*: Support more PASSWORD REQUIRE CURRENT options | tidb-test=pr/2363 #54683
Conversation
|
Skipping CI for Draft Pull Request. |
ti-chi-bot
bot
added
do-not-merge/invalid-title
release-note-none
|
Hi @dveeden. Thanks for your PR. PRs from untrusted users cannot be marked as trusted with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
dveeden
changed the title
|
/test all |
|
@dveeden: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/test all |
|
@dveeden: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/ok-to-test |
ti-chi-bot
bot
added
ok-to-test
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #54683 +/- ##
================================================
+ Coverage 72.8739% 75.6721% +2.7982%
================================================
Files 1576 1609 +33
Lines 440775 475241 +34466
================================================
+ Hits 321210 359625 +38415
+ Misses 99821 93786 -6035
- Partials 19744 21830 +2086
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
/test all |
|
/test all |
dveeden
changed the title
|
/retest |
|
/test all |
There was a problem hiding this comment.
Maybe more tests should be ported to cover the scenarios in password-reverification-policy and t/password_require_current.test
| if ver >= version212 { | ||
| return | ||
| } | ||
| doReentrantDDL(s, "ALTER TABLE mysql.user ADD COLUMN IF NOT EXISTS `Password_require_current` enum('N','Y') DEFAULT NULL AFTER `Password_reuse_time`") |
There was a problem hiding this comment.
Would it (add a new field into mysql.user) break any compatibility with tools like BR, DM or TiCDC?
PTAL, thanks! cc @BornChanger @D3Hunter @asddongmen
There was a problem hiding this comment.
DM doesn't query this table explicitly.
| ByHashString bool | ||
| HashString string | ||
| AuthPlugin string | ||
| ReplaceString string |
There was a problem hiding this comment.
Since a new field containing password is been added, log redact (general log or audit log) should consider this scenario. /cc @xhebox @lcwangchao
Refer to https://github.com/pingcap/tidb/pull/2722/files, I misunderstood TestAbnormalMySQLTable previously and add |
|
/retest |
That file relies heavily on |
ti-chi-bot
bot
added
the
needs-rebase
ti-chi-bot
bot
removed
the
needs-rebase
|
/retest |
…ring sets withPassword to true
|
/retest |
|
/retest |
1 similar comment
|
/retest |
| Create_Tablespace_Priv ENUM('N','Y') NOT NULL DEFAULT 'N', | ||
| Password_reuse_history smallint unsigned DEFAULT NULL, | ||
| Password_reuse_time smallint unsigned DEFAULT NULL, | ||
| Password_require_current ENUM('N','Y') DEFAULT NULL, |
There was a problem hiding this comment.
how about put Password_require_current under column of user_attirbutes for better cross-version system table compatibility?
There was a problem hiding this comment.
I prefer to put Password_require_current as a new field in mysql.user for better compatibility with mysql's
https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/grant-tables.html#grant-tables-user-db
There was a problem hiding this comment.
Yes, let's do this in the same way as MySQL unless there is a very strong reason not to do that.
There was a problem hiding this comment.
it seems pr #39460 has addressed the compatibility problem here. so, i am fine with the change. but please make sure to do a cross version backup restore testing.
There was a problem hiding this comment.
A backup of TiDB-with-this-PR to a vanilla TiDB returns this:
dvaneeden@dve-carbon:~$ tiup br restore full -s /tmp/b_full/
Checking updates for component br... Starting component br: /home/dvaneeden/.tiup/components/br/v8.3.0/br restore full -s /tmp/b_full/
Detail BR log in /tmp/br.log.2024-08-22T09.43.39+0200
[2024/08/22 09:43:41.949 +02:00] [INFO] [collector.go:77] ["Full Restore failed summary"] [total-ranges=0] [ranges-succeed=0] [ranges-failed=0]
#######################################################################
# the target cluster is not compatible with the backup data,
# you can use '--with-sys-table=false' to skip restoring system tables
#######################################################################
Error: missing column in cluster data, table: user, col: Password_require_current enum('N','Y'): [BR:Restore:ErrRestoreIncompatibleSys]incompatible system table
There was a problem hiding this comment.
I can make BR to succeed with this patch:
diff --git a/br/pkg/restore/snap_client/systable_restore.go b/br/pkg/restore/snap_client/systable_restore.go
index a99d9925b1..7b758422d2 100644
--- a/br/pkg/restore/snap_client/systable_restore.go
+++ b/br/pkg/restore/snap_client/systable_restore.go
@@ -276,7 +276,7 @@ func (rc *SnapClient) replaceTemporaryTableToSystable(ctx context.Context, ti *m
zap.Stringer("schema", db.Name))
// target column order may different with source cluster
columnNames := make([]string, 0, len(ti.Columns))
- for _, col := range ti.Columns {
+ for _, col := range db.ExistingTables[tableName].Columns {
columnNames = append(columnNames, utils.EncloseName(col.Name.L))
}
colListStr := strings.Join(columnNames, ",")
@@ -384,13 +384,19 @@ func CheckSysTableCompatibility(dom *domain.Domain, tables []*metautil.Table) er
col := backupTi.Columns[i]
clusterCol := clusterColMap[col.Name.L]
if clusterCol == nil {
- log.Error("missing column in cluster data",
- zap.Stringer("table", table.Info.Name),
- zap.String("col", fmt.Sprintf("%s %s", col.Name, col.FieldType.String())))
- return errors.Annotatef(berrors.ErrRestoreIncompatibleSys,
- "missing column in cluster data, table: %s, col: %s %s",
- table.Info.Name.O,
- col.Name, col.FieldType.String())
+ if col.Name.L == "password_require_current" {
+ log.Error("ignoring missing column in cluster data",
+ zap.Stringer("table", table.Info.Name),
+ zap.String("col", fmt.Sprintf("%s %s", col.Name, col.FieldType.String())))
+ } else {
+ log.Error("missing column in cluster data",
+ zap.Stringer("table", table.Info.Name),
+ zap.String("col", fmt.Sprintf("%s %s", col.Name, col.FieldType.String())))
+ return errors.Annotatef(berrors.ErrRestoreIncompatibleSys,
+ "missing column in cluster data, table: %s, col: %s %s",
+ table.Info.Name.O,
+ col.Name, col.FieldType.String())
+ }
}
}
}This patch:
- Makes the "missing column in cluster data" non-fatal for the "password_require_current" column
- Uses the list of columns for the target table instead of the list of columns of the source table. Maybe this should check for columns that are present in both if we actually want to do it like this.
However the result is that the PASSWORD REQUIRE CURRENT (DEFAULT|OPTIONAL|) part of the user definition gets lost as there isn't a column for that. I think this might be acceptable but not supporting this and requiring --with-sys-table=false might be a good option as well.
There was a problem hiding this comment.
Restoring a backup of TiDB v8.3.0 vanilla on TiDB-with-this-PR works:
From the logs:
[2024/08/22 10:49:10.696 +02:00] [WARN] [systable_restore.go:349] ["missing column in backup data"] [table=user] [col="Password_require_current enum('N','Y')"]
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
|
/retest |
dveeden
removed
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
ti-chi-bot
bot
added
the
needs-rebase
What problem does this PR solve?
Issue Number: close #54660
Problem Summary:
Support a global (
password_require_current) and per account (mysql.user.Password_require_current) policy for requiring the current password when changing the password.What changed and how does it work?
parser:
PASSWORD REQUIRE CURRENTPASSWORD REQUIRE CURRENT OPTIONALALTER USER...IDENTIFIED BY ... REPLACE ...ALTER USER...IDENTIFIED WITH ... BY ... REPLACE ...ALTER USER() IDENTIFIED BY ... REPLACE ...ErrIncorrectCurrentPasswordErrMissingCurrentPasswordErrCurrentPasswordNotRequiredsession:
Password_require_currentcolumn tomysql.usersessionctx/variable:
password_require_currentsystem variableexecutor:
SHOW CREATE USERoutputALTER USER ... PASSWORD REQUIRE CURRENT ...ALTER USERerrno:
ErrIncorrectCurrentPasswordErrMissingCurrentPasswordErrCurrentPasswordNotRequiredprivilege:
Questions and remarks
TestAbnormalMySQLTablehas a comment that says it is testing with amysql.usertable synchronized from MySQL. However the supplied data looks like a TiDBmysql.usertable instead. Is this test correct? Should this be multiple tests, with MySQL 5.7,8.0 and 8.4? Maybe 9.0? @CbcWestwolf ? TestAbnormalMySQLTable has multiple issues. #54924(*UserPrivilege).checkPassword()for example needs to do something different based on what authentication plugin is being used. Maybe we can makeauth.CheckHashingPassword()more generic, but then we should probably change the name. Maybe an interface is best, but probably that's out of scope for this PR.show.gohas a "FIXME: the returned string is not escaped safely" comment. Maybe we should fix this outside of this PR?mysql_native_password,tidb_sm3_passwordandcaching_sha2_password. For other methods more testing and work might be needed.PASSWORD()function andSET PASSWORD = PASSWORD(...)from the MySQL 5.7 era. Might be good to start the process of removing this (outside of this PR).Documentation needed
ALTER USERdocs to include:ALTER USER...PASSWORD REQUIRE CURRENT ...ALTER USER...IDENTIFIED BY... REPLACE ...password_require_currentmysql.userdocsTODO
For log redaction and audit logging:
These take care of this for
SET PASSWORDandALTER USER:(*AlterUserStmt).SecureText()was updated anyway to make the intention clear.REPLACE <password>syntax is only used withSET PASSWORDandALTER USERstatements, which both already deal with passwords.Check List
Tests
Side effects
Documentation
Release note
Please refer to Release Notes Language Style Guide to write a quality release note.