-rw-r--r-- | cmake/build_configurations/mysql_release.cmake | 3 | ||||
-rw-r--r-- | mysql-test/main/failed_auth_unixsocket.result | 2 | ||||
-rw-r--r-- | mysql-test/main/failed_auth_unixsocket.test | 2 | ||||
-rw-r--r-- | mysql-test/main/mysql_upgrade-6984.result | 2 | ||||
-rw-r--r-- | mysql-test/main/mysql_upgrade-6984.test | 2 | ||||
-rw-r--r-- | mysql-test/suite/roles/i_s_applicable_roles_is_default.result | 2 | ||||
-rw-r--r-- | mysql-test/suite/roles/i_s_applicable_roles_is_default.test | 2 | ||||
-rw-r--r-- | scripts/mysql_install_db.sh | 27 | ||||
-rw-r--r-- | scripts/mysql_system_tables_data.sql | 7 |
9 files changed, 30 insertions, 19 deletions
diff --git a/cmake/build_configurations/mysql_release.cmake b/cmake/build_configurations/mysql_release.cmake index 105855a0bd1..4b399a131f5 100644 --- a/cmake/build_configurations/mysql_release.cmake +++ b/cmake/build_configurations/mysql_release.cmake @@ -98,17 +98,20 @@ ELSEIF(RPM) SET(CHECKMODULE /usr/bin/checkmodule CACHE STRING "") SET(SEMODULE_PACKAGE /usr/bin/semodule_package CACHE STRING "") SET(WITH_LIBARCHIVE ON CACHE STRING "") + SET(PLUGIN_AUTH_SOCKET YES) ELSEIF(DEB) SET(WITH_SSL system CACHE STRING "") SET(WITH_ZLIB system CACHE STRING "") SET(WITH_LIBWRAP ON) SET(HAVE_EMBEDDED_PRIVILEGE_CONTROL ON) SET(WITH_LIBARCHIVE ON CACHE STRING "") + SET(PLUGIN_AUTH_SOCKET YES) ELSE() SET(WITH_SSL bundled CACHE STRING "") SET(WITH_ZLIB bundled CACHE STRING "") SET(WITH_JEMALLOC static CACHE STRING "") SET(WITH_LIBARCHIVE STATIC CACHE STRING "") + SET(PLUGIN_AUTH_SOCKET STATIC) ENDIF() IF(NOT COMPILATION_COMMENT) diff --git a/mysql-test/main/failed_auth_unixsocket.result b/mysql-test/main/failed_auth_unixsocket.result index 690476cd753..eb02479431b 100644 --- a/mysql-test/main/failed_auth_unixsocket.result +++ b/mysql-test/main/failed_auth_unixsocket.result @@ -8,6 +8,6 @@ flush privileges; connect(localhost,USER,,test,MASTER_PORT,MASTER_SOCKET); ERROR 28000: Access denied for user 'USER'@'localhost' ERROR 28000: Access denied for user 'USER'@'localhost' -update mysql.global_priv set priv=json_remove(priv, '$.plugin'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin')); flush privileges; uninstall plugin unix_socket; diff --git a/mysql-test/main/failed_auth_unixsocket.test b/mysql-test/main/failed_auth_unixsocket.test index a7ae7d64a6b..01fb09e1c46 100644 --- a/mysql-test/main/failed_auth_unixsocket.test +++ b/mysql-test/main/failed_auth_unixsocket.test 
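Review bot: The three new `SET(PLUGIN_AUTH_SOCKET ...)` lines in the RPM, DEB and default branches of mysql_release.cmake set a plain variable, while most neighbouring settings in the same block are written as `... CACHE STRING ""`. Whether a packager's `-DPLUGIN_AUTH_SOCKET=...` still takes effect depends on how the plugin option is declared, which is not visible in this hunk; if it should stay overridable, `SET(PLUGIN_AUTH_SOCKET YES CACHE STRING "")` would match the neighbours. A one-line comment saying that release builds need unix_socket because mysql_install_db now defaults root to socket authentication would explain why the plugin is forced on here. The IF/ELSEIF chain starts above the hunk.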
@@ -36,7 +36,7 @@ connect (fail,localhost,$USER); --error ER_ACCESS_DENIED_NO_PASSWORD_ERROR change_user $USER; -update mysql.global_priv set priv=json_remove(priv, '$.plugin'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin')); flush privileges; uninstall plugin unix_socket; diff --git a/mysql-test/main/mysql_upgrade-6984.result b/mysql-test/main/mysql_upgrade-6984.result index 87f3c1a5359..ad48004a2a3 100644 --- a/mysql-test/main/mysql_upgrade-6984.result +++ b/mysql-test/main/mysql_upgrade-6984.result @@ -63,6 +63,6 @@ test Phase 7/7: Running 'FLUSH PRIVILEGES' OK connect con1,localhost,root,foo,,,; -update mysql.global_priv set priv=json_remove(priv, '$.plugin', '$.authentication_string'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin', '$.authentication_string')); flush privileges; set global event_scheduler=OFF; diff --git a/mysql-test/main/mysql_upgrade-6984.test b/mysql-test/main/mysql_upgrade-6984.test index a036b7a08a0..ad2b95314b0 100644 --- a/mysql-test/main/mysql_upgrade-6984.test +++ b/mysql-test/main/mysql_upgrade-6984.test @@ -17,7 +17,7 @@ update mysql.global_priv set priv=json_set(priv, '$.plugin', 'mysql_native_passw connect(con1,localhost,root,foo,,,); -update mysql.global_priv set priv=json_remove(priv, '$.plugin', '$.authentication_string'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin', '$.authentication_string')); flush privileges; # Load event table set global event_scheduler=OFF; diff --git a/mysql-test/suite/roles/i_s_applicable_roles_is_default.result b/mysql-test/suite/roles/i_s_applicable_roles_is_default.result index 32498d11390..ee7d17f3a1f 100644 --- a/mysql-test/suite/roles/i_s_applicable_roles_is_default.result +++ b/mysql-test/suite/roles/i_s_applicable_roles_is_default.result 
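Review bot: The cleanup statement `update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin'));` in failed_auth_unixsocket.test gives no reason for the new json_compact() wrapper, and the same is true of the matching hunks in mysql_upgrade-6984.test and roles/i_s_applicable_roles_is_default.test. It looks tied to scripts/mysql_system_tables_data.sql now writing the privilege JSON as a compact literal, so that the restored rows match the bootstrap form; if that is the reason, a line such as `# json_compact(): keep priv in the compact form the bootstrap script writes` above each update would save the next reader the search. The update has no WHERE clause and therefore rewrites every account row, which is worth a word in the same comment if it is intended.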
@@ -78,4 +78,4 @@ drop role role3; drop role role2; drop role role1; drop user foo; -update mysql.global_priv set priv=json_remove(priv, '$.default_role'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.default_role')); diff --git a/mysql-test/suite/roles/i_s_applicable_roles_is_default.test b/mysql-test/suite/roles/i_s_applicable_roles_is_default.test index b6f6f9ba879..0e6436924a9 100644 --- a/mysql-test/suite/roles/i_s_applicable_roles_is_default.test +++ b/mysql-test/suite/roles/i_s_applicable_roles_is_default.test @@ -59,4 +59,4 @@ drop role role3; drop role role2; drop role role1; drop user foo; -update mysql.global_priv set priv=json_remove(priv, '$.default_role'); +update mysql.global_priv set priv=json_compact(json_remove(priv, '$.default_role')); diff --git a/scripts/mysql_install_db.sh b/scripts/mysql_install_db.sh index 8cb55e519e7..54b5bed4546 100644 --- a/scripts/mysql_install_db.sh +++ b/scripts/mysql_install_db.sh @@ -37,8 +37,8 @@ force=0 in_rpm=0 ip_only=0 cross_bootstrap=0 -auth_root_authentication_method=normal -auth_root_socket_user='root' +auth_root_authentication_method=socket +auth_root_socket_user="" skip_test_db=0 usage() 
@@ -46,17 +46,17 @@ usage() cat <<EOF Usage: $0 [OPTIONS] --auth-root-authentication-method=normal|socket - Chooses the authentication method for the created initial - root user. The default is 'normal' to creates a root user - that can login without password, which can be insecure. - The alternative 'socket' allows only the system root user - to login as MariaDB root; this requires the unix socket - authentication plugin. + Chooses the authentication method for the created + initial root user. The historical behavior is 'normal' + to creates a root user that can login without password, + which can be insecure. The default behavior 'socket' + sets an invalid root password but allows the system root + user to login as MariaDB root without a password. --auth-root-socket-user=user Used with --auth-root-authentication-method=socket. It - specifies the name of the MariaDB root account, as well - as of the system account allowed to access it. Defaults - to 'root'. + specifies the name of the second MariaDB root account, + as well as of the system account allowed to access it. + Defaults to the value of --user. --basedir=path The path to the MariaDB installation directory. --builddir=path If using --srcdir with out-of-directory builds, you will need to set this to the location of the build @@ -505,6 +505,11 @@ cat_sql() { echo "use mysql;" + # Use $auth_root_socket_user if explicitly specified. + # Otherwise use the owner of datadir - ${user:-$USER} + # Use 'root' as a fallback + auth_root_socket_user=${auth_root_socket_user:-${user:-${USER:-root}}} + case "$auth_root_authentication_method" in normal) echo "SET @auth_root_socket=NULL;" diff --git a/scripts/mysql_system_tables_data.sql b/scripts/mysql_system_tables_data.sql index bf473db7527..9d0088aa333 100644 --- a/scripts/mysql_system_tables_data.sql +++ b/scripts/mysql_system_tables_data.sql 
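Review bot: The help text for --auth-root-socket-user now ends with `Defaults to the value of --user.`, but the assignment this commit adds in cat_sql() is `${auth_root_socket_user:-${user:-${USER:-root}}}`, so without --user the name comes from the USER environment variable and only then from 'root'. The usage text should give the whole chain, e.g. `Defaults to the value of --user, else the USER environment variable, else 'root'.` (spelled out in words because the here-document is unquoted and would expand a literal dollar sign). The reworded paragraph above it keeps the typo `to creates`, and it describes 'socket' only in terms of the system root user although a second account is created for another system user. usage() continues past the end of the hunk.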
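Review bot: `auth_root_socket_user` can now be taken from `$user` or the `USER` environment variable rather than only from an explicit option or the constant 'root', and cat_sql() builds its SQL with echo. The `socket)` branch lies outside this hunk, so the quoting is not visible, but if the name is placed inside a quoted SQL literal, a quote or backslash in it would alter the bootstrap statements that create a fully privileged account. Validating the name once after option parsing, before cat_sql() runs, would close that, e.g. `case "$auth_root_socket_user" in *[!A-Za-z0-9._-]*) echo "invalid --auth-root-socket-user" >&2; exit 1;; esac`. The added comment also calls `${user:-$USER}` the owner of datadir, which holds only when the script is run by or for that account, so the wording should be softened or the owner looked up.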
@@ -25,7 +25,9 @@ -- add escape character in front of wildcard character to convert "_" or "%" to -- a plain character SELECT LOWER( REPLACE((SELECT REPLACE(@@hostname,'_','\_')),'%','\%') )INTO @current_hostname; -SELECT json_object('access',cast(-1 as unsigned)) INTO @all_privileges; +SELECT '{"access":18446744073709551615}' INTO @all_privileges; +SELECT '{"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]}' into @all_with_auth; + -- Fill "global_priv" table with default users allowing root access -- from local machine if "global_priv" table didn't exist before @@ -37,7 +39,8 @@ REPLACE INTO tmp_user_nopasswd SELECT @current_hostname,'root',@all_privileges F REPLACE INTO tmp_user_nopasswd VALUES ('127.0.0.1','root',@all_privileges); REPLACE INTO tmp_user_nopasswd VALUES ('::1','root',@all_privileges); -- More secure root account using unix socket auth. -INSERT INTO tmp_user_socket VALUES ('localhost',IFNULL(@auth_root_socket, 'root'),json_set(@all_privileges, '$.plugin', 'unix_socket')); +INSERT INTO tmp_user_socket VALUES ('localhost', 'root',@all_with_auth); +REPLACE INTO tmp_user_socket VALUES ('localhost',IFNULL(@auth_root_socket, 'root'),@all_with_auth); IF @auth_root_socket is not null THEN IF not exists(select 1 from information_schema.plugins where plugin_name='unix_socket') THEN INSTALL SONAME 'auth_socket'; END IF; END IF; |
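Review bot: The literal `18446744073709551615` now appears twice in mysql_system_tables_data.sql where the removed line computed it with `cast(-1 as unsigned)`, and nothing says it is the all-bits-set 64-bit value; a comment such as `-- 18446744073709551615 = 2^64-1, every privilege bit set` would keep the two copies from drifting apart unnoticed. `@all_with_auth` needs a second comment. `"authentication_string":"invalid"` reads like a deliberate non-hash so that password login can never succeed, and the empty `{}` in `auth_or` presumably stands for that top-level plugin entry. Both are my reading of the literal, so please confirm and write them down next to it.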
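Review bot: The new `INSERT INTO tmp_user_socket VALUES ('localhost', 'root',@all_with_auth);` followed by `REPLACE INTO tmp_user_socket VALUES ('localhost',IFNULL(@auth_root_socket, 'root'),@all_with_auth);` yields two socket-authenticated accounts with the full access mask whenever @auth_root_socket names someone other than root, yet the only comment still reads "More secure root account". mysql_install_db.sh in this same commit fills that variable from --user or the USER environment variable by default, so an ordinary operating-system account ends up with the same rights as root@localhost. A comment such as `-- second superuser: OS account named by @auth_root_socket (datadir owner by default); same row as root when unset` should state that. Both statements also depend on the column order of tmp_user_socket, which is defined outside the hunk.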