pt-show-grants does not support IDENTIFIED WITH for authentication plugins

Bug #1289703 reported by monty solomon
This bug affects 2 people
Affects: Percona Toolkit (moved to https://jira.percona.com/projects/PT)
Status: In Progress
Importance: Undecided
Assigned to: Frank Cizmich
Milestone: -

Bug Description

mysql> CREATE USER test_user IDENTIFIED WITH auth_pam AS 'mysql';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL ON test.* TO test_user;
Query OK, 0 rows affected (0.02 sec)

The information about the authentication plugin is missing from the output.

$ pt-show-grants -uroot --ask | grep test_user
-- Grants for 'test_user'@'%'
GRANT ALL PRIVILEGES ON `test`.* TO 'test_user'@'%';
GRANT USAGE ON *.* TO 'test_user'@'%';

mysql> SELECT * FROM mysql.user WHERE User='test_user'\G
*************************** 1. row ***************************
                  Host: %
                  User: test_user
              Password:
           Select_priv: N
           Insert_priv: N
           Update_priv: N
           Delete_priv: N
           Create_priv: N
             Drop_priv: N
           Reload_priv: N
         Shutdown_priv: N
          Process_priv: N
             File_priv: N
            Grant_priv: N
       References_priv: N
            Index_priv: N
            Alter_priv: N
          Show_db_priv: N
            Super_priv: N
 Create_tmp_table_priv: N
      Lock_tables_priv: N
          Execute_priv: N
       Repl_slave_priv: N
      Repl_client_priv: N
      Create_view_priv: N
        Show_view_priv: N
   Create_routine_priv: N
    Alter_routine_priv: N
      Create_user_priv: N
            Event_priv: N
          Trigger_priv: N
Create_tablespace_priv: N
              ssl_type:
            ssl_cipher:
           x509_issuer:
          x509_subject:
         max_questions: 0
           max_updates: 0
       max_connections: 0
  max_user_connections: 0
                plugin: auth_pam
 authentication_string: mysql
1 row in set (0.00 sec)
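
The row above has an empty Password column, so a dump that omits the IDENTIFIED WITH clause carries no authentication information for that account. One way to check a dump for such accounts, as an added example that is not part of the original report or of Percona Toolkit; the function names, the NATIVE set and the sample rows are assumptions constructed for illustration:

```python
import re

# Section header pt-show-grants prints before each account's statements.
HEADER = re.compile(r"^-- Grants for '(?P<user>[^']*)'@'(?P<host>[^']*)'\s*$")
# Plugin clause as it appears in the patched output quoted in this report.
WITH = re.compile(r"\bIDENTIFIED\s+WITH\s+'?(?P<plugin>\w+)'?", re.IGNORECASE)
# Assumption: built-in password plugins are dumped as IDENTIFIED BY PASSWORD.
NATIVE = {"", "mysql_native_password", "mysql_old_password"}

def plugins_in_dump(dump_text):
    """Map (user, host) -> plugin names found in that account's GRANT lines."""
    found, current = {}, None
    for line in dump_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = (header["user"], header["host"])
            found.setdefault(current, set())
        elif current and line.lstrip().upper().startswith("GRANT"):
            found[current].update(m["plugin"].lower() for m in WITH.finditer(line))
    return found

def accounts_missing_plugin(dump_text, user_rows):
    """Return (user, host, plugin) for plugin accounts the dump does not cover."""
    dumped = plugins_in_dump(dump_text)
    missing = []
    for row in user_rows:
        plugin = (row.get("plugin") or "").lower()
        if plugin in NATIVE:
            continue  # no external plugin to carry over
        if plugin not in dumped.get((row["User"], row["Host"]), set()):
            missing.append((row["User"], row["Host"], plugin))
    return missing

# Constructed sample: test_user as in the report, monty as in the patched output.
SAMPLE_DUMP = """\
-- Grants for 'monty'@'%'
GRANT USAGE ON *.* TO 'monty'@'%' IDENTIFIED WITH auth_pam AS 'mysql';
-- Grants for 'test_user'@'%'
GRANT ALL PRIVILEGES ON `test`.* TO 'test_user'@'%';
GRANT USAGE ON *.* TO 'test_user'@'%';
"""
# Constructed rows standing in for SELECT User, Host, plugin FROM mysql.user.
SAMPLE_ROWS = [
    {"User": "monty", "Host": "%", "plugin": "auth_pam"},
    {"User": "test_user", "Host": "%", "plugin": "auth_pam"},
    {"User": "app", "Host": "localhost", "plugin": ""},
]
if __name__ == "__main__":
    print(accounts_missing_plugin(SAMPLE_DUMP, SAMPLE_ROWS))
```

Any account this returns should have its plugin and authentication string recorded separately before the dump is used to recreate users elsewhere.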

monty solomon (monty+launchpad) wrote :

5.5.35-33.0-log Percona Server (GPL), Release rel33.0, Revision 611

pt-show-grants 2.2.7

Jericho Rivera (jericho-rivera) wrote :

Thank you monty for the detailed report.

I can confirm getting the same results as described above using pt-show-grants 2.2.7 and 2.1.9 on Percona Server 5.6.15.

Changed in percona-toolkit:
status: New → Confirmed
Changed in percona-toolkit:
status: Confirmed → In Progress
assignee: nobody → Frank Cizmich (frank-cizmich)

Frank Cizmich (frank-cizmich) wrote :

It seems this is a feature missing in MySQL itself.
I've prepared a fix that required some hoop jumping.
Please feel free to test it and post results.
Thanks!

tags: added: pt-show-grants

monty solomon (monty+launchpad) wrote :

diffs of the output from current (2.2.9) and test

2c2
< -- Dumped from server Localhost via UNIX socket, MySQL 5.5.38-35.2-log at 2014-07-13 18:05:44
---
> -- Dumped from server Localhost via UNIX socket, MySQL 5.5.38-35.2-log at 2014-07-13 18:05:35
79c79
< GRANT USAGE ON *.* TO 'monty'@'%';
---
> GRANT USAGE ON *.* TO 'monty'@'%' IDENTIFIED WITH auth_pam AS 'mysql';
81c81
< GRANT USAGE ON *.* TO 'monty'@'localhost';
---
> GRANT USAGE ON *.* TO 'monty'@'localhost' IDENTIFIED WITH auth_pam AS 'mysql';

Frank Cizmich (frank-cizmich) wrote :

added as patch

monty solomon (monty+launchpad) wrote :

What is the plan for the patch?

Will it be rolled out in a released version?

monty solomon (monty+launchpad) wrote :

Will the fix be included in 2.2.15?

Frank Cizmich (frank-cizmich) wrote :

It's not planned for 2.2.15.
Mainly because it's an awkward workaround and I'm concerned it risks compatibility.
This should really be a MySQL issue.

monty solomon (monty+launchpad) wrote :

What are the plans to add this support to Percona Toolkit?

Frank Cizmich (frank-cizmich) wrote :

I can't give a hard answer right now, but it should be noted that MySQL 5.7 changed its "show grants" output. This was addressed in the latest release of pt-show-grants. With the latest policy this point becomes moot. Which is good for 5.7 adopters but, granted, still leaves earlier versions uncovered for this particular issue.

Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PT-1212
