Bug #59662 | MySQL Server 5.5 wants to change the auth plugin to the same plugin | ||
---|---|---|---|
Submitted: | 21 Jan 2011 16:00 | Modified: | 2 Feb 2011 15:36 |
Reporter: | Andrey Hristov | Email Updates: | |
Status: | Verified | Impact on me: | |
Category: | MySQL Server: Pluggable Authentication | Severity: | S3 (Non-critical) |
Version: | 5.5, 5.6.2 | OS: | Any |
Assigned to: | Georgi Kodinov | CPU Architecture: | Any |
[21 Jan 2011 16:00]
Andrey Hristov
[22 Jan 2011 9:26]
Sveta Smirnova
Thank you for the report. Verified as described.
[2 Feb 2011 15:36]
Georgi Kodinov
Prior to the pluggable authentication implementation the server was perfectly capable of checking the user details internally based on the user id and the password supplied with the COM_CHANGE_USER request. This resulted in the client just sending a COM_CHANGE_USER and getting an OK.

However, pluggable authentication changes this by introducing additional parties to the authentication process: the client and the server authentication plugins. These work in concert and produce a result based on a single well-defined interaction sequence. Hence the information in COM_CHANGE_USER is not guaranteed to be enough to authenticate the user anymore without further interaction with the client. Thus the server needs to initiate a full authentication cycle to be able to involve the client and the server plugins in an appropriate context every time it needs to authenticate a user. The only tool available to get the client to participate in this cycle is to ask for a plugin change. Thus the client that claims to support pluggable authentication is guaranteed to get a change plugin request after each COM_CHANGE_USER.

Note that the server will stay compatible with pre-pluggable authentication clients and will just check the user details locally and return the same OK/fail packet an old server would return. This is done by creating a special case inside the server for pre-pluggable authentication clients.

COM_CHANGE_USER is often used with the same user name for its side effect (in addition to checking the user credentials): to reset the connection state. Since checking the credentials is now more involved than just a single server-side check, I think we need to create a special RPC to reset the connection without the need to re-authenticate. We can call this e.g. COM_RESET_CONNECTION. Or better, have a server-side function that does that through COM_QUERY if possible.

With the above in mind I'm changing this bug's attributes to feature request.
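The two COM_CHANGE_USER paths described in the comment above, as an added Python model that is not MySQL's own code: a pre-pluggable client (no CLIENT_PLUGIN_AUTH capability) has its mysql_native_password token checked locally and gets an OK/ERR packet back, while a client that advertises CLIENT_PLUGIN_AUTH is always answered with an AuthSwitchRequest, even though it names the plugin it is already using. Packet layouts follow the documented client/server protocol; the account, scramble and OK/ERR packet bytes are constructed sample values, and CLIENT_SECURE_CONNECTION is assumed set so the auth token is length-prefixed.

```python
import hashlib
import hmac

COM_CHANGE_USER = 0x11
CLIENT_PLUGIN_AUTH = 0x00080000      # client understands AuthSwitchRequest
AUTH_SWITCH = 0xFE
PLUGIN = b"mysql_native_password"
OK_PACKET = b"\x00\x00\x00\x02\x00\x00\x00"       # constructed OK packet
ERR_PACKET = b"\xff\x15\x04#28000Access denied"   # constructed ERR packet
SCRAMBLE = bytes(range(20))   # constructed; a real server draws 20 random bytes per cycle
# Constructed account store: the server keeps SHA1(SHA1(password)), never the password.
ACCOUNTS = {b"app": hashlib.sha1(hashlib.sha1(b"s3cret").digest()).digest()}

def native_token(password: bytes, scramble: bytes) -> bytes:
    """Client side of mysql_native_password: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password).digest()
    mix = hashlib.sha1(scramble + hashlib.sha1(stage1).digest()).digest()
    return bytes(a ^ b for a, b in zip(stage1, mix))

def check_native(token: bytes, stored: bytes, scramble: bytes) -> bool:
    """Server side: unmask SHA1(pw) from the token, hash it again, compare with the store."""
    mix = hashlib.sha1(scramble + stored).digest()
    stage1 = bytes(a ^ b for a, b in zip(token, mix))
    return len(token) == 20 and hmac.compare_digest(hashlib.sha1(stage1).digest(), stored)

def build_change_user(user: bytes, token: bytes, caps: int, schema: bytes = b"") -> bytes:
    """COM_CHANGE_USER body as a client with capability flags `caps` sends it."""
    body = bytes([COM_CHANGE_USER]) + user + b"\x00" + bytes([len(token)]) + token
    body += schema + b"\x00" + (33).to_bytes(2, "little")   # charset utf8
    if caps & CLIENT_PLUGIN_AUTH:
        body += PLUGIN + b"\x00"   # the client names the plugin it is already using
    return body

def parse_change_user(body: bytes) -> dict:
    """Decode user, auth token, schema and (optional) plugin name from the body above."""
    assert body[0] == COM_CHANGE_USER
    end = body.index(b"\x00", 1)
    user, pos = body[1:end], end + 1
    token, pos = body[pos + 1:pos + 1 + body[pos]], pos + 1 + body[pos]
    end = body.index(b"\x00", pos)
    schema, pos = body[pos:end], end + 3   # skip the NUL and the 2-byte charset
    plugin = body[pos:].split(b"\x00")[0] if pos < len(body) else None
    return {"user": user, "token": token, "schema": schema, "plugin": plugin}

def server_reply(body: bytes, caps: int) -> bytes:
    """Server answer to COM_CHANGE_USER: full re-authentication cycle or local check."""
    if caps & CLIENT_PLUGIN_AUTH:   # restart the cycle with an AuthSwitchRequest, even for
        return bytes([AUTH_SWITCH]) + PLUGIN + b"\x00" + SCRAMBLE + b"\x00"  # the same plugin
    req = parse_change_user(body)   # pre-pluggable client: verify locally, answer OK/ERR
    stored = ACCOUNTS.get(req["user"])
    return OK_PACKET if stored and check_native(req["token"], stored, SCRAMBLE) else ERR_PACKET
```

The AuthSwitchRequest path is what the reporter observed: the same plugin name comes back in the switch request because the server has no other way to pull the client plugin into a fresh authentication cycle.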