update

CbcWestwolf · CbcWestwolf · commit 61a65b0ff569 · 2024-10-21T16:12:35.000+08:00
diff --git a/pkg/executor/simple.go b/pkg/executor/simple.go
@@ -1740,10 +1740,6 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 	if _, err := sqlExecutor.ExecuteInternal(ctx, "BEGIN PESSIMISTIC"); err != nil {
 		return err
 	}
-	defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
-	if err != nil {
-		return err
-	}
 
 	for _, spec := range s.Specs {
 		user := e.Ctx().GetSessionVars().User
@@ -1799,7 +1795,7 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			RequireAuthTokenOptions
 		)
 		authTokenOptionHandler := noNeedAuthTokenOptions
-		currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname, defaultAuthPlugin)
+		currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname)
 		if err != nil {
 			return err
 		}
@@ -2510,11 +2506,7 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
 		disableSandboxMode = true
 	}
 
-	defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
-	if err != nil {
-		return err
-	}
-	authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h, defaultAuthPlugin)
+	authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/privilege/privilege.go b/pkg/privilege/privilege.go
@@ -116,10 +116,10 @@ type Manager interface {
 	IsDynamicPrivilege(privNameInUpper string) bool
 
 	// GetAuthPluginForConnection gets the authentication plugin used in connection establishment.
-	GetAuthPluginForConnection(user, host, defaultAuthPlugin string) (string, error)
+	GetAuthPluginForConnection(user, host string) (string, error)
 
 	// GetAuthPlugin gets the authentication plugin for the account identified by the user and host
-	GetAuthPlugin(user, host, defaultAuthPlugin string) (string, error)
+	GetAuthPlugin(user, host string) (string, error)
 }
 
 const key keyType = 0
diff --git a/pkg/privilege/privileges/cache.go b/pkg/privilege/privileges/cache.go
@@ -285,8 +285,6 @@ type MySQLPrivilege struct {
 	ColumnsPriv   []columnsPrivRecord
 	DefaultRoles  []defaultRoleRecord
 	RoleGraph     map[string]roleGraphEdgesTable
-
-	defaultAuthPlugin string
 }
 
 // FindAllUserEffectiveRoles is used to find all effective roles grant to this user.
@@ -399,9 +397,7 @@ func (p *MySQLPrivilege) LoadAll(ctx sessionctx.Context) error {
 		}
 		logutil.BgLogger().Warn("mysql.role_edges missing")
 	}
-
-	p.defaultAuthPlugin, err = ctx.GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
-	return err
+	return nil
 }
 
 func noSuchTable(err error) bool {
@@ -669,7 +665,7 @@ func (p *MySQLPrivilege) decodeUserTableRow(row chunk.Row, fs []*resolve.ResultF
 			if row.GetString(i) != "" {
 				value.AuthPlugin = row.GetString(i)
 			} else {
-				value.AuthPlugin = p.defaultAuthPlugin
+				value.AuthPlugin = mysql.AuthNativePassword
 			}
 		case f.ColumnAsName.L == "token_issuer":
 			value.AuthTokenIssuer = row.GetString(i)
diff --git a/pkg/privilege/privileges/privileges.go b/pkg/privilege/privileges/privileges.go
@@ -328,9 +328,9 @@ func (p *UserPrivileges) GetEncodedPassword(user, host string) string {
 }
 
 // GetAuthPluginForConnection gets the authentication plugin used in connection establishment.
-func (p *UserPrivileges) GetAuthPluginForConnection(user, host, defaultAuthPlugin string) (string, error) {
+func (p *UserPrivileges) GetAuthPluginForConnection(user, host string) (string, error) {
 	if SkipWithGrant {
-		return defaultAuthPlugin, nil
+		return mysql.AuthNativePassword, nil
 	}
 
 	mysqlPriv := p.Handle.Get()
@@ -359,9 +359,9 @@ func (p *UserPrivileges) GetAuthPluginForConnection(user, host, defaultAuthPlugi
 }
 
 // GetAuthPlugin gets the authentication plugin for the account identified by the user and host
-func (p *UserPrivileges) GetAuthPlugin(user, host, defaultAuthPlugin string) (string, error) {
+func (p *UserPrivileges) GetAuthPlugin(user, host string) (string, error) {
 	if SkipWithGrant {
-		return defaultAuthPlugin, nil
+		return mysql.AuthNativePassword, nil
 	}
 	mysqlPriv := p.Handle.Get()
 	record := mysqlPriv.connectionVerification(user, host)
diff --git a/pkg/server/conn.go b/pkg/server/conn.go
@@ -853,12 +853,8 @@ func (cc *clientConn) checkAuthPlugin(ctx context.Context, resp *handshake.Respo
 	if err != nil {
 		return nil, servererr.ErrAccessDenied.FastGenByArgs(cc.user, host, hasPassword)
 	}
-	defaultAuthPlugin, err := cc.ctx.GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)
-	if err != nil {
-		return nil, err
-	}
 	// Get the plugin for the identity.
-	userplugin, err := cc.ctx.AuthPluginForUser(identity, defaultAuthPlugin)
+	userplugin, err := cc.ctx.AuthPluginForUser(identity)
 	if err != nil {
 		logutil.Logger(ctx).Warn("Failed to get authentication method for user",
 			zap.String("user", cc.user), zap.String("host", host))
diff --git a/pkg/session/session.go b/pkg/session/session.go
@@ -2706,10 +2706,10 @@ func (s *session) GetBuildPBCtx() *planctx.BuildPBContext {
 	return bctx.(*planctx.BuildPBContext)
 }
 
-func (s *session) AuthPluginForUser(user *auth.UserIdentity, defaultAuthPlugin string) (string, error) {
+func (s *session) AuthPluginForUser(user *auth.UserIdentity) (string, error) {
 	pm := privilege.GetPrivilegeManager(s)
 
-	authplugin, err := pm.GetAuthPluginForConnection(user.Username, user.Hostname, defaultAuthPlugin)
+	authplugin, err := pm.GetAuthPluginForConnection(user.Username, user.Hostname)
 	if err != nil {
 		return "", err
 	}
diff --git a/pkg/session/types/sesson_interface.go b/pkg/session/types/sesson_interface.go
@@ -71,7 +71,7 @@ type Session interface {
 	Close()
 	Auth(user *auth.UserIdentity, auth, salt []byte, authConn conn.AuthConn) error
 	AuthWithoutVerification(user *auth.UserIdentity) bool
-	AuthPluginForUser(user *auth.UserIdentity, defaultAuthPlugin string) (string, error)
+	AuthPluginForUser(user *auth.UserIdentity) (string, error)
 	MatchIdentity(username, remoteHost string) (*auth.UserIdentity, error)
 	// Return the information of the txn current running
 	TxnInfo() *txninfo.TxnInfo
diff --git a/tests/integrationtest/r/executor/simple.result b/tests/integrationtest/r/executor/simple.result
@@ -456,12 +456,19 @@ id
 set autocommit = default;
 set global default_authentication_plugin = 'caching_sha2_password';
 create user default_sha256_user;
+create role default_sha256_role;
 show create user default_sha256_user;
 CREATE USER for default_sha256_user@%
 CREATE USER 'default_sha256_user'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
 select plugin from mysql.user where user = 'default_sha256_user';
 plugin
 caching_sha2_password
+show create user default_sha256_role;
+CREATE USER for default_sha256_role@%
+CREATE USER 'default_sha256_role'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '' REQUIRE NONE PASSWORD EXPIRE ACCOUNT LOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT
+select plugin from mysql.user where user = 'default_sha256_role';
+plugin
+caching_sha2_password
 alter user default_sha256_user identified with 'tidb_sm3_password';
 show create user default_sha256_user;
 CREATE USER for default_sha256_user@%
@@ -484,4 +491,5 @@ select plugin from mysql.user where user = 'default_sha256_user';
 plugin
 authentication_ldap_sasl
 drop user default_sha256_user;
+drop user default_sha256_role;
 set global default_authentication_plugin = default;
diff --git a/tests/integrationtest/t/executor/simple.test b/tests/integrationtest/t/executor/simple.test
@@ -493,8 +493,11 @@ set autocommit = default;
 connection default;
 set global default_authentication_plugin = 'caching_sha2_password';
 create user default_sha256_user;
+create role default_sha256_role;
 show create user default_sha256_user;
 select plugin from mysql.user where user = 'default_sha256_user';
+show create user default_sha256_role;
+select plugin from mysql.user where user = 'default_sha256_role';
 
 alter user default_sha256_user identified with 'tidb_sm3_password';
 show create user default_sha256_user;
@@ -509,4 +512,5 @@ show create user default_sha256_user;
 select plugin from mysql.user where user = 'default_sha256_user';
 
 drop user default_sha256_user;
+drop user default_sha256_role;
 set global default_authentication_plugin = default;

Original file line number	Diff line number	Diff line change
`@@ -1740,10 +1740,6 @@ func (e SimpleExec) executeAlterUser(ctx context.Context, s ast.AlterUserStmt)`
`1740`	`1740`	`if _, err := sqlExecutor.ExecuteInternal(ctx, "BEGIN PESSIMISTIC"); err != nil {`
`1741`	`1741`	`return err`
`1742`	`1742`	`}`
`1743`		`- defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)`
`1744`		`- if err != nil {`
`1745`		`- return err`
`1746`		`- }`
`1747`	`1743`
`1748`	`1744`	`for _, spec := range s.Specs {`
`1749`	`1745`	`user := e.Ctx().GetSessionVars().User`
`@@ -1799,7 +1795,7 @@ func (e SimpleExec) executeAlterUser(ctx context.Context, s ast.AlterUserStmt)`
`1799`	`1795`	`RequireAuthTokenOptions`
`1800`	`1796`	`)`
`1801`	`1797`	`authTokenOptionHandler := noNeedAuthTokenOptions`
`1802`		`- currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname, defaultAuthPlugin)`
	`1798`	`+ currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname)`
`1803`	`1799`	`if err != nil {`
`1804`	`1800`	`return err`
`1805`	`1801`	`}`
`@@ -2510,11 +2506,7 @@ func (e SimpleExec) executeSetPwd(ctx context.Context, s ast.SetPwdStmt) error`
`2510`	`2506`	`disableSandboxMode = true`
`2511`	`2507`	`}`
`2512`	`2508`
`2513`		`- defaultAuthPlugin, err := e.Ctx().GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)`
`2514`		`- if err != nil {`
`2515`		`- return err`
`2516`		`- }`
`2517`		`- authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h, defaultAuthPlugin)`
	`2509`	`+ authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h)`
`2518`	`2510`	`if err != nil {`
`2519`	`2511`	`return err`
`2520`	`2512`	`}`
Original file line number	Diff line number	Diff line change
`@@ -285,8 +285,6 @@ type MySQLPrivilege struct {`
`285`	`285`	`ColumnsPriv []columnsPrivRecord`
`286`	`286`	`DefaultRoles []defaultRoleRecord`
`287`	`287`	`RoleGraph map[string]roleGraphEdgesTable`
`288`		`-`
`289`		`- defaultAuthPlugin string`
`290`	`288`	`}`
`291`	`289`
`292`	`290`	`// FindAllUserEffectiveRoles is used to find all effective roles grant to this user.`
`@@ -399,9 +397,7 @@ func (p *MySQLPrivilege) LoadAll(ctx sessionctx.Context) error {`
`399`	`397`	`}`
`400`	`398`	`logutil.BgLogger().Warn("mysql.role_edges missing")`
`401`	`399`	`}`
`402`		`-`
`403`		`- p.defaultAuthPlugin, err = ctx.GetSessionVars().GlobalVarsAccessor.GetGlobalSysVar(variable.DefaultAuthPlugin)`
`404`		`- return err`
	`400`	`+ return nil`
`405`	`401`	`}`
`406`	`402`
`407`	`403`	`func noSuchTable(err error) bool {`
`@@ -669,7 +665,7 @@ func (p MySQLPrivilege) decodeUserTableRow(row chunk.Row, fs []resolve.ResultF`
`669`	`665`	`if row.GetString(i) != "" {`
`670`	`666`	`value.AuthPlugin = row.GetString(i)`
`671`	`667`	`} else {`
`672`		`- value.AuthPlugin = p.defaultAuthPlugin`
	`668`	`+ value.AuthPlugin = mysql.AuthNativePassword`
`673`	`669`	`}`
`674`	`670`	`case f.ColumnAsName.L == "token_issuer":`
`675`	`671`	`value.AuthTokenIssuer = row.GetString(i)`
Original file line number	Diff line number	Diff line change
`@@ -328,9 +328,9 @@ func (p *UserPrivileges) GetEncodedPassword(user, host string) string {`
`328`	`328`	`}`
`329`	`329`
`330`	`330`	`// GetAuthPluginForConnection gets the authentication plugin used in connection establishment.`
`331`		`-func (p *UserPrivileges) GetAuthPluginForConnection(user, host, defaultAuthPlugin string) (string, error) {`
	`331`	`+func (p *UserPrivileges) GetAuthPluginForConnection(user, host string) (string, error) {`
`332`	`332`	`if SkipWithGrant {`
`333`		`- return defaultAuthPlugin, nil`
	`333`	`+ return mysql.AuthNativePassword, nil`
`334`	`334`	`}`
`335`	`335`
`336`	`336`	`mysqlPriv := p.Handle.Get()`
`@@ -359,9 +359,9 @@ func (p *UserPrivileges) GetAuthPluginForConnection(user, host, defaultAuthPlugi`
`359`	`359`	`}`
`360`	`360`
`361`	`361`	`// GetAuthPlugin gets the authentication plugin for the account identified by the user and host`
`362`		`-func (p *UserPrivileges) GetAuthPlugin(user, host, defaultAuthPlugin string) (string, error) {`
	`362`	`+func (p *UserPrivileges) GetAuthPlugin(user, host string) (string, error) {`
`363`	`363`	`if SkipWithGrant {`
`364`		`- return defaultAuthPlugin, nil`
	`364`	`+ return mysql.AuthNativePassword, nil`
`365`	`365`	`}`
`366`	`366`	`mysqlPriv := p.Handle.Get()`
`367`	`367`	`record := mysqlPriv.connectionVerification(user, host)`
Original file line number	Diff line number	Diff line change
`@@ -2706,10 +2706,10 @@ func (s session) GetBuildPBCtx() planctx.BuildPBContext {`
`2706`	`2706`	`return bctx.(*planctx.BuildPBContext)`
`2707`	`2707`	`}`
`2708`	`2708`
`2709`		`-func (s session) AuthPluginForUser(user auth.UserIdentity, defaultAuthPlugin string) (string, error) {`
	`2709`	`+func (s session) AuthPluginForUser(user auth.UserIdentity) (string, error) {`
`2710`	`2710`	`pm := privilege.GetPrivilegeManager(s)`
`2711`	`2711`
`2712`		`- authplugin, err := pm.GetAuthPluginForConnection(user.Username, user.Hostname, defaultAuthPlugin)`
	`2712`	`+ authplugin, err := pm.GetAuthPluginForConnection(user.Username, user.Hostname)`
`2713`	`2713`	`if err != nil {`
`2714`	`2714`	`return "", err`
`2715`	`2715`	`}`