Hi, Nikita,
This looks good. Minor comments below.
On Sep 09, Nikita Malyavin wrote:
revision-id: 982bf06d560 (mariadb-11.6.1-14-g982bf06d560)
parent(s): bd616a3733c
author: Nikita Malyavin
committer: Nikita Malyavin
timestamp: 2024-09-07 21:44:13 +0200
message:
MDEV-12320 configurable default authentication plugin for the server
* Add a new cmdline-only variable "default_auth_plugin".
* A default plugin is locked at the server init and unlocked at the deinit
stages. This means that mysql_native_password and old_password_plugin, when
default, are locked/unlocked twice.
doesn't matter, compiled-in plugins are only locked in debug builds,
otherwise it's a no-op.
--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -4538,6 +4538,14 @@ static Sys_var_plugin Sys_enforce_storage_engine(
DEFAULT(&enforced_storage_engine), NO_MUTEX_GUARD, NOT_IN_BINLOG,
ON_CHECK(check_has_super));
+extern const char *default_auth_plugin_name;
+extern LEX_CSTRING native_password_plugin_name;
Is it ok? The correct type is Lex_ident_plugin.
+static Sys_var_charptr Sys_default_auth_plugin(
there's also Sys_var_lexstring, if you prefer that.
+ "default_auth_plugin", "Default plugin, that will be tried first when authenticating new connections",
reformat the long line, please
+ READ_ONLY GLOBAL_VAR(default_auth_plugin_name), CMD_LINE(OPT_ARG),
+ DEFAULT(native_password_plugin_name.str),
+ NO_MUTEX_GUARD, NOT_IN_BINLOG);
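Review bot: CMD_LINE(OPT_ARG) on the new Sys_default_auth_plugin makes the value optional on the command line, so `--default-auth-plugin` given with no argument is accepted here and only surfaces later, in acl_init(), as a lookup failure on whatever default_auth_plugin_name then holds; unless an empty value is meant to mean something, CMD_LINE(REQUIRED_ARG) would reject that form at option parsing, where the message can point at the option. The DEFAULT(native_password_plugin_name.str) line also depends on the `extern LEX_CSTRING native_password_plugin_name;` declaration added above matching the definition's actual type, which is the point raised in the comments; once the type is settled, the `.str` access should be re-checked against it.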
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -2543,9 +2542,20 @@ bool acl_init(bool dont_read_acl_tables)
old_password_plugin= my_plugin_lock_by_name(0,
&old_password_plugin_name, MYSQL_AUTHENTICATION_PLUGIN);
+ Lex_cstring_strlen def_plugin_name(default_auth_plugin_name);
+ default_auth_plugin= my_plugin_lock_by_name(NULL, &def_plugin_name,
+ MYSQL_AUTHENTICATION_PLUGIN);
+
if (!native_password_plugin || !old_password_plugin)
DBUG_RETURN(1);
+ if (!default_auth_plugin)
+ {
+ sql_print_error("Default plugin %s could not be loaded",
+ default_auth_plugin_name);
see init_default_storage_engine() in mysqld.cc - it's for the
--default-storage-engine option.
let's use similar wording for consistency:
sql_print_error("Unknown/unsupported authentication plugin: %s",
default_auth_plugin_name);
+ DBUG_RETURN(1);
+ }
+
if (dont_read_acl_tables)
{
DBUG_RETURN(0); /* purecov: tested */
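Review bot: the new `if (!default_auth_plugin)` block returns 1 with native_password_plugin and old_password_plugin still held by the two my_plugin_lock_by_name() calls above it. The existing `if (!native_password_plugin || !old_password_plugin)` return has the same shape, so this follows the pattern, but this failure is now reachable through a misspelled --default-auth-plugin rather than only a broken build, so it is worth confirming that the caller of acl_init() releases those locks on the error path, or adding the plugin_unlock calls before DBUG_RETURN(1). Minor: the new call uses `my_plugin_lock_by_name(NULL, ...)` directly beneath the existing `my_plugin_lock_by_name(0, ...)`; pick one spelling for the THD argument.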
Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org