WL#7726, adding mysql_no_login authentication plugin, backported to 5.6

Todd Farmer · Todd Farmer · commit 137e9155bb43 · 2015-01-13T14:15:43.000-07:00
from trunk.

Reviewed-by: Georgi Kodinov
Reviewed-by: Kristofer Petterson
Reviewed-by: Harin Vadodaria
RB: 5336
diff --git a/mysql-test/include/have_mysql_no_login_plugin.inc b/mysql-test/include/have_mysql_no_login_plugin.inc
@@ -0,0 +1,21 @@
+#
+# Check if server has support for loading plugins
+#
+if (`SELECT @@have_dynamic_loading != 'YES'`) {
+  --skip mysql_no_login requires dynamic loading
+}
+
+#
+# Check if the variable MYSQL_NO_LOGIN is set
+#
+if (!$MYSQL_NO_LOGIN) {
+  --skip mysql_no_login requires the environment variable \$MYSQL_NO_LOGIN to be set (normally done by mtr)
+}
+
+#
+# Check if --plugin-dir was setup for mysql_no_login
+#
+if (`SELECT CONCAT('--plugin-dir=', REPLACE(@@plugin_dir, '\\\\', '/')) != '$MYSQL_NO_LOGIN_OPT/'`) {
+  --skip mysql_no_login requires that --plugin-dir is set to the mysql_no_login dir (either the .opt file does not contain \$MYSQL_NO_LOGIN_OPT or another plugin is in use)
+}
+
diff --git a/mysql-test/include/plugin.defs b/mysql-test/include/plugin.defs
@@ -45,3 +45,4 @@ libdaemon_example  plugin/daemon_example DAEMONEXAMPLE
 libmemcached       plugin/innodb_memcached/daemon_memcached DAEMON_MEMCACHED daemon_memcached
 innodb_engine      plugin/innodb_memcached/innodb_memcache INNODB_ENGINE
 validate_password  plugin/password_validation VALIDATE_PASSWORD validate_password
+mysql_no_login     plugin/mysql_no_login      MYSQL_NO_LOGIN    mysql_no_login
diff --git a/mysql-test/suite/auth_sec/r/mysql_no_login.result b/mysql-test/suite/auth_sec/r/mysql_no_login.result
@@ -0,0 +1,43 @@
+INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';
+SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_TYPE, PLUGIN_DESCRIPTION
+FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'mysql_no_login';
+PLUGIN_NAME	mysql_no_login
+PLUGIN_STATUS	ACTIVE
+PLUGIN_TYPE	AUTHENTICATION
+PLUGIN_DESCRIPTION	No login authentication plugin
+Creating users noauth, otheruser
+Creating view, procedure, function
+# Connect as otheruser - should succeed.
+user()	current_user()	@@proxy_user
+otheruser@localhost	otheruser@localhost	NULL
+a
+2
+noauthdb.f1()
+5
+# Attempt to access underlying tables directly using otheruser - should fail.
+# Connect as noauth - should fail.
+#try to set password of this plugin user with password function - should warn
+SET PASSWORD FOR noauth@localhost = password('');
+Warnings:
+Note	1699	SET PASSWORD has no significance for users authenticating via plugins
+#try to set password of this plugin user with password hash - should warn
+grant all on *.* to noauth@localhost identified by password '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29';
+Warnings:
+Warning	1699	SET PASSWORD has no significance for users authenticating via plugins
+#try to expire password of this plugin user - should warn
+alter user noauth@localhost password expire;
+ERROR HY000: Operation ALTER USER failed for 'noauth'@'localhost'
+#uninstall plugin and try to login with this plugin user - should return error
+uninstall plugin mysql_no_login;
+# Connect as noauth - should fail.
+INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';
+Creating users noauth, otheruser
+Creating view, procedure, function
+# Connect as otheruser - should succeed.
+user()	current_user()	@@proxy_user
+otheruser@localhost	otheruser@localhost	NULL
+a
+2
+noauthdb.f1()
+5
+# Attempt to access underlying tables directly using otheruser - should fail.
diff --git a/mysql-test/suite/auth_sec/t/mysql_no_login-master.opt b/mysql-test/suite/auth_sec/t/mysql_no_login-master.opt
@@ -0,0 +1 @@
+$MYSQL_NO_LOGIN_OPT
diff --git a/mysql-test/suite/auth_sec/t/mysql_no_login.test b/mysql-test/suite/auth_sec/t/mysql_no_login.test
@@ -0,0 +1,127 @@
+#
+# Testing MYSQL_NO_LOGIN authentication plugin.
+#
+--source include/have_mysql_no_login_plugin.inc
+
+--replace_regex /\.dll/.so/
+eval INSTALL PLUGIN mysql_no_login SONAME '$MYSQL_NO_LOGIN';
+
+query_vertical SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_TYPE, PLUGIN_DESCRIPTION
+  FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'mysql_no_login';
+
+--disable_query_log
+CREATE DATABASE noauthdb;
+CREATE TABLE noauthdb.t1 (a INT);
+CREATE TABLE noauthdb.t2 (a INT);
+INSERT INTO noauthdb.t1 VALUES (1), (2);
+INSERT INTO noauthdb.t2 VALUES (3), (4);
+
+--echo Creating users noauth, otheruser
+CREATE USER noauth@localhost IDENTIFIED WITH 'mysql_no_login';
+CREATE USER otheruser@localhost;
+GRANT SELECT, UPDATE, INSERT ON noauthdb.* TO noauth@localhost;
+
+--echo Creating view, procedure, function
+CREATE DEFINER = noauth@localhost SQL SECURITY DEFINER VIEW noauthdb.v1 AS SELECT * FROM noauthdb.t1 WHERE a % 2 = 0;
+CREATE DEFINER = noauth@localhost PROCEDURE noauthdb.p1 () CONTAINS SQL SQL SECURITY DEFINER UPDATE noauthdb.t2 SET a = 5 WHERE a = 3;
+delimiter //;
+CREATE DEFINER = noauth@localhost FUNCTION noauthdb.f1() RETURNS INT CONTAINS SQL SQL SECURITY DEFINER
+BEGIN
+DECLARE outp INT DEFAULT NULL;
+SELECT MAX(a) INTO outp FROM noauthdb.t2;
+RETURN outp;
+END//
+delimiter ;//
+
+GRANT SELECT ON noauthdb.v1 TO otheruser@localhost;
+GRANT EXECUTE ON noauthdb.* TO otheruser@localhost;
+GRANT EXECUTE ON noauthdb.* TO noauth@localhost;
+
+--enable_query_log
+
+--echo # Connect as otheruser - should succeed.
+--exec $MYSQL --user=otheruser -e "select user(), current_user(), @@proxy_user; SELECT * FROM noauthdb.v1; CALL noauthdb.p1(); SELECT noauthdb.f1();"
+
+--echo # Attempt to access underlying tables directly using otheruser - should fail.
+--error 1, ER_TABLEACCESS_DENIED_ERROR
+--exec $MYSQL --user=otheruser   -e "SELECT * FROM noauthdb.t1;"
+
+--echo # Connect as noauth - should fail.
+--error 1, ER_ACCESS_DENIED_ERROR
+--exec $MYSQL --user=noauth   -e "select user(), current_user(), @@proxy_user"
+
+--echo #try to set password of this plugin user with password function - should warn
+SET PASSWORD FOR noauth@localhost = password('');
+
+--echo #try to set password of this plugin user with password hash - should warn
+grant all on *.* to noauth@localhost identified by password '*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29';
+
+--echo #try to expire password of this plugin user - should warn
+--error ER_CANNOT_USER
+alter user noauth@localhost password expire;
+
+--echo #uninstall plugin and try to login with this plugin user - should return error
+uninstall plugin mysql_no_login;
+--echo # Connect as noauth - should fail.
+--error 1, ER_PLUGIN_IS_NOT_LOADED
+--exec $MYSQL --user=noauth  -e "select user(), current_user(), @@proxy_user"
+
+# Cleanup
+--disable_query_log
+
+DROP DATABASE noauthdb;
+DROP USER noauth@localhost;
+DROP USER otheruser@localhost;
+
+--enable_query_log
+##proxy related scenario
+--replace_regex /\.dll/.so/
+eval INSTALL PLUGIN mysql_no_login SONAME '$MYSQL_NO_LOGIN';
+--disable_query_log
+CREATE DATABASE noauthdb;
+CREATE TABLE noauthdb.t1 (a INT);
+CREATE TABLE noauthdb.t2 (a INT);
+INSERT INTO noauthdb.t1 VALUES (1), (2);
+INSERT INTO noauthdb.t2 VALUES (3), (4);
+
+--echo Creating users noauth, otheruser
+CREATE USER noauth@localhost IDENTIFIED WITH 'mysql_no_login';
+CREATE USER otheruser@localhost;
+GRANT PROXY ON 'noauth'@'localhost' TO 'otheruser'@'localhost';
+GRANT SELECT, UPDATE, INSERT ON noauthdb.* TO noauth@localhost;
+
+--echo Creating view, procedure, function
+CREATE DEFINER = noauth@localhost SQL SECURITY DEFINER VIEW noauthdb.v1 AS SELECT * FROM noauthdb.t1 WHERE a % 2 = 0;
+CREATE DEFINER = noauth@localhost PROCEDURE noauthdb.p1 () CONTAINS SQL SQL SECURITY DEFINER UPDATE noauthdb.t2 SET a = 5 WHERE a = 3;
+delimiter //;
+CREATE DEFINER = noauth@localhost FUNCTION noauthdb.f1() RETURNS INT CONTAINS SQL SQL SECURITY DEFINER
+BEGIN
+DECLARE outp INT DEFAULT NULL;
+SELECT MAX(a) INTO outp FROM noauthdb.t2;
+RETURN outp;
+END//
+delimiter ;//
+
+GRANT SELECT ON noauthdb.v1 TO otheruser@localhost;
+GRANT EXECUTE ON noauthdb.* TO otheruser@localhost;
+GRANT EXECUTE ON noauthdb.* TO noauth@localhost;
+
+--enable_query_log
+
+--echo # Connect as otheruser - should succeed.
+--exec $MYSQL --user=otheruser -e "select user(), current_user(), @@proxy_user; SELECT * FROM noauthdb.v1; CALL noauthdb.p1(); SELECT noauthdb.f1();"
+
+--echo # Attempt to access underlying tables directly using otheruser - should fail.
+--error 1, ER_TABLEACCESS_DENIED_ERROR
+--exec $MYSQL --user=otheruser   -e "SELECT * FROM noauthdb.t1;"
+
+# Cleanup
+ --disable_query_log
+
+ DROP DATABASE noauthdb;
+ DROP USER noauth@localhost;
+ DROP USER otheruser@localhost;
+
+ #UNINSTALL PLUGIN mysql_no_auth;
+ --enable_query_log
+--exit
diff --git a/plugin/auth/CMakeLists.txt b/plugin/auth/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2015 Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
@@ -27,6 +27,9 @@ MYSQL_ADD_PLUGIN(qa_auth_server qa_auth_server.c
 
 MYSQL_ADD_PLUGIN(qa_auth_client qa_auth_client.c 
   MODULE_ONLY)
+  
+MYSQL_ADD_PLUGIN(mysql_no_login mysql_no_login.c 
+  MODULE_ONLY)
 
 CHECK_CXX_SOURCE_COMPILES(
 "#ifndef _GNU_SOURCE
diff --git a/plugin/auth/mysql_no_login.c b/plugin/auth/mysql_no_login.c
@@ -0,0 +1,64 @@
+/*  Copyright (c) 2014, 2015 Oracle and/or its affiliates. All rights reserved.
+
+    This program is free software; you can redistribute it and/or
+    modify it under the terms of the GNU General Public License as
+    published by the Free Software Foundation; version 2 of the
+    License.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
+/**
+  @file
+
+  mysql_no_login authentication plugin.
+
+  This plugin exists to support system user accounts, which
+  cannot be accessed externally.  This is useful for privileged
+  stored programs, views and events.  Such objects can be created
+  with DEFINER = [sys account] SQL SECURITY DEFINER.
+*/
+
+#include <my_global.h>
+#include <mysql/plugin_auth.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+static int mysql_no_login(
+    MYSQL_PLUGIN_VIO *vio __attribute__((unused)),
+    MYSQL_SERVER_AUTH_INFO *info __attribute__((unused)))
+{
+  return CR_ERROR;
+}
+
+static struct st_mysql_auth mysql_no_login_handler=
+{
+  MYSQL_AUTHENTICATION_INTERFACE_VERSION,
+  0,
+  mysql_no_login
+};
+
+mysql_declare_plugin(mysql_no_login)
+{
+  MYSQL_AUTHENTICATION_PLUGIN,                  /* type constant    */
+  &mysql_no_login_handler,                      /* type descriptor  */
+  "mysql_no_login",                             /* Name             */
+  "Todd Farmer",                                /* Author           */
+  "No login authentication plugin",             /* Description      */
+  PLUGIN_LICENSE_GPL,                           /* License          */
+  NULL,                                         /* Init function    */
+  NULL,                                         /* Deinit function  */
+  0x0100,                                       /* Version (1.0)    */
+  NULL,                                         /* status variables */
+  NULL,                                         /* system variables */
+  NULL,                                         /* config options   */
+  0,                                            /* flags            */
+}
+mysql_declare_plugin_end;
