From 125e172a2bdfbf4e8c9700db4a353e67424b1352 Mon Sep 17 00:00:00 2001 From: Vladislav Vaintroub Date: Fri, 20 May 2022 16:32:35 +0200 Subject: MDEV-26715 Windows/installer - allow passwordless login for root Allow passwordless login in addition to usual login with password, when creating 'root' user during install. The effect of that change is that "local administrators" group are allowed to connect as root user. This is done via gssapi authentication plugin. Clients that are not aware of gssapi client plugin, can still login with password credentials. --- plugin/auth_gssapi/CMakeLists.txt | 12 ++++++++---- plugin/auth_gssapi/mysql-test/auth_gssapi/basic.result | 4 ---- plugin/auth_gssapi/mysql-test/auth_gssapi/basic.test | 5 ----- plugin/auth_gssapi/mysql-test/auth_gssapi/groups.result | 4 ---- plugin/auth_gssapi/mysql-test/auth_gssapi/groups.test | 7 ++----- plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.result | 4 ---- plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.test | 4 ---- plugin/auth_gssapi/mysql-test/auth_gssapi/suite.opt | 2 +- plugin/auth_gssapi/mysql-test/auth_gssapi/suite.pm | 3 ++- plugin/auth_gssapi/server_plugin.cc | 2 +- 10 files changed, 14 insertions(+), 33 deletions(-) (limited to 'plugin') diff --git a/plugin/auth_gssapi/CMakeLists.txt b/plugin/auth_gssapi/CMakeLists.txt index 8c82d335ab2..f84f0aafb65 100644 --- a/plugin/auth_gssapi/CMakeLists.txt +++ b/plugin/auth_gssapi/CMakeLists.txt @@ -46,11 +46,15 @@ ELSE() ENDIF() ENDIF () - +IF(WIN32) + SET(AUTH_GSSAPI_DEFAULT DEFAULT) +ELSE() + SET(AUTH_GSSAPI_DEFAULT) +ENDIF() MYSQL_ADD_PLUGIN(auth_gssapi server_plugin.cc ${GSSAPI_SERVER} ${GSSAPI_ERRMSG} - LINK_LIBRARIES ${GSSAPI_LIBS} - COMPONENT gssapi-server - MODULE_ONLY) + LINK_LIBRARIES ${GSSAPI_LIBS} + ${AUTH_GSSAPI_DEFAULT} + COMPONENT gssapi-server) # disabled in favor of libmariadb/plugins/auth/auth_gssapi_client.c # 
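Review bot: Dropping `MODULE_ONLY` from the `MYSQL_ADD_PLUGIN(auth_gssapi ...)` call affects every platform, not only the `IF(WIN32)` branch that sets `DEFAULT`. On non-Windows builds the plugin can presumably now be configured as a static plugin too. If only Windows is meant to change, the `ELSE()` branch could keep the old behaviour with `SET(AUTH_GSSAPI_DEFAULT MODULE_ONLY)`. Because this puts an authentication plugin into the default Windows server build, a comment above the `IF(WIN32)` would record the reason, e.g. `# Windows: build auth_gssapi by default; the installer's passwordless root login relies on it (MDEV-26715)`.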
diff --git a/plugin/auth_gssapi/mysql-test/auth_gssapi/basic.result b/plugin/auth_gssapi/mysql-test/auth_gssapi/basic.result index b7cf3d8e488..09be092d879 100644 --- a/plugin/auth_gssapi/mysql-test/auth_gssapi/basic.result +++ b/plugin/auth_gssapi/mysql-test/auth_gssapi/basic.result @@ -1,6 +1,3 @@ -INSTALL SONAME 'auth_gssapi'; -Warnings: -Note 1105 SSPI: using principal name 'localhost', mech 'Negotiate' CREATE USER 'GSSAPI_SHORTNAME' IDENTIFIED WITH gssapi; connect con1,localhost,$GSSAPI_SHORTNAME,,; SELECT USER(),CURRENT_USER(); @@ -23,4 +20,3 @@ DROP USER usr1; CREATE USER nosuchuser IDENTIFIED WITH gssapi AS 'nosuchuser@EXAMPLE.COM'; ERROR 28000: GSSAPI name mismatch, requested 'nosuchuser@EXAMPLE.COM', actual name 'GSSAPI_FULLNAME' DROP USER nosuchuser; -UNINSTALL SONAME 'auth_gssapi'; diff --git a/plugin/auth_gssapi/mysql-test/auth_gssapi/basic.test b/plugin/auth_gssapi/mysql-test/auth_gssapi/basic.test index 2307aa3934a..dc242e3a9cb 100644 --- a/plugin/auth_gssapi/mysql-test/auth_gssapi/basic.test +++ b/plugin/auth_gssapi/mysql-test/auth_gssapi/basic.test @@ -1,6 +1,3 @@ ---replace_regex /name '[^']+'/name 'localhost'/ -INSTALL SONAME 'auth_gssapi'; - # # CREATE USER without 'AS' clause # @@ -42,5 +39,3 @@ CREATE USER nosuchuser IDENTIFIED WITH gssapi AS 'nosuchuser@EXAMPLE.COM'; connect (con1,localhost,nosuchuser,,); --enable_query_log DROP USER nosuchuser; - -UNINSTALL SONAME 'auth_gssapi'; \ No newline at end of file diff --git a/plugin/auth_gssapi/mysql-test/auth_gssapi/groups.result b/plugin/auth_gssapi/mysql-test/auth_gssapi/groups.result index 10b3eb3e9d6..38244eca35b 100644 --- a/plugin/auth_gssapi/mysql-test/auth_gssapi/groups.result +++ b/plugin/auth_gssapi/mysql-test/auth_gssapi/groups.result 
@@ -1,6 +1,3 @@ -INSTALL SONAME 'auth_gssapi'; -Warnings: -Note 1105 SSPI: using principal name 'localhost', mech 'Negotiate' CREATE USER 'nosuchgroup' IDENTIFIED WITH gssapi AS 'GROUP:nosuchgroup'; connect(localhost,nosuchuser,,test,MASTER_MYPORT,MASTER_MYSOCK); connect con1,localhost,nosuchuser,,; @@ -41,4 +38,3 @@ connect con1,localhost,me_sid,,; disconnect con1; connection default; DROP USER me_sid; -UNINSTALL SONAME 'auth_gssapi'; diff --git a/plugin/auth_gssapi/mysql-test/auth_gssapi/groups.test b/plugin/auth_gssapi/mysql-test/auth_gssapi/groups.test index 1c72ad9cc23..647e02043f2 100644 --- a/plugin/auth_gssapi/mysql-test/auth_gssapi/groups.test +++ b/plugin/auth_gssapi/mysql-test/auth_gssapi/groups.test @@ -1,6 +1,6 @@ source include/windows.inc; --replace_regex /name '[^']+'/name 'localhost'/ -INSTALL SONAME 'auth_gssapi'; + # Invalid group name @@ -67,7 +67,4 @@ replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT; connect (con1,localhost,me_sid,,); disconnect con1; connection default; -DROP USER me_sid; - - -UNINSTALL SONAME 'auth_gssapi'; \ No newline at end of file +DROP USER me_sid; \ No newline at end of file diff --git a/plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.result b/plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.result index c65eb7a8634..41d2707398b 100644 --- a/plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.result +++ b/plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.result @@ -1,6 +1,3 @@ -INSTALL SONAME 'auth_gssapi'; -Warnings: -Note 1105 SSPI: using principal name 'localhost', mech 'Negotiate' CREATE USER 'nosuchuser' IDENTIFIED WITH gssapi OR mysql_native_password as password("good"); connect(localhost,nosuchuser,,test,MASTER_MYPORT,MASTER_MYSOCK); connect con1,localhost,nosuchuser,,; @@ -31,4 +28,3 @@ GSSAPI_SHORTNAME@localhost GSSAPI_SHORTNAME@% disconnect con1; connection default; DROP USER 'GSSAPI_SHORTNAME'; -UNINSTALL SONAME 'auth_gssapi'; 
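Review bot: In the first hunk of groups.test the `--replace_regex /name '[^']+'/name 'localhost'/` line is kept although the `INSTALL SONAME 'auth_gssapi';` it was written for is removed. It now applies to the next statement in the file instead, which going by groups.result is presumably the `CREATE USER 'nosuchgroup' ...` line. basic.test and multiauth.test drop the directive together with the INSTALL, and doing the same here keeps a stale filter from rewriting unrelated output. The file also still ends without a trailing newline after `DROP USER me_sid;`.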
diff --git a/plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.test b/plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.test index 10e1e80907e..0257946b786 100644 --- a/plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.test +++ b/plugin/auth_gssapi/mysql-test/auth_gssapi/multiauth.test @@ -1,6 +1,3 @@ ---replace_regex /name '[^']+'/name 'localhost'/ -INSTALL SONAME 'auth_gssapi'; - # gssapi,password CREATE USER 'nosuchuser' IDENTIFIED WITH gssapi OR mysql_native_password as password("good"); replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT; @@ -33,4 +30,3 @@ connection default; replace_result $GSSAPI_SHORTNAME GSSAPI_SHORTNAME; eval DROP USER '$GSSAPI_SHORTNAME'; -UNINSTALL SONAME 'auth_gssapi'; diff --git a/plugin/auth_gssapi/mysql-test/auth_gssapi/suite.opt b/plugin/auth_gssapi/mysql-test/auth_gssapi/suite.opt index 3077d70c9c3..c9a5d522600 100644 --- a/plugin/auth_gssapi/mysql-test/auth_gssapi/suite.opt +++ b/plugin/auth_gssapi/mysql-test/auth_gssapi/suite.opt @@ -1 +1 @@ ---loose-gssapi-keytab-path=$GSSAPI_KEYTAB_PATH --loose-gssapi-principal-name=$GSSAPI_PRINCIPAL_NAME +--loose-gssapi=ON --loose-gssapi-keytab-path=$GSSAPI_KEYTAB_PATH --loose-gssapi-principal-name=$GSSAPI_PRINCIPAL_NAME --plugin-load-add=$AUTH_GSSAPI_SO diff --git a/plugin/auth_gssapi/mysql-test/auth_gssapi/suite.pm b/plugin/auth_gssapi/mysql-test/auth_gssapi/suite.pm index e77ba05cb5c..af13b76e74c 100644 --- a/plugin/auth_gssapi/mysql-test/auth_gssapi/suite.pm +++ b/plugin/auth_gssapi/mysql-test/auth_gssapi/suite.pm @@ -1,8 +1,9 @@ + package My::Suite::AuthGSSAPI; @ISA = qw(My::Suite); -return "No AUTH_GSSAPI plugin" unless $ENV{AUTH_GSSAPI_SO}; +return "No AUTH_GSSAPI plugin" unless ($ENV{AUTH_GSSAPI_SO} or $::mysqld_variables{gssapi} eq "ON"); return "Not run for embedded server" if $::opt_embedded_server; diff --git a/plugin/auth_gssapi/server_plugin.cc b/plugin/auth_gssapi/server_plugin.cc index eeca4607ece..c45452cee8e 100644 
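Review bot: The new skip condition in suite.pm compares `$::mysqld_variables{gssapi}` with `eq` without guarding for a missing key. On a server built without the plugin the key is presumably absent, so the comparison runs on undef and would emit an "uninitialized value" warning if warnings are enabled for this file. `return "No AUTH_GSSAPI plugin" unless ($ENV{AUTH_GSSAPI_SO} or ($::mysqld_variables{gssapi} // '') eq "ON");` keeps the same result without that. A one-line comment such as `# plugin is either a loadable module (AUTH_GSSAPI_SO set) or compiled in (gssapi=ON)` would explain why two checks are needed. The blank line added before `package` looks unintentional.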
--- a/plugin/auth_gssapi/server_plugin.cc +++ b/plugin/auth_gssapi/server_plugin.cc @@ -141,7 +141,7 @@ static struct st_mysql_auth server_handler= { gssapi_auth, NULL, NULL }; -maria_declare_plugin(gssapi_server) +maria_declare_plugin(auth_gssapi) { MYSQL_AUTHENTICATION_PLUGIN, &server_handler, -- cgit v1.2.1