[Maria-discuss] Password Complexity Plugin
Hi, I noticed MySQL 5.6 has a validate_password plugin. Since it's open-source, can we add it to MariaDB 5.5. Or is that bad form, a hot potato, etc.? We need the features of this plugin in our environment, and the PAM integration is looking not a good "fit" (though it's working great). (I'm trying to get it to compile in right now, but it's having issues with the includes so far...working on it). Thanks, Adam C. Scott
Hi! On 23 Jan 2015, at 00:03, Adam Scott <adam.c.scott@gmail.com> wrote:
Hi,
I noticed MySQL 5.6 has a validate_password plugin. Since it's open-source, can we add it to MariaDB 5.5. Or is that bad form, a hot potato, etc.?
We need the features of this plugin in our environment, and the PAM integration is looking not a good "fit" (though it's working great).
(I'm trying to get it to compile in right now, but it's having issues with the includes so far...working on it).
So Serg has been working on a validate_password plugin that isn't based on 5.5/5.6 - he's doing it a different way from what I gather See: https://mariadb.atlassian.net/browse/MDEV-5442 The bonus of how its done now, is that it's here: https://mariadb.atlassian.net/browse/MDEV-6431 It is shipping in 10.1.2 (don't use this in production please) -- see https://mariadb.com/kb/en/mariadb/documentation/plugins/simple_password_chec... Do you think that will do for you? An extension to this is tentatively scheduled for 10.2, but this may change if there are enough requests/time to do it -- https://mariadb.atlassian.net/browse/MDEV-6554 -- Colin Charles, Chief Evangelist, MariaDB Corporation blog: http://bytebot.net/blog/| t: +6-012-204-3201 | Skype: colincharles
Serg's a machine! Thanks for getting back. The constraint for us is we are on RHEL SCL which provides us MariaDB 5.5. The extension will get us 90% there for our purposes. For MDEV-6554 you may want to add the ability to prevent 3 or more repeating characters and not match the account id. I'll see if I can't grab the code and get it to compile for 5.5 unless that's in the works maybe? Thanks for getting back to me with the good details. Keep up the good work! Thanks Adam C. Scott On Thu, Jan 22, 2015 at 9:16 AM, Colin Charles <colin@mariadb.org> wrote:
Hi!
On 23 Jan 2015, at 00:03, Adam Scott <adam.c.scott@gmail.com> wrote:
Hi,
I noticed MySQL 5.6 has a validate_password plugin. Since it's open-source, can we add it to MariaDB 5.5. Or is that bad form, a hot potato, etc.?
We need the features of this plugin in our environment, and the PAM integration is looking not a good "fit" (though it's working great).
(I'm trying to get it to compile in right now, but it's having issues with the includes so far...working on it).
So Serg has been working on a validate_password plugin that isn't based on 5.5/5.6 - he's doing it a different way from what I gather
See: https://mariadb.atlassian.net/browse/MDEV-5442
The bonus of how its done now, is that it's here: https://mariadb.atlassian.net/browse/MDEV-6431
It is shipping in 10.1.2 (don't use this in production please) -- see https://mariadb.com/kb/en/mariadb/documentation/plugins/simple_password_chec...
Do you think that will do for you?
An extension to this is tentatively scheduled for 10.2, but this may change if there are enough requests/time to do it -- https://mariadb.atlassian.net/browse/MDEV-6554
-- Colin Charles, Chief Evangelist, MariaDB Corporation blog: http://bytebot.net/blog/| t: +6-012-204-3201 | Skype: colincharles
On 23 Jan 2015, at 00:49, Adam Scott <adam.c.scott@gmail.com> wrote:
I'll see if I can't grab the code and get it to compile for 5.5 unless that's in the works maybe?
this is currently not in the works, so if you try it and it works, do let us know -- Colin Charles, Chief Evangelist, MariaDB Corporation blog: http://bytebot.net/blog/| t: +6-012-204-3201 | Skype: colincharles
It's taken some time, but I have backported the simple_password_check plugin and the password api to MariaDB 5.5 The mysql-test is succeeding on all but the test of the strict_password_validation variable. My question is, should a pure backport include support for strict_password_validation variable ( https://mariadb.com/kb/en/mariadb/server-system-variables/#strict_password_v...) ? I suspect yes, but wanted to ask to start a further discussion: namely if I submit this patch will it be included in future MariaDB 5.5 releases? Thank you, Adam Scott On Thu, Jan 22, 2015 at 10:26 AM, Colin Charles <colin@mariadb.org> wrote:
On 23 Jan 2015, at 00:49, Adam Scott <adam.c.scott@gmail.com> wrote:
I'll see if I can't grab the code and get it to compile for 5.5 unless that's in the works maybe?
this is currently not in the works, so if you try it and it works, do let us know -- Colin Charles, Chief Evangelist, MariaDB Corporation blog: http://bytebot.net/blog/| t: +6-012-204-3201 | Skype: colincharles
Hi, Adam! On Apr 27, Adam Scott wrote:
It's taken some time, but I have backported the simple_password_check plugin and the password api to MariaDB 5.5 The mysql-test is succeeding on all but the test of the strict_password_validation variable.
My question is, should a pure backport include support for strict_password_validation variable ( https://mariadb.com/kb/en/mariadb/server-system-variables/#strict_password_v...) ? I suspect yes, but wanted to ask to start a further discussion: namely if I submit this patch will it be included in future MariaDB 5.5 releases?
I believe it's unlikely. If we wanted this feature in 5.5, it would've been implemented in 5.5 in the first place. But 5.5 is already GA, it was GA for quite a while. We don't add new feature to GA versions, that's why password validation was added to 10.1. I think that if you'll keep your own version of 5.5 + password validation and use that in your environment - it should not require much efforts to maintain. 5.5 code base is very stable at the moment, changes are few and sql_acl.cc almost doesn't change at all. And then you can skip 10.0 and upgrade directly to 10.1 one day :) Regards, Sergei
Thank you Sergei. I kind of expected that. Was hoping though to get it in upstream for our environment (one can dream!). Colin wanted to know if I got it backported, so I did. I'll chalk it up to a good exercise :) It would be nice to get us to MariaDB 10 but we have a big commitment to 5.5 right now. So in this exercise.. : 1) Navigate source code and repos in Git and Bazaar 2) Setup eclipse and cmake to navigate and build MariaDB (I found cscope to be really a powerful tool for getting around code and preferred it over eclipse many times) 3) used gdb to attach and examine values 4) Debug yacc 5) run mysql-test Thank again, Adam On Thu, Apr 30, 2015 at 2:38 AM, Sergei Golubchik <serg@mariadb.org> wrote:
Hi, Adam!
On Apr 27, Adam Scott wrote:
It's taken some time, but I have backported the simple_password_check plugin and the password api to MariaDB 5.5 The mysql-test is succeeding on all but the test of the strict_password_validation variable.
My question is, should a pure backport include support for strict_password_validation variable (
https://mariadb.com/kb/en/mariadb/server-system-variables/#strict_password_v... )
? I suspect yes, but wanted to ask to start a further discussion: namely if I submit this patch will it be included in future MariaDB 5.5 releases?
I believe it's unlikely. If we wanted this feature in 5.5, it would've been implemented in 5.5 in the first place.
But 5.5 is already GA, it was GA for quite a while. We don't add new feature to GA versions, that's why password validation was added to 10.1.
I think that if you'll keep your own version of 5.5 + password validation and use that in your environment - it should not require much efforts to maintain. 5.5 code base is very stable at the moment, changes are few and sql_acl.cc almost doesn't change at all. And then you can skip 10.0 and upgrade directly to 10.1 one day :)
Regards, Sergei
Hi Adam, On Thu, Jan 22, 2015 at 5:03 PM, Adam Scott <adam.c.scott@gmail.com> wrote:
Hi,
I noticed MySQL 5.6 has a validate_password plugin. Since it's open-source, can we add it to MariaDB 5.5. Or is that bad form, a hot potato, etc.?
We need the features of this plugin in our environment, and the PAM integration is looking not a good "fit" (though it's working great).
(I'm trying to get it to compile in right now, but it's having issues with the includes so far...working on it).
While you are at it, perhaps you can checkout some other candidates that rolled out in 10.1.2 : https://mariadb.com/kb/en/mariadb/development/mariadb-internals-documentatio... Best, Nirbhay
Thanks, Adam C. Scott
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
participants (4)
-
Adam Scott -
Colin Charles -
Nirbhay Choubey -
Sergei Golubchik