privileges: Upgrade stored password format to Compatible with MySQL. #3292
Conversation
Password stored in mysql.user of TIDB is the format of SHA1(pwd), which is not compatible with MySQL. Different password format will cause user migrate data from MySQL login failed on TIDB.
|
@tiancaiamao PTAL Please test updating an exist cluster with this branch. |
bootstrap.go
Outdated
| @@ -376,6 +381,13 @@ func upgradeToVer9(s Session) { | |||
| s.Execute("UPDATE mysql.user SET Trigger_priv='Y'") | |||
| } | |||
|
|
|||
| func upgradeToVer10(s Session) { | |||
| _, err := s.Execute("UPDATE mysql.user SET `password` = old_password_upgrade(`password`)") | |||
There was a problem hiding this comment.
I don't think we need introduce the old_password_upgrade builtin function.
This is not a standard MySQL function, define it as a local function or put it to util package is enough, no need to implement as builtin.
There was a problem hiding this comment.
if use local function, password can not be updated in one UPDATE statement, we should fetch rows from mysql.user and update each rows.
There was a problem hiding this comment.
You can begin; select; update; commit
There was a problem hiding this comment.
ok, i'll try that way
expression/builtin_encryption.go
Outdated
| } | ||
|
|
||
| // eval evals an upgrade from old password format stored in TIDB to MySQL format | ||
| func (b *builtinOldPasswordUpgradeSig) eval(row []types.Datum) (d types.Datum, err error) { |
There was a problem hiding this comment.
You can put it to util package, or bootstarp.go in which it's used.
expression/builtin_encryption.go
Outdated
|
|
||
| hash2 := util.Sha1Hash(hash1) | ||
| d.SetString(fmt.Sprintf("*%X", hash2)) | ||
| log.Infof("old password: %v new password:%v", pass, fmt.Sprintf("*%X", hash2)) |
There was a problem hiding this comment.
Don't do that, this log will leak user's information!
| log.Errorf("User [%s] password from SystemDB not like a sha1sum", user) | ||
| return false | ||
| } | ||
|
|
||
| // empty password | ||
| if len(pwd) == 0 && len(auth) == 0 { |
There was a problem hiding this comment.
When will len(auth) == 0 ?
There was a problem hiding this comment.
when password is empty
| return true | ||
| } | ||
|
|
||
| if len(pwd) == 0 || len(auth) == 0 { |
There was a problem hiding this comment.
Is there any test cover this change ?
There was a problem hiding this comment.
no test cover this
There was a problem hiding this comment.
add test case done
util/auth.go
Outdated
|
|
||
| "github.com/juju/errors" | ||
| ) | ||
|
|
||
| // CalcPassword is the algorithm convert hashed password to auth string. | ||
| // See https://dev.mysql.com/doc/internals/en/secure-password-authentication.html | ||
| // SHA1( password ) XOR SHA1( "20-bytes random data from server" <concat> SHA1( SHA1( password ) ) ) | ||
| func CalcPassword(scramble, sha1pwd []byte) []byte { | ||
| if len(sha1pwd) == 0 { |
There was a problem hiding this comment.
why remove this check?
There was a problem hiding this comment.
in ConnectionVerification have handled this situation
| // token = scrambleHash XOR stage1Hash | ||
| for i := range scramble { | ||
| scramble[i] ^= sha1pwd[i] |
There was a problem hiding this comment.
I'm confused with this function and the added auth parameter, could you explain it a bit ?
There was a problem hiding this comment.
I transfer the check logic from mysql source code, you can find the logic in function check_scramble in the file sql/password.c.
There was a problem hiding this comment.
The new authentication is performed in following manner:
SERVER: public_seed=create_random_string()
send(public_seed)
CLIENT: recv(public_seed)
hash_stage1=sha1("password")
hash_stage2=sha1(hash_stage1)
reply=xor(hash_stage1, sha1(public_seed,hash_stage2)
// this three steps are done in scramble()
send(reply)
SERVER: recv(reply)
hash_stage1=xor(reply, sha1(public_seed,hash_stage2))
candidate_hash2=sha1(hash_stage1)
check(candidate_hash2==hash_stage2)
// this three steps are done in check_scramble()
We need to update the comment;
And CalcPassword is actually check_scramble now? Maybe we need chose a better function name for it.
There was a problem hiding this comment.
change the function name to CheckScramble
Password stored in mysql.user of TIDB is the format of SHA1(pwd), which is not compatible with MySQL. Different password format will cause user migrate data from MySQL login failed on TIDB.
bootstrap.go
Outdated
| @@ -382,9 +383,37 @@ func upgradeToVer9(s Session) { | |||
| } | |||
|
|
|||
| func upgradeToVer10(s Session) { | |||
| _, err := s.Execute("UPDATE mysql.user SET `password` = old_password_upgrade(`password`)") | |||
| sql := "SELECT user, host, password FROM mysql.user WHERE password != ''" | |||
There was a problem hiding this comment.
Do we need select for update? @shenli
bootstrap.go
Outdated
| } | ||
|
|
||
| for _, sql := range sqls { | ||
| mustExecute(s, sql) | ||
| } |
There was a problem hiding this comment.
mustExecute(s, "commit")
util/auth.go
Outdated
| if err != nil { | ||
| return nil, errors.Trace(err) | ||
| } | ||
| return x, nil | ||
| } | ||
|
|
||
| // OldPasswordUpgrade upgrade password to MySQL compatible format | ||
| func OldPasswordUpgrade(pass string) (string, error) { |
There was a problem hiding this comment.
Is there any test that cover this new added function?
There was a problem hiding this comment.
Add test case done
| return true | ||
| } | ||
|
|
||
| if len(pwd) == 0 || len(auth) == 0 { |
There was a problem hiding this comment.
add test case done
util/auth.go
Outdated
| // candidate_hash2=sha1(hash_stage1) | ||
| // check(candidate_hash2==hash_stage2) | ||
| // // this three steps are done in check_scramble() | ||
| func CheckScramble(scramble, hpwd, auth []byte) []byte { |
There was a problem hiding this comment.
Check inside it and let this function return bool, CheckXXX return []byte is strange.
| for _, sql := range sqls { | ||
| mustExecute(s, sql) | ||
| } | ||
|
|
There was a problem hiding this comment.
Add updateBootstrapVer(s) here.
This upgrade is not reentrant, right? So it must be success/fail along with bootstrap version change.
Rest LGTM
PTAL @shenli
There was a problem hiding this comment.
Add updateBootstrapVer(s) in upgradeToVer11 is not a good choice,
cause updateBootstrapVer update tidb to currentBootstrapVersion instead of Version11,
we should update to version11, so i'd like to add the following code:
sql := fmt.Sprintf(`INSERT INTO %s.%s VALUES ("%s", "%d", "TiDB bootstrap version.") ON DUPLICATE KEY UPDATE VARIABLE_VALUE="%d"`,
mysql.SystemDB, mysql.TiDBTable, tidbServerVersionVar, version11, version11)
mustExecute(s, sql)
|
@tiancaiamao what's wrong with the check:
last for long time this status... |
|
LGTM |
XuHuaiyu
added
status/LGT1
|
PTAL @shenli |
|
@shenli PTAL |
util/auth.go
Outdated
| // candidate_hash2=sha1(hash_stage1) | ||
| // check(candidate_hash2==hash_stage2) | ||
| // // this three steps are done in check_scramble() | ||
| func CheckScramble(scramble, hpwd, auth []byte) bool { |
There was a problem hiding this comment.
Rename to CheckScrambledPassword is more clear.
And I think the first argument should be salt instead of scramble.
There was a problem hiding this comment.
Yes, i will modify it.
bootstrap.go
Outdated
| user := row.Data[0].GetString() | ||
| host := row.Data[1].GetString() | ||
| pass := row.Data[2].GetString() | ||
| newpass, err := util.OldPasswordUpgrade(pass) |
There was a problem hiding this comment.
I think move OldPasswordUpgrade implementation here is better, because this function is only used here and nowhere else.
There was a problem hiding this comment.
i think leave this function in util will make bootstrap concise although it is just used in bootstrap.
There was a problem hiding this comment.
Semantically upgrade operation doesn't belong to util.
I think this need to be considered with higher priority.
There was a problem hiding this comment.
ok, i will move the function to bootstrap.
Password stored in mysql.user of TIDB is the format of SHA1(pwd), which is not compatible with MySQL. Different password format will cause user migrate data from MySQL login failed on TIDB.
|
LGTM |
bootstrap.go
Outdated
| return | ||
| } | ||
| r := rs[0] | ||
| sqls := make([]string, 1) |
There was a problem hiding this comment.
sqls := make([]string, 0, 1)
|
Good job! Thanks for your contribution! @louishust |
Password stored in mysql.user of TIDB is the format of SHA1(pwd),
which is not compatible with MySQL.
Different password format will cause user migrate data from MySQL
login failed on TIDB.