
+mysql.slave_master_info OK
+mysql.slave_relay_log_info OK
+mysql.slave_worker_info OK
+mysql.slow_log OK
+mysql.tables_priv OK
+mysql.time_zone OK
+mysql.time_zone_leap_second OK
+mysql.time_zone_name OK
+mysql.time_zone_transition OK
+mysql.time_zone_transition_type OK
+mysql.user OK
+DROP USER 'bug13586336'@'localhost';
End of tests
=== modified file 'mysql-test/r/mysqld--help-notwin.result'
--- a/mysql-test/r/mysqld--help-notwin.result 2012-01-30 10:34:28 +0000
+++ b/mysql-test/r/mysqld--help-notwin.result 2012-01-30 15:43:32 +0000
@@ -712,6 +712,7 @@ The following options may be given as th
write privileges to the mysql.user table.
--secure-auth Disallow authentication for accounts that have old
(pre-4.1) passwords
+ (Defaults to on; use --skip-secure-auth to disable.)
--secure-file-priv=name
Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to
files within specified directory
@@ -1083,7 +1084,7 @@ report-password (No default value)
report-port 3306
report-user (No default value)
safe-user-create FALSE
-secure-auth FALSE
+secure-auth TRUE
secure-file-priv (No default value)
server-id 0
show-slave-auth-info FALSE
=== modified file 'mysql-test/r/mysqld--help-win.result'
--- a/mysql-test/r/mysqld--help-win.result 2012-01-30 10:34:28 +0000
+++ b/mysql-test/r/mysqld--help-win.result 2012-01-30 15:43:32 +0000
@@ -712,6 +712,7 @@ The following options may be given as th
write privileges to the mysql.user table.
--secure-auth Disallow authentication for accounts that have old
(pre-4.1) passwords
+ (Defaults to on; use --skip-secure-auth to disable.)
--secure-file-priv=name
Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to
files within specified directory
@@ -1091,7 +1092,7 @@ report-password (No default value)
report-port 3306
report-user (No default value)
safe-user-create FALSE
-secure-auth FALSE
+secure-auth TRUE
secure-file-priv (No default value)
server-id 0
shared-memory FALSE
=== modified file 'mysql-test/suite/sys_vars/r/old_passwords_func.result'
--- a/mysql-test/suite/sys_vars/r/old_passwords_func.result 2008-12-19 15:12:15 +0000
+++ b/mysql-test/suite/sys_vars/r/old_passwords_func.result 2012-01-30 15:43:32 +0000
@@ -8,7 +8,11 @@ CREATE USER 'userNewPass2'@'localhost' I
SET GLOBAL old_passwords = TRUE;
SET SESSION old_passwords = TRUE;
CREATE USER 'userOldPass'@'localhost' IDENTIFIED BY 'pass3';
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
SET GLOBAL secure_auth = FALSE;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
** Connecting con1 using username 'userNewPass1' **
SELECT CURRENT_USER();
CURRENT_USER()
=== modified file 'mysql-test/suite/sys_vars/r/secure_auth_basic.result'
--- a/mysql-test/suite/sys_vars/r/secure_auth_basic.result 2009-10-09 13:34:07 +0000
+++ b/mysql-test/suite/sys_vars/r/secure_auth_basic.result 2012-01-30 15:43:32 +0000
@@ -1,19 +1,21 @@
SET @global_start_value = @@global.secure_auth;
SELECT @global_start_value;
@global_start_value
-0
+1
'#--------------------FN_DYNVARS_143_01------------------------#'
-SET @@global.secure_auth = 1;
+SET @@global.secure_auth = 0;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
SET @@global.secure_auth = DEFAULT;
SELECT @@global.secure_auth;
@@global.secure_auth
-0
+1
'#---------------------FN_DYNVARS_143_02-------------------------#'
SET secure_auth = 1;
ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
SELECT @@secure_auth;
@@secure_auth
-0
+1
SELECT global.secure_auth;
ERROR 42S02: Unknown table 'global' in field list
SET global secure_auth = 1;
@@ -22,6 +24,8 @@ SELECT @@global.secure_auth;
1
'#--------------------FN_DYNVARS_143_03------------------------#'
SET @@global.secure_auth = 0;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
SELECT @@global.secure_auth;
@@global.secure_auth
0
@@ -83,6 +87,8 @@ VARIABLE_VALUE
ON
'#---------------------FN_DYNVARS_143_08-------------------------#'
SET @@global.secure_auth = OFF;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
SELECT @@global.secure_auth;
@@global.secure_auth
0
@@ -96,10 +102,12 @@ SELECT @@global.secure_auth;
@@global.secure_auth
1
SET @@global.secure_auth = FALSE;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
SELECT @@global.secure_auth;
@@global.secure_auth
0
SET @@global.secure_auth = @global_start_value;
SELECT @@global.secure_auth;
@@global.secure_auth
-0
+1
=== modified file 'mysql-test/suite/sys_vars/r/secure_auth_func.result'
--- a/mysql-test/suite/sys_vars/r/secure_auth_func.result 2008-12-19 15:12:15 +0000
+++ b/mysql-test/suite/sys_vars/r/secure_auth_func.result 2012-01-30 15:43:32 +0000
@@ -8,10 +8,14 @@ SELECT @@GLOBAL.secure_auth;
1 / ON Expected
'#--------------------FN_DYNVARS_144_02-------------------------#'
SET GLOBAL secure_auth = OFF;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
CREATE USER 'testUser'@'localhost' IDENTIFIED BY 'newpass';
** Connecting con_user1 using testUser **
** Connection default**
SET PASSWORD FOR 'testUser'@'localhost' = OLD_PASSWORD('newpass');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
** Connecting con_user2 using testUser **
** Connection default**
'#--------------------FN_DYNVARS_144_03-------------------------#'
@@ -20,6 +24,8 @@ SET PASSWORD FOR 'testUser'@'localhost'
** Connecting con_user3 using testUser **
** Connection default **
SET PASSWORD FOR 'testUser'@'localhost' = OLD_PASSWORD('newpass');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
** Connecting con_user4 using testUser **
ERROR HY000: Server is running in --secure-auth mode, but 'testUser'@'localhost' has a password in the old format; please change the password to the new format
Expected error "Server is in secure auth mode"
=== modified file 'mysql-test/suite/sys_vars/t/secure_auth_basic.test'
--- a/mysql-test/suite/sys_vars/t/secure_auth_basic.test 2009-10-09 13:34:07 +0000
+++ b/mysql-test/suite/sys_vars/t/secure_auth_basic.test 2012-01-30 15:43:32 +0000
@@ -42,7 +42,7 @@ SELECT @global_start_value;
# Display the DEFAULT value of secure_auth #
########################################################################
-SET @@global.secure_auth = 1;
+SET @@global.secure_auth = 0;
SET @@global.secure_auth = DEFAULT;
SELECT @@global.secure_auth;
=== modified file 'mysql-test/t/change_user.test'
--- a/mysql-test/t/change_user.test 2010-11-25 03:50:16 +0000
+++ b/mysql-test/t/change_user.test 2012-01-30 15:43:32 +0000
@@ -2,6 +2,7 @@
# functional change user tests
#
+SET GLOBAL secure_auth = OFF;
grant select on test.* to test_nopw;
grant select on test.* to test_oldpw identified by password "09301740536db389";
grant select on test.* to test_newpw identified by "newpw";
@@ -122,3 +123,5 @@ if ($after != $before){
die The value of com_select changed during change_user;
}
echo Value of com_select did not change;
+
+SET GLOBAL secure_auth = DEFAULT;
=== modified file 'mysql-test/t/connect.test'
--- a/mysql-test/t/connect.test 2010-11-25 03:50:16 +0000
+++ b/mysql-test/t/connect.test 2012-01-30 15:43:32 +0000
@@ -65,6 +65,7 @@ connect (fail_con,localhost,test,zorro,t
connect (fail_con,localhost,test,zorro,);
# check if old password version also works
+SET GLOBAL secure_auth = OFF;
update mysql.user set password=old_password("gambling2") where user=_binary"test";
flush privileges;
@@ -102,6 +103,7 @@ connect (fail_con,localhost,test,zorro,)
# do not depend on this test.
delete from mysql.user where user=_binary"test";
flush privileges;
+SET GLOBAL secure_auth = DEFAULT;
#
# Bug#12517 Clear user variables and replication events before
@@ -297,6 +299,37 @@ SET GLOBAL event_scheduler = OFF;
--echo # -- End of 5.1 tests
--echo # ------------------------------------------------------------------
+--echo #
+--echo # Bug #13586336 : SRVGEN - HIBISCUS: ISSUE DEPRECATION WARNING FOR
+--echo # LEGACY AUTHENTICATION METHOD
+--echo #
+
+--echo #Expect 1
+SELECT @@global.secure_auth;
+
+SET old_passwords=true;
+
+--echo #Expect deprecation warning
+CREATE USER old_pwd@localhost IDENTIFIED BY 'aha';
+
+--echo #Expect deprecation warning
+SET PASSWORD FOR old_pwd@localhost = OLD_PASSWORD('aha2');
+
+--echo #Expect deprecation warning
+GRANT SELECT on test.* TO old_gpwd@localhost
+ IDENTIFIED BY 'aha3';
+
+--echo #Expected normal flush, no warnings
+FLUSH PRIVILEGES;
+
+DROP USER old_pwd@localhost, old_gpwd@localhost;
+SET old_passwords=default;
+
+--echo # ------------------------------------------------------------------
+--echo # -- End of 5.6 tests
+--echo # ------------------------------------------------------------------
+
+
# Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc
=== modified file 'mysql-test/t/mysql_upgrade.test'
--- a/mysql-test/t/mysql_upgrade.test 2011-12-12 12:55:18 +0000
+++ b/mysql-test/t/mysql_upgrade.test 2012-01-30 15:43:32 +0000
@@ -128,5 +128,16 @@ let $MYSQLD_DATADIR= `select @@datadir`;
# so the following command should never fail.
--remove_file $MYSQLD_DATADIR/mysql_upgrade_info
+--echo #
+--echo # Bug# 13586336: issue deprecation warning
+--echo # for legacy authentication method
+--echo #
+
+CREATE USER 'bug13586336'@'localhost';
+SET PASSWORD FOR 'bug13586336'@'localhost' = OLD_PASSWORD('a');
+--echo Run mysql_upgrade with all privileges on a user
+--exec $MYSQL_UPGRADE --skip-verbose --force 2>&1
+DROP USER 'bug13586336'@'localhost';
+
--echo
--echo End of tests
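Review bot: The output recorded for this block in mysql-test/r/mysql_upgrade.result holds only the two command-line password warnings and the per-table OK lines, with no pre-4.1 deprecation message. As written, the test therefore does not show that the new check in scripts/mysql_system_tables_fix.sql fires for `'bug13586336'@'localhost'`. Possibly `--skip-verbose`, or the way warnings from the fix script are surfaced, hides it. Either make the expected warning text appear in the result, or add a comment above the `--exec` line recording why it is absent.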
=== modified file 'scripts/mysql_system_tables_fix.sql'
--- a/scripts/mysql_system_tables_fix.sql 2011-08-19 13:24:24 +0000
+++ b/scripts/mysql_system_tables_fix.sql 2012-01-30 15:43:32 +0000
@@ -663,3 +663,20 @@ flush privileges;
ALTER TABLE slave_master_info ADD Ssl_crl TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Revocation List (CRL)';
ALTER TABLE slave_master_info ADD Ssl_crlpath TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path used for Certificate Revocation List (CRL) files';
+
+--
+-- Check for accounts with old pre-4.1 passwords and issue a warning
+--
+
+-- SCRAMBLED_PASSWORD_CHAR_LENGTH_323 = 16
+SET @deprecated_pwds=(SELECT COUNT(*) FROM mysql.user WHERE LENGTH(password) = 16 AND plugin='');
+
+-- signal the deprecation error
+DROP PROCEDURE IF EXISTS mysql.warn_pre41_pwd;
+CREATE PROCEDURE mysql.warn_pre41_pwd() SIGNAL SQLSTATE '01000' SET MESSAGE_TEXT='Pre-4.1 password hash is deprecated and will be removed in a future release. Please upgrade the user definitions using it to a new format.';
+SET @cmd='call mysql.warn_pre41_pwd()';
+SET @str=IF(@deprecated_pwds > 0, @cmd, 'SET @dummy=0');
+PREPARE stmt FROM @str;
+EXECUTE stmt;
+DROP PREPARE stmt;
+DROP PROCEDURE mysql.warn_pre41_pwd;
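Review bot: The count in `SET @deprecated_pwds=(...)` only matches rows where `plugin=''`, so an account with a 16-character hash whose plugin is `mysql_old_password` (or NULL, if the upgraded schema allows it) would not trigger the upgrade warning. The commit message describes warning whenever an old hash digest is found in the password field; a predicate such as `WHERE LENGTH(password) = 16 AND (plugin = '' OR plugin IS NULL OR plugin = 'mysql_old_password')` would match that. The warning also names no accounts, so a comment telling the operator how to list them would help, e.g. `-- list affected accounts: SELECT user, host FROM mysql.user WHERE LENGTH(password) = 16;`.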
=== modified file 'sql/sql_acl.cc'
--- a/sql/sql_acl.cc 2011-12-12 12:55:18 +0000
+++ b/sql/sql_acl.cc 2012-01-30 15:43:32 +0000
@@ -188,6 +188,9 @@ static plugin_ref old_password_plugin;
#endif
static plugin_ref native_password_plugin;
+#define WARN_DEPRECATED_41_PWD_HASH(thd) \
+ WARN_DEPRECATED(thd, "pre-4.1 password hash", "post-4.1 password hash")
+
/* Classes */
struct acl_host_and_ip
@@ -2161,6 +2164,10 @@ static bool update_user_table(THD *thd,
}
store_record(table,record[1]);
table->field[2]->store(new_password, new_password_len, system_charset_info);
+
+ if (new_password_len == SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
+ WARN_DEPRECATED_41_PWD_HASH(thd);
+
if ((error=table->file->ha_update_row(table->record[1],table->record[0])) &&
error != HA_ERR_RECORD_IS_THE_SAME)
{
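Review bot: The added `if (new_password_len == SCRAMBLED_PASSWORD_CHAR_LENGTH_323)` has an unbraced body that is a macro call, which is only safe if WARN_DEPRECATED expands to a single statement; its definition is not visible here. Writing it as `{ WARN_DEPRECATED_41_PWD_HASH(thd); }` would match the braced form in on_check_opt_secure_auth in sql/sys_vars.cc, and the same applies to the added check in replace_user_table. The warning is also pushed before `ha_update_row` runs, so a failed update would still report the deprecated hash alongside the error; placing the check after a successful update would avoid that. update_user_table starts and ends outside this hunk.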
@@ -2231,6 +2238,8 @@ static int replace_user_table(THD *thd,
my_error(ER_PASSWD_LENGTH, MYF(0), SCRAMBLED_PASSWORD_CHAR_LENGTH);
DBUG_RETURN(-1);
}
+ if (combo.password.length == SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
+ WARN_DEPRECATED_41_PWD_HASH(thd);
password_len= combo.password.length;
password=combo.password.str;
}
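Review bot: The new check in replace_user_table keys only on `combo.password.length`, so an account assigned to the mysql_old_password plugin without a 16-character hash in the same statement would, as far as this hunk shows, get no warning. The commit message lists accounts "configured to use the mysql_old_password plugin" as a case to warn on, yet no visible hunk compares a plugin name. If plugin assignment is handled elsewhere in this function, a matching `WARN_DEPRECATED_41_PWD_HASH(thd);` on that path, plus a test that names the plugin explicitly, would close the gap. The function body extends beyond the hunk.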
=== modified file 'sql/sys_vars.cc'
--- a/sql/sys_vars.cc 2012-01-30 10:34:28 +0000
+++ b/sql/sys_vars.cc 2012-01-30 15:43:32 +0000
@@ -2334,12 +2334,25 @@ static Sys_var_mybool Sys_query_cache_wl
DEFAULT(FALSE));
#endif /* HAVE_QUERY_CACHE */
+static bool
+on_check_opt_secure_auth(sys_var *self, THD *thd, set_var *var)
+{
+ if (!var->save_result.ulonglong_value)
+ {
+ WARN_DEPRECATED(thd, "pre-4.1 password hash", "post-4.1 password hash");
+ }
+ return false;
+}
+
static Sys_var_mybool Sys_secure_auth(
"secure_auth",
"Disallow authentication for accounts that have old (pre-4.1) "
"passwords",
GLOBAL_VAR(opt_secure_auth), CMD_LINE(OPT_ARG),
- DEFAULT(FALSE));
+ DEFAULT(TRUE),
+ NO_MUTEX_GUARD, NOT_IN_BINLOG,
+ ON_CHECK(on_check_opt_secure_auth)
+ );
static Sys_var_charptr Sys_secure_file_priv(
"secure_file_priv",
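Review bot: on_check_opt_secure_auth is attached only through `ON_CHECK(...)`, which presumably runs when the variable is SET at runtime, so nothing here warns when the server is started with `--skip-secure-auth` or an option-file override, the persistent way to weaken the setting. The recorded results show the warning only after `SET GLOBAL secure_auth = ...`, so a startup-time message in the error log would need separate code and a test. The function also repeats the literal strings that sql/sql_acl.cc wraps in WARN_DEPRECATED_41_PWD_HASH; a shared header for that macro would keep the two messages from drifting apart. A comment above the function such as `/* Warn when secure_auth is switched off: accounts with pre-4.1 password hashes may then authenticate. Never rejects the value. */` would explain why a check callback that always returns false exists.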
No bundle (reason: useless for push emails).