Bug #80480 Validate Password Plugin throws error if installed in my.cnf
Submitted: 23 Feb 2016 13:41
Modified: 23 Feb 2016 16:27
Reporter: Kevin Markwardt
Status: Verified
Category: MySQL Server: Connection Handling
Severity: S3 (Non-critical)
Version: 5.7.11
OS: CentOS (7.2)
Assigned to:
CPU Architecture: Any
Tags: mysql_secure_installation password plugin

[23 Feb 2016 13:41] Kevin Markwardt
Description:
If you already have the validate password plugin installed via the my.cnf, and you run mysql_secure_installation and choose yes to use the validate password, it will throw an error:

"The password validation plugin is not available. Proceeding with the further steps without the plugin."

I believe the error is getting thrown because the plugin is already installed, so the answer to the question doesn't matter.  I have validated that answering the question with yes and getting the error or answering the question with no, the password you try and set will still be validated.

How to repeat:
1. Configure the validate password plugin in my.cnf using the option

plugin-load=validate_password.so

2. Restart mysql to ensure the plugin is installed on the server startup.
3. Run mysql_secure_installation, and when it prompts you if you wish to use the VALIDATE PASSWORD PLUGIN, if you choose yes it will throw the error.

"The password validation plugin is not available. Proceeding with the further steps without the plugin."

Even though the plugin is already installed and working.

Suggested fix:
I would suggest that the mysql_secure_installation check to see if the plugin is installed.  If it is installed then it can just make a note that the plugin is installed and continue with the rest of the process.  

I believe this should be possible as mysql_secure_installation does an authentication check in order to run, but I am unsure of what level of privileges are required to perform the check.  If that isn't possible, is there any other way to check if the plugin is installed or throw a more accurate error, that the plugin is already installed?
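
One way to perform the check the report asks for, as an added example that is not part of the original report and not code from mysql_secure_installation: query INFORMATION_SCHEMA.PLUGINS for validate_password and classify the result before deciding whether to install the plugin. The helper names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether validate_password is
# already enforcing before a hardening script tries to install it.

# Real INFORMATION_SCHEMA.PLUGINS columns; run with: mysql -N -B -e "$PLUGIN_QUERY"
PLUGIN_QUERY="SELECT PLUGIN_NAME, PLUGIN_STATUS, LOAD_OPTION
FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME = 'validate_password'"

# classify_plugin_state (hypothetical helper): reads tab-separated query rows
# on stdin and prints: active | not-active:<STATUS> | missing
classify_plugin_state() {
    awk -F '\t' '
        tolower($1) == "validate_password" { found = 1; status = toupper($2) }
        END {
            if (!found)                  print "missing"
            else if (status == "ACTIVE") print "active"
            else                         print "not-active:" status
        }'
}

# next_step (hypothetical helper): what a wrapper should do for each state.
next_step() {
    case "$1" in
        active)       echo "skip-install" ;;   # loaded, e.g. via plugin-load in my.cnf
        missing)      echo "install" ;;        # INSTALL PLUGIN or add plugin-load
        not-active:*) echo "investigate" ;;    # present but not enforcing
        *)            echo "unknown"; return 1 ;;
    esac
}

# live_state: query the running server (credentials assumed to come from the
# client option file); not called below so the example runs offline.
live_state() {
    mysql -N -B -e "$PLUGIN_QUERY" | classify_plugin_state
}

# Constructed sample rows, shaped like `mysql -N -B` output for the query above.
SAMPLE_LOADED=$(printf 'validate_password\tACTIVE\tON')
SAMPLE_DISABLED=$(printf 'validate_password\tDISABLED\tOFF')

for rows in "$SAMPLE_LOADED" "$SAMPLE_DISABLED" ""; do
    state=$(printf '%s\n' "$rows" | classify_plugin_state)
    echo "state=$state action=$(next_step "$state")"
done
```

A plugin loaded with plugin-load in my.cnf still appears in INFORMATION_SCHEMA.PLUGINS, so this query reflects what the running server enforces regardless of how the plugin was loaded.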
[23 Feb 2016 15:21] Sinisa Milivojevic
Hi !!

Mysql_secure_installation does not have to be run with latest 5.7, as it is fully secured. However, there should be no problems if that script is run on 5.7. No problems and no errors.

Hence, this bug is fully verified.
[23 Feb 2016 16:24] Kevin Markwardt
Thanks for the update. The concern comes around if a potential client is using the validate password plugin for new account creations and hasn't secured their mysql server when it was installed. We will want to run the command mysql_secure_installation to fully lock it down just in case it hasn't been done in the past.
[23 Feb 2016 16:27] Kevin Markwardt
Ah sorry I misunderstood originally.  Didn't realize that it wasn't necessary to run with 5.7.  Thanks for informing me.