ALTER USER REQUIRE SSL or X509 clears out user's authentication_string (password) #25225

Closed
zhangguiyu opened this issue Jun 7, 2021 · 2 comments · Fixed by #25268
Labels: severity/moderate, sig/sql-infra (SIG: SQL Infra), type/bug (The issue is confirmed as a bug.)

Comments


zhangguiyu commented Jun 7, 2021

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

mysql> select user,host,authentication_string from mysql.user;
+-------------+-----------+-------------------------------------------+
| user        | host      | authentication_string                     |
+-------------+-----------+-------------------------------------------+
| root        | localhost |                                           |
| backup      | %         | *9CDD29A76B21FC5186F5D9F0316EB3D7EADC695E |
| remote_root | %         | *2DBC7422585CBFB7E0404FF9E0228C33E22BD92A |
+-------------+-----------+-------------------------------------------+
3 rows in set (0.23 sec)

mysql> alter user backup require SSL;
Query OK, 0 rows affected (1.49 sec)

mysql> select user,host,authentication_string from mysql.user;
+-------------+-----------+-------------------------------------------+
| user        | host      | authentication_string                     |
+-------------+-----------+-------------------------------------------+
| root        | localhost |                                           |
| backup      | %         |                                           |
| remote_root | %         | *2DBC7422585CBFB7E0404FF9E0228C33E22BD92A |
+-------------+-----------+-------------------------------------------+
3 rows in set (0.31 sec)

2. What did you expect to see? (Required)

User requires SSL or X509 to log in

3. What did you see instead (Required)

Yes, SSL or X509 is enabled, but the user password is also set to blank or some value; basically the user can no longer log in. The password must then be reset.

4. What is your TiDB version? (Required)

Server version: 5.7.25-TiDB-v5.0.0-rc TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible

zhangguiyu added the type/bug (The issue is confirmed as a bug.) label Jun 7, 2021
Contributor

morgo commented Jun 8, 2021

Verified against master:

CREATE USER u1 IDENTIFIED BY 'acdc';
ALTER USER u1 REQUIRE SSL;
select user,host,authentication_string from mysql.user;

..

mysql> CREATE USER u1 IDENTIFIED BY 'acdc';
Query OK, 0 rows affected (0.04 sec)

mysql> select user,host,authentication_string from mysql.user;
+-------------+------+-------------------------------------------+
| user        | host | authentication_string                     |
+-------------+------+-------------------------------------------+
| root        | %    |                                           |
| backupadmin | %    |                                           |
| u1          | %    | *B50FBDB37F1256824274912F2A1CE648082C3F1F |
+-------------+------+-------------------------------------------+
3 rows in set (0.01 sec)

mysql> ALTER USER u1 REQUIRE SSL;
Query OK, 0 rows affected (0.04 sec)

mysql> select user,host,authentication_string from mysql.user;
+-------------+------+-----------------------+
| user        | host | authentication_string |
+-------------+------+-----------------------+
| root        | %    |                       |
| backupadmin | %    |                       |
| u1          | %    |                       |
+-------------+------+-----------------------+
3 rows in set (0.00 sec)

mysql> SELECT tidb_version()\G
*************************** 1. row ***************************
tidb_version(): Release Version: v5.2.0-alpha-8-gd2c477529
Edition: Community
Git Commit Hash: d2c47752958087c7b7fe229bda4a56af90f5216d
Git Branch: fix-restore-permissions
UTC Build Time: 2021-06-07 20:24:47
GoVersion: go1.16.4
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
1 row in set (0.00 sec)
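
A regression check for the behaviour reproduced above, as an added example that is not part of the original thread or the TiDB code base: it parses two `mysql` client result tables for `select user,host,authentication_string from mysql.user` and reports accounts whose stored hash changed or was cleared between them. The function names are hypothetical; the sample tables are copied from the verification session above.

```python
# Added example (not TiDB project code): flag accounts whose stored hash changed.
HEADER = ["user", "host", "authentication_string"]

def parse_user_table(text):
    """Parse mysql-client table output into {(user, host): auth_string}."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # borders, prompts, "N rows in set"
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3 or cells == HEADER:
            continue
        rows[(cells[0], cells[1])] = cells[2]
    return rows

def diff_auth(before, after):
    """List (user, host, kind) for accounts whose stored hash differs."""
    findings = []
    for (user, host), old in sorted(before.items()):
        new = after.get((user, host))
        if new is None or new == old:
            continue  # dropped or unchanged accounts are not reported
        findings.append((user, host, "cleared" if new == "" else "changed"))
    return findings

# Sample tables copied from the verification session in this thread.
BEFORE = """
+-------------+------+-------------------------------------------+
| user        | host | authentication_string                     |
+-------------+------+-------------------------------------------+
| root        | %    |                                           |
| backupadmin | %    |                                           |
| u1          | %    | *B50FBDB37F1256824274912F2A1CE648082C3F1F |
+-------------+------+-------------------------------------------+
"""
AFTER = """
+-------------+------+-----------------------+
| user        | host | authentication_string |
+-------------+------+-----------------------+
| root        | %    |                       |
| backupadmin | %    |                       |
| u1          | %    |                       |
+-------------+------+-----------------------+
"""
if __name__ == "__main__":
    for finding in diff_auth(parse_user_table(BEFORE), parse_user_table(AFTER)):
        print(finding)
```

Capturing the table before and after any `ALTER USER ... REQUIRE` statement and running the diff shows whether a statement that should only touch TLS requirements also rewrote a credential.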

@ti-srebot
Contributor

Please edit this comment or add a new comment to complete the following information

Not a bug

  1. Remove the 'type/bug' label
  2. Add notes to indicate why it is not a bug

Duplicate bug

  1. Add the 'type/duplicate' label
  2. Add the link to the original bug

Bug

Note: Make sure that the 'component' and 'severity' labels are added
Example for how to fill out the template: #20100

1. Root Cause Analysis (RCA) (optional)

2. Symptom (optional)

3. All Trigger Conditions (optional)

4. Workaround (optional)

5. Affected versions

6. Fixed versions
