Commit 68910e70 authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-9273 ERROR 1819 on grant statment for existing user

Cannot do password validation in fix_lex_user(): at that point we don't
know what "GRANT ... TO user" means - creating a new user with
an empty password (validation needed) or granting privileges
to an existing user (no validation needed).

Move validation down into replace_user_table(), and copy it into
check_change_password().
parent d14c4c78
...@@ -79,6 +79,7 @@ ERROR HY000: Your password does not satisfy the current policy requirements ...@@ -79,6 +79,7 @@ ERROR HY000: Your password does not satisfy the current policy requirements
grant select on *.* to `BarFoo1!` identified by 'FooBar1!'; grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
drop user `BarFoo1!`; drop user `BarFoo1!`;
create user foo1 identified by 'aA.12345'; create user foo1 identified by 'aA.12345';
grant select on *.* to foo1;
drop user foo1; drop user foo1;
set global simple_password_check_digits=3; set global simple_password_check_digits=3;
set global simple_password_check_letters_same_case=3; set global simple_password_check_letters_same_case=3;
...@@ -129,7 +130,7 @@ ERROR HY000: The MariaDB server is running with the --strict-password-validation ...@@ -129,7 +130,7 @@ ERROR HY000: The MariaDB server is running with the --strict-password-validation
create user foo2 identified with mysql_native_password using ''; create user foo2 identified with mysql_native_password using '';
ERROR HY000: Your password does not satisfy the current policy requirements ERROR HY000: Your password does not satisfy the current policy requirements
grant select on *.* to foo2 identified with mysql_old_password; grant select on *.* to foo2 identified with mysql_old_password;
ERROR HY000: Your password does not satisfy the current policy requirements ERROR 28000: Can't find any matching row in the user table
update mysql.user set password='xxx' where user='foo1'; update mysql.user set password='xxx' where user='foo1';
set global strict_password_validation=0; set global strict_password_validation=0;
set password for foo1 = ''; set password for foo1 = '';
......
...@@ -26,6 +26,7 @@ grant select on *.* to `BarFoo1!` identified by 'FooBar1!'; ...@@ -26,6 +26,7 @@ grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
drop user `BarFoo1!`; drop user `BarFoo1!`;
create user foo1 identified by 'aA.12345'; create user foo1 identified by 'aA.12345';
grant select on *.* to foo1;
drop user foo1; drop user foo1;
set global simple_password_check_digits=3; set global simple_password_check_digits=3;
...@@ -78,7 +79,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111 ...@@ -78,7 +79,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222'; grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
create user foo2 identified with mysql_native_password using ''; create user foo2 identified with mysql_native_password using '';
--error ER_NOT_VALID_PASSWORD --error ER_PASSWORD_NO_MATCH
grant select on *.* to foo2 identified with mysql_old_password; grant select on *.* to foo2 identified with mysql_old_password;
# direct updates are not protected # direct updates are not protected
......
...@@ -1050,9 +1050,6 @@ static bool fix_lex_user(THD *thd, LEX_USER *user) ...@@ -1050,9 +1050,6 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
return true; return true;
} }
if (validate_password(user))
return true;
if (user->pwtext.length && !user->pwhash.length) if (user->pwtext.length && !user->pwhash.length)
{ {
size_t scramble_length; size_t scramble_length;
...@@ -2747,7 +2744,8 @@ bool check_change_password(THD *thd, LEX_USER *user) ...@@ -2747,7 +2744,8 @@ bool check_change_password(THD *thd, LEX_USER *user)
{ {
LEX_USER *real_user= get_current_user(thd, user); LEX_USER *real_user= get_current_user(thd, user);
if (fix_and_copy_user(real_user, user, thd)) if (fix_and_copy_user(real_user, user, thd) ||
validate_password(real_user))
return true; return true;
*user= *real_user; *user= *real_user;
...@@ -3461,6 +3459,10 @@ static int replace_user_table(THD *thd, TABLE *table, LEX_USER &combo, ...@@ -3461,6 +3459,10 @@ static int replace_user_table(THD *thd, TABLE *table, LEX_USER &combo,
store_record(table,record[1]); // Save copy for update store_record(table,record[1]); // Save copy for update
} }
if (!old_row_exists || combo.pwtext.length || combo.pwhash.length)
if (validate_password(&combo))
goto end;
/* Update table columns with new privileges */ /* Update table columns with new privileges */
Field **tmp_field; Field **tmp_field;
......