Mirrors
/
mariadb
mirror of https://github.com/MariaDB/server
3
0
Fork 0
Code Releases Activity
Browse Source

MDEV-7597 Expiration of user passwords 

post-merge changes:
* handle password expiration on old tables like everything else -
  make changes in memory, even if they cannot be done on disk
* merge "debug" tests with non-debug tests, they don't use dbug anyway
* only run rpl password expiration in MIXED mode, it doesn't replicate
  anything, so no need to repeat it thrice
* restore update_user_table_password() prototype, it should not change
  ACL_USER, this is done in acl_user_update()
* don't parse json twice in get_password_lifetime and get_password_expired
* remove LEX_USER::is_changing_password, see if there was any auth instead
* avoid overflow in expiration calculations
* don't initialize Account_options in the constructor, it's bzero-ed later
* don't create ulong sysvars - they're not portable, prefer uint or ulonglong
* misc simplifications
bb-10.4-elenst-no-mdev371
Sergei Golubchik 7 years ago
parent
90ad4dbd17
commit
1e6210161d
21 changed files with 251 additions and 359 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      mysql-test/main/mysql_upgrade.result
  2. 58
      mysql-test/main/password_expiration.result
  3. 67
      mysql-test/main/password_expiration.test
  4. 55
      mysql-test/main/password_expiration_dbug.result
  5. 75
      mysql-test/main/password_expiration_dbug.test
  6. 99
      mysql-test/suite/funcs_1/r/is_user_privileges.result
  7. 22
      mysql-test/suite/funcs_1/t/is_user_privileges.test
  8. 3
      mysql-test/suite/plugins/r/multiauth.result
  9. 2
      mysql-test/suite/plugins/t/multiauth.test
  10. 0
      mysql-test/suite/rpl/r/password_expiration.result
  11. 1
      mysql-test/suite/rpl/t/password_expiration.test
  12. 2
      mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
  13. 2
      mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
  14. 2
      sql/mysqld.cc
  15. 2
      sql/mysqld.h
  16. 173
      sql/sql_acl.cc
  17. 10
      sql/sql_lex.h
  18. 16
      sql/sql_yacc.yy
  19. 16
      sql/sql_yacc_ora.yy
  20. 1
      sql/structs.h
  21. 2
      sql/sys_vars.cc

2
mysql-test/main/mysql_upgrade.result
View File

@ -596,7 +596,7 @@ drop view mysql.user_bak;
create user 'user3'@'localhost' identified with mysql_native_password as password('a_password');
show create user user3@localhost;
CREATE USER for user3@localhost
CREATE USER 'user3'@'localhost' IDENTIFIED BY PASSWORD '*5DC1D11F45824A9DD613961F05C1EC1E7A1601AA' PASSWORD EXPIRE NEVER
CREATE USER 'user3'@'localhost' IDENTIFIED BY PASSWORD '*5DC1D11F45824A9DD613961F05C1EC1E7A1601AA'
update mysql.user set password=authentication_string, authentication_string='' where user='user3';
select password,plugin,authentication_string from mysql.user where user='user3';
password plugin authentication_string

58
mysql-test/main/password_expiration.result
View File

@ -141,7 +141,7 @@ ERROR HY000: Incorrect DAY value: '0'
create user user1@localhost;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
CREATE USER 'user1'@'localhost'
flush privileges;
show create user user1@localhost;
CREATE USER for user1@localhost
@ -158,7 +158,7 @@ set password for user1@localhost= password('');
alter user user1@localhost password expire default;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
CREATE USER 'user1'@'localhost'
flush privileges;
show create user user1@localhost;
CREATE USER for user1@localhost
@ -174,7 +174,7 @@ CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
alter user user1@localhost password expire interval 123 day;
show create user user1@localhost;
CREATE USER for user1@localhost
CREATE USER 'user1'@'localhost' PASSWORD EXPIRE NEVER
CREATE USER 'user1'@'localhost' PASSWORD EXPIRE INTERVAL 123 DAY
flush privileges;
show create user user1@localhost;
CREATE USER for user1@localhost
@ -205,3 +205,55 @@ connection default;
drop user user1@localhost;
set global disconnect_on_expired_password=default;
set global default_password_lifetime=default;
#
# PASSWORD EXPIRE DEFAULT should use the default_password_lifetime
# system var to set the number of days till expiration
#
set global disconnect_on_expired_password= ON;
set global default_password_lifetime= 2;
create user user1@localhost password expire default;
set @tstamp_expired= UNIX_TIMESTAMP(NOW() - INTERVAL 3 DAY);
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
connect con1,localhost,user1;
ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
drop user user1@localhost;
#
# PASSWORD EXPIRE INTERVAL should expire a client's password after
# X days and not before
#
set global disconnect_on_expired_password= ON;
create user user1@localhost password expire interval 2 day;
connect con1,localhost,user1;
disconnect con1;
connection default;
set @tstamp_expired= UNIX_TIMESTAMP(NOW() - INTERVAL 3 DAY);
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
connect con1,localhost,user1;
ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
drop user user1@localhost;
#
# PASSWORD EXPIRE NEVER should override the other policies and never
# expire a client's password
#
set global disconnect_on_expired_password= ON;
create user user1@localhost password expire interval 2 day;
alter user user1@localhost password expire never;
set @tstamp_expired= UNIX_TIMESTAMP() - 3;
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
connect con1,localhost,user1;
disconnect con1;
connection default;
drop user user1@localhost;
set global disconnect_on_expired_password= default;
set global default_password_lifetime= default;

67
mysql-test/main/password_expiration.test
View File

@ -194,3 +194,70 @@ set global disconnect_on_expired_password=default;
set global default_password_lifetime=default;
--source include/switch_to_mysql_global_priv.inc
#
# Test password expiration INTERVAL and default_password_lifetime options
#
--echo #
--echo # PASSWORD EXPIRE DEFAULT should use the default_password_lifetime
--echo # system var to set the number of days till expiration
--echo #
set global disconnect_on_expired_password= ON;
set global default_password_lifetime= 2;
create user user1@localhost password expire default;
set @tstamp_expired= UNIX_TIMESTAMP(NOW() - INTERVAL 3 DAY);
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
--error ER_MUST_CHANGE_PASSWORD_LOGIN
connect(con1,localhost,user1);
drop user user1@localhost;
--echo #
--echo # PASSWORD EXPIRE INTERVAL should expire a client's password after
--echo # X days and not before
--echo #
set global disconnect_on_expired_password= ON;
create user user1@localhost password expire interval 2 day;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect(con1,localhost,user1);
disconnect con1;
connection default;
set @tstamp_expired= UNIX_TIMESTAMP(NOW() - INTERVAL 3 DAY);
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
--error ER_MUST_CHANGE_PASSWORD_LOGIN
connect(con1,localhost,user1);
drop user user1@localhost;
--echo #
--echo # PASSWORD EXPIRE NEVER should override the other policies and never
--echo # expire a client's password
--echo #
set global disconnect_on_expired_password= ON;
create user user1@localhost password expire interval 2 day;
alter user user1@localhost password expire never;
set @tstamp_expired= UNIX_TIMESTAMP() - 3;
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect(con1,localhost,user1);
disconnect con1;
connection default;
drop user user1@localhost;
set global disconnect_on_expired_password= default;
set global default_password_lifetime= default;

55
mysql-test/main/password_expiration_dbug.result
View File

@ -1,55 +0,0 @@
set @old_dbug= @@global.debug_dbug;
set global debug_dbug= "+d,password_expiration_interval_sec";
#
# PASSWORD EXPIRE DEFAULT should use the default_password_lifetime
# system var to set the number of days till expiration
#
set global disconnect_on_expired_password= ON;
set global default_password_lifetime= 2;
create user user1@localhost password expire default;
set @tstamp_expired= UNIX_TIMESTAMP() - 3;
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
connect con1,localhost,user1;
ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
drop user user1@localhost;
#
# PASSWORD EXPIRE INTERVAL should expire a client's password after
# X seconds and not before
#
set global disconnect_on_expired_password= ON;
create user user1@localhost password expire interval 2 day;
connect con1,localhost,user1;
disconnect con1;
connection default;
set @tstamp_expired= UNIX_TIMESTAMP() - 3;
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
connect(localhost,user1,,test,MYSQL_PORT,MYSQL_SOCK);
connect con1,localhost,user1;
ERROR HY000: Your password has expired. To log in you must change it using a client that supports expired passwords
drop user user1@localhost;
#
# PASSWORD EXPIRE NEVER should override the other policies and never
# expire a client's password
#
set global disconnect_on_expired_password= ON;
create user user1@localhost password expire interval 2 day;
alter user user1@localhost password expire never;
set @tstamp_expired= UNIX_TIMESTAMP() - 3;
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
connect con1,localhost,user1;
disconnect con1;
connection default;
drop user user1@localhost;
set global debug_dbug= @old_dbug;
set global disconnect_on_expired_password= default;
set global default_password_lifetime= default;

75
mysql-test/main/password_expiration_dbug.test
View File

@ -1,75 +0,0 @@
#
# Test password expiration INTERVAL and default_password_lifetime options
#
--source include/have_debug.inc
--source include/not_embedded.inc
set @old_dbug= @@global.debug_dbug;
set global debug_dbug= "+d,password_expiration_interval_sec";
--echo #
--echo # PASSWORD EXPIRE DEFAULT should use the default_password_lifetime
--echo # system var to set the number of days till expiration
--echo #
set global disconnect_on_expired_password= ON;
set global default_password_lifetime= 2;
create user user1@localhost password expire default;
set @tstamp_expired= UNIX_TIMESTAMP() - 3;
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
--error ER_MUST_CHANGE_PASSWORD_LOGIN
connect(con1,localhost,user1);
drop user user1@localhost;
--echo #
--echo # PASSWORD EXPIRE INTERVAL should expire a client's password after
--echo # X seconds and not before
--echo #
set global disconnect_on_expired_password= ON;
create user user1@localhost password expire interval 2 day;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect(con1,localhost,user1);
disconnect con1;
connection default;
set @tstamp_expired= UNIX_TIMESTAMP() - 3;
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
--error ER_MUST_CHANGE_PASSWORD_LOGIN
connect(con1,localhost,user1);
drop user user1@localhost;
--echo #
--echo # PASSWORD EXPIRE NEVER should override the other policies and never
--echo # expire a client's password
--echo #
set global disconnect_on_expired_password= ON;
create user user1@localhost password expire interval 2 day;
alter user user1@localhost password expire never;
set @tstamp_expired= UNIX_TIMESTAMP() - 3;
update mysql.global_priv set
priv=json_set(priv, '$.password_last_changed', @tstamp_expired)
where user='user1';
flush privileges;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect(con1,localhost,user1);
disconnect con1;
connection default;
drop user user1@localhost;
set global debug_dbug= @old_dbug;
set global disconnect_on_expired_password= default;
set global default_password_lifetime= default;

99
mysql-test/suite/funcs_1/r/is_user_privileges.result
View File

@ -92,8 +92,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -101,8 +100,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -110,8 +108,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
#
# Add GRANT OPTION db_datadict.* to testuser1;
@ -143,8 +140,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -152,8 +148,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -161,8 +156,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
connect testuser1, localhost, testuser1, , db_datadict;
SELECT * FROM information_schema.user_privileges
@ -180,8 +174,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -189,8 +182,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -198,8 +190,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
SHOW GRANTS;
Grants for testuser1@localhost
@ -239,8 +230,7 @@ json_detailed(priv) {
"access": 1,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -248,8 +238,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -257,8 +246,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
GRANT SELECT ON *.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
#
@ -290,8 +278,7 @@ json_detailed(priv) {
"access": 1025,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -299,8 +286,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -308,8 +294,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
connection testuser1;
SELECT * FROM information_schema.user_privileges
@ -327,8 +312,7 @@ json_detailed(priv) {
"access": 1025,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -336,8 +320,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -345,8 +328,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
SHOW GRANTS;
Grants for testuser1@localhost
@ -416,8 +398,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -425,8 +406,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -434,8 +414,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
connection testuser1;
SELECT * FROM information_schema.user_privileges
@ -500,8 +479,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -509,8 +487,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -518,8 +495,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
connection testuser1;
SELECT * FROM information_schema.user_privileges
@ -537,8 +513,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -546,8 +521,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -555,8 +529,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
SHOW GRANTS;
Grants for testuser1@localhost
@ -581,8 +554,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -590,8 +562,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -599,8 +570,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
SHOW GRANTS;
Grants for testuser1@localhost
@ -640,8 +610,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser2
@ -649,8 +618,7 @@ json_detailed(priv) {
"access": 6,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
host localhost
user testuser3
@ -658,8 +626,7 @@ json_detailed(priv) {
"access": 0,
"plugin": "mysql_native_password",
"authentication_string": "",
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
connection testuser1;
SELECT * FROM information_schema.user_privileges

22
mysql-test/suite/funcs_1/t/is_user_privileges.test
View File

@ -103,7 +103,7 @@ WHERE user LIKE 'testuser%' ORDER BY host, user;
let $my_show= SHOW GRANTS;
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
@ -112,7 +112,7 @@ eval $my_select2;
GRANT UPDATE ON db_datadict.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
@ -120,7 +120,7 @@ eval $my_select2;
connect (testuser1, localhost, testuser1, , db_datadict);
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
eval $my_show;
@ -134,7 +134,7 @@ GRANT SELECT ON *.* TO 'testuser1'@'localhost';
--echo # Here <SELECT NO> is shown correctly for testuser1;
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
@ -143,7 +143,7 @@ GRANT SELECT ON *.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
--echo # Here <SELECT YES> is shown correctly for testuser1;
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
@ -151,7 +151,7 @@ eval $my_select2;
connection testuser1;
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
eval $my_show;
@ -180,7 +180,7 @@ connection default;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'testuser1'@'localhost';
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
@ -213,14 +213,14 @@ GRANT ALL ON db_datadict.* TO 'testuser1'@'localhost' WITH GRANT OPTION;
GRANT SELECT ON mysql.global_priv TO 'testuser1'@'localhost';
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
connection testuser1;
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
eval $my_show;
@ -233,7 +233,7 @@ CREATE TABLE db_datadict.tb_56 ( c1 TEXT );
USE db_datadict;
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results
eval $my_show;
@ -248,7 +248,7 @@ connection default;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'testuser1'@'localhost';
--vertical_results
eval $my_select1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
eval $my_select2;
--horizontal_results

3
mysql-test/suite/plugins/r/multiauth.result
View File

@ -123,8 +123,7 @@ json_detailed(priv)
{
}
],
"password_last_changed": 0,
"password_lifetime": -1
"password_last_changed": #
}
select password,plugin,authentication_string from mysql.user where user='mysqltest1';
Password plugin authentication_string

2
mysql-test/suite/plugins/t/multiauth.test
View File

@ -130,7 +130,7 @@ drop user mysqltest1;
#
create user mysqltest1 identified via ed25519 as password("good") OR unix_socket OR mysql_native_password as password("works");
show grants for mysqltest1;
--replace_regex /password_last_changed": [0-9]*/password_last_changed": 0/
--replace_regex /password_last_changed": [0-9]*/password_last_changed": #/
select json_detailed(priv) from mysql.global_priv where user='mysqltest1';
select password,plugin,authentication_string from mysql.user where user='mysqltest1';
flush privileges;

0
mysql-test/main/rpl_expired_pass.result → mysql-test/suite/rpl/r/password_expiration.result
View File

1
mysql-test/main/rpl_expired_pass.test → mysql-test/suite/rpl/t/password_expiration.test
View File

@ -4,6 +4,7 @@
#
--source include/not_embedded.inc
--source include/have_binlog_format_mixed.inc
--source include/master-slave.inc
--connection slave

2
mysql-test/suite/sys_vars/r/sysvars_server_embedded.result
View File

@ -718,7 +718,7 @@ GLOBAL_VALUE 0
GLOBAL_VALUE_ORIGIN COMPILE-TIME
DEFAULT_VALUE 0
VARIABLE_SCOPE GLOBAL
VARIABLE_TYPE BIGINT UNSIGNED
VARIABLE_TYPE INT UNSIGNED
VARIABLE_COMMENT This defines the global password expiration policy. 0 means automatic password expiration is disabled. If the value is a positive integer N, the passwords must be changed every N days. This behavior can be overriden using the password expiration options in ALTER USER.
NUMERIC_MIN_VALUE 0
NUMERIC_MAX_VALUE 4294967295

2
mysql-test/suite/sys_vars/r/sysvars_server_notembedded.result
View File

@ -732,7 +732,7 @@ GLOBAL_VALUE 0
GLOBAL_VALUE_ORIGIN COMPILE-TIME
DEFAULT_VALUE 0
VARIABLE_SCOPE GLOBAL
VARIABLE_TYPE BIGINT UNSIGNED
VARIABLE_TYPE INT UNSIGNED
VARIABLE_COMMENT This defines the global password expiration policy. 0 means automatic password expiration is disabled. If the value is a positive integer N, the passwords must be changed every N days. This behavior can be overriden using the password expiration options in ALTER USER.
NUMERIC_MIN_VALUE 0
NUMERIC_MAX_VALUE 4294967295

2
sql/mysqld.cc
View File

@ -511,7 +511,7 @@ ulong feature_files_opened_with_delayed_keys= 0, feature_check_constraint= 0;
ulonglong denied_connections;
my_decimal decimal_zero;
long opt_secure_timestamp;
ulong default_password_lifetime;
uint default_password_lifetime;
my_bool disconnect_on_expired_password;
/*

2
sql/mysqld.h
View File

@ -310,7 +310,7 @@ extern my_bool encrypt_tmp_disk_tables, encrypt_tmp_files;
extern ulong encryption_algorithm;
extern const char *encryption_algorithm_names[];
extern long opt_secure_timestamp;
extern ulong default_password_lifetime;
extern uint default_password_lifetime;
extern my_bool disconnect_on_expired_password;
enum secure_timestamp { SECTIME_NO, SECTIME_SUPER, SECTIME_REPL, SECTIME_YES };

173
sql/sql_acl.cc
View File

@ -647,8 +647,7 @@ static ACL_USER *find_user_wild(const char *host, const char *user, const char *
static ACL_ROLE *find_acl_role(const char *user);
static ROLE_GRANT_PAIR *find_role_grant_pair(const LEX_CSTRING *u, const LEX_CSTRING *h, const LEX_CSTRING *r);
static ACL_USER_BASE *find_acl_user_base(const char *user, const char *host);
static bool update_user_table_password(THD *, const User_table&,
ACL_USER*);
static bool update_user_table_password(THD *, const User_table&, const ACL_USER&);
static bool acl_load(THD *thd, const Grant_tables& grant_tables);
static inline void get_grantor(THD *thd, char* grantor);
static bool add_role_user_mapping(const char *uname, const char *hname, const char *rname);
@ -873,7 +872,7 @@ class User_table: public Grant_table_base
virtual bool get_password_expired () const = 0;
virtual int set_password_expired (bool x) const = 0;
virtual my_time_t get_password_last_changed () const = 0;
virtual int set_password_last_changed (const my_time_t &x) const = 0;
virtual int set_password_last_changed (my_time_t x) const = 0;
virtual longlong get_password_lifetime () const = 0;
virtual int set_password_lifetime (longlong x) const = 0;
@ -1165,7 +1164,6 @@ class User_table_tabular: public User_table
if (Field *f= get_field(field_num, MYSQL_TYPE_ENUM))
return f->store(x+1, 0);
return 1;
}
my_time_t get_password_last_changed () const
@ -1173,17 +1171,15 @@ class User_table_tabular: public User_table
ulong unused_dec;
if (Field *f= get_field(end_priv_columns + 11, MYSQL_TYPE_TIMESTAMP2))
return f->get_timestamp(&unused_dec);
return 0;
}
int set_password_last_changed (const my_time_t &x) const
int set_password_last_changed (my_time_t x) const
{
if (Field *f= get_field(end_priv_columns + 11, MYSQL_TYPE_TIMESTAMP2))
{
f->set_notnull();
return f->store_timestamp(x, 0);
}
return 1;
}
longlong get_password_lifetime () const
@ -1192,10 +1188,8 @@ class User_table_tabular: public User_table
{
if (f->is_null())
return -1;
return f->val_int();
}
return 0;
}
int set_password_lifetime (longlong x) const
@ -1210,7 +1204,6 @@ class User_table_tabular: public User_table
f->set_notnull();
return f->store(x, 0);
}
return 1;
}
@ -1511,33 +1504,19 @@ class User_table_json: public User_table
{ return set_bool_value("account_locked", x); }
my_time_t get_password_last_changed () const
{ return static_cast<my_time_t>(get_int_value("password_last_changed")); }
int set_password_last_changed (const my_time_t &x) const
int set_password_last_changed (my_time_t x) const
{ return set_int_value("password_last_changed", static_cast<longlong>(x)); }
int set_password_lifetime (longlong x) const
{ return set_int_value("password_lifetime", x); }
longlong get_password_lifetime () const
{
size_t value_len;
const char *value_start;
const char *key= "password_lifetime";
if (get_value(key, JSV_NUMBER, &value_start, &value_len))
return -1;
return get_int_value(key);
}
{ return get_int_value("password_lifetime", -1); }
/*
password_last_changed=0 means the password is manually expired.
In MySQL 5.7+ this state is described using the password_expired column
in mysql.user
*/
bool get_password_expired () const
{
size_t value_len;
const char *value_start;
const char *key= "password_last_changed";
if (get_value(key, JSV_NUMBER, &value_start, &value_len))
return false;
return get_password_last_changed() == 0;
}
{ return get_int_value("password_last_changed", -1) == 0; }
int set_password_expired (bool x) const
{ return x ? set_password_last_changed(0) : 0; }
@ -1581,13 +1560,13 @@ class User_table_json: public User_table
return NULL;
return strmake_root(root, ptr, len);
}
longlong get_int_value(const char *key) const
longlong get_int_value(const char *key, longlong def_val= 0) const
{
int err;
size_t value_len;
const char *value_start;
if (get_value(key, JSV_NUMBER, &value_start, &value_len))
return 0;
return def_val;
const char *value_end= value_start + value_len;
return my_strtoll10(value_start, (char**)&value_end, &err);
}
@ -3156,6 +3135,8 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth,
update_hostname(&acl_user->host, safe_strdup_root(&acl_memroot, combo.host.str));
acl_user->hostname_length= combo.host.length;
acl_user->sort= get_sort(2, acl_user->host.hostname, acl_user->user.str);
acl_user->password_last_changed= thd->query_start();
acl_user->password_lifetime= -1;
my_init_dynamic_array(&acl_user->role_grants, sizeof(ACL_USER *),
0, 8, MYF(0));
}
@ -3201,6 +3182,31 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth,
}
if (options.account_locked != ACCOUNTLOCK_UNSPECIFIED)
acl_user->account_locked= options.account_locked == ACCOUNTLOCK_LOCKED;
/* Unexpire the user password */
if (nauth)
{
acl_user->password_expired= false;
acl_user->password_last_changed= thd->query_start();;
}
switch (options.password_expire) {
case PASSWORD_EXPIRE_UNSPECIFIED:
break;
case PASSWORD_EXPIRE_NOW:
acl_user->password_expired= true;
break;
case PASSWORD_EXPIRE_NEVER:
acl_user->password_lifetime= 0;
break;
case PASSWORD_EXPIRE_DEFAULT:
acl_user->password_lifetime= -1;
break;
case PASSWORD_EXPIRE_INTERVAL:
acl_user->password_lifetime= options.num_expiration_days;
break;
}
return 0;
}
@ -3767,7 +3773,16 @@ bool change_password(THD *thd, LEX_USER *user)
goto end;
}
if (update_user_table_password(thd, tables.user_table(), acl_user))
/* Update the acl password expired state of user */
acl_user->password_last_changed= thd->query_start();
acl_user->password_expired= false;
/* If user is the connected user, reset the password expired field on sctx
and allow the user to exit sandbox mode */
if (thd->security_ctx->is_priv_user(user->user.str, user->host.str))
thd->security_ctx->password_expired= false;
if (update_user_table_password(thd, tables.user_table(), *acl_user))
goto end;
acl_cache->clear(1); // Clear locked hostname cache
@ -4211,7 +4226,7 @@ bool hostname_requires_resolving(const char *hostname)
*/
static bool update_user_table_password(THD *thd, const User_table& user_table,
ACL_USER *user)
const ACL_USER &user)
{
char user_key[MAX_KEY_LENGTH];
int error;
@ -4219,8 +4234,8 @@ static bool update_user_table_password(THD *thd, const User_table& user_table,
TABLE *table= user_table.table();
table->use_all_columns();
user_table.set_host(user->host.hostname, user->hostname_length);
user_table.set_user(user->user.str, user->user.length);
user_table.set_host(user.host.hostname, user.hostname_length);
user_table.set_user(user.user.str, user.user.length);
key_copy((uchar *) user_key, table->record[0], table->key_info,
table->key_info->key_length);
@ -4234,7 +4249,7 @@ static bool update_user_table_password(THD *thd, const User_table& user_table,
}
store_record(table, record[1]);
if (user_table.set_auth(*user))
if (user_table.set_auth(user))
{
my_error(ER_COL_COUNT_DOESNT_MATCH_PLEASE_UPDATE, MYF(0),
user_table.name().str, 3, user_table.num_fields(),
@ -4242,10 +4257,8 @@ static bool update_user_table_password(THD *thd, const User_table& user_table,
DBUG_RETURN(1);
}
/* Update the persistent password expired state of user */
user_table.set_password_expired(false);
my_time_t now= thd->query_start();
int rv= user_table.set_password_last_changed(now);
user_table.set_password_expired(user.password_expired);
user_table.set_password_last_changed(user.password_last_changed);
if (unlikely(error= table->file->ha_update_row(table->record[1],
table->record[0])) &&
@ -4255,16 +4268,6 @@ static bool update_user_table_password(THD *thd, const User_table& user_table,
DBUG_RETURN(1);
}
/* Update the acl password expired state of user */
if (!rv)
user->password_last_changed= now;
user->password_expired= false;
/* If user is the connected user, reset the password expired field on sctx
and allow the user to exit sandbox mode */
if (thd->security_ctx->is_priv_user(user->user.str, user->host.hostname))
thd->security_ctx->password_expired= false;
DBUG_RETURN(0);
}
@ -4368,9 +4371,9 @@ static int replace_user_table(THD *thd, const User_table &user_table,
combo->auth= &auth_no_password;
old_row_exists = 0;
restore_record(table,s->default_values);
user_table.set_host(combo->host.str,combo->host.length);
user_table.set_user(combo->user.str,combo->user.length);
restore_record(table, s->default_values);
user_table.set_host(combo->host.str, combo->host.length);
user_table.set_user(combo->user.str, combo->user.length);
}
else
{
@ -4482,44 +4485,12 @@ static int replace_user_table(THD *thd, const User_table &user_table,
if (lex->account_options.account_locked != ACCOUNTLOCK_UNSPECIFIED)
user_table.set_account_locked(new_acl_user.account_locked);
my_time_t now= thd->query_start();
if (!old_row_exists)
if (nauth)
user_table.set_password_last_changed(new_acl_user.password_last_changed);
if (lex->account_options.password_expire != PASSWORD_EXPIRE_UNSPECIFIED)
{
if (!user_table.set_password_last_changed(now))
new_acl_user.password_last_changed= now;
if (!user_table.set_password_lifetime(-1))
new_acl_user.password_lifetime= -1;
}
/* Unexpire the user password */
if (combo->is_changing_password)
{
user_table.set_password_expired(false);
new_acl_user.password_expired= false;
if (user_table.set_password_last_changed(now))
new_acl_user.password_last_changed= now;
}
switch (lex->account_options.password_expire) {
case PASSWORD_EXPIRE_UNSPECIFIED:
break;
case PASSWORD_EXPIRE_NOW:
user_table.set_password_expired(true);
new_acl_user.password_expired= true;
break;
case PASSWORD_EXPIRE_NEVER:
if (!user_table.set_password_lifetime(0))
new_acl_user.password_lifetime= 0;
break;
case PASSWORD_EXPIRE_DEFAULT:
if (!user_table.set_password_lifetime(-1))
new_acl_user.password_lifetime= -1;
break;
case PASSWORD_EXPIRE_INTERVAL:
longlong interval= lex->account_options.num_expiration_days;
if (!user_table.set_password_lifetime(interval))
new_acl_user.password_lifetime= interval;
break;
user_table.set_password_lifetime(new_acl_user.password_lifetime);
user_table.set_password_expired(new_acl_user.password_expired);
}
}
@ -8984,9 +8955,7 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
else if (acl_user->password_lifetime > 0)
{
result.append(STRING_WITH_LEN(" PASSWORD EXPIRE INTERVAL "));
char days[MAX_BIGINT_WIDTH + 1];
my_snprintf(days, sizeof(days), "%lu", acl_user->password_lifetime);
result.append(days);
result.append_longlong(acl_user->password_lifetime);
result.append(STRING_WITH_LEN(" DAY"));
}
@ -13627,14 +13596,14 @@ static void handle_password_errors(const char *user, const char *hostname, PASSW
#endif
}
bool check_password_lifetime(THD *thd, const ACL_USER *acl_user)
static bool check_password_lifetime(THD *thd, const ACL_USER &acl_user)
{
/* the password should never expire */
if (!acl_user->password_lifetime)
if (!acl_user.password_lifetime)
return false;
longlong interval= acl_user->password_lifetime;
if (acl_user->password_lifetime < 0)
longlong interval= acl_user.password_lifetime;
if (interval < 0)
{
interval= default_password_lifetime;
@ -13644,12 +13613,8 @@ bool check_password_lifetime(THD *thd, const ACL_USER *acl_user)
}
thd->set_time();
longlong interval_sec= 3600 * 24 * interval;
/* this helps test set a testable password lifetime in seconds not days */
DBUG_EXECUTE_IF("password_expiration_interval_sec", { interval_sec= interval; });
if (thd->query_start() - acl_user->password_last_changed > interval_sec)
if ((thd->query_start() - acl_user.password_last_changed)/3600/24 >= interval)
return true;
return false;
@ -13878,18 +13843,18 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
bool client_can_handle_exp_pass= thd->client_capabilities &
CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS;
bool password_lifetime_due= check_password_lifetime(thd, acl_user);
bool password_expired= acl_user->password_expired ||
check_password_lifetime(thd, *acl_user);
if (!client_can_handle_exp_pass && disconnect_on_expired_password &&
(acl_user->password_expired || password_lifetime_due))
password_expired)
{
status_var_increment(denied_connections);
my_error(ER_MUST_CHANGE_PASSWORD_LOGIN, MYF(0));
DBUG_RETURN(1);
}
sctx->password_expired= acl_user->password_expired ||
password_lifetime_due;
sctx->password_expired= password_expired;
/*
Don't allow the user to connect if he has done too many queries.

10
sql/sql_lex.h
View File

@ -2955,14 +2955,14 @@ public:
enum account_lock_type
{
ACCOUNTLOCK_UNSPECIFIED,
ACCOUNTLOCK_UNSPECIFIED= 0,
ACCOUNTLOCK_LOCKED,
ACCOUNTLOCK_UNLOCKED
};
enum password_exp_type
{
PASSWORD_EXPIRE_UNSPECIFIED,
PASSWORD_EXPIRE_UNSPECIFIED= 0,
PASSWORD_EXPIRE_NOW,
PASSWORD_EXPIRE_NEVER,
PASSWORD_EXPIRE_DEFAULT,
@ -2971,11 +2971,7 @@ enum password_exp_type
struct Account_options: public USER_RESOURCES
{
Account_options()
: account_locked(ACCOUNTLOCK_UNSPECIFIED)
, password_expire(PASSWORD_EXPIRE_UNSPECIFIED)
, num_expiration_days(0)
{ }
Account_options() { }
void reset()
{

16
sql/sql_yacc.yy
View File

@ -8061,17 +8061,9 @@ opt_password_expiration:
}
| PASSWORD_SYM EXPIRE_SYM INTERVAL_SYM NUM DAY_SYM
{
int error;
longlong interval= my_strtoll10($4.str, (char**) 0, &error);
if (!interval)
{
char num[MAX_BIGINT_WIDTH + 1];
my_snprintf(num, sizeof(num), "%lu", interval);
my_yyabort_error((ER_WRONG_VALUE, MYF(0), "DAY", num));
}
Lex->account_options.password_expire= PASSWORD_EXPIRE_INTERVAL;
Lex->account_options.num_expiration_days= interval;
if (!(Lex->account_options.num_expiration_days= atoi($4.str)))
my_yyabort_error((ER_WRONG_VALUE, MYF(0), "DAY", $4.str));
}
;
@ -17300,25 +17292,21 @@ grant_user:
$$= $1;
$1->auth= new (thd->mem_root) USER_AUTH();
$1->auth->pwtext= $4;
$1->is_changing_password= true;
}
| user IDENTIFIED_SYM BY PASSWORD_SYM TEXT_STRING
{
$$= $1;
$1->auth= new (thd->mem_root) USER_AUTH();
$1->auth->auth_str= $5;
$1->is_changing_password= true;
}
| user IDENTIFIED_SYM via_or_with auth_expression
{
$$= $1;
$1->auth= $4;
$1->is_changing_password= false;
}
| user_or_role
{
$$= $1;
$1->is_changing_password= false;
}
;

16
sql/sql_yacc_ora.yy
View File

@ -8091,17 +8091,9 @@ opt_password_expiration:
}
| PASSWORD_SYM EXPIRE_SYM INTERVAL_SYM NUM DAY_SYM
{
int error;
longlong interval= my_strtoll10($4.str, (char**) 0, &error);
if (!interval)
{
char num[MAX_BIGINT_WIDTH + 1];
my_snprintf(num, sizeof(num), "%lu", interval);
my_yyabort_error((ER_WRONG_VALUE, MYF(0), "DAY", num));
}
Lex->account_options.password_expire= PASSWORD_EXPIRE_INTERVAL;
Lex->account_options.num_expiration_days= interval;
if (!(Lex->account_options.num_expiration_days= atoi($4.str)))
my_yyabort_error((ER_WRONG_VALUE, MYF(0), "DAY", $4.str));
}
;
@ -17438,25 +17430,21 @@ grant_user:
$$= $1;
$1->auth= new (thd->mem_root) USER_AUTH();
$1->auth->pwtext= $4;
$1->is_changing_password= true;
}
| user IDENTIFIED_SYM BY PASSWORD_SYM TEXT_STRING
{
$$= $1;
$1->auth= new (thd->mem_root) USER_AUTH();
$1->auth->auth_str= $5;
$1->is_changing_password= true;
}
| user IDENTIFIED_SYM via_or_with auth_expression
{
$$= $1;
$1->auth= $4;
$1->is_changing_password= false;
}
| user_or_role
{
$$= $1;
$1->is_changing_password= false;
}
;

1
sql/structs.h
View File

@ -255,7 +255,6 @@ struct AUTHID
struct LEX_USER: public AUTHID
{
USER_AUTH *auth;
bool is_changing_password;
bool has_auth()
{
return auth && (auth->plugin.length || auth->auth_str.length || auth->pwtext.length);

2
sql/sys_vars.cc
View File

@ -1517,7 +1517,7 @@ static Sys_var_ulong Sys_max_connections(
DEFAULT(MAX_CONNECTIONS_DEFAULT), BLOCK_SIZE(1), NO_MUTEX_GUARD,
NOT_IN_BINLOG, ON_CHECK(0), ON_UPDATE(fix_max_connections));
static Sys_var_ulong Sys_default_password_lifetime(
static Sys_var_uint Sys_default_password_lifetime(
"default_password_lifetime",
"This defines the global password expiration policy. 0 means "
"automatic password expiration is disabled. If the value is a "

Write Preview
Loading…
Cancel
Save