MDEV-26715 Windows/installer - allow passwordless login for root

Allow passwordless login in addition to usual login with password, when
creating 'root' user during install.

The effect of that change is that "local administrators" group are
allowed to connect as root user. This is done via gssapi authentication
plugin.

Clients that are not aware of gssapi client plugin, can still login with
password credentials.

mysql-test/main/mysql_install_db_win_admin.result

+use mysql;
+Running bootstrap
+Creating my.ini file
+Removing default user
+Allowing remote access for user root
+Setting root password
+Creation of the database was successful
+# Kill the server
+# restart: --datadir=MYSQLTEST_VARDIR/tmp/ddir
+connect  root,localhost,root,wrongpass,mysql;
+# Kill the server
+# restart

mysql-test/main/mysql_install_db_win_admin.test

+--source include/windows.inc
+--source include/check_windows_admin.inc
+--source include/have_innodb.inc
+
+# Create database  in tmp directory using mysql_install_db.exe,
+# and start server from this directory.
+let $ddir= $MYSQLTEST_VARDIR/tmp/ddir;
+use mysql;
+exec $MYSQL_INSTALL_DB_EXE --datadir=$ddir --password=foo -R;
+--source include/kill_mysqld.inc
+let $restart_parameters=--datadir=$ddir;
+--source include/start_mysqld.inc
+
+# Check that connect with wrong password succeeds
+connect (root,localhost,root,wrongpass,mysql);
+
+--source include/kill_mysqld.inc
+let $restart_parameters=;
+rmdir $ddir;
+--source include/start_mysqld.inc
+

mysql-test/main/mysqld--help.test

@@ -41,7 +41,7 @@ perl;
               wsrep file-key-management cracklib-password-check user-variables
               provider-bzip2 provider-lzma provider-lzo
               thread-pool-groups thread-pool-queues thread-pool-stats
-              thread-pool-waits hashicorp provider/;
+              thread-pool-waits hashicorp provider gssapi/;
 
   # And substitute the content some environment variables with their
   # names:

mysql-test/mariadb-test-run.pl

@@ -1769,7 +1769,8 @@ sub collect_mysqld_features {
            and $1 ne "innodb-buffer-page"
            and $1 ne "innodb-lock-waits"
            and $1 ne "innodb-locks"
-           and $1 ne "innodb-trx";
+           and $1 ne "innodb-trx"
+           and $1 ne "gssapi";
       next;
     }
 

plugin/auth_gssapi/CMakeLists.txt

@@ -46,11 +46,15 @@ ELSE()
  ENDIF()
 ENDIF ()
 
-
+IF(WIN32)
+  SET(AUTH_GSSAPI_DEFAULT DEFAULT)
+ELSE()
+  SET(AUTH_GSSAPI_DEFAULT)
+ENDIF()
 MYSQL_ADD_PLUGIN(auth_gssapi server_plugin.cc ${GSSAPI_SERVER} ${GSSAPI_ERRMSG}
                  LINK_LIBRARIES ${GSSAPI_LIBS}
-                 COMPONENT gssapi-server
-                 MODULE_ONLY)
+                 ${AUTH_GSSAPI_DEFAULT}
+                 COMPONENT gssapi-server)
 
 # disabled in favor of libmariadb/plugins/auth/auth_gssapi_client.c
 #

plugin/auth_gssapi/mysql-test/auth_gssapi/basic.result

-INSTALL SONAME 'auth_gssapi';
-Warnings:
-Note	1105	SSPI: using principal name 'localhost', mech 'Negotiate'
 CREATE USER 'GSSAPI_SHORTNAME' IDENTIFIED WITH gssapi;
 connect  con1,localhost,$GSSAPI_SHORTNAME,,;
 SELECT USER(),CURRENT_USER();
@@ -23,4 +20,3 @@ DROP USER usr1;
 CREATE USER nosuchuser IDENTIFIED WITH gssapi AS 'nosuchuser@EXAMPLE.COM';
 ERROR 28000: GSSAPI name mismatch, requested 'nosuchuser@EXAMPLE.COM', actual name 'GSSAPI_FULLNAME'
 DROP USER nosuchuser;
-UNINSTALL SONAME 'auth_gssapi';

plugin/auth_gssapi/mysql-test/auth_gssapi/basic.test

---replace_regex /name '[^']+'/name 'localhost'/
-INSTALL SONAME 'auth_gssapi';
-
 #
 # CREATE USER without 'AS' clause
 #
@@ -42,5 +39,3 @@ CREATE USER nosuchuser IDENTIFIED WITH gssapi AS 'nosuchuser@EXAMPLE.COM';
 connect (con1,localhost,nosuchuser,,);
 --enable_query_log
 DROP USER nosuchuser;
-
-UNINSTALL SONAME 'auth_gssapi';
\ No newline at end of file

plugin/auth_gssapi/mysql-test/auth_gssapi/groups.result

-INSTALL SONAME 'auth_gssapi';
-Warnings:
-Note	1105	SSPI: using principal name 'localhost', mech 'Negotiate'
 CREATE USER 'nosuchgroup' IDENTIFIED WITH gssapi AS 'GROUP:nosuchgroup';
 connect(localhost,nosuchuser,,test,MASTER_MYPORT,MASTER_MYSOCK);
 connect  con1,localhost,nosuchuser,,;
@@ -41,4 +38,3 @@ connect  con1,localhost,me_sid,,;
 disconnect con1;
 connection default;
 DROP USER me_sid;
-UNINSTALL SONAME 'auth_gssapi';

plugin/auth_gssapi/mysql-test/auth_gssapi/groups.test

 source include/windows.inc;
 --replace_regex /name '[^']+'/name 'localhost'/
-INSTALL SONAME 'auth_gssapi';
+
 
 
 # Invalid group name
@@ -68,6 +68,3 @@ connect (con1,localhost,me_sid,,);
 disconnect con1;
 connection default;
 DROP USER me_sid;
\ No newline at end of file
-
-
-UNINSTALL SONAME 'auth_gssapi';
\ No newline at end of file

plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.result

-INSTALL SONAME 'auth_gssapi';
-Warnings:
-Note	1105	SSPI: using principal name 'localhost', mech 'Negotiate'
 CREATE USER 'nosuchuser' IDENTIFIED WITH gssapi OR mysql_native_password as password("good");
 connect(localhost,nosuchuser,,test,MASTER_MYPORT,MASTER_MYSOCK);
 connect  con1,localhost,nosuchuser,,;
@@ -31,4 +28,3 @@ GSSAPI_SHORTNAME@localhost	GSSAPI_SHORTNAME@%
 disconnect con1;
 connection default;
 DROP USER 'GSSAPI_SHORTNAME';
-UNINSTALL SONAME 'auth_gssapi';

plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.test

---replace_regex /name '[^']+'/name 'localhost'/
-INSTALL SONAME 'auth_gssapi';
-
 # gssapi,password
 CREATE USER 'nosuchuser' IDENTIFIED WITH gssapi OR mysql_native_password as password("good");
 replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT;
@@ -33,4 +30,3 @@ connection default;
 replace_result $GSSAPI_SHORTNAME GSSAPI_SHORTNAME;
 eval DROP USER '$GSSAPI_SHORTNAME';
 
-UNINSTALL SONAME 'auth_gssapi';

plugin/auth_gssapi/mysql-test/auth_gssapi/suite.opt

---loose-gssapi-keytab-path=$GSSAPI_KEYTAB_PATH --loose-gssapi-principal-name=$GSSAPI_PRINCIPAL_NAME
+--loose-gssapi=ON --loose-gssapi-keytab-path=$GSSAPI_KEYTAB_PATH --loose-gssapi-principal-name=$GSSAPI_PRINCIPAL_NAME --plugin-load-add=$AUTH_GSSAPI_SO

plugin/auth_gssapi/mysql-test/auth_gssapi/suite.pm

+
 package My::Suite::AuthGSSAPI;
 
 @ISA = qw(My::Suite);
 
-return "No AUTH_GSSAPI plugin" unless $ENV{AUTH_GSSAPI_SO};
+return "No AUTH_GSSAPI plugin" unless ($ENV{AUTH_GSSAPI_SO} or $::mysqld_variables{gssapi} eq "ON");
 
 return "Not run for embedded server" if $::opt_embedded_server;
 

plugin/auth_gssapi/server_plugin.cc

@@ -141,7 +141,7 @@ static struct st_mysql_auth server_handler= {
   gssapi_auth, NULL, NULL
 };
 
-maria_declare_plugin(gssapi_server)
+maria_declare_plugin(auth_gssapi)
 {
   MYSQL_AUTHENTICATION_PLUGIN,
   &server_handler,

sql/mysql_install_db.cc

@@ -438,7 +438,10 @@ static constexpr const char* update_root_passwd=
   "UPDATE mysql.global_priv SET priv=json_set(priv,"
   "'$.password_last_changed', UNIX_TIMESTAMP(),"
   "'$.plugin','mysql_native_password',"
-  "'$.authentication_string','%s') where User='root';\n";
+  "'$.authentication_string','%s',"
+  "'$.auth_or', json_array(json_object(), json_object('plugin', 'gssapi','authentication_string','SID:BA'))"
+  ") where User= 'root';\n ";
+
 static constexpr char remove_default_user_cmd[]=
   "DELETE FROM mysql.user where User='';\n";
 static constexpr char allow_remote_root_access_cmd[]=