- 14 Feb, 2024 1 commit
-
-
Sergei Golubchik authored
Revert "Deb: Stop shipping mariadb-plugin-spider separately, include in server" This reverts commit 9945d482.
-
- 13 Feb, 2024 1 commit
-
-
Otto Kekäläinen authored
Instead of having a separate plugin, simply include Spider in the main MariaDB Server package and let users manually enable on server installs where they want to run it.
-
- 12 Feb, 2024 12 commits
-
-
Nikita Malyavin authored
Restrict access to KEY_PERIOD_USAGE: show the constraint record iff any non-select privilege on any table column is granted. Also drop the unprivileged user in the end of test and add merge anchor.
-
Nikita Malyavin authored
Set the correct values for idx_field1, idx_field2 (i.e. db and table name fields) of ST_SCHEMA_TABLE instance.
-
Nikita Malyavin authored
-
Nikita Malyavin authored
Move table open result processing to the caller * st_schema_table::process_table doesn't have to check whether the table was opened successfully * It also doesn't have to check for a thd error and convert it to a warning * This simplifies adding new tables into information_schema * A callback still can output some info to a user in case of error. In order to do this, I_S_EXTENDED_ERROR_HANDLING should be specified in i_s_requested_object.
-
Nikita Malyavin authored
Now one can call thd->sql_command_flags() instead of sql_command_flags[thd->lex->sql_command].
-
Nikita Malyavin authored
Two new information_schema views are added: * PERIOD table -- columns TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME, PERIOD_NAME, START_COLUMN_NAME, END_COLUMN_NAME. * KEY_PERIOD_USAGE -- works similar to KEY_COLUMN_USAGE, but for periods. Columns CONSTRAINT_CATALOG, CONSTRAINT_SCHEMA, CONSTRAINT_NAME, TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME, PERIOD_NAME Two new columns are added to the COLUMNS view: IS_SYSTEM_TIME_PERIOD_START, IS_SYSTEM_TIME_PERIOD_END - contain YES/NO.
-
Nikita Malyavin authored
Embedded server has an option to opt out grant checks. sql_show.cc: reduce ifdefs by using embedded acl stub calls sql_acl.cc: add stub for embedded get_column_grant
-
Nikita Malyavin authored
-
Nikita Malyavin authored
-
Nikita Malyavin authored
-
Nikita Malyavin authored
-
Daniel Black authored
-
- 09 Feb, 2024 1 commit
-
-
Vladislav Vaintroub authored
Adjust test after fixing the C/C. On Windows, use --host=127.0.0.2 to fake "insecure" transport with TCP connection for test purposes. 127.0.0.2 is loopback address, that can be used instead of usual 127.0.0.1 Unfortunately, this technique does not work on all *nixes the same, notably neither on BSDs nor Solaris. Thus default --host=localhost remains "insecure" transport,when TCP is used. but it is not that critical, the "self-signed" is not nearly as annoying on *nixes as it is on Windows.
-
- 08 Feb, 2024 1 commit
-
-
Alexander Barkov authored
Changing the format in error messages: - ER_PACKAGE_ROUTINE_IN_SPEC_NOT_DEFINED_IN_BODY - ER_PACKAGE_ROUTINE_FORWARD_DECLARATION_NOT_DEFINED from "Subroutine 'db.pkg.f1' ..." to a more clear: "FUNCTION `db.pkg.f1` ..." "PROCEDURE `db.pkg.p1` ..."
-
- 05 Feb, 2024 2 commits
-
-
Brandon Nesterenko authored
This reverts commit c37b2087. In c37b20887, when re-binlogging a GTID event on a replica, it will overwrite the thread_id from the primary to be the value of the slave applier (SQL thread or parallel worker). This should be the value of the original thread_id on the master connection though, to both help track temporary tables, and be consistent with Query_log_event. Reverting the commit to re-target 11.5, so we can re-test with the corrected thread_id.
-
Alexander Barkov authored
When displaying the ER_SP_DOES_NOT_EXIST error, use Sp_handler::type_lex_cstring() to the the underlying object type: - PROCEDURE - FUNCTION - PACKAGE - PACKAGE BODY instead of hard-coded "FUNCTION or PROCEDURE".
-
- 04 Feb, 2024 18 commits
-
-
Sergei Golubchik authored
-
Sergei Golubchik authored
-
Sergei Golubchik authored
* --ssl-verify-server-cert was not enabled explicitly, and * CA was not specified, and * fingerprint was not specified, and * protocol is TCP, and * no password was provided insecure passwordless logins are common in test environment, let's not break them. practically, it hardly makes sense to have strong MitM protection if an attacker can simply login without a password. Covers mariadb, mariadb-admin, mariadb-binlog, mariadb-dump
-
Sergei Golubchik authored
enable ssl + ssl_verify_server_cert in the internal client too * fix replication tests to disable master_ssl_verify_server_cert because accounts are passwordless - except rpl.rpl_ssl1 * fix federated/federatedx/connect to disable SSL_VERIFY_SERVER_CERT because they cannot configure an ssl connection * fix spider to disable ssl_verify_server_cert, if configuration says so, as spider _can_ configure an ssl connection * memory leak in embedded test-connect
-
Sergei Golubchik authored
port the client-side implementation from C/C to the internal client. add the test.
-
Sergei Golubchik authored
because it doesn't work. CONC-635.
-
Sergei Golubchik authored
it's not an ssl option, so shouldn't be in mysql_ssl_free(), which frees ssl options, and only unless CLIENT_REMEMBER_OPTIONS is set. mysql->connector_fd must be freed when mysql->net.vio is closed and fd becomes no longer valid
-
Sergei Golubchik authored
use SSL_VERIFY_PEER with the "always ok" callback, instead of SSL_VERIFY_NONE with no callback. The latter doesn't work correctly in wolfSSL, it accepts self-signed certificates just fine (as in OpenSSL), but after that SSL_get_verify_result() returns X509_V_OK, while it returns an error (e.g. X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) in OpenSSL.
-
Sergei Golubchik authored
X509_check_host() and X509_check_ip_asc() exist in all supported SSL libraries in OpenSSL >= 1.0.2 and in the bundled WolfSSL And X509_free() handles NULL pointers all right.
-
Sergei Golubchik authored
* type of mi->ssl_verify_server_cert must be my_bool, because it's passed by address to mysql_options(), and the latter expects my_bool * explicitly disable ssl in MYSQL if mi->ssl is 0 * remove dead code (`#ifdef NOT_USED`) * remove useless casts and checks replacing empty strings with NULL (new_VioSSLFd() does that internally)
-
Sergei Golubchik authored
-
Sergei Golubchik authored
except in bootstrap
-
Sergei Golubchik authored
if the server is started with --ssl but without neither --ssl-key nor --ssl-cert, let it automatically generate a self-signed certificate. It's generated in memory only and never saved to disk.
-
Sergei Golubchik authored
when neither --ssl-key nor --ssl-cert were set, the errror was "Private key does not match the certificate public key" changed to "Unable to get certificate"
-
Sergei Golubchik authored
-
Sergei Golubchik authored
verify that --ssl-verify-server-cert detects cert mismatch, but with --disable-ssl-verify-server-cert the connection succeeds
-
Sergei Golubchik authored
implement --ssl-fp and --ssl-fplist for all clients. --ssl-fp takes one certificate fingerprint, for example, 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --ssl-fplist takes a path to a file with one fingerprint per line. if the server's certificate fingerprint matches ssl-fp or is found in the file - the certificate is considered verified. If the fingerprint is specified but doesn't match - the connection is aborted independently from the --ssl-verify-server-cert
-
Sergei Golubchik authored
if the client enabled --ssl-verify-server-cert, then the server certificate is verified as follows: * if --ssl-ca or --ssl-capath were specified, the cert must have a proper signature by the specified CA (or CA in the path) and the cert's hostname must match the server's hostname. If the cert isn't signed or a hostname is wrong - the connection is aborted. * if MARIADB_OPT_TLS_PEER_FP was used and the fingerprint matches, the connection is allowed, if it doesn't match - aborted. * If the connection uses unix socket or named pipes - it's allowed. (consistent with server's --require-secure-transport behavior) otherwise the cert is still in doubt, we don't know if we can trust it or there's an active MitM in progress. * If the user has provided no password or the server requested an authentication plugin that sends the password in cleartext - the connection is aborted. * Perform the authentication. If the server accepts the password, it'll send SHA2(scramble || password hash || cert fingerprint) with the OK packet. * Verify the SHA2 digest, if it matches - the connection is allowed, otherwise it's aborted.
-
- 03 Feb, 2024 4 commits
-
-
Sergei Golubchik authored
-
Sergei Golubchik authored
char is a character, uchar is an octet. casts removed (or added) as needed
-
Sergei Golubchik authored
not default_mysqld.cnf. The latter has only server settings, it misses mtr-specific client configuration Except for spider, that doesn't use mysqld.1 server and default_my.cnf starts it automatically. Spider tests have to include both default_mysqld.cnf and default_client.cnf
-
Sergei Golubchik authored
it's for client auth plugins only, server auth plugin should never return it, because they cannot send a correct OK packet. (OK packet is quite complex and carries a lot of information that only the server knows)
-