Merge branch 'mysql-8.4' into mysql-trunk
Change-Id: Ib5987d3e1b7559b1d0ef338b3f689e31cced85a9
Michal Jankowski committed Feb 27, 2024
2 parents c88b0fa + c62af60 commit 25fd4ef
Showing 12 changed files with 58 additions and 26 deletions.
8 changes: 4 additions & 4 deletions mysql-test/r/plugin_auth.result
Expand Up @@ -14,7 +14,7 @@ SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';
plugin authentication_string
test_plugin_server plug_dest
## test plugin auth
ERROR 28000: Access denied for user 'plug'@'localhost' (using password: YES)
ERROR HY000: Access denied for user 'plug'@'localhost', missing proxy privilege.
GRANT PROXY ON plug_dest TO plug;
test proxies_priv columns
SELECT * FROM mysql.proxies_priv WHERE user !='root';
Expand Down Expand Up @@ -87,7 +87,7 @@ CREATE USER grant_plug_dest2 IDENTIFIED BY 'grant_plug_dest_passwd2';
# ALL PRIVILEGES doesn't include PROXY
GRANT ALL PRIVILEGES ON *.* TO grant_plug;
REVOKE SYSTEM_USER ON *.* FROM grant_plug;
ERROR 28000: Access denied for user 'grant_plug'@'localhost' (using password: YES)
ERROR HY000: Access denied for user 'grant_plug'@'localhost', missing proxy privilege.
GRANT ALL PRIVILEGES,PROXY ON grant_plug_dest TO grant_plug;
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ',PROXY ON grant_plug_dest TO grant_plug' at line 1
this should fail : can't combine PROXY
Expand Down Expand Up @@ -464,7 +464,7 @@ CREATE USER user_name_len_22_0dest IDENTIFIED BY 'plug_dest_passwd';
SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';
plugin authentication_string
## test plugin auth
ERROR 28000: Access denied for user 'user_name_len_22_01234'@'localhost' (using password: YES)
ERROR HY000: Access denied for user 'user_name_len_22_01234'@'localhost', missing proxy privilege.
GRANT PROXY ON user_name_len_22_0dest TO user_name_len_22_01234;
test proxies_priv columns
SELECT * FROM mysql.proxies_priv WHERE user !='root';
Expand Down Expand Up @@ -495,7 +495,7 @@ CREATE USER очень_очень_очень_длинный_дест__ IDENTIFIE
SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';
plugin authentication_string
## test plugin auth
ERROR 28000: Access denied for user 'очень_очень_очень_длинный_'@'localhost' (using password: YES)
ERROR HY000: Access denied for user 'очень_очень_очень_длинный_'@'localhost', missing proxy privilege.
GRANT PROXY ON очень_очень_очень_длинный_дест__ TO очень_очень_очень_длинный_юзер__;
test proxies_priv columns
SELECT * FROM mysql.proxies_priv WHERE user !='root';
8 changes: 4 additions & 4 deletions mysql-test/r/plugin_auth_qa_1.result
Expand Up @@ -8,7 +8,7 @@ CREATE USER plug_user
IDENTIFIED WITH test_plugin_server AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'plug_user'@'localhost' (using password: YES)
ERROR 6126 (HY000): Access denied for user 'plug_user'@'localhost', missing proxy privilege.
GRANT PROXY ON plug_dest TO plug_user;
mysql: [Warning] Using a password on the command line interface can be insecure.
current_user()
Expand All @@ -17,7 +17,7 @@ user()
plug_user@localhost
RENAME USER plug_dest TO new_dest;
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'plug_user'@'localhost' (using password: YES)
ERROR 6127 (HY000): Access denied for user 'plug_user'@'localhost', proxied user doesn't exist.
GRANT PROXY ON new_dest TO plug_user;
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'plug_user'@'localhost' (using password: YES)
Expand Down Expand Up @@ -137,7 +137,7 @@ NULL
connection default;
disconnect proxy_con;
connect(proxy_con,localhost,proxy_user,proxied_user);
ERROR 28000: Access denied for user 'proxy_user'@'localhost' (using password: YES)
ERROR HY000: Access denied for user 'proxy_user'@'localhost', missing proxy privilege.
GRANT PROXY ON proxied_user TO ''@'';
connect(proxy_con,localhost,proxied_user,proxied_user_passwd);
SELECT USER(),CURRENT_USER();
Expand Down Expand Up @@ -173,7 +173,7 @@ NULL
connection default;
disconnect proxy_con;
connect(proxy_con,localhost,proxy_user,proxied_user);
ERROR 28000: Access denied for user 'proxy_user'@'localhost' (using password: YES)
ERROR HY000: Access denied for user 'proxy_user'@'localhost', missing proxy privilege.
GRANT PROXY ON proxied_user TO ''@'';
connect(proxy_con,localhost,proxied_user,proxied_user_passwd);
SELECT USER(),CURRENT_USER();
2 changes: 1 addition & 1 deletion mysql-test/r/plugin_auth_qa_2.result
Expand Up @@ -112,7 +112,7 @@ qa_test_6_dest caching_sha2_password
qa_test_6_user qa_auth_interface
exec MYSQL PLUGIN_AUTH_OPT -h localhost -P MASTER_MYPORT --user=qa_test_6_user --password=qa_test_6_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'qa_test_6_user'@'localhost' (using password: YES)
ERROR 6126 (HY000): Access denied for user 'qa_test_6_user'@'localhost', missing proxy privilege.
CREATE USER root IDENTIFIED WITH qa_auth_interface AS 'qa_test_6_dest';
GRANT PROXY ON qa_test_6_dest TO root;
SELECT user,plugin FROM mysql.user WHERE user NOT IN ('root', 'mysql.sys', 'mysql.session', 'mysql.infoschema');
Expand Up @@ -94,7 +94,7 @@ COUNT_UNKNOWN_ERRORS 0
FIRST_ERROR_SEEN set
LAST_ERROR_SEEN set
install plugin test_plugin_server soname 'PLUGIN_AUTH';
ERROR 28000: Access denied for user 'plug'@'santa.claus.ipv4.example.com' (using password: YES)
ERROR HY000: Access denied for user 'plug'@'santa.claus.ipv4.example.com', missing proxy privilege.
"Dumping performance_schema.host_cache"
IP 192.0.2.4
HOST santa.claus.ipv4.example.com
Expand Down Expand Up @@ -123,7 +123,7 @@ COUNT_LOCAL_ERRORS 0
COUNT_UNKNOWN_ERRORS 0
FIRST_ERROR_SEEN set
LAST_ERROR_SEEN set
ERROR 28000: Access denied for user 'plug'@'santa.claus.ipv4.example.com' (using password: YES)
ERROR HY000: Access denied for user 'plug'@'santa.claus.ipv4.example.com', missing proxy privilege.
"Dumping performance_schema.host_cache"
IP 192.0.2.4
HOST santa.claus.ipv4.example.com
Expand Up @@ -94,7 +94,7 @@ COUNT_UNKNOWN_ERRORS 0
FIRST_ERROR_SEEN set
LAST_ERROR_SEEN set
install plugin test_plugin_server soname 'PLUGIN_AUTH';
ERROR 28000: Access denied for user 'plug'@'santa.claus.ipv6.example.com' (using password: YES)
ERROR HY000: Access denied for user 'plug'@'santa.claus.ipv6.example.com', missing proxy privilege.
"Dumping performance_schema.host_cache"
IP 2001:db8::6:6
HOST santa.claus.ipv6.example.com
Expand Down Expand Up @@ -123,7 +123,7 @@ COUNT_LOCAL_ERRORS 0
COUNT_UNKNOWN_ERRORS 0
FIRST_ERROR_SEEN set
LAST_ERROR_SEEN set
ERROR 28000: Access denied for user 'plug'@'santa.claus.ipv6.example.com' (using password: YES)
ERROR HY000: Access denied for user 'plug'@'santa.claus.ipv6.example.com', missing proxy privilege.
"Dumping performance_schema.host_cache"
IP 2001:db8::6:6
HOST santa.claus.ipv6.example.com
4 changes: 2 additions & 2 deletions mysql-test/suite/perfschema/t/hostcache_ipv4_auth_plugin.test
Expand Up @@ -50,15 +50,15 @@ connect (con3,"127.0.0.1",plug,plug_dest,test,$MASTER_MYPORT,,,auth_test_plugin)
eval install plugin test_plugin_server soname '$PLUGIN_AUTH';

--disable_query_log
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect (con2,"127.0.0.1",plug,plug_dest,test,$MASTER_MYPORT,,,auth_test_plugin);
--enable_query_log

--connection default
--source ../include/hostcache_dump.inc

--disable_query_log
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect (con3,"127.0.0.1",plug,plug_dest,test,$MASTER_MYPORT,,,auth_test_plugin);
--enable_query_log

4 changes: 2 additions & 2 deletions mysql-test/suite/perfschema/t/hostcache_ipv6_auth_plugin.test
Expand Up @@ -51,15 +51,15 @@ connect (con3,"::1",plug,plug_dest,test,$MASTER_MYPORT,,,auth_test_plugin);
eval install plugin test_plugin_server soname '$PLUGIN_AUTH';

--disable_query_log
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect (con2,"::1",plug,plug_dest,test,$MASTER_MYPORT,,,auth_test_plugin);
--enable_query_log

--connection default
--source ../include/hostcache_dump.inc

--disable_query_log
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect (con3,"::1",plug,plug_dest,test,$MASTER_MYPORT,,,auth_test_plugin);
--enable_query_log

8 changes: 4 additions & 4 deletions mysql-test/t/plugin_auth.test
Expand Up @@ -25,7 +25,7 @@ SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';
--echo ## test plugin auth
--disable_query_log
# This should fail, no grant
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect(plug_con,localhost,plug,plug_dest);
--enable_query_log

Expand Down Expand Up @@ -123,7 +123,7 @@ GRANT ALL PRIVILEGES ON *.* TO grant_plug;
REVOKE SYSTEM_USER ON *.* FROM grant_plug;
--disable_query_log
# This should fail, no grant
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect(grant_plug_con,localhost,grant_plug,grant_plug_dest);
--enable_query_log

Expand Down Expand Up @@ -606,7 +606,7 @@ SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';
--echo ## test plugin auth
--disable_query_log
# This should fail, no grant
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect(plug_user22,localhost,user_name_len_22_01234,user_name_len_22_0dest);
--enable_query_log

Expand All @@ -633,7 +633,7 @@ SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';
--echo ## test plugin auth
--disable_query_log
# This should fail, no grant
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect(plug_user32,localhost,очень_очень_очень_длинный_юзер__,очень_очень_очень_длинный_дест__);
--enable_query_log

4 changes: 2 additions & 2 deletions mysql-test/t/plugin_auth_qa_1.test
Expand Up @@ -128,7 +128,7 @@ disconnect proxy_con;
--echo connect(proxy_con,localhost,proxy_user,proxied_user);
--disable_query_log
# This should fail, no grant
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect(proxy_con,localhost,proxy_user,proxied_user);
--enable_query_log
GRANT PROXY ON proxied_user TO ''@'';
Expand Down Expand Up @@ -165,7 +165,7 @@ disconnect proxy_con;
--echo connect(proxy_con,localhost,proxy_user,proxied_user);
--disable_query_log
# This should fail, no grant
--error ER_ACCESS_DENIED_ERROR
--error ER_ACCESS_DENIED_NO_PROXY_GRANT
connect(proxy_con,localhost,proxy_user,proxied_user);
--enable_query_log
GRANT PROXY ON proxied_user TO ''@'';
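Review bot: Neither hunk in this file expects `ER_ACCESS_DENIED_NO_PROXY`; both `--error` lines switch to `ER_ACCESS_DENIED_NO_PROXY_GRANT`. On this page the "proxied user doesn't exist" denial is therefore covered only by the recorded client output `ERROR 6127 (HY000)` in plugin_auth_qa_1.result, which pins a numeric code rather than the symbol. A comment at the step that follows `RENAME USER plug_dest TO new_dest`, for example `# Expect ER_ACCESS_DENIED_NO_PROXY: the proxied account was renamed away`, would state which denial is intended there. The parts of the test between the hunks are not shown, so such a comment may already exist.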
6 changes: 6 additions & 0 deletions share/messages_to_clients.txt
Expand Up @@ -10385,6 +10385,12 @@ ER_WARN_DEPRECATED_NON_STANDARD_KEY
ER_FK_NO_UNIQUE_INDEX_PARENT
eng "Failed to add the foreign key constraint. Missing unique key for constraint '%s' in the referenced table '%s'"

ER_ACCESS_DENIED_NO_PROXY_GRANT
eng "Access denied for user '%-.48s'@'%-.64s', missing proxy privilege."

ER_ACCESS_DENIED_NO_PROXY
eng "Access denied for user '%-.48s'@'%-.64s', proxied user doesn't exist."

#
# End of 8.1+ error messages (server-to-client).
# Do NOT add messages intended for the error log above!
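Review bot: `ER_ACCESS_DENIED_NO_PROXY_GRANT` and `ER_ACCESS_DENIED_NO_PROXY` are declared without an SQLSTATE, so these login denials now reach clients as HY000, as the re-recorded results show (`ERROR HY000` where they had `ERROR 28000`). Connectors, retry logic and monitoring that recognise authentication failures by SQLSTATE 28000 will stop counting them. If that is not intended, put the state on the symbol lines, `ER_ACCESS_DENIED_NO_PROXY_GRANT 28000` and `ER_ACCESS_DENIED_NO_PROXY 28000`, and re-record the affected result files.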
11 changes: 10 additions & 1 deletion share/messages_to_error_log.txt
Expand Up @@ -5325,7 +5325,7 @@ ER_LDAP_AUTH_SETTING_USERNAME
ER_LDAP_AUTH_USER_AUTH_DATA
eng "User authentication data: %s size: %lu"

ER_LDAP_AUTH_INFO_FOR_USER
OBSOLETE_ER_LDAP_AUTH_INFO_FOR_USER
eng "User is authenticated as: %s external user: %s"

ER_LDAP_AUTH_USER_GROUP_SEARCH_INFO
Expand Down Expand Up @@ -12698,6 +12698,15 @@ ER_THREAD_POOL_MTL_DISABLE
ER_THREAD_POOL_MTL_REENABLE
eng "Re-enabling MTL in thread group %u since it is down to %u long running transactions."

ER_LDAP_AUTH_INFO_USER_MAP
eng "Login user: %s@%s (external: %s) authenticated as: %s"

ER_ACCESS_DENIED_NO_PROXY_GRANT_WITH_NAME
eng "Access denied for user '%s'@'%s', missing proxy privilege to '%s'."

ER_ACCESS_DENIED_NO_PROXY_WITH_NAME
eng "Access denied for user '%s'@'%s', proxied user '%s' doesn't exist."

# DO NOT add server-to-client messages here;
# they go in messages_to_clients.txt
# in the same directory as this file.
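Review bot: The three added error-log texts format the user, host and mapped or proxied name with unbounded `%s`, while the client texts added in this same commit bound the user and host with `%-.48s` and `%-.64s`. These names presumably come from the connecting client or the authentication plugin, so a bounded form such as `"Access denied for user '%-.48s'@'%-.64s', missing proxy privilege to '%-.48s'."` would keep a single log entry from being stretched by an oversized value. Log-monitoring rules that match the old wording `User is authenticated as:` will also need updating, since `ER_LDAP_AUTH_INFO_FOR_USER` is marked obsolete and `ER_LDAP_AUTH_INFO_USER_MAP` uses a different text.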
21 changes: 19 additions & 2 deletions sql/auth/sql_authentication.cc
Expand Up @@ -1605,6 +1605,20 @@ bool auth_plugin_supports_expiration(const char *plugin_name) {
return auth_plugin_is_built_in(plugin_name);
}

/**
a helper function to report cannot proxy error in all the proper places
*/
static void cannot_proxy_error(THD *thd, const MPVIO_EXT &mpvio,
int server_error, int client_error) {
my_error(client_error, MYF(0), mpvio.auth_info.user_name,
mpvio.auth_info.host_or_ip, mpvio.auth_info.authenticated_as);
query_logger.general_log_print(thd, COM_CONNECT, ER_DEFAULT(client_error),
mpvio.auth_info.user_name,
mpvio.auth_info.host_or_ip);
LogErr(INFORMATION_LEVEL, server_error, mpvio.auth_info.user_name,
mpvio.auth_info.host_or_ip, mpvio.auth_info.authenticated_as);
}

/**
a helper function to report an access denied error in all the proper places
*/
Expand Down Expand Up @@ -4177,7 +4191,9 @@ int acl_authenticate(THD *thd, enum_server_command command) {
Host_errors errors;
errors.m_proxy_user = 1;
inc_host_errors(mpvio.ip, &errors);
login_failed_error(thd, &mpvio, mpvio.auth_info.password_used);
cannot_proxy_error(thd, mpvio,
ER_ACCESS_DENIED_NO_PROXY_GRANT_WITH_NAME,
ER_ACCESS_DENIED_NO_PROXY_GRANT);
goto end;
}

Expand All @@ -4196,7 +4212,8 @@ int acl_authenticate(THD *thd, enum_server_command command) {
Host_errors errors;
errors.m_proxy_user_acl = 1;
inc_host_errors(mpvio.ip, &errors);
login_failed_error(thd, &mpvio, mpvio.auth_info.password_used);
cannot_proxy_error(thd, mpvio, ER_ACCESS_DENIED_NO_PROXY_WITH_NAME,
ER_ACCESS_DENIED_NO_PROXY);
goto end;
}
acl_user = acl_proxy_user->copy(thd->mem_root);
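Review bot: The two call sites in `acl_authenticate` now send different client errors for "missing proxy privilege" and "proxied user doesn't exist". A connecting client, apparently one the plugin has already accepted, can therefore tell whether the target account exists, which the single `login_failed_error` reply did not reveal. Consider returning one client code for both cases and keeping the distinction in the `LogErr` entry only. In `cannot_proxy_error`, `my_error` is also passed `mpvio.auth_info.authenticated_as` although both client formats take only two conversions; `my_error(client_error, MYF(0), mpvio.auth_info.user_name, mpvio.auth_info.host_or_ip);` would keep the proxied name away from the client if the text is later extended. The helper's doc comment could also say that the proxied name goes to the error log only, at `INFORMATION_LEVEL`; `acl_authenticate` starts and ends outside the hunks shown.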
