Commit 7516a3c7 authored by Sergei Golubchik's avatar Sergei Golubchik

strict_password_validation

parent b8140467
...@@ -987,6 +987,11 @@ The following options may be given as the first argument: ...@@ -987,6 +987,11 @@ The following options may be given as the first argument:
--stored-program-cache=# --stored-program-cache=#
The soft upper limit for number of cached stored routines The soft upper limit for number of cached stored routines
for one connection. for one connection.
--strict-password-validation
When password validation plugins are enabled, reject
passwords that cannot be validated (passwords specified
as a hash)
(Defaults to on; use --skip-strict-password-validation to disable.)
-s, --symbolic-links -s, --symbolic-links
Enable symbolic link support. Enable symbolic link support.
--sync-binlog=# Synchronously flush binary log to disk after every #th --sync-binlog=# Synchronously flush binary log to disk after every #th
...@@ -1348,6 +1353,7 @@ sort-buffer-size 2097152 ...@@ -1348,6 +1353,7 @@ sort-buffer-size 2097152
sql-mode sql-mode
stack-trace TRUE stack-trace TRUE
stored-program-cache 256 stored-program-cache 256
strict-password-validation TRUE
symbolic-links FALSE symbolic-links FALSE
sync-binlog 0 sync-binlog 0
sync-frm FALSE sync-frm FALSE
...@@ -109,6 +109,42 @@ ERROR HY000: Your password does not satisfy the current policy requirements ...@@ -109,6 +109,42 @@ ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = old_password('qwe:123:ASD4'); set password for foo1 = old_password('qwe:123:ASD4');
ERROR HY000: Your password does not satisfy the current policy requirements ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = password('qwe:123:ASD!'); set password for foo1 = password('qwe:123:ASD!');
select @@strict_password_validation;
@@strict_password_validation
1
set password for foo1 = '';
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = '2222222222222222';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
set password for foo1 = '11111111111111111111111111111111111111111';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
create user foo2 identified by password '11111111111111111111111111111111111111111';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
grant select on *.* to foo2 identified by password '2222222222222222';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
ERROR HY000: The MariaDB server is running with the --strict-password-validation option so it cannot execute this statement
create user foo2 identified with mysql_native_password using '';
ERROR HY000: Your password does not satisfy the current policy requirements
grant select on *.* to foo2 identified with mysql_old_password;
ERROR HY000: Your password does not satisfy the current policy requirements
update mysql.user set password='xxx' where user='foo1';
set global strict_password_validation=0;
set password for foo1 = '';
ERROR HY000: Your password does not satisfy the current policy requirements
set password for foo1 = '2222222222222222';
set password for foo1 = '11111111111111111111111111111111111111111';
create user foo2 identified by password '11111111111111111111111111111111111111111';
drop user foo2;
grant select on *.* to foo2 identified by password '2222222222222222';
drop user foo2;
create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
drop user foo2;
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
drop user foo2;
set global strict_password_validation=1;
drop user foo1; drop user foo1;
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
...@@ -58,6 +58,48 @@ set password for foo1 = password('qwe:123:4SD!'); ...@@ -58,6 +58,48 @@ set password for foo1 = password('qwe:123:4SD!');
--error ER_NOT_VALID_PASSWORD --error ER_NOT_VALID_PASSWORD
set password for foo1 = old_password('qwe:123:ASD4'); set password for foo1 = old_password('qwe:123:ASD4');
set password for foo1 = password('qwe:123:ASD!'); set password for foo1 = password('qwe:123:ASD!');
# now, strict_password_validation
select @@strict_password_validation;
--error ER_NOT_VALID_PASSWORD
set password for foo1 = '';
--error ER_OPTION_PREVENTS_STATEMENT
set password for foo1 = '2222222222222222';
--error ER_OPTION_PREVENTS_STATEMENT
set password for foo1 = '11111111111111111111111111111111111111111';
--error ER_OPTION_PREVENTS_STATEMENT
create user foo2 identified by password '11111111111111111111111111111111111111111';
--error ER_OPTION_PREVENTS_STATEMENT
grant select on *.* to foo2 identified by password '2222222222222222';
--error ER_OPTION_PREVENTS_STATEMENT
create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
--error ER_OPTION_PREVENTS_STATEMENT
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
--error ER_NOT_VALID_PASSWORD
create user foo2 identified with mysql_native_password using '';
--error ER_NOT_VALID_PASSWORD
grant select on *.* to foo2 identified with mysql_old_password;
# direct updates are not protected
update mysql.user set password='xxx' where user='foo1';
set global strict_password_validation=0;
--error ER_NOT_VALID_PASSWORD
set password for foo1 = '';
set password for foo1 = '2222222222222222';
set password for foo1 = '11111111111111111111111111111111111111111';
create user foo2 identified by password '11111111111111111111111111111111111111111';
drop user foo2;
grant select on *.* to foo2 identified by password '2222222222222222';
drop user foo2;
create user foo2 identified with mysql_native_password using '11111111111111111111111111111111111111111';
drop user foo2;
grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
drop user foo2;
set global strict_password_validation=1;
drop user foo1; drop user foo1;
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
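Review bot: The hunk exercises strict_password_validation=ON only while simple_password_check is loaded; the case the variable's help text singles out — option ON but no validation plugin installed, password given as a hash — is never shown to be accepted, and `has_validation_plugins()` is exactly what distinguishes it. After the `uninstall plugin simple_password_check;` on the last line I would add `create user foo3 identified by password '2222222222222222';` and `drop user foo3;` so a regression that drops the plugin check surfaces here. The test continues past the hunk, so if that is already covered there this can be ignored. The `# direct updates are not protected` line documents a real bypass (`UPDATE mysql.user`) rather than a tested behaviour; a trailing `# (neither the plugins nor --strict-password-validation see it)` would make that explicit for the next reader.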
...@@ -10,5 +10,6 @@ there should be *no* long test name listed below: ...@@ -10,5 +10,6 @@ there should be *no* long test name listed below:
select distinct variable_name as `there should be *no* variables listed below:` from t2 select distinct variable_name as `there should be *no* variables listed below:` from t2
left join t1 on variable_name=test_name where test_name is null; left join t1 on variable_name=test_name where test_name is null;
there should be *no* variables listed below: there should be *no* variables listed below:
strict_password_validation
drop table t1; drop table t1;
drop table t2; drop table t2;
...@@ -3647,6 +3647,20 @@ NUMERIC_BLOCK_SIZE 1 ...@@ -3647,6 +3647,20 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL ENUM_VALUE_LIST NULL
READ_ONLY NO READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME STRICT_PASSWORD_VALIDATION
SESSION_VALUE NULL
GLOBAL_VALUE ON
GLOBAL_VALUE_ORIGIN COMPILE-TIME
DEFAULT_VALUE ON
VARIABLE_SCOPE GLOBAL
VARIABLE_TYPE BOOLEAN
VARIABLE_COMMENT When password validation plugins are enabled, reject passwords that cannot be validated (passwords specified as a hash)
NUMERIC_MIN_VALUE NULL
NUMERIC_MAX_VALUE NULL
NUMERIC_BLOCK_SIZE NULL
ENUM_VALUE_LIST OFF,ON
READ_ONLY NO
COMMAND_LINE_ARGUMENT OPTIONAL
VARIABLE_NAME SYNC_BINLOG VARIABLE_NAME SYNC_BINLOG
SESSION_VALUE NULL SESSION_VALUE NULL
GLOBAL_VALUE 0 GLOBAL_VALUE 0
...@@ -4249,6 +4249,20 @@ NUMERIC_BLOCK_SIZE 1 ...@@ -4249,6 +4249,20 @@ NUMERIC_BLOCK_SIZE 1
ENUM_VALUE_LIST NULL ENUM_VALUE_LIST NULL
READ_ONLY NO READ_ONLY NO
COMMAND_LINE_ARGUMENT REQUIRED COMMAND_LINE_ARGUMENT REQUIRED
VARIABLE_NAME STRICT_PASSWORD_VALIDATION
SESSION_VALUE NULL
GLOBAL_VALUE ON
GLOBAL_VALUE_ORIGIN COMPILE-TIME
DEFAULT_VALUE ON
VARIABLE_SCOPE GLOBAL
VARIABLE_TYPE BOOLEAN
VARIABLE_COMMENT When password validation plugins are enabled, reject passwords that cannot be validated (passwords specified as a hash)
NUMERIC_MIN_VALUE NULL
NUMERIC_MAX_VALUE NULL
NUMERIC_BLOCK_SIZE NULL
ENUM_VALUE_LIST OFF,ON
READ_ONLY NO
COMMAND_LINE_ARGUMENT OPTIONAL
VARIABLE_NAME SYNC_BINLOG VARIABLE_NAME SYNC_BINLOG
SESSION_VALUE NULL SESSION_VALUE NULL
GLOBAL_VALUE 0 GLOBAL_VALUE 0
...@@ -431,7 +431,7 @@ my_bool opt_safe_user_create = 0; ...@@ -431,7 +431,7 @@ my_bool opt_safe_user_create = 0;
my_bool opt_show_slave_auth_info; my_bool opt_show_slave_auth_info;
my_bool opt_log_slave_updates= 0; my_bool opt_log_slave_updates= 0;
my_bool opt_replicate_annotate_row_events= 0; my_bool opt_replicate_annotate_row_events= 0;
my_bool opt_mysql56_temporal_format= 0; my_bool opt_mysql56_temporal_format=0, strict_password_validation= 1;
char *opt_slave_skip_errors; char *opt_slave_skip_errors;
/* /*
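Review bot: The new global is declared on the same line as `opt_mysql56_temporal_format` with a different initializer, and it breaks the `opt_` prefix convention of its neighbours (`opt_safe_user_create`, `opt_log_slave_updates`, `opt_mysql56_temporal_format`). I would split it into `my_bool opt_mysql56_temporal_format= 0;` and `my_bool strict_password_validation= 1;` so the security-relevant default is visible on its own line. Renaming to `opt_strict_password_validation` would also touch the `extern` in mysqld.h and the `GLOBAL_VAR()` in sys_vars.cc, so that is a judgement call for the author.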
...@@ -748,7 +748,7 @@ extern my_bool opt_master_verify_checksum; ...@@ -748,7 +748,7 @@ extern my_bool opt_master_verify_checksum;
extern my_bool opt_stack_trace; extern my_bool opt_stack_trace;
extern my_bool opt_expect_abort; extern my_bool opt_expect_abort;
extern my_bool opt_slave_sql_verify_checksum; extern my_bool opt_slave_sql_verify_checksum;
extern my_bool opt_mysql56_temporal_format; extern my_bool opt_mysql56_temporal_format, strict_password_validation;
extern ulong binlog_checksum_options; extern ulong binlog_checksum_options;
extern bool max_user_connections_checking; extern bool max_user_connections_checking;
extern ulong opt_binlog_dbug_fsync_sleep; extern ulong opt_binlog_dbug_fsync_sleep;
...@@ -892,6 +892,17 @@ static bool validate_password(LEX_STRING *user, LEX_STRING *password) ...@@ -892,6 +892,17 @@ static bool validate_password(LEX_STRING *user, LEX_STRING *password)
MariaDB_PASSWORD_VALIDATION_PLUGIN, &data); MariaDB_PASSWORD_VALIDATION_PLUGIN, &data);
} }
static my_bool check_if_exists(THD *, plugin_ref, void *)
{
return TRUE;
}
static bool has_validation_plugins()
{
return plugin_foreach(NULL, check_if_exists,
MariaDB_PASSWORD_VALIDATION_PLUGIN, NULL);
}
/** /**
Convert scrambled password to binary form, according to scramble type, Convert scrambled password to binary form, according to scramble type,
Binary form is stored in user.salt. Binary form is stored in user.salt.
...@@ -1020,6 +1031,14 @@ static bool fix_lex_user(THD *thd, LEX_USER *user) ...@@ -1020,6 +1031,14 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
return true; return true;
} }
} }
else
{
if (strict_password_validation && has_validation_plugins())
{
my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--strict-password-validation");
return true;
}
}
if (user->password.length && !user->auth.length) if (user->password.length && !user->auth.length)
{ {
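Review bot: `has_validation_plugins()` and its `check_if_exists` callback carry no comment, yet the new `else` branch depends on a non-obvious `plugin_foreach` convention — presumably a callback returning TRUE stops the walk and makes `plugin_foreach` return TRUE, so the helper answers "at least one password-validation plugin is loaded"; if someone later returns FALSE there to "keep iterating", the strict check silently turns itself off. Suggested comment above the helper: `/* True if at least one MariaDB_PASSWORD_VALIDATION_PLUGIN is loaded. Under --strict-password-validation a password supplied as a hash is then refused, since no plugin can inspect it. */`. The `if` this `else` pairs with and the enclosing `fix_lex_user()` start outside the hunk, so that this branch is reached only for pre-hashed passwords is inferred from the test expectations, not visible here. Note also that the guard lives on the statement path only: the test's own `# direct updates are not protected` shows `UPDATE mysql.user SET password=...` bypasses both the plugins and this option, which is worth a one-line comment next to the `my_error` call.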
...@@ -5077,3 +5077,10 @@ static Sys_var_mybool Sys_mysql56_temporal_format( ...@@ -5077,3 +5077,10 @@ static Sys_var_mybool Sys_mysql56_temporal_format(
"Use MySQL-5.6 (instead of MariaDB-5.3) format for TIME, DATETIME, TIMESTAMP columns.", "Use MySQL-5.6 (instead of MariaDB-5.3) format for TIME, DATETIME, TIMESTAMP columns.",
GLOBAL_VAR(opt_mysql56_temporal_format), GLOBAL_VAR(opt_mysql56_temporal_format),
CMD_LINE(OPT_ARG), DEFAULT(TRUE), NO_MUTEX_GUARD, NOT_IN_BINLOG); CMD_LINE(OPT_ARG), DEFAULT(TRUE), NO_MUTEX_GUARD, NOT_IN_BINLOG);
static Sys_var_mybool Sys_strict_password_validation(
"strict_password_validation",
"When password validation plugins are enabled, reject passwords "
"that cannot be validated (passwords specified as a hash)",
GLOBAL_VAR(strict_password_validation),
CMD_LINE(OPT_ARG), DEFAULT(TRUE), NO_MUTEX_GUARD, NOT_IN_BINLOG);
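Review bot: The variable's help text says what is rejected but not where the check is enforced or what it does not cover, and the operational consequence of `DEFAULT(TRUE)` plus `NOT_IN_BINLOG` is not recorded anywhere in the hunk. I would add above the definition: `// Enforced in fix_lex_user() for SET PASSWORD / CREATE USER / GRANT with IDENTIFIED BY PASSWORD or IDENTIFIED WITH ... USING a hash; direct writes to mysql.user are not checked. Not replicated: a replica or dump restore carrying hashed-password statements fails with ER_OPTION_PREVENTS_STATEMENT while a validation plugin is loaded, unless the option is disabled there.`. The replication/restore effect is inferred from the test expectations and the NOT_IN_BINLOG flag rather than shown directly, so phrase it as the author sees fit.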