Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

privilege, session, server: consistently map user login to identity (#30204) #30450

Merged
merged 3 commits into from
Feb 21, 2022

Conversation

ti-srebot
Copy link
Contributor

@ti-srebot ti-srebot commented Dec 6, 2021

cherry-pick #30204 to release-5.3
You can switch your code base to this Pull Request by using git-extras:

# In tidb repo:
git pr https://github.com/pingcap/tidb/pull/30450

After apply modifications, you can push your change to this PR via:

git push git@github.com:ti-srebot/tidb.git pr/30450:release-5.3-7fc6ebbda4dd

What problem does this PR solve?

Problem Summary:

TiDB server uses different rules to map a user to an identity depending on the code area. This cleans up how identity is mapped using a consistent function: MatchIdentity().

What is changed and how it works?

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility
    The rules might be slightly different in the event that there are two 'root' users with different hosts (not a common practice, but it's possible users are doing this). This PR follows more consistent behavior with MySQL.

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

The TiDB server now maps a user to an entry in the mysql.user table more consistently.

Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
@ti-chi-bot
Copy link
Member

ti-chi-bot commented Dec 6, 2021

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • dveeden
  • tiancaiamao

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-srebot
Copy link
Contributor Author

/run-all-tests

@ti-chi-bot ti-chi-bot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Dec 6, 2021
@ti-chi-bot ti-chi-bot removed the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Dec 6, 2021
@ti-srebot ti-srebot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. type/5.3-cherry-pick labels Dec 6, 2021
@ti-srebot
Copy link
Contributor Author

@morgo you're already a collaborator in bot's repo.

@morgo
Copy link
Contributor

morgo commented Dec 7, 2021

The merge for this was unfortunately complicated. There are a lot of changes in master that are related, so I had to merge some in that were not in the PR on master.

Comment on lines 724 to 725
case mysql.AuthCachingSha2Password:
resp.Auth, err = cc.authSha(ctx)
if err != nil {
return err
}
case mysql.AuthNativePassword:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is intentional. It was removed from master, I believe because this is handled in cc.checkAuthPlugin instead. The code could be cleaned up slightly, but that's for another PR.

Comment on lines -732 to -744
if cc.ctx == nil {
err := cc.openSession()
if err != nil {
return err
}
}
userplugin, err := cc.ctx.AuthPluginForUser(&auth.UserIdentity{Username: cc.user, Hostname: cc.peerHost})
_, err := cc.checkAuthPlugin(ctx, resp)
if err != nil {
return err
}
if userplugin != mysql.AuthNativePassword && userplugin != "" {
return errNotSupportedAuthMode
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes are also based on master, and checkAuthPlugin does these checks.

@dveeden
Copy link
Contributor

dveeden commented Dec 17, 2021

/run-check_dev

Copy link
Contributor

@dveeden dveeden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested with https://github.com/dveeden/tidb_client_test:

TiDB Client Test
Connected to:
	Release Version: v5.3.0-4-g635c0bab4
	Edition: Community
	Git Commit Hash: 635c0bab4eb54a801b0f3f12577b8b25bb0e5431
	Git Branch: release-5.3-7fc6ebbda4dd
	UTC Build Time: 2021-12-20 15:04:40
	GoVersion: go1.16.11
	Race Enabled: false
	TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
	Check Table Before Drop: false
Clients:
	/home/dvaneeden/opt/mysql/5.1.73/bin/mysql
	/home/dvaneeden/opt/mysql/5.7.31/bin/mysql
	/home/dvaneeden/opt/mysql/5.7.36/bin/mysql
	/home/dvaneeden/opt/mysql/8.0.22/bin/mysql
	/home/dvaneeden/opt/mysql/8.0.25/bin/mysql
	/home/dvaneeden/opt/mysql/8.0.26/bin/mysql
	/home/dvaneeden/opt/mysql/8.0.27/bin/mysql
-----------------------------------------------
Testing with mysql_native_password as default authentication plugin
Testing /home/dvaneeden/opt/mysql/5.1.73/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.31/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.36/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.22/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.25/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.26/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.27/bin/mysql: success=8, failures=0
Testing with caching_sha2_password as default authentication plugin
Testing /home/dvaneeden/opt/mysql/5.1.73/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.31/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/5.7.36/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.22/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.25/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.26/bin/mysql: success=8, failures=0
Testing /home/dvaneeden/opt/mysql/8.0.27/bin/mysql: success=8, failures=0

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Dec 20, 2021
@guo-shaoge
Copy link
Collaborator

/run-check_dev
/run-mysql-test

@guo-shaoge
Copy link
Collaborator

Hi @morgo , v5.3 is about to release a new version in a few days, maybe we can continue to merge this pr. Thanks!

@morgo
Copy link
Contributor

morgo commented Feb 15, 2022

Hi @morgo , v5.3 is about to release a new version in a few days, maybe we can continue to merge this pr. Thanks!

Yes, it must be merged. It is release blocking according to our criteria.

@morgo
Copy link
Contributor

morgo commented Feb 15, 2022

/run-check_dev
/run-mysql-test

@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Feb 16, 2022
@zhouqiang-cl zhouqiang-cl added the cherry-pick-approved Cherry pick PR approved by release team. label Feb 16, 2022
@morgo
Copy link
Contributor

morgo commented Feb 18, 2022

/run-mysql-test tidb-test=pr/1583

@morgo
Copy link
Contributor

morgo commented Feb 19, 2022

/run-mysql-test tidb-test=pr/1583

@morgo
Copy link
Contributor

morgo commented Feb 19, 2022

The mysql-test itself seems to be broken. I've tested the changes locally in mysql-test and it passed.

@morgo
Copy link
Contributor

morgo commented Feb 19, 2022

/run-mysql-test tidb-test=pr/1583

@purelind
Copy link
Contributor

/rebuild

1 similar comment
@s3nt3
Copy link
Contributor

s3nt3 commented Feb 21, 2022

/rebuild

@purelind
Copy link
Contributor

/run-mysql-test

@purelind
Copy link
Contributor

/run-mysql-test tidb-test=pr/1583

@guo-shaoge
Copy link
Collaborator

/merge

@ti-chi-bot
Copy link
Member

This pull request has been accepted and is ready to merge.

Commit hash: 635c0ba

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Feb 21, 2022
@s3nt3
Copy link
Contributor

s3nt3 commented Feb 21, 2022

/run-mysql-test tidb-test=pr/1583

@s3nt3
Copy link
Contributor

s3nt3 commented Feb 21, 2022

/rebuild

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cherry-pick-approved Cherry pick PR approved by release team. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2. type/5.3-cherry-pick
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants