Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[2018.3] Fixes to verify_login in mysql module #50551

Merged
merged 5 commits into from
Nov 26, 2018
Merged

[2018.3] Fixes to verify_login in mysql module #50551

merged 5 commits into from
Nov 26, 2018

Conversation

garethgreenaway
Copy link
Contributor

What does this PR do?

Ensure that verify_login is using the host from the connection_args and not the host associated with the user. Adding a test to ensure user_exists when the passed host is the MySQL wildcard %.

What issues does this PR fix or reference?

#50542

Previous Behavior

When user_exists was called with a wildcard hostname, %, then verify login would fail because it was trying to connect to that as a real hostname.

New Behavior

We should ensure we're using the hostname from connection_args when verifying the login.

Tests written?

Yes

Commits signed with GPG?

Yes

Please review Salt's Contributing Guide for best practices.

See GitHub's page on GPG signing for more information about signing commits with GPG.

@garethgreenaway
Ensure that verify_login is using the host from the connection_args a…
0284323 
…nd not the host associated with the user. Adding a test to ensure user_exists when the passed host is the MySQL wildcard %.
ghost
ghost reviewed Nov 19, 2018
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking a look at and fixing my issue..

However, I think there is a problem with the approach here for checking if a user exists. The hostname passed into the user_exists call is supposed to be the client host not the server host. Mysql users are specified by client host so "user1@host1" is different from "user1@host2". Using verify_login to check if "user1@host1" exists won't work because the verify method may be running for a host other than where "user1" intends to connect from. I believe this is why the original code was using a query against the INFORMATION_SCHEMA to determine existence.

@garethgreenaway
Copy link
Contributor Author

@doug-stratoscale the user_exists function is still checking the user table that both the user and host are valid, the host parameter is not used to determine which MySQL host to connect to, that is found in connection_args. The verify_login function is checking that the password is valid for MySQL versions higher than 8.0.11 when the password hashing mechanism changed and can no longer use the PASSWORD function from MySQL.

@ghost
Copy link

ghost commented Nov 19, 2018

@garethgreenaway Thanks for the clarification - I looked at the code again ( :) ) and it makes sense.

@garethgreenaway
Copy link
Contributor Author

@doug-stratoscale No worries! Appreciate the second pair of eyes 😄

@garethgreenaway garethgreenaway requested a review from a team November 20, 2018 22:41
@cachedout cachedout merged commit 26759c2 into saltstack:2018.3 Nov 26, 2018
@Reiner030 Reiner030 mentioned this pull request May 8, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cachedout cachedout cachedout approved these changes

@Ch3LL Ch3LL Awaiting requested review from Ch3LL

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@garethgreenaway @cachedout