[Maria-discuss] SHOW GRANTS: MySQL vs. MariaDB
Hi all,

We have custom logic in place that “suspends” a MySQL user by:

- reversing the password hash
- replacing the leading “*” with “-”

In other words (pseudo-code):

    my $hash = SELECT password FROM mysql.user WHERE user = 'theuser';
    $hash = $hash.replace(/^\*/,"").reverse();
    UPDATE mysql.user SET password = "-$hash" WHERE user = 'theuser';

I have noticed that MySQL’s SHOW GRANTS reports these “suspended” password hashes with the leading dash “fixed” to a leading asterisk. MariaDB 10, though, has SHOW GRANTS report the literal contents of mysql.user.

Is this behavior by design in MariaDB 10? Is it behavior that we can depend on moving forward?

-FG

Hi, Felipe!

On Feb 16, Felipe Gasper wrote:
> Hi all,
>
> We have custom logic in place that “suspends” a MySQL user by:
>
> - reversing the password hash
> - replacing the leading “*” with “-”
>
> I have noticed that MySQL’s SHOW GRANTS reports these “suspended” password hashes with the leading dash “fixed” to a leading asterisk. MariaDB 10, though, has SHOW GRANTS report the literal contents of mysql.user.

Right. MySQL converts the password hash to binary on startup. And in SHOW GRANTS it prints the asterisk and the hex value of the binary password hash. MariaDB always prints the original password value, as in the mysql.user table.

> Is this behavior by design in MariaDB 10? Is it behavior that we can depend on moving forward?

It was not intentional, but rather a side effect. But now I've added a test to record this behavior, so it won't go away in the future.

There was also a bug in this area, but it's a bit difficult to trigger, so most probably you shouldn't care (*). Anyway, I've fixed it in 10.0.17.

Regards,
Sergei

(*) if you're curious. If a user with such a suspended password creates a procedure (which means he needs to keep an open connection from before he was suspended), and he doesn't have execute rights for this procedure - these rights are automatically granted to him. This automatic grant was changing '-' to '*' (because it was restoring password from the binary hash, as MySQL does).
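
The suspend/unsuspend transform discussed in this thread, as an added Python example that is not code from either poster. It also shows why a "suspended" marker can only be read back reliably from mysql.user itself. The function names, the constructed sample hash and the two SHOW GRANTS display models (which follow Sergei's description above) are assumptions.

```python
import re

# Stored hash format assumed here: '*' followed by 40 hex digits.
ACTIVE = re.compile(r"\*[0-9A-Fa-f]{40}")
SUSPENDED = re.compile(r"-[0-9A-Fa-f]{40}")

# Constructed sample value, not a real password hash.
SAMPLE = "*0123456789ABCDEF0123456789ABCDEF01234567"


def suspend(stored: str) -> str:
    """Reverse the hex digits and swap the leading '*' for '-'."""
    if SUSPENDED.fullmatch(stored):
        return stored  # idempotent: a second reversal would restore the original digits
    if not ACTIVE.fullmatch(stored):
        raise ValueError("expected '*' followed by 40 hex digits")
    return "-" + stored[1:][::-1]


def unsuspend(stored: str) -> str:
    """Inverse of suspend(); leaves an already active hash untouched."""
    if ACTIVE.fullmatch(stored):
        return stored
    if not SUSPENDED.fullmatch(stored):
        raise ValueError("expected '-' followed by 40 hex digits")
    return "*" + stored[1:][::-1]


def is_suspended(value: str) -> bool:
    return SUSPENDED.fullmatch(value) is not None


def shown_by_mariadb(stored: str) -> str:
    # Model: MariaDB prints the original value from mysql.user.
    return stored


def shown_by_mysql(stored: str) -> str:
    # Model: MySQL keeps the hash in binary and prints '*' plus its hex form,
    # so the leading '-' marker does not survive.
    return "*" + bytes.fromhex(stored[1:]).hex().upper()


if __name__ == "__main__":
    s = suspend(SAMPLE)
    print("stored :", s)
    print("MariaDB:", shown_by_mariadb(s), is_suspended(shown_by_mariadb(s)))
    print("MySQL  :", shown_by_mysql(s), is_suspended(shown_by_mysql(s)))
```

Under the MySQL model the output looks like an ordinary active hash, so tooling that checks suspension state should query mysql.user rather than parse SHOW GRANTS.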

participants (2): Felipe Gasper, Sergei Golubchik