MySQL Bugs: #108849: mysqlrouter bootstrap without password not working / incorrectly prompting

Bug #108849	mysqlrouter bootstrap without password not working / incorrectly prompting
Submitted:	21 Oct 2022 17:09	Modified:	3 Nov 2022 18:02
Reporter:	Jay Janssen	Email Updates:
Status:	Verified	Impact on me:	None
Category:	MySQL Router	Severity:	S3 (Non-critical)
Version:	8.0.31	OS:	Any
Assigned to:		CPU Architecture:	Any

Description:
I am having difficulty with mysqlrouter to bootstrap it with a user that has no password and uses certificate authentication.

Given this config user:
```
# mysqlsh -u config --no-password --ssl-mode=VERIFY_CA --ssl-ca=/etc/ods/certs/ca.pem --ssl-key=/etc/ods/certs/config-jaytest-development-001.key --ssl-cert=/etc/ods/certs/config-jaytest-development-001.crt
MySQL Shell 8.0.31

Copyright (c) 2016, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.

Type '\help' or '\?' for help; '\quit' to exit.
Creating a session to 'config@localhost?ssl-ca=%2Fetc%2Fods%2Fcerts%2Fca.pem&ssl-cert=%2Fetc%2Fods%2Fcerts%2Fconfig-jaytest-development-001.crt&ssl-key=%2Fetc%2Fods%2Fcerts%2Fconfig-jaytest-development-001.key&ssl-mode=verify_ca'
Fetching schema names for auto-completion... Press ^C to stop.
Your MySQL connection id is 947 (X protocol)
Server version: 8.0.30 MySQL Community Server - GPL
No default schema selected; type \use <schema> to set one.
 MySQL  localhost:33060+ ssl  JS >
```

The mysql router manual states:
```
If the user account has no password (which is insecure and not recommended), or if socket peer-credential authentication is in use (for example, with Unix socket connections), you must explicitly specify in the connection string that no password is being provided and the password prompt is not required. To do this, place a : after the user_name in the string but do not specify a password after it. For example:

mysqlx://user_name:@localhost
```

However, I am getting the prompt:

```
mysqlrouter --ssl-mode=VERIFY_CA --ssl-ca=/etc/ods/certs/ca.pem --ssl-key=/etc/ods/certs/config-jaytest-development-001.key --ssl-cert=/etc/ods/certs/config-jaytest-development-001.crt --bootstrap config:@localhost --account-create if-not-exists --account router --user mysqlrouter
Please enter MySQL password for config:
```

If I try the mysqlx uri like the manual states, I get an error:
```
mysqlrouter --ssl-mode=VERIFY_CA --ssl-ca=/etc/ods/certs/ca.pem --ssl-key=/etc/ods/certs/config-jaytest-development-001.key --ssl-cert=/etc/ods/certs/config-jaytest-development-001.crt --bootstrap mysqlx://config:@localhost --account-create if-not-exists --account router --user mysqlrouter
Error: the bootstrap URI contains a /path, but shouldn't
```

How can I skip requiring a password for the bootstrap user?

How to repeat:
setup a cert user per above with a key/cert and no password.  This grant 

This user was created initially with configure_instance and then altered to remove its password and add SSL auth requirements:

ALTER USER `config`@`%` IDENTIFIED BY '' REQUIRE SUBJECT '.../CN=config@jaytest-development-001' ISSUER '/C=...';

then follow steps above.

Suggested fix:
mysqlrouter should offer a --bootstrap-no-password option or at least honor what the manual states about using 'user:@host'.

Hi,

Thank you for the report.