Commit c9a9ae65 authored by Oleksandr Byelkin's avatar Oleksandr Byelkin

MDEV-26650: Failed ALTER USER/GRANT statement removes the password from the cache

Starting from 10.4 AUTH is not part of ACL_USER so changes have to be done
over a copy, and bring in the cache only in case of success.
parent a736a317
...@@ -161,3 +161,23 @@ flush privileges; ...@@ -161,3 +161,23 @@ flush privileges;
uninstall plugin simple_password_check; uninstall plugin simple_password_check;
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
drop user foo1; drop user foo1;
#
# MDEV-26650: Failed ALTER USER/GRANT statement removes the
# password from the cache
#
create user foo1@localhost identified by '<GDFH:3ghj';
show grants for foo1@localhost;
Grants for foo1@localhost
GRANT USAGE ON *.* TO `foo1`@`localhost` IDENTIFIED BY PASSWORD '*1D62FA326F98258451ED56A404F15452423DCC1D'
install soname "simple_password_check";
ALTER USER foo1@localhost identified by 'foo1';
ERROR HY000: Operation ALTER USER failed for 'foo1'@'localhost'
show grants for foo1@localhost;
Grants for foo1@localhost
GRANT USAGE ON *.* TO `foo1`@`localhost` IDENTIFIED BY PASSWORD '*1D62FA326F98258451ED56A404F15452423DCC1D'
flush privileges;
show grants for foo1@localhost;
Grants for foo1@localhost
GRANT USAGE ON *.* TO `foo1`@`localhost` IDENTIFIED BY PASSWORD '*1D62FA326F98258451ED56A404F15452423DCC1D'
drop user foo1@localhost;
uninstall plugin simple_password_check;
...@@ -122,3 +122,17 @@ uninstall plugin simple_password_check; ...@@ -122,3 +122,17 @@ uninstall plugin simple_password_check;
create user foo1 identified by 'pwd'; create user foo1 identified by 'pwd';
drop user foo1; drop user foo1;
--echo #
--echo # MDEV-26650: Failed ALTER USER/GRANT statement removes the
--echo # password from the cache
--echo #
create user foo1@localhost identified by '<GDFH:3ghj';
show grants for foo1@localhost;
install soname "simple_password_check";
--error ER_CANNOT_USER
ALTER USER foo1@localhost identified by 'foo1';
show grants for foo1@localhost;
flush privileges;
show grants for foo1@localhost;
drop user foo1@localhost;
uninstall plugin simple_password_check;
...@@ -3227,21 +3227,22 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth, ...@@ -3227,21 +3227,22 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth,
const Account_options &options, const Account_options &options,
const ulong privileges) const ulong privileges)
{ {
ACL_USER_PARAM::AUTH *work_copy= NULL;
if (nauth) if (nauth)
{ {
if (acl_user->nauth >= nauth) if (!(work_copy= (ACL_USER_PARAM::AUTH*)
acl_user->nauth= nauth; alloc_root(thd->mem_root, nauth * sizeof(ACL_USER_PARAM::AUTH))))
else return 1;
acl_user->alloc_auth(&acl_memroot, nauth);
USER_AUTH *auth= combo.auth; USER_AUTH *auth= combo.auth;
for (uint i= 0; i < nauth; i++, auth= auth->next) for (uint i= 0; i < nauth; i++, auth= auth->next)
{ {
acl_user->auth[i].plugin= auth->plugin; work_copy[i].plugin= auth->plugin;
acl_user->auth[i].auth_string= safe_lexcstrdup_root(&acl_memroot, auth->auth_str); work_copy[i].auth_string= safe_lexcstrdup_root(&acl_memroot,
if (fix_user_plugin_ptr(acl_user->auth + i)) auth->auth_str);
acl_user->auth[i].plugin= safe_lexcstrdup_root(&acl_memroot, auth->plugin); if (fix_user_plugin_ptr(work_copy + i))
if (set_user_auth(thd, acl_user->user, acl_user->auth + i, auth->pwtext)) work_copy[i].plugin= safe_lexcstrdup_root(&acl_memroot, auth->plugin);
if (set_user_auth(thd, acl_user->user, work_copy + i, auth->pwtext))
return 1; return 1;
} }
} }
...@@ -3269,11 +3270,34 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth, ...@@ -3269,11 +3270,34 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth,
if (options.account_locked != ACCOUNTLOCK_UNSPECIFIED) if (options.account_locked != ACCOUNTLOCK_UNSPECIFIED)
acl_user->account_locked= options.account_locked == ACCOUNTLOCK_LOCKED; acl_user->account_locked= options.account_locked == ACCOUNTLOCK_LOCKED;
/* Unexpire the user password */ if (thd->is_error())
{
// If something went wrong (including OOM) we will not spoil acl cache
return 1;
}
/* Unexpire the user password and copy AUTH (when no more errors possible)*/
if (nauth) if (nauth)
{ {
acl_user->password_expired= false; acl_user->password_expired= false;
acl_user->password_last_changed= thd->query_start();; acl_user->password_last_changed= thd->query_start();
if (acl_user->nauth >= nauth)
{
acl_user->nauth= nauth;
}
else
{
if (acl_user->alloc_auth(&acl_memroot, nauth))
{
/*
acl_user is a copy, so NULL assigned in case of an error do not
change the acl cache
*/
return 1;
}
}
DBUG_ASSERT(work_copy); // allocated under the same condinition
memcpy(acl_user->auth, work_copy, nauth * sizeof(ACL_USER_PARAM::AUTH));
} }
switch (options.password_expire) { switch (options.password_expire) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment