-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
privilege, session, server: consistently map user login to identity (#30204) #30450
privilege, session, server: consistently map user login to identity (#30204) #30450
Conversation
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
[REVIEW NOTIFICATION] This pull request has been approved by:
To complete the pull request process, please ask the reviewers in the list to review by filling The full list of commands accepted by this bot can be found here. Reviewer can indicate their review by submitting an approval review. |
/run-all-tests |
@morgo you're already a collaborator in bot's repo. |
The merge for this was unfortunately complicated. There are a lot of changes in master that are related, so I had to merge some in that were not in the PR on master. |
case mysql.AuthCachingSha2Password: | ||
resp.Auth, err = cc.authSha(ctx) | ||
if err != nil { | ||
return err | ||
} | ||
case mysql.AuthNativePassword: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is intentional. It was removed from master, I believe because this is handled in cc.checkAuthPlugin
instead. The code could be cleaned up slightly, but that's for another PR.
if cc.ctx == nil { | ||
err := cc.openSession() | ||
if err != nil { | ||
return err | ||
} | ||
} | ||
userplugin, err := cc.ctx.AuthPluginForUser(&auth.UserIdentity{Username: cc.user, Hostname: cc.peerHost}) | ||
_, err := cc.checkAuthPlugin(ctx, resp) | ||
if err != nil { | ||
return err | ||
} | ||
if userplugin != mysql.AuthNativePassword && userplugin != "" { | ||
return errNotSupportedAuthMode | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These changes are also based on master, and checkAuthPlugin
does these checks.
/run-check_dev |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested with https://github.com/dveeden/tidb_client_test:
TiDB Client Test
Connected to:
Release Version: v5.3.0-4-g635c0bab4
Edition: Community
Git Commit Hash: 635c0bab4eb54a801b0f3f12577b8b25bb0e5431
Git Branch: release-5.3-7fc6ebbda4dd
UTC Build Time: 2021-12-20 15:04:40
GoVersion: go1.16.11
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
Clients:
/home/dvaneeden/opt/mysql/5.1.73/bin/mysql
/home/dvaneeden/opt/mysql/5.7.31/bin/mysql
/home/dvaneeden/opt/mysql/5.7.36/bin/mysql
/home/dvaneeden/opt/mysql/8.0.22/bin/mysql
/home/dvaneeden/opt/mysql/8.0.25/bin/mysql
/home/dvaneeden/opt/mysql/8.0.26/bin/mysql
/home/dvaneeden/opt/mysql/8.0.27/bin/mysql
-----------------------------------------------
Testing with mysql_native_password as default authentication plugin
Testing /home/dvaneeden/opt/mysql/5.1.73/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.31/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.36/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.22/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.25/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.26/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.27/bin/mysql: success=8, failures=0
Testing with caching_sha2_password as default authentication plugin
Testing /home/dvaneeden/opt/mysql/5.1.73/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.31/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.36/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.22/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.25/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.26/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.27/bin/mysql: success=8, failures=0
/run-check_dev |
Hi @morgo , v5.3 is about to release a new version in a few days, maybe we can continue to merge this pr. Thanks! |
Yes, it must be merged. It is release blocking according to our criteria. |
/run-check_dev |
/run-mysql-test tidb-test=pr/1583 |
/run-mysql-test tidb-test=pr/1583 |
The mysql-test itself seems to be broken. I've tested the changes locally in mysql-test and it passed. |
/run-mysql-test tidb-test=pr/1583 |
/rebuild |
1 similar comment
/rebuild |
/run-mysql-test |
/run-mysql-test tidb-test=pr/1583 |
/merge |
This pull request has been accepted and is ready to merge. Commit hash: 635c0ba
|
/run-mysql-test tidb-test=pr/1583 |
/rebuild |
cherry-pick #30204 to release-5.3
You can switch your code base to this Pull Request by using git-extras:
# In tidb repo: git pr https://github.com/pingcap/tidb/pull/30450
After apply modifications, you can push your change to this PR via:
What problem does this PR solve?
Problem Summary:
TiDB server uses different rules to map a user to an identity depending on the code area. This cleans up how identity is mapped using a consistent function:
MatchIdentity()
.What is changed and how it works?
Check List
Tests
Side effects
The rules might be slightly different in the event that there are two 'root' users with different hosts (not a common practice, but it's possible users are doing this). This PR follows more consistent behavior with MySQL.
Documentation
Release note