Bug #87845 Initialization of root password doesn't adhere to validation plugin policy
Submitted: 22 Sep 2017 17:49
Modified: 25 Sep 2017 13:07
Reporter: J. Alexander
Status: Verified
Category: MySQL Server: Command-line Clients
Severity: S2 (Serious)
Version: 5.7.5+, 5.7.19
OS: Any
Assigned to:
CPU Architecture: Any

[22 Sep 2017 17:49] J. Alexander
Description:
Random root password generation step for initialization will fail with error 1819 ("Your password does not satisfy the current policy requirements") if the password validation plugin is enabled and 'validate_password_length' > 12 characters.

How to repeat:
Enable the Password Validation Plugin with 'validate_password_length' set to a value > 12 characters and run the initialization process to generate a random root password.

Suggested fix:
Check if the Password Validation Plugin is enabled and adjust the root password generation process to adhere to the 'validate_password_*' configuration settings.
[25 Sep 2017 13:07] MySQL Verification Team
Hello J. Alexander,

Thank you for the report.

Thanks,
Umesh
[25 Sep 2017 13:08] MySQL Verification Team
-- 5.7.19

[umshastr@hod03]/export/umesh/server/binaries/Trunk/87827/mysql-5.7.19: rm -rf 87827 && bin/mysqld  --initialize --basedir=$PWD --datadir=$PWD/87827 --plugin-load-add=validate_password.so --validate_password_length=15 

2017-09-23T05:58:06.362926Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2017-09-23T05:58:06.814020Z 0 [Warning] InnoDB: New log files created, LSN=45790
2017-09-23T05:58:06.884784Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2017-09-23T05:58:06.938987Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 2ba1f158-a024-11e7-a9d9-0010e05f3e06.
2017-09-23T05:58:06.939514Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2017-09-23T05:58:06.940192Z 1 [Note] A temporary password is generated for root@localhost: py2H<_6!:.ji
2017-09-23T05:58:07.092842Z 1 [ERROR] 1819  Your password does not satisfy the current policy requirements
2017-09-23T05:58:07.092979Z 0 [ERROR] Aborting
[26 Sep 2017 9:31] Hugo Dubois
Hello,

I have the same issue with the initialize-insecure option:

2017-09-26T11:27:31.414121+01:00 1 [Note] Creating the system database
2017-09-26T11:27:31.414142+01:00 1 [Warning] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2017-09-26T11:27:31.414347+01:00 1 [Note] Creating the system tables
2017-09-26T11:27:31.577606+01:00 1 [Note] Filling in the system tables, part 1
2017-09-26T11:27:31.578334+01:00 1 [ERROR] 1819  Your password does not satisfy the current policy requirements
2017-09-26T11:27:31.578347+01:00 1 [Note] Bootstrapping complete
2017-09-26T11:27:31.578431+01:00 0 [ERROR] Aborting

I think you should not check password policy at the bootstrap operation
[14 Oct 12:27] Georgi Kodinov
Posted by developer:
 
The password generated by --initialize is 12 characters long. And this is a compile time limitation. 
It's generated by the server and not by the password validation component. 
Note also that the password is marked as expired and needs to be changed. 

And, finally, --initialize is not supposed to be run with any plugins or components loaded. Note that in later versions the password validation plugin is migrated to a component, and components external to the server are not initialized during --initialize.

I'd strongly suggest to document and use the workarounds.

But, nevertheless, the password length and shape control for generated password (both during --initialize and by CREATE USER) is a valid feature request.
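
The following pre-flight check is an added example, not MySQL code and not written by anyone in this report. It flags a mysqld bootstrap command line that loads validate_password, using the 12-character generated-password length stated in the developer comment. Assumptions: only command-line options are inspected (not option files), only the length rule is modelled, the finding codes are hypothetical names, and the default minimum length of 8 is the documented plugin default rather than a value from this page.

```python
import shlex

GENERATED_LEN = 12   # fixed length of the --initialize password (developer comment)
DEFAULT_MIN_LEN = 8  # assumption: documented default of validate_password_length

def parse_opts(cmdline):
    """Map each --long-option to its list of values, treating '-' and '_' alike."""
    opts = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            opts.setdefault(name.replace("-", "_"), []).append(value)
    return opts

def preflight(cmdline):
    """Return finding codes for a mysqld bootstrap command line (empty list = OK)."""
    opts = parse_opts(cmdline)
    insecure = "initialize_insecure" in opts
    if not (insecure or "initialize" in opts):
        return []                        # not a bootstrap run
    loaded = opts.get("plugin_load", []) + opts.get("plugin_load_add", [])
    if not any("validate_password" in v for v in loaded):
        return []                        # policy plugin not loaded at bootstrap
    findings = ["PLUGIN_AT_BOOTSTRAP"]   # --initialize is not meant to run with plugins
    lengths = [v for v in opts.get("validate_password_length", []) if v.isdigit()]
    min_len = int(lengths[-1]) if lengths else DEFAULT_MIN_LEN
    if insecure and min_len > 0:
        findings.append("EMPTY_PASSWORD_VS_POLICY")      # empty root password
    elif not insecure and min_len > GENERATED_LEN:
        findings.append("GENERATED_PASSWORD_TOO_SHORT")  # 12 < required length
    return findings

# Constructed inputs; the first mirrors the options of the verification run above
# with placeholder paths.
FAILING = ("bin/mysqld --initialize --basedir=/opt/mysql --datadir=/opt/mysql/data "
           "--plugin-load-add=validate_password.so --validate_password_length=15")
CLEAN = "bin/mysqld --initialize --basedir=/opt/mysql --datadir=/opt/mysql/data"

if __name__ == "__main__":
    for cmd in (FAILING, CLEAN):
        print(preflight(cmd) or "ok", "<-", cmd)
```

A run that returns only `PLUGIN_AT_BOOTSTRAP` may still fail on the plugin's character-class rules, which this check does not model.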