(MODULES-7487) Check authentication string for user password on MariaDB 10.2.16+ #1135
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Since MariaDB 10.2.16, the `SET PASSWORD` command stores user passwords in the `mysql_native_password` plugin `authentication_string` instead of in the `password` column: ``` +------+-----------+----------+-----------------------+-------------------------------------------+ | user | host | password | plugin | authentication_string | +------+-----------+----------+-----------------------+-------------------------------------------+ | root | localhost | | mysql_native_password | *01396341988BCA5088C3A5DB5D7E434947096D4F | +------+-----------+----------+-----------------------+-------------------------------------------+ ``` The `puppetlabs/mysql` checks the `password` column instead of the `authentication_string` on all versions of MariaDB, resulting in every Puppet run attempting to update managed user passwords even when they haven't changed. Update the if statement to check the plugin authentication string on MariaDB 10.2.16 and newer.
alexjfisher
added a commit
to alexjfisher/puppetlabs-mysql
that referenced
this pull request
May 14, 2019
…ency The change introduced in mariadb 10.2.16 (and 10.3.8) where: > the `SET PASSWORD` command stores user passwords in the `mysql_native_password` plugin `authentication_string` instead of in the `password` column was addressed in puppetlabs#1135 This behaviour was short-lived. In 10.2.19 and 10.3.11 the old behaviour was restored. > The fix in the commit dd6e74c62a2 made sure that the password field is always set, because that was the original issue that broke third-party tools. See https://jira.mariadb.org/browse/MDEV-16774 This commit is based on https://tickets.puppetlabs.com/browse/MODULES-6875?focusedCommentId=645260&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-645260
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since MariaDB 10.2.16, the
SET PASSWORDcommand stores user passwords in themysql_native_passwordpluginauthentication_stringinstead of in thepasswordcolumn ofmysql.user.The module checks the
passwordcolumn instead of theauthentication_stringon all versions of MariaDB. In every Puppet run involving MariaDB 10.2.16 and newer, the module attempts to updatemanaged user passwords even when they haven't changed (
Notice: /Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]/password_hash: changed password) because thepasswordfield is always empty.Update the if statement to check the plugin authentication string on MariaDB 10.2.16 and newer.
See also MariaDB JIRA ticket MDEV-16774.