executor: Fix losing the auth string on changing SSL/TLS requirements #25268

Merged 2 commits into pingcap:master, Jun 10, 2021

Conversation

dveeden
Contributor

@dveeden dveeden commented Jun 8, 2021

What problem does this PR solve?

Issue Number: close #25225

Problem Summary: An ALTER USER ... REQUIRE SSL would cause the authentication string of the user to get overwritten with an empty string

What is changed and how it works?

How it Works:

  • Don't change the authentication_string unless we have an AuthOpt
  • Check for SUPER when changing other accounts' auth options.

Check List

Tests

  • Unit test (more might be useful, but there is one already)

Release note

  • Important security issue for handling ALTER USER statements
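The following Go sketch is an added illustration of the two rules above and is not TiDB's code: it contrasts an unconditional write of authentication_string (the behaviour the PR fixes) with a form that only writes it when an auth option is present and that checks SUPER before altering another account. UserRow, AlterUserSpec, applyBuggy and applyFixed are hypothetical names, and the row is a constructed stand-in for the mysql.user columns involved.

```go
package main
import "fmt"

// UserRow is a constructed stand-in for the relevant columns of mysql.user.
type UserRow struct {
	User, Host           string
	AuthenticationString string // stored credential (the real server stores a hash)
	SSLType              string // "" or "ANY"; REQUIRE SSL sets the latter
}

// AlterUserSpec is a hypothetical parsed ALTER USER; Auth is the PR's AuthOpt, nil when IDENTIFIED BY is absent.
type AlterUserSpec struct {
	User, Host string
	Auth       *string
	RequireSSL bool
}

// applyBuggy reproduces the defect: authentication_string is written unconditionally, so REQUIRE SSL alone clears it.
func applyBuggy(row UserRow, s AlterUserSpec) UserRow {
	row.AuthenticationString = "" // overwritten even when no IDENTIFIED BY was given
	if s.Auth != nil {
		row.AuthenticationString = *s.Auth
	}
	if s.RequireSSL {
		row.SSLType = "ANY"
	}
	return row
}

// applyFixed follows the PR's two rules: touch authentication_string only when an auth option is
// present, and require SUPER (super) to alter any account but the session's own (sessUser@sessHost).
func applyFixed(sessUser, sessHost string, super bool, row UserRow, s AlterUserSpec) (UserRow, error) {
	if (sessUser != s.User || sessHost != s.Host) && !super {
		return row, fmt.Errorf("SUPER privilege required to alter '%s'@'%s'", s.User, s.Host)
	}
	if s.Auth != nil {
		row.AuthenticationString = *s.Auth
	}
	if s.RequireSSL {
		row.SSLType = "ANY"
	}
	return row, nil
}

func main() {
	row := UserRow{User: "u1", Host: "%", AuthenticationString: "old-secret"}
	spec := AlterUserSpec{User: "u1", Host: "%", RequireSSL: true} // no IDENTIFIED BY clause
	fixed, _ := applyFixed("root", "%", true, row, spec)
	fmt.Printf("buggy: %q\nfixed: %q\n", applyBuggy(row, spec).AuthenticationString, fixed.AuthenticationString)
}
```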

@dveeden dveeden requested a review from a team as a code owner June 8, 2021 16:32
@dveeden dveeden requested review from qw4990 and removed request for a team June 8, 2021 16:32
@ti-chi-bot ti-chi-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 8, 2021
@github-actions github-actions bot added the sig/execution SIG execution label Jun 8, 2021
@dveeden dveeden force-pushed the fix_require_ssl_authstring branch from 769592f to 30623f3 Compare June 8, 2021 17:09
@ti-chi-bot ti-chi-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 8, 2021
@dveeden dveeden force-pushed the fix_require_ssl_authstring branch from 30623f3 to 9392511 Compare June 8, 2021 17:16
@morgo morgo requested review from tiancaiamao and morgo June 8, 2021 17:49
@dveeden dveeden force-pushed the fix_require_ssl_authstring branch 2 times, most recently from 7acb03a to eb932b5 Compare June 8, 2021 18:06
@morgo
Contributor

morgo commented Jun 9, 2021

/run_check_dev_2

@dveeden dveeden force-pushed the fix_require_ssl_authstring branch from eb932b5 to 6361d6f Compare June 9, 2021 14:55
@bb7133
Member

bb7133 commented Jun 9, 2021

Please check the failed test case (https://ci.pingcap.net/blue/organizations/jenkins/tidb_ghpr_check_2/detail/tidb_ghpr_check_2/9707/pipeline)

[2021-06-09T15:01:55.875Z] ----------------------------------------------------------------------
[2021-06-09T15:01:55.875Z] FAIL: grant_test.go:369: testSuite3.TestMaintainAuthString
[2021-06-09T15:01:55.875Z] 
[2021-06-09T15:01:55.875Z] grant_test.go:373:
[2021-06-09T15:01:55.875Z]     tk.MustExec(`CREATE USER 'maint_auth_str1'@'%' REQUIRE SSL`)
[2021-06-09T15:01:55.875Z] /home/jenkins/agent/workspace/tidb_ghpr_check_2/go/src/github.com/pingcap/tidb/util/testkit/testkit.go:217:
[2021-06-09T15:01:55.875Z]     tk.c.Assert(err, check.IsNil, check.Commentf("sql:%s, %v, error stack %v", sql, args, errors.ErrorStack(err)))
[2021-06-09T15:01:55.875Z] ... value *errors.withStack = [executor:1396]Operation CREATE USER failed for 'maint_auth_str1'@'%' ("[executor:1396]Operation CREATE USER failed for 'maint_auth_str1'@'%'")
[2021-06-09T15:01:55.875Z] ... sql:CREATE USER 'maint_auth_str1'@'%' REQUIRE SSL, [], error stack [executor:1396]Operation CREATE USER failed for 'maint_auth_str1'@'%'
[2021-06-09T15:01:55.875Z] github.com/pingcap/errors.AddStack

@morgo
Contributor

morgo commented Jun 9, 2021

@dveeden I've verified that it is only 4.0+ affected and removed the earlier versions from cherry-pick.

Contributor

@morgo morgo left a comment


LGTM - just some style nits.

privilege/privileges/privileges_test.go (outdated review thread, resolved)
executor/simple.go (outdated review thread, resolved)
@tiancaiamao
Contributor

/LGTM

Please address comments from @morgo

@ti-chi-bot
Member

@tiancaiamao: Please use GitHub review feature instead of /lgtm [cancel] when you want to submit review to the pull request.
For how to use GitHub review feature, see also this document provided by GitHub.

For the reason we drop support to the commands, see also this page.
This reply is being used as a temporary reply during the migration of review process and will be removed on July 1st.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@dveeden dveeden force-pushed the fix_require_ssl_authstring branch from 125cdca to a67ee15 Compare June 10, 2021 05:39
@dveeden dveeden requested a review from morgo June 10, 2021 05:39
Contributor

@morgo morgo left a comment


LGTM

@ti-chi-bot
Member

@morgo: Thanks for your review. The bot only counts approvals from reviewers and higher roles in list, but you're still welcome to leave your comments.

In response to this:

LGTM

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

@morgo morgo added the sig/sql-infra SIG: SQL Infra label Jun 10, 2021
@morgo morgo self-requested a review June 10, 2021 14:57
@ti-chi-bot
Member

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • morgo
  • tiancaiamao

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Jun 10, 2021
@morgo
Contributor

morgo commented Jun 10, 2021

/merge

@ti-chi-bot
Member

This pull request has been accepted and is ready to merge.

Commit hash: a67ee15

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Jun 10, 2021
@morgo
Contributor

morgo commented Jun 10, 2021

/run_check_dev_2

@morgo
Contributor

morgo commented Jun 10, 2021

/run-check_dev_2

@ti-chi-bot ti-chi-bot merged commit faf139e into pingcap:master Jun 10, 2021
ti-srebot pushed a commit to ti-srebot/tidb that referenced this pull request Jun 10, 2021
@ti-srebot
Contributor

cherry pick to release-4.0 in PR #25347

ti-srebot pushed a commit to ti-srebot/tidb that referenced this pull request Jun 10, 2021
@ti-srebot
Contributor

cherry pick to release-5.0 in PR #25348

ti-srebot pushed a commit to ti-srebot/tidb that referenced this pull request Jun 10, 2021
@ti-srebot
Contributor

cherry pick to release-5.1 in PR #25349

Labels
needs-cherry-pick-release-5.0 needs-cherry-pick-release-5.1 sig/execution SIG execution sig/sql-infra SIG: SQL Infra size/M Denotes a PR that changes 30-99 lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2.
Successfully merging this pull request may close these issues.

ALTER USER REQUIRE SSL or X509 clears out user's authentication_string (password)
6 participants