A case in which the MySQL administrator password cannot take effect

This article from the open source community of aikesheng 《 Technology sharing | MySQL For example, setting the administrator password cannot take effect 》 This article introduces a scenario in which the administrator account and password cannot take effect , On the one hand, we can understand what causes this scenario , On the other hand, it is the troubleshooting path for such problems , It is worth learning from , To learn .

Yesterday a customer asked such a question ： He passed the local MySQL The command line connects to the database and finds that the administrator can perform subsequent operations without verifying the password . To find out why , He tried to change the administrator password , Still invalid . For comparison , He also created a new user with a password , adopt MySQL The command line can perform password verification normally .

There are several reasons for such problems ：

1. This user does not have a password .

2. Open... In the configuration file skip-grant-tables Skip Authorization Form .

3. There is clear text in the configuration file password Option to skip the password .

4. The user's authentication plug-in may use auth_socket.

Let's recapitulate this question first .

The phenomenon is as follows ：MySQL Command line client print “hello world” No need to verify the password ,

[email protected]:/home/ytt# mysql -e "select 'hello world'"
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+

After another user verifies the password, the string can be printed normally ,

[email protected]:/home/ytt# mysql -uadmin -e "select 'hello world'"
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: NO)

[email protected]:/home/ytt# mysql -uadmin -p -e "select 'hello world'"
Enter password: 
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+

Try changing the administrator password , You still do not need to verify the password to execute the command ： It seems that the password change is invalid ,

[email protected]:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 8.0.29 MySQL Community Server - GPL

...

mysql> alter user [email protected] identified by 'root';
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
[email protected]:/home/ytt# mysql -e "select 'hello world'"
+-------------+
| hello world |
+-------------+
| hello world |
+-------------+

Next, based on the recurrence scenario and the possible causes thought out at the beginning, gradually determine what the problem is .

1. This user does not have a password

This reason can be quickly eliminated . Because it has been executed once alter user Change the password , So it is impossible to have no password .

2. Open... In the configuration file skip-grant-tables Skip Authorization Form

This reason can also be quickly eliminated . If it is because this option is enabled , All users will not be able to verify the password , Not just for the administrator account itself .

3. There is clear text in the configuration file password Option to skip the password

This may be the reason . You can use tools my_print_defaults To print the relevant configuration 、 Or check the configuration file manually [client]、[mysql] And so on password Clear text options . for example ,

[email protected]:/home/ytt# my_print_defaults /etc/mysql/my.cnf client mysql
--password=*****

The result is indeed that password Options , But think about it , A little untenable . If it's for this reason , After changing the password , Why not verify the new password ？ So this possibility is ruled out .

4. The user's authentication plug-in may use auth_socket

This is most likely the reason .

plug-in unit auth_socket stay MySQL The full name of the official website is ：Socket Peer-Credential Pluggable Authentication( Socket peer credentials pluggable Authentication ).

Official document address ：

https://dev.mysql.com/doc/refman/8.0/en/socket-pluggable-authentication.html

After reading the official documentation, you can conclude that the plug-ins auth_socket No password verification is required for local authentication . He has two certification conditions ,

1. The client passes local unix socket The file MySQL Server side .

2. adopt socket The option to SO_PEERCRED To get the OS user name , Subsequent judgment OS Whether the user name is in mysql.user table .

in addition , Want to know more about it socket The option to SO_PEERCRED Please refer to this website ：

https://man7.org/linux/man-pages/man7/unix.7.html

Let's next verify whether the conclusion is correct . Check whether the current login user is [email protected], Definitely ,

[email protected]:/home/ytt# mysql  -e "select user(),current_user()"
   +----------------+----------------+
   | user()         | current_user() |
   +----------------+----------------+
   | [email protected] | [email protected] |
   +----------------+----------------+

Check mysql.user Table record ： Check fields plugin、authentication_string( This field may not be empty ),

mysql> select plugin,authentication_string from mysql.user where user = 'root' ;
   +-------------+-----------------------+
   | plugin      | authentication_string |
   +-------------+-----------------------+
   | auth_socket |                       |
   +-------------+-----------------------+
   1 row in set (0.01 sec)

Confirm that the administrator account plug-in is auth_socket, No wonder changing the password is invalid . Next, change the plug-in to non auth_socket that will do ,

mysql> alter user [email protected] identified with mysql_native_password by 'root';
   Query OK, 0 rows affected (0.04 sec)

Re execution MySQL Command line ： No password normal error , Enter the correct password and execute successfully ,

[email protected]:/home/ytt# mysql -p -e "select 'hello world'"
   ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
   [email protected]:/home/ytt# mysql -proot -e "select 'hello world'"
   mysql: [Warning] Using a password on the command line interface can be insecure.
   +-------------+
   | hello world |
   +-------------+
   | hello world |
   +-------------+

therefore , In general, I encounter MySQL The question is , It is suggested that MySQL System function 、 The internal objects of the database are retrieved instead of directly printing strings , Sometimes it may be helpful to quickly locate the cause of the problem .

MySQL I always feel that many functions and parameters are closely related , When something goes wrong , Many scenarios are related to parameters , More parameters , From the granularity of control , And personalized configuration , It will be more convenient , But at the same time MySQL Refined use puts forward higher requirements . Different databases , Because the angle of standing may be different , Design implementation level , There are still many different understandings .

Recently updated articles ：

《 Huawei matepad It can be a secondary screen of your laptop ？》

《Oracle How to record login information for accessing the database in ？》

《 How does the technical leader bring down a team ？》

《 Some problems encountered recently 》

《Oracle MySQL The solution to all kinds of disputes about open source license 》

Article classification and indexing ：

《 official account 1000 Article classification and index 》