How to use MySQL without a password (and the security risks)

They say the best password is one you don't have to remember. In the case of MySQL this is possible thanks to the auth_socket plugin and its MariaDB counterpart, unix_socket.

Neither of these plugins is new; they have been discussed a lot on this blog, for example in the article on how to change passwords in MySQL 5.7 using the auth_socket plugin. However, while looking at what is new in MariaDB 10.4, I found that unix_socket is now installed by default and is one of the authentication methods ("one of", because in MariaDB 10.4 a single user can have several authentication plugins, as explained in the MariaDB 10.04 "Authentication" documentation).

As I said, this is not new: when MySQL is installed from the .deb packages maintained by the Debian team, the root user is created with socket authentication. This applies to both MySQL and MariaDB.

root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers
Original-Maintainer: Debian MySQL Maintainers <[email protected]>

With the Debian packages for MySQL, the root user is authenticated like this:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user = 'root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.01 sec)

With the .deb package for MariaDB it is the same:

10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                      |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                  |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

The .deb packages in the official Percona repository also configure the root user of Percona Server for auth_socket authentication. Here is an example with Percona Server for MySQL 8.0.16-7 on Ubuntu 16.04:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.16-7 Percona Server (GPL), Release '7', Revision '613e312'

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin      | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

So what is the magic? The plugin checks that the Linux user matches the MySQL user, using the SO_PEERCRED socket option to collect information about the user running the client program. The plugin can therefore only be used on systems that support SO_PEERCRED, such as Linux. The SO_PEERCRED socket option returns the uid of the process connected to the socket, and the plugin then looks up the user name associated with that uid.
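To make the mechanism concrete, here is an added Python example (not code from the post, nor from the MySQL or MariaDB plugins) that issues the same SO_PEERCRED query on a Unix-domain socket and applies the plugin's matching rule. It assumes Linux and uses a constructed in-process socket pair, so the peer uid it sees is the caller's own.

```python
import os
import pwd
import socket
import struct

# Linux struct ucred: pid_t pid (signed), uid_t uid, gid_t gid (unsigned 32-bit).
# Assumes Linux, the only platform where SO_PEERCRED is available.
UCRED_FMT = "iII"


def peer_credentials(sock):
    """Ask the kernel who is on the other end of a Unix-domain socket.
    This is the same SO_PEERCRED query auth_socket/unix_socket perform."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FMT))
    return struct.unpack(UCRED_FMT, raw)  # (pid, uid, gid)


def socket_auth_decision(sock, requested_user):
    """Mimic the plugin's rule: grant access only when the OS account that
    owns the peer process has the same name as the MySQL account in use."""
    _pid, uid, _gid = peer_credentials(sock)
    try:
        os_user = pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry: nothing to match against
        return False
    return os_user == requested_user


def current_os_user():
    return pwd.getpwuid(os.getuid()).pw_name


def simulate_login(requested_user):
    """Constructed client/server pair in one process, so the peer uid is ours."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return socket_auth_decision(server_end, requested_user)
    finally:
        server_end.close()
        client_end.close()


if __name__ == "__main__":
    me = current_os_user()
    print(me, "->", simulate_login(me))                        # names match
    print("someone-else ->", simulate_login("someone-else"))   # denied
```

Note that the check is on the kernel-reported uid of the connecting process, which is why the `-u` flag cannot impersonate another account in the later examples on this page.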

An example with the "vagrant" user:

vagrant@mysql1:~$ whoami
vagrant
vagrant@mysql1:~$ mysql
ERROR 1698 (28000): Access denied for user 'vagrant'@'localhost'

Since there is no "vagrant" user in MySQL, access is denied. Let's create such a user and try again:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
Query OK, 0 rows affected (0.00 sec)

vagrant@mysql1:~$ mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show grants;
+---------------------------------------------------------------------------------+
| Grants for vagrant@localhost                                                    |
+---------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket |
+---------------------------------------------------------------------------------+
1 row in set (0.00 sec)

That's it!

So what about a non-Debian distribution, where this is not set up by default? Let's try Percona Server for MySQL 7 installed on CentOS 8:

mysql> show variables like '%version%comment';
+-----------------+---------------------------------------------------+
| Variable_name   | Value                                             |
+-----------------+---------------------------------------------------+
| version_comment | Percona Server (GPL), Release 7, Revision 613e312 |
+-----------------+---------------------------------------------------+
1 row in set (0.01 sec)

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded

Bummer. What was missing? The plugin was not loaded:

mysql> pager grep socket
PAGER set to 'grep socket'
mysql> show plugins;
47 rows in set (0.00 sec)

Let's load the plugin into the running server:

mysql> nopager
PAGER set to stdout
mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0.00 sec)

mysql> pager grep socket; show plugins;
PAGER set to 'grep socket'
| auth_socket                     | ACTIVE | AUTHENTICATION | auth_socket.so | GPL     |
48 rows in set (0.00 sec)

Now we have everything we need. Let's try again:

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'percona'@'localhost';
Query OK, 0 rows affected (0.01 sec)

Now you can log in using the "percona" OS user:

[percona@ip-192-168-1-111 ~]$ whoami
percona
[percona@ip-192-168-1-111 ~]$ mysql -upercona
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.16-7 Percona Server (GPL), Release 7, Revision 613e312

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='percona';
+---------+-----------+-------------+-----------------------+
| user    | host      | plugin      | authentication_string |
+---------+-----------+-------------+-----------------------+
| percona | localhost | auth_socket |                       |
+---------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

And it worked again!

Question: is it possible to log in with the same percona MySQL login, but as a different OS user?

[percona@ip-192-168-1-111 ~]$ logout
[root@ip-192-168-1-111 ~]# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'

No, it does not work.

Conclusion

MySQL is very flexible in several respects, and one of them is the authentication method. As this post shows, access can be granted based on OS users without passwords. This can be useful in certain scenarios, one of them being a migration from RDS/Aurora with IAM database authentication to regular MySQL: access is still possible, but without passwords.

Source: www.habr.com
