Bug #97689 option to execute init_connect for all users
Submitted: 19 Nov 2019 14:28 Modified: 27 Nov 2019 8:04
Reporter: Stas Bogachisnsky Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server Severity:S4 (Feature request)
Version: OS:Any
Assigned to: CPU Architecture:Any

[19 Nov 2019 14:28] Stas Bogachisnsky
Description:
There is an option to run command on logon to MySQL server - init_connect.
It's not working for users with SUPER permissions.

How to repeat:
Create a code that will be called from init_connect.
Login with a user with SUPER permissions, note that the code was't executed.

Suggested fix:
Out of precaution, the "init_connect" is not executed for users with SUPER permission. My suggestion is to add sysvar that will cause the server to execute "init_connect" for all users. Suggested name is "SUPER_init_connect" with possible values of ON/OFF and default value will be OFF.
It will be added only in My.cnf file, so even if the "init_connect" will fail all connections, the root will be able to set the "SUPER_init_connect" to OFF or remove it from My.cnf file, restart the service and this will revent to current behavior of "init_connect".
[25 Nov 2019 15:10] Sinisa Milivojevic
Hello Mr. Bogachisnsky,

Thank you for your feature request.

However, your request is not clear nor complete.

What Connecter do you have in mind where you want this feature added.

What MySQL version are you using ??? Do note that only 8.0 can get some small new features.

What would be the benefits of having all users be connected through init_connect(). I hope that you are aware of the problems that this might cause. If not, please re-read our code and re-consider.
[26 Nov 2019 7:07] Stas Bogachisnsky
Hello Sinisa Milivojevic,
Thank you for your reply.
Version 8 will be perfect.
The benefit of this will be an option to perform logging/measurements/settings changes for any new connections, enforcing value of sql_log_bin as example. I'm aware of the problems that it can cause if used not carefully, that's why I suggest to add it via configuration file, so in case of need the root/admin user will be able to disable it.
It will be great to have it for same connectors as init_connect implemented for.
Thank you,
Stas.
[26 Nov 2019 13:36] Sinisa Milivojevic
Hi,

I do not think that your feature request is safe enough. Simply, the consequences could be quite hard. And all that you had to do is add one more line in your configuration file.

This feature request will not be implemented as it would lead to many security problems and security bugs.

Not acceptable.
[27 Nov 2019 8:04] Stas Bogachisnsky
Hi Sinisa Milivojevic,
Thank you for the reply. I'd like to clarify my example.
- If I need to control sql_log_bin for users with SUPER permission based on application logic that will be in a stored procedure and based on table data the config file won't work.
- If I need to document sessions similar for what described in this post https://www.fromdual.com/mysql-logon-and-logoff-trigger-for-auditing for SUPER users too.
Thank you,
Stas.
[27 Nov 2019 13:22] Sinisa Milivojevic
Hi,

We simply can not open security doors to our server. Configuration variable or no configuration variable.