From 4678369f956c16ea8013768a97f833bedf2e221d Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Thu, 28 Dec 2023 13:55:30 +0100 Subject: [PATCH 01/18] Add ability to use hex hash with caching_sha2_password plugin --- lib/puppet/functions/mysql/password.rb | 4 ++-- lib/puppet/provider/mysql_user/mysql.rb | 13 +++++++++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/lib/puppet/functions/mysql/password.rb b/lib/puppet/functions/mysql/password.rb index 5fb5941d3..e31b9688a 100644 --- a/lib/puppet/functions/mysql/password.rb +++ b/lib/puppet/functions/mysql/password.rb @@ -19,10 +19,10 @@ return_type 'Variant[String, Sensitive[String]]' end - def password(password, sensitive = false) + def password(password, sensitive = false) # rubocop:disable Style/OptionalBooleanParameter password = password.unwrap if password.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) - result_string = if %r{\*[A-F0-9]{40}$}.match?(password) + result_string = if %r{\*[A-F0-9]{40}$}.match?(password) or %r{0x[A-F0-9]+$}.match?(password) password elsif password.empty? '' diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index a381d6898..a6abbff02 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb 
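Review bot: The new `%r{0x[A-F0-9]+$}` test on the `result_string =` line is anchored only at the end of a line, so any password that merely ends in `0x` plus hex digits (a plaintext `pass0xAB`, or a multi-line value whose first line ends that way) is mistaken for a pre-computed hash and returned verbatim instead of being hashed. Anchor both alternatives to the whole string: `result_string = if %r{\A\*[A-F0-9]{40}\z}.match?(password) || %r{\A0x[A-F0-9]+\z}.match?(password)`. The same start-unanchored form is reused in the `password_hash=` check in the second file of this patch and in the later password.rb revisions (patches 06 and 15). The `password` method continues past the hunk.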
@@ -23,6 +23,11 @@ def self.instances # rubocop:enable Layout/LineLength @max_user_connections, @max_connections_per_hour, @max_queries_per_hour, @max_updates_per_hour, ssl_type, ssl_cipher, x509_issuer, x509_subject, @password, @plugin, @authentication_string = mysql_caller(query, 'regular').chomp.split(%r{\t}) + + if @plugin == 'caching_sha2_password' + @password = mysql_caller("SELECT CONCAT('0x',HEX('#{@password}'))", 'regular').chomp + end + @tls_options = parse_tls_options(ssl_type, ssl_cipher, x509_issuer, x509_subject) if (newer_than('mariadb' => '10.1.21') && (@plugin == 'ed25519' || @plugin == 'mysql_native_password')) || (newer_than('mariadb' => '10.2.16') && older_than('mariadb' => '10.2.19')) || @@ -76,6 +81,8 @@ def create if !plugin.nil? if password_hash.nil? self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}'", 'system') + elsif plugin.eql? "caching_sha2_password" + self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}' AS X'#{password_hash[2..-1]}'", 'system') else self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}' AS '#{password_hash}'", 'system') end 
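Review bot: The added `mysql_caller("SELECT CONCAT('0x',HEX('#{@password}'))", 'regular')` splices the authentication_string read from mysql.user straight into a second query per user, so the value's own bytes decide whether that statement parses — a `'` or `\` in the salt breaks or alters it (patch 03 later escapes only the quote, and patch 18 returns to this form). The conversion needs no server round trip: `@password = '0x' + @password.unpack1('H*').upcase` yields the same uppercase digits as MySQL's HEX() with no quoting concerns and one query less per user during prefetch. A why-comment would help the next reader, e.g. `# expose caching_sha2_password auth strings as 0x-hex so they compare with password_hash and can be replayed as X'…' literals`. `self.instances` continues outside the hunk.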
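Review bot: In `create`, the new `elsif plugin.eql? "caching_sha2_password"` branch slices `password_hash[2..-1]` into an `X'…'` literal without checking that the value starts with `0x` and is hex, unlike `password_hash=` in the same patch; a native `*…` hash supplied together with this plugin loses its first two characters and is sent as a hex literal, and a value that is not hex at all lands inside the SQL string as-is. Guard it the way the setter does, e.g. `raise ArgumentError, _('caching_sha2_password requires a 0x-prefixed hex hash') unless %r{\A0x[A-F0-9]+\z}.match?(password_hash)` before the `mysql_caller` call. `create` continues beyond the hunk.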
@@ -159,9 +166,11 @@ def password_hash=(string) end self.class.mysql_caller(sql, 'system') elsif !mysqld_version.nil? && newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.2.0') - raise ArgumentError, _('Only mysql_native_password (*ABCD...XXX) hashes are supported.') unless %r{^\*|^$}.match?(string) + raise ArgumentError, _('Only mysql_native_password (*ABCD...XXX) or caching_sha2_password (0x1234ABC...XXX) hashes are supported.') unless %r{^\*|^$}.match?(string) || %r{0x[A-F0-9]+$}.match?(string) - self.class.mysql_caller("ALTER USER #{merged_name} IDENTIFIED WITH mysql_native_password AS '#{string}'", 'system') + sql = "ALTER USER #{merged_name} IDENTIFIED WITH" + plugin == 'caching_sha2_password' ? sql += " '#{plugin}' AS X'#{@resource[:password_hash][2..-1]}'" : sql += " 'mysql_native_password' AS '#{@resource[:password_hash]}'" + self.class.mysql_caller(sql, 'system') else # default ... if mysqld_version does not work self.class.mysql_caller("SET PASSWORD FOR #{merged_name} = '#{string}'", 'system') From 6175dbc005c2a6ee9362c9130c0ffe497dc48662 Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Thu, 28 Dec 2023 14:12:39 +0100 Subject: [PATCH 02/18] Add ability to use hex hash with caching_sha2_password plugin --- lib/puppet/functions/mysql/password.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/functions/mysql/password.rb b/lib/puppet/functions/mysql/password.rb index e31b9688a..a865305eb 100644 --- a/lib/puppet/functions/mysql/password.rb +++ b/lib/puppet/functions/mysql/password.rb @@ -19,7 +19,7 @@ return_type 'Variant[String, Sensitive[String]]' end - def password(password, sensitive = false) # rubocop:disable Style/OptionalBooleanParameter + def password(password, sensitive = false) password = password.unwrap if password.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) result_string = if %r{\*[A-F0-9]{40}$}.match?(password) or %r{0x[A-F0-9]+$}.match?(password) 
From f037858253155c96b93af1f987c221885a3ea02b Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Fri, 12 Jan 2024 09:49:04 +0100 Subject: [PATCH 03/18] Fix Issue where single quote is generated in authentication string --- lib/puppet/provider/mysql_user/mysql.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index a6abbff02..b54f6369d 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb @@ -25,6 +25,8 @@ def self.instances x509_issuer, x509_subject, @password, @plugin, @authentication_string = mysql_caller(query, 'regular').chomp.split(%r{\t}) if @plugin == 'caching_sha2_password' + # Escaping all single quotes to prevent errors when password generated it + @password = @password.gsub("'"){"\\'"} @password = mysql_caller("SELECT CONCAT('0x',HEX('#{@password}'))", 'regular').chomp end From b331987f55eddc813d30ad56dacb8f65c87eb315 Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Fri, 12 Jan 2024 09:50:16 +0100 Subject: [PATCH 04/18] Fix Issue where user couldnt change plugin --- lib/puppet/provider/mysql_user/mysql.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index b54f6369d..6fcc044c0 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb @@ -235,7 +235,11 @@ def plugin=(string) end elsif newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.2.0') sql = "ALTER USER #{merged_name} IDENTIFIED WITH '#{string}'" - sql += " AS '#{@resource[:password_hash]}'" if string == 'mysql_native_password' + if string == 'mysql_native_password' + sql += " AS '#{@resource[:password_hash]}'" + elsif string == 'caching_sha2_password' + sql += " AS X'#{password_hash[2..-1]}'" + end else # See https://bugs.mysql.com/bug.php?id=67449 sql = "UPDATE mysql.user SET plugin = '#{string}'" 
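Review bot: The added `@password = @password.gsub("'") { "\\'" }` escapes only single quotes before the value is placed inside `HEX('…')`, but a backslash is itself an escape character in a MySQL string literal (unless NO_BACKSLASH_ESCAPES is in effect), so any `\` already present in the authentication string is changed before it is hex-encoded. If the SQL round trip is kept, escape both characters, `@password = @password.gsub(/['\\]/) { |c| "\\#{c}" }`; hex-encoding in Ruby avoids the problem entirely. The comment text is also garbled; suggest `# the auth string is spliced into a SQL literal below, so quote characters must be escaped first`. `self.instances` continues outside the hunk.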
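Review bot: The new `elsif string == 'caching_sha2_password'` branch in `plugin=` calls `[2..-1]` on the hash with no nil check, so switching an existing user to this plugin from a manifest that sets no `password_hash` raises NoMethodError on nil instead of a clear error, whereas the `mysql_native_password` branch merely interpolates the nil as an empty string. The reworked line in patch 05, `@resource[:password_hash][2..-1]`, has the same gap. A guard such as `raise ArgumentError, _('password_hash is required when switching to caching_sha2_password') if @resource[:password_hash].nil?` before the `if` makes the failure explicit. `plugin=` continues outside the hunk.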
From d1a12083488469ed5cb32816db17fc06382d4bce Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Tue, 23 Jan 2024 08:27:00 +0100 Subject: [PATCH 05/18] change existing users from native to caching without deleting user first --- lib/puppet/provider/mysql_user/mysql.rb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index 6fcc044c0..a04f93052 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb @@ -169,9 +169,12 @@ def password_hash=(string) self.class.mysql_caller(sql, 'system') elsif !mysqld_version.nil? && newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.2.0') raise ArgumentError, _('Only mysql_native_password (*ABCD...XXX) or caching_sha2_password (0x1234ABC...XXX) hashes are supported.') unless %r{^\*|^$}.match?(string) || %r{0x[A-F0-9]+$}.match?(string) - sql = "ALTER USER #{merged_name} IDENTIFIED WITH" - plugin == 'caching_sha2_password' ? sql += " '#{plugin}' AS X'#{@resource[:password_hash][2..-1]}'" : sql += " 'mysql_native_password' AS '#{@resource[:password_hash]}'" + if plugin == 'caching_sha2_password' + sql += " 'caching_sha2_password' AS X'#{string[2..-1]}'" + else + sql += " 'mysql_native_password' AS '#{string}'" + end self.class.mysql_caller(sql, 'system') else # default ... if mysqld_version does not work @@ -238,7 +241,7 @@ def plugin=(string) if string == 'mysql_native_password' sql += " AS '#{@resource[:password_hash]}'" elsif string == 'caching_sha2_password' - sql += " AS X'#{password_hash[2..-1]}'" + sql += " AS X'#{@resource[:password_hash][2..-1]}'" end else # See https://bugs.mysql.com/bug.php?id=67449 From 83a7ca2e2c7561117fa3df92c81b0634e0497413 Mon Sep 17 00:00:00 2001 
From: Mihmet Akpinar Date: Fri, 23 Feb 2024 15:57:11 +0100 Subject: [PATCH 06/18] rubocop linting --- lib/puppet/functions/mysql/password.rb | 2 +- lib/puppet/provider/mysql_user/mysql.rb | 14 ++++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/lib/puppet/functions/mysql/password.rb b/lib/puppet/functions/mysql/password.rb index a865305eb..c094bfa08 100644 --- a/lib/puppet/functions/mysql/password.rb +++ b/lib/puppet/functions/mysql/password.rb @@ -22,7 +22,7 @@ def password(password, sensitive = false) password = password.unwrap if password.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) - result_string = if %r{\*[A-F0-9]{40}$}.match?(password) or %r{0x[A-F0-9]+$}.match?(password) + result_string = if %r{\*[A-F0-9]{40}$}.match?(password) || %r{0x[A-F0-9]+$}.match?(password) password elsif password.empty? '' diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index a04f93052..4d1fa1eea 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb @@ -23,10 +23,10 @@ def self.instances # rubocop:enable Layout/LineLength @max_user_connections, @max_connections_per_hour, @max_queries_per_hour, @max_updates_per_hour, ssl_type, ssl_cipher, x509_issuer, x509_subject, @password, @plugin, @authentication_string = mysql_caller(query, 'regular').chomp.split(%r{\t}) - + if @plugin == 'caching_sha2_password' # Escaping all single quotes to prevent errors when password generated it - @password = @password.gsub("'"){"\\'"} + @password = @password.gsub("'") { "\\'" } @password = mysql_caller("SELECT CONCAT('0x',HEX('#{@password}'))", 'regular').chomp end 
@@ -83,7 +83,7 @@ def create if !plugin.nil? if password_hash.nil? self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}'", 'system') - elsif plugin.eql? "caching_sha2_password" + elsif plugin.eql? 'caching_sha2_password' self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}' AS X'#{password_hash[2..-1]}'", 'system') else self.class.mysql_caller("CREATE USER '#{merged_name}' IDENTIFIED WITH '#{plugin}' AS '#{password_hash}'", 'system') @@ -168,12 +168,14 @@ def password_hash=(string) end self.class.mysql_caller(sql, 'system') elsif !mysqld_version.nil? && newer_than('mysql' => '5.7.6', 'percona' => '5.7.6', 'mariadb' => '10.2.0') - raise ArgumentError, _('Only mysql_native_password (*ABCD...XXX) or caching_sha2_password (0x1234ABC...XXX) hashes are supported.') unless %r{^\*|^$}.match?(string) || %r{0x[A-F0-9]+$}.match?(string) + raise ArgumentError, _('Only mysql_native_password (*ABCD...XXX) or caching_sha2_password (0x1234ABC...XXX) hashes are supported.') unless + %r{^\*|^$}.match?(string) || %r{0x[A-F0-9]+$}.match?(string) + sql = "ALTER USER #{merged_name} IDENTIFIED WITH" if plugin == 'caching_sha2_password' - sql += " 'caching_sha2_password' AS X'#{string[2..-1]}'" + sql << " 'caching_sha2_password' AS X'#{string[2..-1]}'" else - sql += " 'mysql_native_password' AS '#{string}'" + sql << " 'mysql_native_password' AS '#{string}'" end self.class.mysql_caller(sql, 'system') else From 2c54c1123a0e197dd71329336524ea6d30894107 Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Mon, 26 Feb 2024 07:37:02 +0100 Subject: [PATCH 07/18] support changing the user's authentication plugin for databases --- manifests/db.pp | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/manifests/db.pp b/manifests/db.pp index 98f051c05..4cee10de4 100644 --- a/manifests/db.pp +++ b/manifests/db.pp 
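Review bot: Breaking the `raise … unless` so its condition lands on the next line satisfies the line-length cop but leaves a guard with two inline regexes that are hard to read and are duplicated in password.rb; a private predicate `valid_password_hash?(string)` holding the three accepted forms (empty, `*` followed by 40 hex digits, `0x` followed by hex digits) would make `raise ArgumentError, _('…') unless valid_password_hash?(string)` the whole line and give the formats a single definition. Note that the message names both accepted hash forms while `%r{^\*|^$}` only requires a leading asterisk, so the check is looser than the text suggests. `password_hash=` continues outside the hunk.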
@@ -5,6 +5,7 @@ # mysql::db { 'mydb': # user => 'myuser', # password => 'mypass', +# plugin => 'caching_sha2_password', # host => 'localhost', # grant => ['SELECT', 'UPDATE'], # } @@ -19,6 +20,8 @@ # The user for the database you're creating. # @param password # The password for $user for the database you're creating. +# @param plugin +# The authentication plugin for $user for the database you're creating. Defaults to 'mysql_native_password'. # @param tls_options # The tls_options for $user for the database you're creating. # @param dbname 
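Review bot: The new `@param plugin` text says what the parameter is but not what it requires of `$password`: this define feeds `$password` through `Deferred('mysql::password', …)`, which in this series passes a `0x…` hex hash through unchanged and otherwise hashes the value itself — presumably in mysql_native_password form, since that is the only other format the function recognises — so a plaintext password combined with `plugin => 'caching_sha2_password'` cannot produce a working login. Suggest extending the doc with `# When set to 'caching_sha2_password', $password must be the hex-encoded authentication string (0x…) for that plugin; mysql::password cannot derive it from a plaintext password.` The example block above could show that form as well.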
@@ -47,21 +50,22 @@ # Specify the path in which mysql has been installed if done in the non-standard bin/sbin path. # define mysql::db ( - String[1] $user, - Variant[String, Sensitive[String]] $password, - Optional[Array[String[1]]] $tls_options = undef, - String $dbname = $name, - String[1] $charset = 'utf8', - String[1] $collate = 'utf8_general_ci', - String[1] $host = 'localhost', - Variant[String[1], Array[String[1]]] $grant = 'ALL', - Optional[Variant[String[1], Array[String[1]]]] $grant_options = undef, - Optional[Array] $sql = undef, - Boolean $enforce_sql = false, - Enum['absent', 'present'] $ensure = 'present', - Integer $import_timeout = 300, - Enum['cat', 'zcat', 'bzcat'] $import_cat_cmd = 'cat', - Optional[String] $mysql_exec_path = undef, + String[1] $user, + Variant[String, Sensitive[String]] $password, + String[1] $plugin ='mysql_native_password', + Optional[Array[String[1]]] $tls_options = undef, + String $dbname = $name, + String[1] $charset = 'utf8', + String[1] $collate = 'utf8_general_ci', + String[1] $host = 'localhost', + Variant[String[1], Array[String[1]]] $grant = 'ALL', + Optional[Variant[String[1], Array[String[1]]]] $grant_options = undef, + Optional[Array] $sql = undef, + Boolean $enforce_sql = false, + Enum['absent', 'present'] $ensure = 'present', + Integer $import_timeout = 300, + Enum['cat', 'zcat', 'bzcat'] $import_cat_cmd = 'cat', + Optional[String] $mysql_exec_path = undef, ) { include 'mysql::client' @@ -103,6 +107,7 @@ $user_resource = { ensure => $ensure, password_hash => Deferred('mysql::password', [$password]), + plugin => $plugin, tls_options => $tls_options, } ensure_resource('mysql_user', "${user}@${host}", $user_resource) From e4ab1d34fadf4e11b2b5a4a9589b0d1de590735e Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Mon, 26 Feb 2024 07:39:29 +0100 Subject: [PATCH 08/18] linting --- manifests/db.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/manifests/db.pp b/manifests/db.pp index 4cee10de4..a9a5c5788 100644 --- a/manifests/db.pp +++ b/manifests/db.pp @@ -52,7 +52,7 @@ define mysql::db ( String[1] $user, Variant[String, Sensitive[String]] $password, - String[1] $plugin ='mysql_native_password', + String[1] $plugin = 'mysql_native_password', Optional[Array[String[1]]] $tls_options = undef, String $dbname = $name, String[1] $charset = 'utf8', From 15b683c88040044d527b4600c4d4e804b1b74589 Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Mon, 26 Feb 2024 09:46:32 +0100 Subject: [PATCH 09/18] revert indent and fix linting --- lib/puppet/provider/mysql_user/mysql.rb | 6 ++--- manifests/db.pp | 32 ++++++++++++------------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index 4d1fa1eea..fe8c3b701 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb @@ -172,10 +172,10 @@ def password_hash=(string) %r{^\*|^$}.match?(string) || %r{0x[A-F0-9]+$}.match?(string) sql = "ALTER USER #{merged_name} IDENTIFIED WITH" - if plugin == 'caching_sha2_password' - sql << " 'caching_sha2_password' AS X'#{string[2..-1]}'" + sql << if plugin == 'caching_sha2_password' + " 'caching_sha2_password' AS X'#{string[2..-1]}'" else - sql << " 'mysql_native_password' AS '#{string}'" + " 'mysql_native_password' AS '#{string}'" end self.class.mysql_caller(sql, 'system') else diff --git a/manifests/db.pp b/manifests/db.pp index a9a5c5788..c6b6dd6ca 100644 --- a/manifests/db.pp +++ b/manifests/db.pp 
@@ -50,22 +50,22 @@ # Specify the path in which mysql has been installed if done in the non-standard bin/sbin path. # define mysql::db ( - String[1] $user, - Variant[String, Sensitive[String]] $password, - String[1] $plugin = 'mysql_native_password', - Optional[Array[String[1]]] $tls_options = undef, - String $dbname = $name, - String[1] $charset = 'utf8', - String[1] $collate = 'utf8_general_ci', - String[1] $host = 'localhost', - Variant[String[1], Array[String[1]]] $grant = 'ALL', - Optional[Variant[String[1], Array[String[1]]]] $grant_options = undef, - Optional[Array] $sql = undef, - Boolean $enforce_sql = false, - Enum['absent', 'present'] $ensure = 'present', - Integer $import_timeout = 300, - Enum['cat', 'zcat', 'bzcat'] $import_cat_cmd = 'cat', - Optional[String] $mysql_exec_path = undef, + String[1] $user, + Variant[String, Sensitive[String]] $password, + String[1] $plugin = 'mysql_native_password', + Optional[Array[String[1]]] $tls_options = undef, + String $dbname = $name, + String[1] $charset = 'utf8', + String[1] $collate = 'utf8_general_ci', + String[1] $host = 'localhost', + Variant[String[1], Array[String[1]]] $grant = 'ALL', + Optional[Variant[String[1], Array[String[1]]]] $grant_options = undef, + Optional[Array] $sql = undef, + Boolean $enforce_sql = false, + Enum['absent', 'present'] $ensure = 'present', + Integer $import_timeout = 300, + Enum['cat', 'zcat', 'bzcat'] $import_cat_cmd = 'cat', + Optional[String] $mysql_exec_path = undef, ) { include 'mysql::client' From e77a44cc69b865bcff4642b99deed797dcd7028a Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Mon, 26 Feb 2024 14:21:07 +0100 Subject: [PATCH 10/18] linting --- lib/puppet/provider/mysql_user/mysql.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index fe8c3b701..417b1f3fb 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb 
@@ -173,10 +173,10 @@ def password_hash=(string) sql = "ALTER USER #{merged_name} IDENTIFIED WITH" sql << if plugin == 'caching_sha2_password' - " 'caching_sha2_password' AS X'#{string[2..-1]}'" - else - " 'mysql_native_password' AS '#{string}'" - end + " 'caching_sha2_password' AS X'#{string[2..-1]}'" + else + " 'mysql_native_password' AS '#{string}'" + end self.class.mysql_caller(sql, 'system') else # default ... if mysqld_version does not work From 183415eb4de48dcb60d5e801e31ac106f3bbd66e Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Wed, 28 Feb 2024 07:47:12 +0100 Subject: [PATCH 11/18] fix frozen string error --- lib/puppet/provider/mysql_user/mysql.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index 417b1f3fb..99a06abba 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb @@ -172,10 +172,10 @@ def password_hash=(string) %r{^\*|^$}.match?(string) || %r{0x[A-F0-9]+$}.match?(string) sql = "ALTER USER #{merged_name} IDENTIFIED WITH" - sql << if plugin == 'caching_sha2_password' - " 'caching_sha2_password' AS X'#{string[2..-1]}'" + sql += if plugin == 'caching_sha2_password' + " caching_sha2_password AS X'#{string[2..-1]}'" else - " 'mysql_native_password' AS '#{string}'" + " mysql_native_password AS '#{string}'" end self.class.mysql_caller(sql, 'system') else From 099de1099aa9c72856919bd16b014d4945d4b555 Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Wed, 28 Feb 2024 14:25:31 +0100 Subject: [PATCH 12/18] Specify root_plugin for root user in mysql --- manifests/server.pp | 3 +++ manifests/server/root_password.pp | 1 + 2 files changed, 4 insertions(+) diff --git a/manifests/server.pp b/manifests/server.pp index 8748e33bc..f5461ee16 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -56,6 +56,8 @@ # `create_root_my_cnf` are assumed to be false --- that is, the MySQL root user and `/root/.my.cnf` are not created. # Password changes are supported; however, the old password must be set in `/root/.my.cnf`. Effectively, Puppet uses the old # password, configured in `/root/my.cnf`, to set the new password in MySQL, and then updates `/root/.my.cnf` with the new password. +# @param root_plugin +# Specifies which plugin the root user should use. Defaults to 'mysql_native_password'. # @param service_enabled # Specifies whether the service should be enabled. Valid values are `true`, `false`. Defaults to `true`. # @param service_manage @@ -114,6 +116,7 @@ Optional[String[1]] $mycnf_owner = undef, Optional[String[1]] $mycnf_group = undef, Variant[String, Sensitive[String]] $root_password = 'UNSET', + String[1] $root_plugin = 'mysql_native_password', Variant[Boolean, String[1]] $service_enabled = true, Variant[Boolean, String[1]] $service_manage = true, String[1] $service_name = $mysql::params::server_service_name, diff --git a/manifests/server/root_password.pp b/manifests/server/root_password.pp index 91b047626..df4bd5062 100644 --- a/manifests/server/root_password.pp +++ b/manifests/server/root_password.pp @@ -33,6 +33,7 @@ mysql_user { 'root@localhost': ensure => present, password_hash => Deferred('mysql::password', [$mysql::server::root_password]), + plugin => $mysql::server::root_plugin, require => Exec['remove install pass'], } } From 6bf4aa4bfb2feb32716b3d5e7ffa6d093c37dfb5 Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Wed, 28 Feb 2024 15:08:13 +0100 Subject: [PATCH 13/18] revert root_login --- manifests/server.pp | 3 --- manifests/server/root_password.pp | 1 - 2 files changed, 4 deletions(-) diff --git a/manifests/server.pp b/manifests/server.pp index f5461ee16..8748e33bc 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -56,8 +56,6 @@ # `create_root_my_cnf` are assumed to be false --- that is, the MySQL root user and `/root/.my.cnf` are not created. # Password changes are supported; however, the old password must be set in `/root/.my.cnf`. Effectively, Puppet uses the old # password, configured in `/root/my.cnf`, to set the new password in MySQL, and then updates `/root/.my.cnf` with the new password. -# @param root_plugin -# Specifies which plugin the root user should use. Defaults to 'mysql_native_password'. # @param service_enabled # Specifies whether the service should be enabled. Valid values are `true`, `false`. Defaults to `true`. # @param service_manage @@ -116,7 +114,6 @@ Optional[String[1]] $mycnf_owner = undef, Optional[String[1]] $mycnf_group = undef, Variant[String, Sensitive[String]] $root_password = 'UNSET', - String[1] $root_plugin = 'mysql_native_password', Variant[Boolean, String[1]] $service_enabled = true, Variant[Boolean, String[1]] $service_manage = true, String[1] $service_name = $mysql::params::server_service_name, diff --git a/manifests/server/root_password.pp b/manifests/server/root_password.pp index df4bd5062..91b047626 100644 --- a/manifests/server/root_password.pp +++ b/manifests/server/root_password.pp @@ -33,7 +33,6 @@ mysql_user { 'root@localhost': ensure => present, password_hash => Deferred('mysql::password', [$mysql::server::root_password]), - plugin => $mysql::server::root_plugin, require => Exec['remove install pass'], } } From 20f6fa1ee7ac19d22e8a3d6525576319859be67f Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Wed, 6 Mar 2024 08:17:12 +0100 Subject: [PATCH 14/18] set plugin to undef for db user to fix acceptance tests --- manifests/db.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/db.pp b/manifests/db.pp index c6b6dd6ca..318f6fb53 100644 --- a/manifests/db.pp +++ b/manifests/db.pp 
@@ -52,7 +52,7 @@ define mysql::db ( String[1] $user, Variant[String, Sensitive[String]] $password, - String[1] $plugin = 'mysql_native_password', + Optional[String[1]] $plugin = undef, Optional[Array[String[1]]] $tls_options = undef, String $dbname = $name, String[1] $charset = 'utf8', From 9d1bb5f202829eb7cd00b84fd08f289b1135654a Mon Sep 17 00:00:00 2001 From: Mihmet Akpinar Date: Mon, 15 Apr 2024 07:41:42 +0200 Subject: [PATCH 15/18] call ruby instead of mysql to generate hex string and replace regex with more explicit one --- lib/puppet/functions/mysql/password.rb | 2 +- lib/puppet/provider/mysql_user/mysql.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/puppet/functions/mysql/password.rb b/lib/puppet/functions/mysql/password.rb index c094bfa08..8d9ccbbb3 100644 --- a/lib/puppet/functions/mysql/password.rb +++ b/lib/puppet/functions/mysql/password.rb @@ -22,7 +22,7 @@ def password(password, sensitive = false) password = password.unwrap if password.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) - result_string = if %r{\*[A-F0-9]{40}$}.match?(password) || %r{0x[A-F0-9]+$}.match?(password) + result_string = if %r{\*[A-F0-9]{40}$}.match?(password) || %r{0x24412430303524[A-F0-9]{63}$}.match?(password) password elsif password.empty? '' diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index 99a06abba..185191164 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb @@ -27,7 +27,7 @@ def self.instances if @plugin == 'caching_sha2_password' # Escaping all single quotes to prevent errors when password generated it @password = @password.gsub("'") { "\\'" } - @password = mysql_caller("SELECT CONCAT('0x',HEX('#{@password}'))", 'regular').chomp + @password = '0x' + @password.each_byte.map { |b| b.to_s(16) }.join end @tls_options = parse_tls_options(ssl_type, ssl_cipher, x509_issuer, x509_subject) 
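Review bot: The tightened pattern `%r{0x24412430303524[A-F0-9]{63}$}` demands exactly 63 hex digits after the encoded `$A$005$` prefix, but hex encoding yields two digits per byte: if the stored caching_sha2_password string is the usual 70 bytes (7-byte prefix, 20-byte salt, 43-byte digest), the provider's HEX() output carries 126 digits after the prefix and never matches, so real hashes fall through to the `else` path and are re-hashed — please confirm against a value taken from mysql.user. Suggest `%r{\A0x24412430303524[A-F0-9]{126}\z}`, plus a comment naming the byte layout so the count is checkable; the comment added on this line in patch 16 is the natural place for it. The `password` method continues past the hunk.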
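Review bot: Now that the hex string is built in Ruby, the `@password = @password.gsub("'") { "\\'" }` on the line above no longer escapes a SQL literal — it inserts a literal backslash byte into the data being encoded, so an authentication string whose salt contains `'` is reported as a different hash and the resource would likely be re-applied on every run. Drop the gsub line in this branch; it only made sense in front of the SQL round trip, and the same mismatch persists in the patch 17 hunk. `b.to_s(16)` also yields unpadded lowercase digits, which the `[A-F0-9]` checks elsewhere reject. `self.instances` continues outside the hunk.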
From 27a7925cc74d5fbfd0a3c4f22369640527247e57 Mon Sep 17 00:00:00 2001 From: "Mihmet Akpinar [CHECK24]" <139950630+C24-AK@users.noreply.github.com> Date: Wed, 27 Nov 2024 10:08:52 +0100 Subject: [PATCH 16/18] Update lib/puppet/functions/mysql/password.rb Co-authored-by: Ben Ford --- lib/puppet/functions/mysql/password.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/puppet/functions/mysql/password.rb b/lib/puppet/functions/mysql/password.rb index 8d9ccbbb3..877fc6faa 100644 --- a/lib/puppet/functions/mysql/password.rb +++ b/lib/puppet/functions/mysql/password.rb @@ -22,6 +22,7 @@ def password(password, sensitive = false) password = password.unwrap if password.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) + # This magic string is the hex encoded form of `$A$005${SALT}{SHA DIGEST}`, matching MySQL's expected format result_string = if %r{\*[A-F0-9]{40}$}.match?(password) || %r{0x24412430303524[A-F0-9]{63}$}.match?(password) password elsif password.empty? From 8741c66c36f526709d1b582e2865d61a87f38395 Mon Sep 17 00:00:00 2001 From: "Mihmet Akpinar [CHECK24]" <139950630+C24-AK@users.noreply.github.com> Date: Wed, 27 Nov 2024 10:09:23 +0100 Subject: [PATCH 17/18] Update lib/puppet/provider/mysql_user/mysql.rb Co-authored-by: Gregoire Menuel --- lib/puppet/provider/mysql_user/mysql.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index 185191164..4492e26a1 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb 
@@ -27,7 +27,7 @@ def self.instances if @plugin == 'caching_sha2_password' # Escaping all single quotes to prevent errors when password generated it @password = @password.gsub("'") { "\\'" } - @password = '0x' + @password.each_byte.map { |b| b.to_s(16) }.join + @password = '0x' + @password.each_byte.map { |b| '%02X' % b.to_i }.join end @tls_options = parse_tls_options(ssl_type, ssl_cipher, x509_issuer, x509_subject) From 7eb97b7c6fa40614cad61a28e11a5257e7ab4720 Mon Sep 17 00:00:00 2001 From: "Mihmet Akpinar [CHECK24]" <139950630+C24-AK@users.noreply.github.com> Date: Wed, 2 Apr 2025 11:24:46 +0200 Subject: [PATCH 18/18] Update lib/puppet/provider/mysql_user/mysql.rb Co-authored-by: renzBeltran24 --- lib/puppet/provider/mysql_user/mysql.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/provider/mysql_user/mysql.rb b/lib/puppet/provider/mysql_user/mysql.rb index 80da74af1..81ef9e954 100644 --- a/lib/puppet/provider/mysql_user/mysql.rb +++ b/lib/puppet/provider/mysql_user/mysql.rb @@ -28,7 +28,7 @@ def self.instances if @plugin == 'caching_sha2_password' # Escaping all single quotes to prevent errors when password generated it @password = @password.gsub("'") { "\\'" } - @password = '0x' + @password.each_byte.map { |b| '%02X' % b.to_i }.join + @password = mysql_caller("SELECT CONCAT('0x',HEX('#{@password}'))", 'regular').chomp end @tls_options = parse_tls_options(ssl_type, ssl_cipher, x509_issuer, x509_subject)
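Review bot: `b` yielded by `each_byte` is already an Integer, so the `.to_i` in `'%02X' % b.to_i` is a no-op, and the whole map/join is the standard hex-dump idiom: `@password = '0x' + @password.unpack1('H*').upcase`. That form also makes the two-digits-per-byte output obvious to the reader. `self.instances` continues outside the hunk.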