Bug #105264 Report plugin API versions if there is a mismatch and document API changes
Submitted: 19 Oct 2021 18:23 Modified: 21 Oct 2021 15:38
Reporter: Simon Mudd (OCA) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Pluggable Authentication Severity:S4 (Feature request)
Version:8.0.27 OS:Any
Assigned to: CPU Architecture:Any
Tags: authentication, document API versions, PAM

[19 Oct 2021 18:23] Simon Mudd 
Description:
Seen when starting 8.0.27:

2021-10-19T13:06:07.956263Z 0 [ERROR] [MY-010901] [Server] Can't open shared library 'auth_pam_compat.so' (errno: 0 API version for AUTHENTICATION plugin is too different).

This worked previously on MySQL 8.0.26 GA.

https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html does not mention any incompatible changes but it looks like the improvements to authentication have triggered a plugin API change which is incompatible with 8.0.26 and earlier.

PAM authentication code was built from Percona server's PAM authentication module using the plugin interface provided by MySQL.

I am aware that this usage may be unusual but it is very helpful if interfaces change (and plugins are designed in theory to provide an interface for "external code" to plug in to the base server code) for this to be documented.

How to repeat:
See above.

Suggested fix:
* Report the server and plugin API versions to clarify which version the plugin and the server are running.
* As plugins are external visible interfaces to MySQL please document if they change in the MySQL release notes
* If they change additionally consider providing the previous interface if this is technically possible for a few minor versions, marking it as clearly deprecated, but allowing users to use MySQL software (and bug/security fixes) in the latest version and have time to migrate to the new API.
[20 Oct 2021 11:37] MySQL Verification Team 
reason for bumping the version was:
https://github.com/mysql/mysql-server/commit/291957dddd5d1800dc7aead2e3721a52f97c9278

WL#14183: Support for MFA(multi factor authentication) and fido autheā€¦ 

I suppose the error message could include the min required version and what was found.  Although the API versions don't have any relevance to the MySQL Version, not sure what good it would be in an error message.  Release notes could indicate the API version was bumped up.
[21 Oct 2021 8:30] Georgi Kodinov 
Posted by developer:
 
Unfortunately there's no way to keep multiple versions of the plugin APIs operational. This is possible with the component API which I strongly suggest you consider looking into. I also do not think it's useful to be displaying plugin API versions and I sincerely doubt you are using just published plugin APIs and not server symbols in your plugins. 

All that is left from this bug is the request to document changes to plugin APIs. Thus converting into a docs bug.
[21 Oct 2021 15:38] Simon Mudd 
https://dev.mysql.com/worklog/task/?id=2761 (WL#2761: MySQL plugin interface) is quite an interesting read.

- Potentially you could have created a new interface.
- Potentially the server side handler knows the client API version so could maintain an interface the client can understand.  In practice with the MySQL plugin interface that may be possible.
- A breaking change such as this one, even if not intentional seems to imply that you don't believe users use your plugin interfaces for their own code. Many users may not or have no interest or desire to do that but this is a vaguely public interface and not considering potential existing users is impolite.

Oracle provides Critical Patch Update notifications with their new version and such changes make it impossible to apply the updates if they are considered worth following so that is doubly unhelpful.

e.g. https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixMSQL

So yes technically it's a documentation bug which is trivial to fix, but in practice this is a security update impediment if such interfaces are actually being used.