The news that the latest MySQL 8.0.4 RC (release candidate) is available is indeed exciting. Unfortunately for users of the auth_socket plugin, dangers lie in wait!
Back in November 2015, I reported Failure of auth_socket authentication with sha256_password as default. This prevents users that identify with the auth_socket plugin from logging in after SHA256 authentication has been made the default authentication method. With the news that in MySQL 8.0.4 RC the default_authentication_plugin is changed to caching_sha2_password, I was keen to find out if they addressed this bug.
The source code for the test was downloaded from dev.mysql.com and compiled using the release options. A few options were disabled to reduce build time, as well as setting the path prefixes and ensuring that we use my local OpenSSL libraries:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
version="$(basename $(pwd))"; prefix="/home/ceri/opt/mysql/${version}"; cmake . -DBUILD_CONFIG=mysql_release \ -DCMAKE_INSTALL_PREFIX:PATH="${prefix}" \ -DMYSQL_DATADIR:PATH="${prefix}/data" \ -DWITH_SSL:STRING=system \ -DWITH_ARCHIVE_STORAGE_ENGINE:BOOL=OFF \ -DWITH_EMBEDDED_SERVER:BOOL=OFF \ -DWITH_EXTRA_CHARSETS:STRING="" \ -DWITH_FEDERATED_STORAGE_ENGINE:BOOL=OFF \ -DWITH_BLACKHOLE_STORAGE_ENGINE:BOOL=OFF \ -DWITH_BOOST="./$(find boost/ -maxdepth 1 -type d -not -name boost)" |
After completing the build and build tests, MySQL Sandbox was used to create a test instance using the low_level_make_sandbox command for some extra control. Afterward, it is necessary to restore the default_authentication_plugin because it changed to mysql_native_password during the installation process:
|
1 2 3 4 |
$ low_level_make_sandbox -d mysql-8.0.4-rc --datadir_from=script \ -b ~/opt/mysql/mysql-8.0.4-rc -i 8.0 -P 20804 $ sed -Ei 's/^(default_authentication_plugin=mysql_native_password)/#\1/' my.sandbox.cnf |
After starting the instance, I then created the quick test case. This installs the auth_socket plugin and creates a user that will use it to identify themselves:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
mysql [localhost] {root} ((none)) > show global variables like 'default_authentication_plugin'; +-------------------------------+-----------------------+ | Variable_name | Value | +-------------------------------+-----------------------+ | default_authentication_plugin | caching_sha2_password | +-------------------------------+-----------------------+ 1 row in set (0.00 sec) mysql [localhost] {root} ((none)) > install plugin auth_socket soname 'auth_socket.so'; Query OK, 0 rows affected (0.02 sec) mysql [localhost] {root} ((none)) > create user ceri@localhost identified with auth_socket; Query OK, 0 rows affected (0.04 sec) mysql [localhost] {root} ((none)) > grant all on *.* to ceri@localhost; Query OK, 0 rows affected (0.03 sec) |
Sadly, a familiar outcome greeted me when trying to connect via this new user – although interestingly, a new error message!
|
1 2 |
$ ./use -uceri ERROR 2000 (HY000): Unknown MySQL error |
We can see the expected error message by connecting using a 5.7 client (a handshake error):
|
1 2 |
$ ~/opt/mysql/mysql_5.7.20/bin/mysql --defaults-file=./my.sandbox.cnf -uceri ERROR 2012 (HY000): Error in server handshake |
While there are lots of great improvements and new features in MySQL 8.0.4 RC, any systems that are using the auth_socket plugin will need to ensure that they force default_authentication_plugin=mysql_native_password – at least for now.
Please note that MySQL Sandbox 3.2.16 has an option ” –keep_auth_plugin”, which will prevent changing the default plugin during installation.
Thanks for adding that in!