Hi, Nikita,

This looks good. Minor comments below.

On Sep 09, Nikita Malyavin wrote:
revision-id: 982bf06d560 (mariadb-11.6.1-14-g982bf06d560)
parent(s): bd616a3733c
author: Nikita Malyavin
committer: Nikita Malyavin
timestamp: 2024-09-07 21:44:13 +0200
message:
MDEV-12320 configurable default authentication plugin for the server
* Add a new cmdline-only variable "default_auth_plugin".
* A default plugin is locked at the server init and unlocked at the deinit stages. This means that mysql_native_password and old_password_plugin, when default, are locked/unlocked twice.
doesn't matter, compiled-in plugins are only locked in debug builds, otherwise it's a no-op.
--- a/sql/sys_vars.cc +++ b/sql/sys_vars.cc @@ -4538,6 +4538,14 @@ static Sys_var_plugin Sys_enforce_storage_engine( DEFAULT(&enforced_storage_engine), NO_MUTEX_GUARD, NOT_IN_BINLOG, ON_CHECK(check_has_super));
+extern const char *default_auth_plugin_name; +extern LEX_CSTRING native_password_plugin_name;
Is it ok? The correct type is Lex_ident_plugin.
+static Sys_var_charptr Sys_default_auth_plugin(
there's also Sys_var_lexstring, if you prefer that.
+ "default_auth_plugin", "Default plugin, that will be tried first when authenticating new connections",
reformat the long line, please
+ READ_ONLY GLOBAL_VAR(default_auth_plugin_name), CMD_LINE(OPT_ARG), + DEFAULT(native_password_plugin_name.str), + NO_MUTEX_GUARD, NOT_IN_BINLOG);
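Review bot: CMD_LINE(OPT_ARG) on Sys_default_auth_plugin lets `--default-auth-plugin` be given with no value, which has no meaning for a plugin name; unless an empty argument is deliberately accepted, CMD_LINE(REQUIRED_ARG) is the usual choice for a string option and removes the question of what default_auth_plugin_name holds in that case. While the long description line is being reformatted, the stray comma in "Default plugin, that will be tried first" should go too.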
--- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -2543,9 +2542,20 @@ bool acl_init(bool dont_read_acl_tables) old_password_plugin= my_plugin_lock_by_name(0, &old_password_plugin_name, MYSQL_AUTHENTICATION_PLUGIN);
+ Lex_cstring_strlen def_plugin_name(default_auth_plugin_name); + default_auth_plugin= my_plugin_lock_by_name(NULL, &def_plugin_name, + MYSQL_AUTHENTICATION_PLUGIN); + if (!native_password_plugin || !old_password_plugin) DBUG_RETURN(1);
+ if (!default_auth_plugin) + { + sql_print_error("Default plugin %s could not be loaded", + default_auth_plugin_name);
see init_default_storage_engine() in mysqld.cc - it's for --default-storage-engine option. let's use similar wording for consistency:

sql_print_error("Unknown/unsupported authentication plugin: %s", default_auth_plugin_name);
+ DBUG_RETURN(1); + } + if (dont_read_acl_tables) { DBUG_RETURN(0); /* purecov: tested */
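Review bot: `Lex_cstring_strlen def_plugin_name(default_auth_plugin_name)` dereferences the option value with no NULL check, so if the command-line handling can ever leave the pointer NULL (the sys_vars.cc hunk declares the option CMD_LINE(OPT_ARG)) acl_init crashes before the "could not be loaded" error is ever reached; either guard with `if (!default_auth_plugin_name)` here or make the argument required. Separately, the pre-existing `if (!native_password_plugin || !old_password_plugin) DBUG_RETURN(1);` now sits between locking default_auth_plugin and checking it, so that early return leaves a non-built-in default plugin locked; moving the `my_plugin_lock_by_name` for default_auth_plugin below that check keeps the error paths straightforward (and `NULL` vs the surrounding `0` for the first argument is worth aligning while there).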
Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org