How to Use MySQL Without a Password (and the Security Risks)


They say the best password is the one you don't have to remember. With MySQL, that is possible thanks to the auth_socket plugin and its MariaDB counterpart, unix_socket.

Neither of these plugins is new; a lot has been said about them on this blog, for example in the article on how to change passwords in MySQL 5.7 using the auth_socket plugin. However, while looking at what's new in MariaDB 10.4, I found that unix_socket is now installed by default and is one of the authentication methods ("one of", because in MariaDB 10.4 more than one plugin is available to a single user for authentication, as explained in the MariaDB document "Authentication from MariaDB 10.4").

As I said, this is not news: when MySQL is installed from the .deb packages maintained by the Debian team, the root user is created to authenticate via the socket. This is true for both MySQL and MariaDB.

root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers
Original-Maintainer: Debian MySQL Maintainers <[email protected]>
Original-Maintainer: Debian MySQL Maintainers <[email protected]>

With the Debian packages for MySQL, the root user authenticates as follows:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user = 'root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.01 sec)

The same is true of the MariaDB .deb package:

10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                      |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                  |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

The .deb packages from the official Percona repository also set up root authentication via auth_socket for Percona Server. Here is an example with Percona Server for MySQL 8.0.16-7 on Ubuntu 16.04:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.16-7 Percona Server (GPL), Release '7', Revision '613e312'

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

So what's the magic? The plugin checks that the Linux user matches the MySQL user, using the SO_PEERCRED socket option to gather information about the user running the client program. The plugin can therefore only be used on systems that support the SO_PEERCRED option, such as Linux. The SO_PEERCRED socket option lets you find out the uid of the process associated with the socket; the plugin then obtains the user name associated with that uid.

Here is an example with the "vagrant" user:

vagrant@mysql1:~$ whoami
vagrant
vagrant@mysql1:~$ mysql
ERROR 1698 (28000): Access denied for user 'vagrant'@'localhost'

Since there is no "vagrant" user in MySQL, we are denied access. Let's create such a user and try again:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
Query OK, 0 rows affected (0.00 sec)

vagrant@mysql1:~$ mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show grants;
+---------------------------------------------------------------------------------+
| Grants for vagrant@localhost                                                    |
+---------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket |
+---------------------------------------------------------------------------------+
1 row in set (0.00 sec)

It worked!

Now, what about non-Debian distributions, where this is not provided by default? Let's try Percona Server for MySQL 8 installed on CentOS 7:

mysql> show variables like '%version%comment';
+-----------------+---------------------------------------------------+
| Variable_name   | Value                                             |
+-----------------+---------------------------------------------------+
| version_comment | Percona Server (GPL), Release 7, Revision 613e312 |
+-----------------+---------------------------------------------------+
1 row in set (0.01 sec)

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded

Bummer. What's missing? The plugin is not loaded:

mysql> pager grep socket
PAGER set to 'grep socket'
mysql> show plugins;
47 rows in set (0.00 sec)

Let's load the plugin at runtime:

mysql> nopager
PAGER set to stdout
mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0.00 sec)

mysql> pager grep socket; show plugins;
PAGER set to 'grep socket'
| auth_socket                     | ACTIVE | AUTHENTICATION | auth_socket.so | GPL     |
48 rows in set (0.00 sec)

Now we have everything we need. Let's try again:

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'percona'@'localhost';
Query OK, 0 rows affected (0.01 sec)

Now you can log in with the user name "percona".

[percona@ip-192-168-1-111 ~]$ whoami
percona
[percona@ip-192-168-1-111 ~]$ mysql -upercona
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.16-7 Percona Server (GPL), Release 7, Revision 613e312

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='percona';
+---------+-----------+-------------+-----------------------+
| user    | host      | plugin      | authentication_string |
+---------+-----------+-------------+-----------------------+
| percona | localhost | auth_socket |                       |
+---------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

And it worked again!

Question: is it possible to log in to the system under the same percona login, but as a different user?

[percona@ip-192-168-1-111 ~]$ logout
[root@ip-192-168-1-111 ~]# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'

No, it won't work.
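
The SO_PEERCRED check described earlier (the kernel reports the peer's uid, the uid is mapped to an OS user name, and that name must equal the requested account) is also why root is refused as 'percona' above. The sketch below is an added example, not code from the original article or from the plugin; it assumes Linux, and `peer_credentials`, `socket_auth` and the socketpair standing in for mysqld's Unix socket are illustrative names.

```python
import pwd
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid_t pid, uid_t uid, gid_t gid


def peer_credentials(conn):
    """Ask the kernel who is on the other end of a connected Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)  # (pid, uid, gid), filled in by the kernel


def os_user_name(uid):
    """Default uid -> name lookup through the passwd database."""
    return pwd.getpwuid(uid).pw_name


def socket_auth(conn, requested_account, name_for_uid=os_user_name):
    """Simplified model of the decision; returns (allowed, os_user)."""
    _pid, uid, _gid = peer_credentials(conn)
    try:
        os_user = name_for_uid(uid)
    except KeyError:  # uid without a passwd entry: no name to match
        return False, None
    # The client cannot influence os_user: it comes from the kernel, not the wire.
    return os_user == requested_account, os_user


if __name__ == "__main__":
    # Constructed stand-in for a client connected to mysqld's Unix socket:
    # both ends of the socketpair belong to this process.
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server_end, client_end:
        for account in ("root", "percona"):
            allowed, os_user = socket_auth(server_end, account)
            verdict = "allowed" if allowed else "denied"
            print(f"OS user {os_user!r} asks for account {account!r}: {verdict}")
```

Because the decision rests on the OS identity alone, anyone who can run processes as that OS user gets the matching database account with all of its grants.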

Conclusion

MySQL is quite flexible in many respects, and one of them is the authentication method. As you can see from this post, access can be granted without passwords, based on OS users. This can be useful in certain scenarios, one of which is when migrating from RDS/Aurora to regular MySQL while using IAM database authentication, so that you still get access, but without passwords.

source: www.habr.com
