How to use MySQL without a password (and the security risks)

They say the best password is the one you do not have to remember. In the case of MySQL this is possible thanks to the auth_socket plugin and its MariaDB counterpart, unix_socket.

Neither plugin is new at all; they have been discussed a lot on this blog, for example in the article on how to change passwords in MySQL 5.7 using the auth_socket plugin. However, while looking at what is new in MariaDB 10.4, I discovered that unix_socket is now installed by default and is one of the authentication methods ("one of", because in MariaDB 10.4 more than one plugin can be available to a single user for authentication, which is explained in the "Authentication" document for MariaDB 10.04).

As I said, this is not news, and if you install MySQL from the .deb packages curated by the Debian maintainers team, a root user is created that authenticates via socket. This applies to both MySQL and MariaDB.

root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers
Original-Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>

With the Debian packages for MySQL, the root user is authenticated as follows:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user = 'root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.01 sec)

The same is true of the .deb package for MariaDB:

10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                      |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                  |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

The .deb packages from the official Percona repository also configure root user authentication with auth_socket for Percona Server. Let's take an example with Percona Server for MySQL 8.0.16-7 on Ubuntu 16.04:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.16-7 Percona Server (GPL), Release '7', Revision '613e312'

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

So what is the magic? The plugin checks that the Linux user matches the MySQL user, using the SO_PEERCRED socket option to obtain information about the user running the client program. The plugin can therefore only be used on systems that support the SO_PEERCRED option, such as Linux. The SO_PEERCRED socket option lets the server determine the UID of the process associated with the socket; the server then resolves that UID to a username and compares it with the account the client asked for.
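To show what SO_PEERCRED actually hands the server, here is an added Python example (not the plugin's code, which lives in C inside the server) that reads the peer credentials on a Unix-domain socketpair and applies the auth_socket rule to them; the passwd table used in demo() is constructed, and peer_credentials and socket_auth_decision are names of my own.

```python
import os
import pwd
import socket
import struct

# Linux "struct ucred" as returned by SO_PEERCRED: pid_t, uid_t, gid_t (three ints).
UCRED_FORMAT = "3i"


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process on the other end of a Unix-domain socket.

    This is the kernel-supplied fact auth_socket relies on: the client cannot forge it,
    and it is only available where SO_PEERCRED exists (Linux).
    """
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FORMAT))
    return struct.unpack(UCRED_FORMAT, raw)


def socket_auth_decision(server_sock, claimed_user, resolve_uid=None):
    """Mimic the auth_socket rule: accept only if the OS user owning the peer process
    has the same name as the account the client asked for.

    resolve_uid maps a UID to a user name; it defaults to the passwd database and can
    be swapped for a constructed table when testing.
    """
    if resolve_uid is None:
        resolve_uid = lambda uid: pwd.getpwuid(uid).pw_name
    _pid, uid, _gid = peer_credentials(server_sock)
    try:
        os_user = resolve_uid(uid)
    except KeyError:
        return False  # UID without a passwd entry: nothing to match against, deny
    return os_user == claimed_user


def demo():
    """Replay the article's two cases over a socketpair: the client end is this very
    process, so the kernel reports our own UID as the peer's."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        table = {os.getuid(): "percona"}        # constructed passwd table (assumption)
        lookup = lambda uid: table[uid]
        as_same_user = socket_auth_decision(server_end, "percona", lookup)   # True
        as_other_user = socket_auth_decision(server_end, "root", lookup)     # False
        return as_same_user, as_other_user
    finally:
        server_end.close()
        client_end.close()
```

The second call is the article's closing experiment: the account name is right, but the kernel says the peer process belongs to someone else, so the login is refused.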

Here is an example with the user "vagrant":

vagrant@mysql1:~$ whoami
vagrant
vagrant@mysql1:~$ mysql
ERROR 1698 (28000): Access denied for user 'vagrant'@'localhost'

Since there is no "vagrant" user in MySQL, we are denied access. Let's create such a user and try again:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
Query OK, 0 rows affected (0.00 sec)

vagrant@mysql1:~$ mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show grants;
+---------------------------------------------------------------------------------+
| Grants for vagrant@localhost                                                    |
+---------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket |
+---------------------------------------------------------------------------------+
1 row in set (0.00 sec)

It worked!

Now, what about non-Debian distributions, where this is not set up by default? Let's try Percona Server for MySQL 8 installed on CentOS 7:

mysql> show variables like '%version%comment';
+-----------------+---------------------------------------------------+
| Variable_name   | Value                                             |
+-----------------+---------------------------------------------------+
| version_comment | Percona Server (GPL), Release 7, Revision 613e312 |
+-----------------+---------------------------------------------------+
1 row in set (0.01 sec)

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded

Bummer. What is missing? The plugin is not loaded:

mysql> pager grep socket
PAGER set to 'grep socket'
mysql> show plugins;
47 rows in set (0.00 sec)

Let's load the plugin into the server:

mysql> nopager
PAGER set to stdout
mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0.00 sec)

mysql> pager grep socket; show plugins;
PAGER set to 'grep socket'
| auth_socket                     | ACTIVE | AUTHENTICATION | auth_socket.so | GPL     |
48 rows in set (0.00 sec)

Now we have everything we need. Let's try again:

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'percona'@'localhost';
Query OK, 0 rows affected (0.01 sec)

Now you can log in with the username "percona".

[percona@ip-192-168-1-111 ~]$ whoami
percona
[percona@ip-192-168-1-111 ~]$ mysql -upercona
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.16-7 Percona Server (GPL), Release 7, Revision 613e312

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='percona';
+---------+-----------+-------------+-----------------------+
| user    | host      | plugin      | authentication_string |
+---------+-----------+-------------+-----------------------+
| percona | localhost | auth_socket |                       |
+---------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

And it worked again!

Question: is it possible to log in with the same "percona" MySQL login, but as a different OS user?

[percona@ip-192-168-1-111 ~]$ logout
[root@ip-192-168-1-111 ~]# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'

No, it will not work.

Conclusion

MySQL is quite flexible in many respects, one of which is the authentication method. As you can see from this post, access can be granted without passwords, based on OS users. This can be useful in certain scenarios, one of them being a migration from RDS/Aurora with IAM database authentication to regular MySQL, where you still want access but without passwords.

Boarne: www.habr.com
