[Maria-developers] auth_socket/unix_socket auth plugin naming incompatibility with Percona Server
Hi, I just tested a switch from Percona Server 5.6 to MariaDB 10.0.16 and hit a problem with socket authentication. I had it set up to auth root using the auth_socket plugin, but when I switched to MariaDB I could no longer login as root. I get this error from the client: ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded Anyway, after I bunch of investigation, I found that the plugin used to expose itself as socket_peercred but was renamed due to a conflict and Percona and MariaDB chose different names to fix it. Percona renamed it to auth_socket, matching the actual library filename auth_socket.so and MariaDB chose unix_socket, but keeping the filename auth_socket.so: https://github.com/MariaDB/server/commit/b8b7b4eb6bef26d05257272be02674ae551... https://github.com/percona/percona-server/commit/91a2afcbcba8af28d2f10f80830... This isn't great, but it's made worse because the plugin is successfully loaded in both cases (because the filename is auth_socket.so) and no errors are reported in the logs, but the plugin just exposes itself internally using a different name so reports that auth_socket isn't loaded in MariaDB. I fixed it by starting mysql with skip-grant-tables and running: update mysql.user set plugin='unix_socket' where plugin='auth_socket'; but that alone doesn't work, because MariaDB doesn't know that unix_socket is provided by auth_socket.so: ERROR 1524 (HY000): Plugin 'unix_socket' is not loaded So I then added this to the config file, which fixed it: plugin-load=unix_socket=auth_socket.so Any thoughts on what to do here? Can the plugin be made to recognise both names, so other users don't end up in this situation? I presume there would need to be both auth_socket.so and unix_socket.so. I also presume Percona would need to provide the same, to help those moving from MariaDB to Percona. Thanks, John. -- https://www.brightbox.com
Hi, John! On Feb 19, John Leach wrote:
I just tested a switch from Percona Server 5.6 to MariaDB 10.0.16 and hit a problem with socket authentication.
...
Percona renamed it to auth_socket, matching the actual library filename auth_socket.so and MariaDB chose unix_socket, but keeping the filename auth_socket.so: ... This isn't great, but it's made worse because the plugin is successfully loaded in both cases (because the filename is auth_socket.so) and no errors are reported in the logs, but the plugin just exposes itself internally using a different name so reports that auth_socket isn't loaded in MariaDB.
How do you load the plugin? I suppose it's plugin-load=auth_socket.so because plugin loads successfully even if the name is different?
I fixed it by starting mysql with skip-grant-tables and running:
update mysql.user set plugin='unix_socket' where plugin='auth_socket';
but that alone doesn't work, because MariaDB doesn't know that unix_socket is provided by auth_socket.so:
No, that should've been sufficient. MariaDB knows that unix_socket is provided by auth_socket.so when auth_socket.so is loaded. If auth_socket.so is not loaded, neither MariaDB nor Percona Server will know what plugin is in what .so file. There must be something else you've done besides this update statement.
Any thoughts on what to do here? Can the plugin be made to recognise both names, so other users don't end up in this situation? I presume there would need to be both auth_socket.so and unix_socket.so.
But .so name is the same both in MariaDB and in Percona Server. It's always auth_socket.so, there is no unix_socket.so. A plugin can not have two names, but technically it's possible to have two plugins in the same .so file, they could share all the code and only differ in names. Regards, Sergei
Hi Sergei, thanks for your response! On Thu, 2015-02-19 at 21:38 +0100, Sergei Golubchik wrote:
On Feb 19, John Leach wrote:
I just tested a switch from Percona Server 5.6 to MariaDB 10.0.16 and hit a problem with socket authentication.
...
Percona renamed it to auth_socket, matching the actual library filename auth_socket.so and MariaDB chose unix_socket, but keeping the filename auth_socket.so: ... This isn't great, but it's made worse because the plugin is successfully loaded in both cases (because the filename is auth_socket.so) and no errors are reported in the logs, but the plugin just exposes itself internally using a different name so reports that auth_socket isn't loaded in MariaDB.
How do you load the plugin? I suppose it's plugin-load=auth_socket.so because plugin loads successfully even if the name is different? z
I fixed it by starting mysql with skip-grant-tables and running:
update mysql.user set plugin='unix_socket' where plugin='auth_socket';
but that alone doesn't work, because MariaDB doesn't know that unix_socket is provided by auth_socket.so:
No, that should've been sufficient. MariaDB knows that unix_socket is provided by auth_socket.so when auth_socket.so is loaded.
If auth_socket.so is not loaded, neither MariaDB nor Percona Server will know what plugin is in what .so file.
There must be something else you've done besides this update statement.
Any thoughts on what to do here? Can the plugin be made to recognise both names, so other users don't end up in this situation? I presume there would need to be both auth_socket.so and unix_socket.so.
But .so name is the same both in MariaDB and in Percona Server. It's always auth_socket.so, there is no unix_socket.so.
sorry, my mistake - you are correct. On Percona I am indeed explicitly loading this in the config file using: plugin-load=auth_socket.so If I use this same config line in MariaDB, that is enough to get unix_socket registered. So the problem is only that the symbol differs between projects for the same plugin. Is that something it's worth filing a bug about? Is the aim for Percona/MariaDB to be compatible where possible? Thanks, John.
A plugin can not have two names, but technically it's possible to have two plugins in the same .so file, they could share all the code and only differ in names.
Regards, Sergei
Hi, John! On Feb 19, John Leach wrote:
On Percona I am indeed explicitly loading this in the config file using:
plugin-load=auth_socket.so
If I use this same config line in MariaDB, that is enough to get unix_socket registered.
So the problem is only that the symbol differs between projects for the same plugin.
Is that something it's worth filing a bug about? Is the aim for Percona/MariaDB to be compatible where possible?
Yes, I suppose so. I cannot say who will fix it, though, we or Percona. Generally we avoid having plugin type in the plugin name. XtraDB isn't called "engine_xtradb". One simply writes create table ... engine=xtradb not create table ... engine=engine_xtradb Similarly, authentication plugin names describe authentication method only, for example: create user ... identified via pam create user ... identified via unix_socket and so on.
A plugin can not have two names, but technically it's possible to have two plugins in the same .so file, they could share all the code and only differ in names.
Regards, Sergei
Hi Sergei, On Mon, 2015-02-23 at 14:30 +0100, Sergei Golubchik wrote:
Hi, John!
On Feb 19, John Leach wrote:
On Percona I am indeed explicitly loading this in the config file using:
plugin-load=auth_socket.so
If I use this same config line in MariaDB, that is enough to get unix_socket registered.
So the problem is only that the symbol differs between projects for the same plugin.
Is that something it's worth filing a bug about? Is the aim for Percona/MariaDB to be compatible where possible?
Yes, I suppose so. I cannot say who will fix it, though, we or Percona.
it seems to me that, if the aim is for percona and mariadb to be compatible where possible, both projects now need to support both auth definitions. If that is the aim anyway!
Generally we avoid having plugin type in the plugin name. XtraDB isn't called "engine_xtradb". One simply writes
create table ... engine=xtradb
not
create table ... engine=engine_xtradb
Similarly, authentication plugin names describe authentication method only, for example:
create user ... identified via pam create user ... identified via unix_socket
and so on.
thanks for the clarification. John.
participants (2)
-
John Leach
-
Sergei Golubchik