Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
MariaDB
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
nexedi
MariaDB
Commits
7516a3c7
Commit
7516a3c7
authored
Nov 25, 2014
by
Sergei Golubchik
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
strict_password_validation
parent
b8140467
Changes
10
Hide whitespace changes
Inline
Side-by-side
Showing
10 changed files
with
141 additions
and
2 deletions
+141
-2
mysql-test/r/mysqld--help.result
mysql-test/r/mysqld--help.result
+6
-0
mysql-test/suite/plugins/r/simple_password_check.result
mysql-test/suite/plugins/r/simple_password_check.result
+36
-0
mysql-test/suite/plugins/t/simple_password_check.test
mysql-test/suite/plugins/t/simple_password_check.test
+42
-0
mysql-test/suite/sys_vars/r/all_vars.result
mysql-test/suite/sys_vars/r/all_vars.result
+1
-0
mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
+14
-0
mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
...l-test/suite/sys_vars/r/sysvars_server_notembedded.result
+14
-0
sql/mysqld.cc
sql/mysqld.cc
+1
-1
sql/mysqld.h
sql/mysqld.h
+1
-1
sql/sql_acl.cc
sql/sql_acl.cc
+19
-0
sql/sys_vars.cc
sql/sys_vars.cc
+7
-0
No files found.
mysql-test/r/mysqld--help.result
View file @
7516a3c7
...
@@ -987,6 +987,11 @@ The following options may be given as the first argument:
...
@@ -987,6 +987,11 @@ The following options may be given as the first argument:
--stored-program-cache=#
--stored-program-cache=#
The soft upper limit for number of cached stored routines
The soft upper limit for number of cached stored routines
for one connection.
for one connection.
--strict-password-validation
When password validation plugins are enabled, reject
passwords that cannot be validated (passwords specified
as a hash)
(Defaults to on; use --skip-strict-password-validation to disable.)
-s, --symbolic-links
-s, --symbolic-links
Enable symbolic link support.
Enable symbolic link support.
--sync-binlog=# Synchronously flush binary log to disk after every #th
--sync-binlog=# Synchronously flush binary log to disk after every #th
...
@@ -1348,6 +1353,7 @@ sort-buffer-size 2097152
...
@@ -1348,6 +1353,7 @@ sort-buffer-size 2097152
sql-mode
sql-mode
stack-trace TRUE
stack-trace TRUE
stored-program-cache 256
stored-program-cache 256
strict-password-validation TRUE
symbolic-links FALSE
symbolic-links FALSE
sync-binlog 0
sync-binlog 0
sync-frm FALSE
sync-frm FALSE
...
...
mysql-test/suite/plugins/r/simple_password_check.result
View file @
7516a3c7
...
@@ -109,6 +109,42 @@ ERROR HY000: Your password does not satisfy the current policy requirements
...
@@ -109,6 +109,42 @@ ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = old_password('qwe:123:ASD4');
set password for foo1 = old_password('qwe:123:ASD4');
ERROR HY000: Your password does not satisfy the current policy requirements
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = password('qwe:123:ASD!');
set password for foo1 = password('qwe:123:ASD!');
select @@strict_password_validation;
@@strict_password_validation
1
set password for foo1 = '';
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = '2222222222222222';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
set password for foo1 = '11111111111111111111111111111111111111111';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
create user foo2 identified by password '11111111111111111111111111111111111111111';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
grant select on *.* to foo2 identified by password '2222222222222222';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
create user foo2 identified with mysql_native_password using '';
ERROR HY000: Your password does not satisfy the current policy requirements
grant select on *.* to foo2 identified with mysql_old_password;
ERROR HY000: Your password does not satisfy the current policy requirements
update mysql.user set password='xxx' where user='foo1';
set global strict_password_validation=0;
set password for foo1 = '';
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = '2222222222222222';
set password for foo1 = '11111111111111111111111111111111111111111';
create user foo2 identified by password '11111111111111111111111111111111111111111';
drop user foo2;
grant select on *.* to foo2 identified by password '2222222222222222';
drop user foo2;
create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
drop user foo2;
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
drop user foo2;
set global strict_password_validation=1;
drop user foo1;
drop user foo1;
uninstall plugin simple_password_check;
uninstall plugin simple_password_check;
create user foo1 identified by 'pwd';
create user foo1 identified by 'pwd';
...
...
mysql-test/suite/plugins/t/simple_password_check.test
View file @
7516a3c7
...
@@ -58,6 +58,48 @@ set password for foo1 = password('qwe:123:4SD!');
...
@@ -58,6 +58,48 @@ set password for foo1 = password('qwe:123:4SD!');
--
error
ER_NOT_VALID_PASSWORD
--
error
ER_NOT_VALID_PASSWORD
set
password
for
foo1
=
old_password
(
'qwe:123:ASD4'
);
set
password
for
foo1
=
old_password
(
'qwe:123:ASD4'
);
set
password
for
foo1
=
password
(
'qwe:123:ASD!'
);
set
password
for
foo1
=
password
(
'qwe:123:ASD!'
);
# now, strict_password_validation
select
@@
strict_password_validation
;
--
error
ER_NOT_VALID_PASSWORD
set
password
for
foo1
=
''
;
--
error
ER_OPTION_PREVENTS_STATEMENT
set
password
for
foo1
=
'2222222222222222'
;
--
error
ER_OPTION_PREVENTS_STATEMENT
set
password
for
foo1
=
'11111111111111111111111111111111111111111'
;
--
error
ER_OPTION_PREVENTS_STATEMENT
create
user
foo2
identified
by
password
'11111111111111111111111111111111111111111'
;
--
error
ER_OPTION_PREVENTS_STATEMENT
grant
select
on
*.*
to
foo2
identified
by
password
'2222222222222222'
;
--
error
ER_OPTION_PREVENTS_STATEMENT
create
user
foo2
identified
with
mysql_native_password
using
'11111111111111111111111111111111111111111'
;
--
error
ER_OPTION_PREVENTS_STATEMENT
grant
select
on
*.*
to
foo2
identified
with
mysql_old_password
using
'2222222222222222'
;
--
error
ER_NOT_VALID_PASSWORD
create
user
foo2
identified
with
mysql_native_password
using
''
;
--
error
ER_NOT_VALID_PASSWORD
grant
select
on
*.*
to
foo2
identified
with
mysql_old_password
;
# direct updates are not protected
update
mysql
.
user
set
password
=
'xxx'
where
user
=
'foo1'
;
set
global
strict_password_validation
=
0
;
--
error
ER_NOT_VALID_PASSWORD
set
password
for
foo1
=
''
;
set
password
for
foo1
=
'2222222222222222'
;
set
password
for
foo1
=
'11111111111111111111111111111111111111111'
;
create
user
foo2
identified
by
password
'11111111111111111111111111111111111111111'
;
drop
user
foo2
;
grant
select
on
*.*
to
foo2
identified
by
password
'2222222222222222'
;
drop
user
foo2
;
create
user
foo2
identified
with
mysql_native_password
using
'11111111111111111111111111111111111111111'
;
drop
user
foo2
;
grant
select
on
*.*
to
foo2
identified
with
mysql_old_password
using
'2222222222222222'
;
drop
user
foo2
;
set
global
strict_password_validation
=
1
;
drop
user
foo1
;
drop
user
foo1
;
uninstall
plugin
simple_password_check
;
uninstall
plugin
simple_password_check
;
...
...
mysql-test/suite/sys_vars/r/all_vars.result
View file @
7516a3c7
...
@@ -10,5 +10,6 @@ there should be *no* long test name listed below:
...
@@ -10,5 +10,6 @@ there should be *no* long test name listed below:
select distinct variable_name as `there should be *no* variables listed below:` from t2
select distinct variable_name as `there should be *no* variables listed below:` from t2
left join t1 on variable_name=test_name where test_name is null;
left join t1 on variable_name=test_name where test_name is null;
there should be *no* variables listed below:
there should be *no* variables listed below:
strict_password_validation
drop table t1;
drop table t1;
drop table t2;
drop table t2;
mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
View file @
7516a3c7
...
@@ -3647,6 +3647,20 @@ NUMERIC_BLOCK_SIZE 1
...
@@ -3647,6 +3647,20 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL
ENUM_VALUE_LIST NULL
READ_ONLY NO
READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED
COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME STRICT_PASSWORD_VALIDATION
SESSION_VALUE NULL
GLOBAL_VALUE ON
GLOBAL_VALUE_ORIGIN COMPILE-TIME
DEFAULT_VALUE ON
VARIABLE_SCOPE GLOBAL
VARIABLE_TYPE BOOLEAN
VARIABLE_COMMENT When password validation plugins are enabled, reject passwords that cannot be validated (passwords specified as a hash)
NUMERIC_MIN_VALUE NULL
NUMERIC_MAX_VALUE NULL
NUMERIC_BLOCK_SIZE NULL
ENUM_VALUE_LIST OFF,ON
READ_ONLY NO
COMMAND_LINE_ARGUMENT OPTIONAL
VARIABLE_NAME SYNC_BINLOG
VARIABLE_NAME SYNC_BINLOG
SESSION_VALUE NULL
SESSION_VALUE NULL
GLOBAL_VALUE 0
GLOBAL_VALUE 0
...
...
mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
View file @
7516a3c7
...
@@ -4249,6 +4249,20 @@ NUMERIC_BLOCK_SIZE 1
...
@@ -4249,6 +4249,20 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL
ENUM_VALUE_LIST NULL
READ_ONLY NO
READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED
COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME STRICT_PASSWORD_VALIDATION
SESSION_VALUE NULL
GLOBAL_VALUE ON
GLOBAL_VALUE_ORIGIN COMPILE-TIME
DEFAULT_VALUE ON
VARIABLE_SCOPE GLOBAL
VARIABLE_TYPE BOOLEAN
VARIABLE_COMMENT When password validation plugins are enabled, reject passwords that cannot be validated (passwords specified as a hash)
NUMERIC_MIN_VALUE NULL
NUMERIC_MAX_VALUE NULL
NUMERIC_BLOCK_SIZE NULL
ENUM_VALUE_LIST OFF,ON
READ_ONLY NO
COMMAND_LINE_ARGUMENT OPTIONAL
VARIABLE_NAME SYNC_BINLOG
VARIABLE_NAME SYNC_BINLOG
SESSION_VALUE NULL
SESSION_VALUE NULL
GLOBAL_VALUE 0
GLOBAL_VALUE 0
...
...
sql/mysqld.cc
View file @
7516a3c7
...
@@ -431,7 +431,7 @@ my_bool opt_safe_user_create = 0;
...
@@ -431,7 +431,7 @@ my_bool opt_safe_user_create = 0;
my_bool
opt_show_slave_auth_info
;
my_bool
opt_show_slave_auth_info
;
my_bool
opt_log_slave_updates
=
0
;
my_bool
opt_log_slave_updates
=
0
;
my_bool
opt_replicate_annotate_row_events
=
0
;
my_bool
opt_replicate_annotate_row_events
=
0
;
my_bool
opt_mysql56_temporal_format
=
0
;
my_bool
opt_mysql56_temporal_format
=
0
,
strict_password_validation
=
1
;
char
*
opt_slave_skip_errors
;
char
*
opt_slave_skip_errors
;
/*
/*
...
...
sql/mysqld.h
View file @
7516a3c7
...
@@ -748,7 +748,7 @@ extern my_bool opt_master_verify_checksum;
...
@@ -748,7 +748,7 @@ extern my_bool opt_master_verify_checksum;
extern
my_bool
opt_stack_trace
;
extern
my_bool
opt_stack_trace
;
extern
my_bool
opt_expect_abort
;
extern
my_bool
opt_expect_abort
;
extern
my_bool
opt_slave_sql_verify_checksum
;
extern
my_bool
opt_slave_sql_verify_checksum
;
extern
my_bool
opt_mysql56_temporal_format
;
extern
my_bool
opt_mysql56_temporal_format
,
strict_password_validation
;
extern
ulong
binlog_checksum_options
;
extern
ulong
binlog_checksum_options
;
extern
bool
max_user_connections_checking
;
extern
bool
max_user_connections_checking
;
extern
ulong
opt_binlog_dbug_fsync_sleep
;
extern
ulong
opt_binlog_dbug_fsync_sleep
;
...
...
sql/sql_acl.cc
View file @
7516a3c7
...
@@ -892,6 +892,17 @@ static bool validate_password(LEX_STRING *user, LEX_STRING *password)
...
@@ -892,6 +892,17 @@ static bool validate_password(LEX_STRING *user, LEX_STRING *password)
MariaDB_PASSWORD_VALIDATION_PLUGIN
,
&
data
);
MariaDB_PASSWORD_VALIDATION_PLUGIN
,
&
data
);
}
}
static
my_bool
check_if_exists
(
THD
*
,
plugin_ref
,
void
*
)
{
return
TRUE
;
}
static
bool
has_validation_plugins
()
{
return
plugin_foreach
(
NULL
,
check_if_exists
,
MariaDB_PASSWORD_VALIDATION_PLUGIN
,
NULL
);
}
/**
/**
Convert scrambled password to binary form, according to scramble type,
Convert scrambled password to binary form, according to scramble type,
Binary form is stored in user.salt.
Binary form is stored in user.salt.
...
@@ -1020,6 +1031,14 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
...
@@ -1020,6 +1031,14 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
return
true
;
return
true
;
}
}
}
}
else
{
if
(
strict_password_validation
&&
has_validation_plugins
())
{
my_error
(
ER_OPTION_PREVENTS_STATEMENT
,
MYF
(
0
),
"--strict-password-validation"
);
return
true
;
}
}
if
(
user
->
password
.
length
&&
!
user
->
auth
.
length
)
if
(
user
->
password
.
length
&&
!
user
->
auth
.
length
)
{
{
...
...
sql/sys_vars.cc
View file @
7516a3c7
...
@@ -5077,3 +5077,10 @@ static Sys_var_mybool Sys_mysql56_temporal_format(
...
@@ -5077,3 +5077,10 @@ static Sys_var_mybool Sys_mysql56_temporal_format(
"Use MySQL-5.6 (instead of MariaDB-5.3) format for TIME, DATETIME, TIMESTAMP columns."
,
"Use MySQL-5.6 (instead of MariaDB-5.3) format for TIME, DATETIME, TIMESTAMP columns."
,
GLOBAL_VAR
(
opt_mysql56_temporal_format
),
GLOBAL_VAR
(
opt_mysql56_temporal_format
),
CMD_LINE
(
OPT_ARG
),
DEFAULT
(
TRUE
),
NO_MUTEX_GUARD
,
NOT_IN_BINLOG
);
CMD_LINE
(
OPT_ARG
),
DEFAULT
(
TRUE
),
NO_MUTEX_GUARD
,
NOT_IN_BINLOG
);
static
Sys_var_mybool
Sys_strict_password_validation
(
"strict_password_validation"
,
"When password validation plugins are enabled, reject passwords "
"that cannot be validated (passwords specified as a hash)"
,
GLOBAL_VAR
(
strict_password_validation
),
CMD_LINE
(
OPT_ARG
),
DEFAULT
(
TRUE
),
NO_MUTEX_GUARD
,
NOT_IN_BINLOG
);
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment