How to Use MySQL Without a Password (and the Security Risks)

They say the best password is the one you don't have to remember. In MySQL's case this is possible thanks to the auth_socket plugin and its MariaDB counterpart, unix_socket.

Neither of these plugins is new; a lot has been said about them on this same blog, for example in the article on how to change passwords in MySQL 5.7 using the auth_socket plugin. However, while looking at what is new in MariaDB 10.4, I found that unix_socket is now installed by default and is one of the authentication methods ("one of", because in MariaDB 10.4 more than one plugin is available for a single user to authenticate, which is explained in the "Authentication" document from MariaDB 10.04).

As I said, this is not news: when MySQL is installed from the .deb packages maintained by the Debian team, the root user is created with socket authentication. This is true for both MySQL and MariaDB.

root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers
Original-Maintainer: Debian MySQL Maintainers <[email protected]>

With the Debian packages for MySQL, the root user is authenticated as follows:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user = 'root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.01 sec)

The same is true of the MariaDB .deb package:

10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                      |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                  |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

The .deb packages from the official Percona repository also set the root user's authentication to auth_socket for Percona Server. Let's take Percona Server for MySQL 8.0.16-7 on Ubuntu 16.04 as an example:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.16-7 Percona Server (GPL), Release '7', Revision '613e312'

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

So what is the magic? The plugin checks that the Linux user matches the MySQL user, using the SO_PEERCRED socket option to gather information about the user running the client program. The plugin can therefore be used only on systems that support the SO_PEERCRED option, such as Linux. The SO_PEERCRED socket option lets you find out the uid of the process associated with the socket. The plugin then obtains the user name associated with that uid.
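The check described above, as an added example (not code from the original article or from the plugin itself): a throwaway Unix socket server reads the peer's uid with SO_PEERCRED, resolves it to an account name, and compares it with the user name the client asks for. The function names, the socket path, the one-line wire format and the reply strings are assumptions made for the demonstration; it runs on Linux only.

```python
import os
import pwd
import socket
import struct
import tempfile
import threading

UCRED = "iII"  # Linux struct ucred: pid_t pid, uid_t uid, gid_t gid

def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer; the kernel fills this in, not the client."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)

def socket_auth(conn, requested_user):
    """Accept only if the peer's OS account name equals the requested DB user."""
    _pid, uid, _gid = peer_credentials(conn)
    try:
        os_user = pwd.getpwuid(uid).pw_name
    except KeyError:
        return False  # uid has no passwd entry, so there is no name to match
    return os_user == requested_user

def demo(requested_user):
    """Ask a local demo server to log in as requested_user; True if accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")  # constructed socket path
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        def serve():
            conn, _ = srv.accept()
            with conn:
                name = conn.recv(64).decode()  # client-supplied, untrusted claim
                conn.sendall(b"OK" if socket_auth(conn, name) else b"DENIED")
        t = threading.Thread(target=serve)
        t.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
            cli.connect(path)
            cli.sendall(requested_user.encode())
            reply = cli.recv(64)
        t.join()
        srv.close()
        return reply == b"OK"

if __name__ == "__main__":
    me = pwd.getpwuid(os.getuid()).pw_name
    print(me, "->", demo(me))                    # same OS user: accepted
    print("someone_else", "->", demo("someone_else"))  # name mismatch: denied
```

The name the client sends is only a claim; the decision rests on the uid the kernel reports for the connecting process, which is why a client running as one OS user cannot obtain a session for another account's name.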

Here is an example with the "vagrant" user:

vagrant@mysql1:~$ whoami
vagrant
vagrant@mysql1:~$ mysql
ERROR 1698 (28000): Access denied for user 'vagrant'@'localhost'

Since there is no "vagrant" user in MySQL, we are denied access. Let's create such a user and try again:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
Query OK, 0 rows affected (0.00 sec)

vagrant@mysql1:~$ mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show grants;
+---------------------------------------------------------------------------------+
| Grants for vagrant@localhost                                                    |
+---------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket |
+---------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Success!

Okay, what about non-Debian distributions, where this is not provided by default? Let's try Percona Server for MySQL 8 installed on CentOS 7:

mysql> show variables like '%version%comment';
+-----------------+---------------------------------------------------+
| Variable_name   | Value                                             |
+-----------------+---------------------------------------------------+
| version_comment | Percona Server (GPL), Release 7, Revision 613e312 |
+-----------------+---------------------------------------------------+
1 row in set (0.01 sec)

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded

Bummer. What was missing? The plugin is not loaded:

mysql> pager grep socket
PAGER set to 'grep socket'
mysql> show plugins;
47 rows in set (0.00 sec)

Let's add the plugin to the running server:

mysql> nopager
PAGER set to stdout
mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0.00 sec)

mysql> pager grep socket; show plugins;
PAGER set to 'grep socket'
| auth_socket                     | ACTIVE | AUTHENTICATION | auth_socket.so | GPL     |
48 rows in set (0.00 sec)

Now we have everything we need. Let's try again:

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'percona'@'localhost';
Query OK, 0 rows affected (0.01 sec)

Now you can log in as the "percona" user.

[percona@ip-192-168-1-111 ~]$ whoami
percona
[percona@ip-192-168-1-111 ~]$ mysql -upercona
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.16-7 Percona Server (GPL), Release 7, Revision 613e312

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='percona';
+---------+-----------+-------------+-----------------------+
| user    | host      | plugin      | authentication_string |
+---------+-----------+-------------+-----------------------+
| percona | localhost | auth_socket |                       |
+---------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

And it worked again!

Question: is it possible to log in with the same percona login, but as a different user?

[percona@ip-192-168-1-111 ~]$ logout
[root@ip-192-168-1-111 ~]# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'

No, it won't work.

Conclusion

MySQL is very flexible in several respects, one of which is the authentication method. As you can see from this post, access can be obtained without a password, based on OS users. This can be useful in some scenarios, one of which is when you migrate from RDS/Aurora to regular MySQL and want to keep using IAM database authentication to log in, but without a password.

Source: www.habr.com