
Commit 8a1cfee

committed
Bug #13586336: SRVGEN - HIBISCUS: ISSUE DEPRECATION WARNING FOR
LEGACY AUTHENTICATION METHOD Added warnings as follows : 1) Make the server option secure_auth ON per default and issue a warning stating that legacy passwords are deprecated if it is ever overridden. 2) Issue a deprecation warning if a new user account ever is created or otherwise configured to use the mysql_old_password plugin. 3) When upgrading an old system, issue deprecation warnings if an old password hash digest is found in the password field. Added tests for the new warnings and updated existing tests to either set secure_auth back to FALSE or adjust the result where this is not possible.
1 parent d75575e commit 8a1cfee

15 files changed

+199
-9
lines changed

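--- a/mysql-test/r/change_user.result
+++ b/mysql-test/r/change_user.result
@@ -1,5 +1,10 @@
+SET GLOBAL secure_auth = OFF;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 grant select on test.* to test_nopw;
 grant select on test.* to test_oldpw identified by password "09301740536db389";
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 grant select on test.* to test_newpw identified by "newpw";
 select user(), current_user(), database();
 user() current_user() database()
@@ -82,3 +87,4 @@ IS_USED_LOCK('bug31418')
 NULL
 FLUSH STATUS;
 Value of com_select did not change
+SET GLOBAL secure_auth = DEFAULT;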

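--- a/mysql-test/r/connect.result
+++ b/mysql-test/r/connect.result
@@ -79,12 +79,17 @@ connect(localhost,test,zorro,test2,MASTER_PORT,MASTER_SOCKET);
 ERROR 28000: Access denied for user 'test'@'localhost' (using password: YES)
 connect(localhost,test,zorro,test,MASTER_PORT,MASTER_SOCKET);
 ERROR 28000: Access denied for user 'test'@'localhost' (using password: YES)
+SET GLOBAL secure_auth = OFF;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 update mysql.user set password=old_password("gambling2") where user=_binary"test";
 flush privileges;
 set password="";
 set password='gambling3';
 ERROR HY000: Password hash should be a 41-digit hexadecimal number
 set password=old_password('gambling3');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 show tables;
 Tables_in_mysql
 columns_priv
@@ -128,6 +133,7 @@ connect(localhost,test,zorro,test,MASTER_PORT,MASTER_SOCKET);
 ERROR 28000: Access denied for user 'test'@'localhost' (using password: YES)
 delete from mysql.user where user=_binary"test";
 flush privileges;
+SET GLOBAL secure_auth = DEFAULT;
 create table t1 (id integer not null auto_increment primary key);
 create temporary table t2(id integer not null auto_increment primary key);
 set @id := 1;
@@ -236,3 +242,32 @@ SET GLOBAL event_scheduler = OFF;
 # ------------------------------------------------------------------
 # -- End of 5.1 tests
 # ------------------------------------------------------------------
+#
+# Bug #13586336 : SRVGEN - HIBISCUS: ISSUE DEPRECATION WARNING FOR
+# LEGACY AUTHENTICATION METHOD
+#
+#Expect 1
+SELECT @@global.secure_auth;
+@@global.secure_auth
+1
+SET old_passwords=true;
+#Expect deprecation warning
+CREATE USER old_pwd@localhost IDENTIFIED BY 'aha';
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
+#Expect deprecation warning
+SET PASSWORD FOR old_pwd@localhost = OLD_PASSWORD('aha2');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
+#Expect deprecation warning
+GRANT SELECT on test.* TO old_gpwd@localhost
+IDENTIFIED BY 'aha3';
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
+#Expected normal flush, no warnings
+FLUSH PRIVILEGES;
+DROP USER old_pwd@localhost, old_gpwd@localhost;
+SET old_passwords=default;
+# ------------------------------------------------------------------
+# -- End of 5.6 tests
+# ------------------------------------------------------------------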
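Review bot: A pre-4.1 hash that reaches `mysql.user` by direct DML is never flagged in this recorded output. In the first hunk, `update mysql.user set password=old_password("gambling2") ...` followed by `flush privileges;` is recorded with no `Warnings:` block. In the new 5.6 block, `FLUSH PRIVILEGES` runs while `old_pwd` and `old_gpwd` still hold legacy hashes and is annotated `#Expected normal flush, no warnings`. Whether the reload writes anything to the server error log cannot be seen from this page; if it does, the test should assert it, and if it does not, the reload path is a gap in the deprecation coverage. Until that is settled I would add a comment next to the flush such as `# Legacy hashes already stored in mysql.user are not reported on reload; audit with SELECT user, host FROM mysql.user WHERE LENGTH(password) = 16`.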

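--- a/mysql-test/r/mysql_upgrade.result
+++ b/mysql-test/r/mysql_upgrade.result
@@ -312,5 +312,48 @@ mysql.time_zone_name OK
 mysql.time_zone_transition OK
 mysql.time_zone_transition_type OK
 mysql.user OK
+#
+# Bug# 13586336: issue deprecation warning
+# for legacy authentication method
+#
+CREATE USER 'bug13586336'@'localhost';
+SET PASSWORD FOR 'bug13586336'@'localhost' = OLD_PASSWORD('a');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
+Run mysql_upgrade with all privileges on a user
+Warning: Using a password on the command line interface can be insecure.
+Warning: Using a password on the command line interface can be insecure.
+mtr.global_suppressions OK
+mtr.test_suppressions OK
+mysql.columns_priv OK
+mysql.db OK
+mysql.event OK
+mysql.func OK
+mysql.general_log OK
+mysql.help_category OK
+mysql.help_keyword OK
+mysql.help_relation OK
+mysql.help_topic OK
+mysql.host OK
+mysql.innodb_index_stats OK
+mysql.innodb_table_stats OK
+mysql.ndb_binlog_index OK
+mysql.plugin OK
+mysql.proc OK
+mysql.procs_priv OK
+mysql.proxies_priv OK
+mysql.servers OK
+mysql.slave_master_info OK
+mysql.slave_relay_log_info OK
+mysql.slave_worker_info OK
+mysql.slow_log OK
+mysql.tables_priv OK
+mysql.time_zone OK
+mysql.time_zone_name OK
+mysql.time_zone_transition OK
+mysql.time_zone_transition_type OK
+mysql.user OK
+DROP USER 'bug13586336'@'localhost';
 
 End of tests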
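Review bot: The recorded `mysql_upgrade` run does not pin item 3 of the commit description, the warning for an old hash found during upgrade. After `SET PASSWORD ... = OLD_PASSWORD('a')`, the only warnings in the captured output are the two "Using a password on the command line interface" lines, and `mysql.user OK` is reported as usual. The deprecation notice presumably goes to the server error log, but nothing on this page checks that, and the matching `.test` file is not among the sections shown. I would have the test assert on the logged message, and add a comment above the upgrade step such as `# The deprecation warning for 'bug13586336' is written to the error log, not to mysql_upgrade output`. That way a regression which silently drops the warning fails the test.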

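--- a/mysql-test/r/mysqld--help-notwin.result
+++ b/mysql-test/r/mysqld--help-notwin.result
@@ -712,6 +712,7 @@ The following options may be given as the first argument:
 write privileges to the mysql.user table.
 --secure-auth Disallow authentication for accounts that have old
 (pre-4.1) passwords
+(Defaults to on; use --skip-secure-auth to disable.)
 --secure-file-priv=name
 Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to
 files within specified directory
@@ -1083,7 +1084,7 @@ report-password (No default value)
 report-port 3306
 report-user (No default value)
 safe-user-create FALSE
-secure-auth FALSE
+secure-auth TRUE
 secure-file-priv (No default value)
 server-id 0
 show-slave-auth-info FALSE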

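--- a/mysql-test/r/mysqld--help-win.result
+++ b/mysql-test/r/mysqld--help-win.result
@@ -712,6 +712,7 @@ The following options may be given as the first argument:
 write privileges to the mysql.user table.
 --secure-auth Disallow authentication for accounts that have old
 (pre-4.1) passwords
+(Defaults to on; use --skip-secure-auth to disable.)
 --secure-file-priv=name
 Limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to
 files within specified directory
@@ -1091,7 +1092,7 @@ report-password (No default value)
 report-port 3306
 report-user (No default value)
 safe-user-create FALSE
-secure-auth FALSE
+secure-auth TRUE
 secure-file-priv (No default value)
 server-id 0
 shared-memory FALSE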

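--- a/mysql-test/suite/sys_vars/r/old_passwords_func.result
+++ b/mysql-test/suite/sys_vars/r/old_passwords_func.result
@@ -8,7 +8,11 @@ CREATE USER 'userNewPass2'@'localhost' IDENTIFIED BY 'pass2';
 SET GLOBAL old_passwords = TRUE;
 SET SESSION old_passwords = TRUE;
 CREATE USER 'userOldPass'@'localhost' IDENTIFIED BY 'pass3';
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 SET GLOBAL secure_auth = FALSE;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 ** Connecting con1 using username 'userNewPass1' **
 SELECT CURRENT_USER();
 CURRENT_USER()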

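--- a/mysql-test/suite/sys_vars/r/secure_auth_basic.result
+++ b/mysql-test/suite/sys_vars/r/secure_auth_basic.result
@@ -1,19 +1,21 @@
 SET @global_start_value = @@global.secure_auth;
 SELECT @global_start_value;
 @global_start_value
-0
+1
 '#--------------------FN_DYNVARS_143_01------------------------#'
-SET @@global.secure_auth = 1;
+SET @@global.secure_auth = 0;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 SET @@global.secure_auth = DEFAULT;
 SELECT @@global.secure_auth;
 @@global.secure_auth
-0
+1
 '#---------------------FN_DYNVARS_143_02-------------------------#'
 SET secure_auth = 1;
 ERROR HY000: Variable 'secure_auth' is a GLOBAL variable and should be set with SET GLOBAL
 SELECT @@secure_auth;
 @@secure_auth
-0
+1
 SELECT global.secure_auth;
 ERROR 42S02: Unknown table 'global' in field list
 SET global secure_auth = 1;
@@ -22,6 +24,8 @@ SELECT @@global.secure_auth;
 1
 '#--------------------FN_DYNVARS_143_03------------------------#'
 SET @@global.secure_auth = 0;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 SELECT @@global.secure_auth;
 @@global.secure_auth
 0
@@ -83,6 +87,8 @@ VARIABLE_VALUE
 ON
 '#---------------------FN_DYNVARS_143_08-------------------------#'
 SET @@global.secure_auth = OFF;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 SELECT @@global.secure_auth;
 @@global.secure_auth
 0
@@ -96,10 +102,12 @@ SELECT @@global.secure_auth;
 @@global.secure_auth
 1
 SET @@global.secure_auth = FALSE;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 SELECT @@global.secure_auth;
 @@global.secure_auth
 0
 SET @@global.secure_auth = @global_start_value;
 SELECT @@global.secure_auth;
 @@global.secure_auth
-0
+1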

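--- a/mysql-test/suite/sys_vars/r/secure_auth_func.result
+++ b/mysql-test/suite/sys_vars/r/secure_auth_func.result
@@ -8,10 +8,14 @@ SELECT @@GLOBAL.secure_auth;
 1 / ON Expected
 '#--------------------FN_DYNVARS_144_02-------------------------#'
 SET GLOBAL secure_auth = OFF;
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 CREATE USER 'testUser'@'localhost' IDENTIFIED BY 'newpass';
 ** Connecting con_user1 using testUser **
 ** Connection default**
 SET PASSWORD FOR 'testUser'@'localhost' = OLD_PASSWORD('newpass');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 ** Connecting con_user2 using testUser **
 ** Connection default**
 '#--------------------FN_DYNVARS_144_03-------------------------#'
@@ -20,6 +24,8 @@ SET PASSWORD FOR 'testUser'@'localhost' = PASSWORD('newpass');
 ** Connecting con_user3 using testUser **
 ** Connection default **
 SET PASSWORD FOR 'testUser'@'localhost' = OLD_PASSWORD('newpass');
+Warnings:
+Warning 1287 'pre-4.1 password hash' is deprecated and will be removed in a future release. Please use post-4.1 password hash instead
 ** Connecting con_user4 using testUser **
 ERROR HY000: Server is running in --secure-auth mode, but 'testUser'@'localhost' has a password in the old format; please change the password to the new format
 Expected error "Server is in secure auth mode"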

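--- a/mysql-test/suite/sys_vars/t/secure_auth_basic.test
+++ b/mysql-test/suite/sys_vars/t/secure_auth_basic.test
@@ -42,7 +42,7 @@ SELECT @global_start_value;
 # Display the DEFAULT value of secure_auth #
 ########################################################################
 
-SET @@global.secure_auth = 1;
+SET @@global.secure_auth = 0;
 SET @@global.secure_auth = DEFAULT;
 SELECT @@global.secure_auth;
 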
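--- a/mysql-test/t/change_user.test
+++ b/mysql-test/t/change_user.test
@@ -2,6 +2,7 @@
 # functional change user tests
 #
 
+SET GLOBAL secure_auth = OFF;
 grant select on test.* to test_nopw;
 grant select on test.* to test_oldpw identified by password "09301740536db389";
 grant select on test.* to test_newpw identified by "newpw";
@@ -122,3 +123,5 @@ if ($after != $before){
 die The value of com_select changed during change_user;
 }
 echo Value of com_select did not change;
+
+SET GLOBAL secure_auth = DEFAULT;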
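Review bot: The teardown restores `secure_auth` with `SET GLOBAL secure_auth = DEFAULT;` rather than the value the server had when the test started. If the suite is run with a non-default setting, this test leaves the global changed for whatever runs next. `secure_auth_basic` in this same commit already saves and restores through `@global_start_value`; doing the same here would be `SET @old_secure_auth = @@global.secure_auth;` before the `SET GLOBAL secure_auth = OFF;` line and `SET GLOBAL secure_auth = @old_secure_auth;` at the end. The recorded output for the connect test shows the same `DEFAULT` restore. Since the test needs legacy authentication only for `test_oldpw`, a short comment on the opening `SET` saying so would also help, e.g. `# test_oldpw uses a pre-4.1 hash; legacy auth must be allowed for this test only`.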
