Bug#36808636 System accounts are not converted to non legacy auth plugin during upgrade

Krzysztof Horszczaruk · Krzysztof Horszczaruk · commit 8fae60d3fd7a · 2024-11-07T09:45:06.000+01:00
modify scripts/mysql_system_tables_fix.sql script (UPDATE mysql.user statement)
  add MTR test

Change-Id: I172a9957ae35a15713d0fda266aecd380572e47a
diff --git a/mysql-test/r/bug36808636_auth_upgrade.result b/mysql-test/r/bug36808636_auth_upgrade.result
@@ -0,0 +1,34 @@
+#
+# Bug#36808636 System accounts are not converted to non legacy auth plugin during upgrade
+#
+
+# prep a'la 5.7 system accounts
+UPDATE mysql.user SET plugin='mysql_native_password', authentication_string='*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE' WHERE user='mysql.sys';
+UPDATE mysql.user SET plugin='mysql_native_password', authentication_string='*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE' WHERE user='mysql.session';
+
+# check sys-accounts use mysql_native_password
+# expected: mysql_native_password   *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE  Y
+SELECT user,plugin,authentication_string,account_locked FROM mysql.user WHERE USER='mysql.sys';
+user	plugin	authentication_string	account_locked
+mysql.sys	mysql_native_password	*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE	Y
+SELECT user,plugin,authentication_string,account_locked FROM mysql.user WHERE USER='mysql.session';
+user	plugin	authentication_string	account_locked
+mysql.session	mysql_native_password	*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE	Y
+
+# restart the server and enforce the upgrade
+# restart:--upgrade=FORCE --log-error=MYSQLD_LOG
+
+# check for ERROR pattern in server log
+# expected: pattern not found
+Pattern "\[ERROR\]" not found
+
+# check sys-accounts are upgraded to caching_sha2_password
+# expected: caching_sha2_password   $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED  Y
+SELECT user,plugin,authentication_string,account_locked FROM mysql.user WHERE USER='mysql.sys';
+user	plugin	authentication_string	account_locked
+mysql.sys	caching_sha2_password	$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED	Y
+SELECT user,plugin,authentication_string,account_locked FROM mysql.user WHERE USER='mysql.session';
+user	plugin	authentication_string	account_locked
+mysql.session	caching_sha2_password	$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED	Y
+
+# End of tests
diff --git a/mysql-test/t/bug36808636_auth_upgrade.test b/mysql-test/t/bug36808636_auth_upgrade.test
@@ -0,0 +1,52 @@
+#
+# Bug#36808636 System accounts are not converted to non legacy auth plugin during upgrade
+#
+
+--echo #
+--echo # Bug#36808636 System accounts are not converted to non legacy auth plugin during upgrade
+--echo #
+
+# prep a'la 5.7 system accounts
+--echo
+--echo # prep a'la 5.7 system accounts
+UPDATE mysql.user SET plugin='mysql_native_password', authentication_string='*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE' WHERE user='mysql.sys';
+UPDATE mysql.user SET plugin='mysql_native_password', authentication_string='*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE' WHERE user='mysql.session';
+
+# check sys-accounts use mysql_native_password
+--echo
+--echo # check sys-accounts use mysql_native_password
+--echo # expected: mysql_native_password   *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE  Y
+SELECT user,plugin,authentication_string,account_locked FROM mysql.user WHERE USER='mysql.sys';
+SELECT user,plugin,authentication_string,account_locked FROM mysql.user WHERE USER='mysql.session';
+
+--let $MYSQLD_LOG= $MYSQLTEST_VARDIR/log/mysql_upgrade_test.log
+
+# restart the server and enforce the upgrade
+--echo
+--echo # restart the server and enforce the upgrade
+--replace_result $MYSQLD_LOG MYSQLD_LOG
+--let $restart_parameters = restart:--upgrade=FORCE --log-error=$MYSQLD_LOG
+--let $wait_counter= 10000
+--source include/restart_mysqld.inc
+
+# check for [ERROR] pattern in server log
+--echo
+--echo # check for ERROR pattern in server log
+--echo # expected: pattern not found
+--let SEARCH_FILE= $MYSQLD_LOG
+--let SEARCH_PATTERN= \[ERROR\]
+--source include/search_pattern.inc
+
+# clean log
+--remove_file $MYSQLD_LOG
+
+# check sys-accounts are upgraded to cahcing_sha2_password
+--echo
+--echo # check sys-accounts are upgraded to caching_sha2_password
+--echo # expected: caching_sha2_password   \$A\$005\$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED  Y
+SELECT user,plugin,authentication_string,account_locked FROM mysql.user WHERE USER='mysql.sys';
+SELECT user,plugin,authentication_string,account_locked FROM mysql.user WHERE USER='mysql.session';
+
+# end of test, no cleanup needed
+--echo
+--echo # End of tests
diff --git a/scripts/mysql_system_tables_fix.sql b/scripts/mysql_system_tables_fix.sql
@@ -1626,3 +1626,9 @@ FROM mysql.user WHERE Reload_priv = 'Y' AND @hadFlushPrivilegesPriv = 0;
 
 -- SET_USER_ID is removed dynamic privilege, revoke all grants of it.
 DELETE FROM global_grants WHERE PRIV = 'SET_USER_ID';
+
+-- Bug#36808636 System accounts are not converted to non legacy auth plugin during upgrade
+-- Convert authentication of 'mysql.sys' and 'mysql.sessioon' users
+-- from mysql_native_password into caching_sha2_password.
+UPDATE mysql.user SET plugin='caching_sha2_password', authentication_string='$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED' WHERE user='mysql.sys';
+UPDATE mysql.user SET plugin='caching_sha2_password', authentication_string='$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED' WHERE user='mysql.session';
