TiDB does not reject connection for mismatched user when using auth_socket plugin #54031
Description
Bug Report
Please answer these questions before submitting your issue. Thanks!
1. Minimal reproduce step (Required)
- Create a new user with
auth_socketplugin:
CREATE USER 'u1'@'localhost' IDENTIFIED WITH auth_socket;- connect TiDB with MySQL client (my current system user is
wangchao)
$ whoami
wangchao
$ mysql --comments -uu1 -S/tmp/tidb-4001.sock
2. What did you expect to see? (Required)
The connection should be rejected because the current system user and TiDB user are not the same:
$ mysql --comments -uu1 -S/tmp/tidb-4001.sock
ERROR 1045 (28000): Access denied for user 'u1'@'localhost' (using password: NO)
See descriptions in MySQL doc :
The socket plugin checks whether the socket user name (the operating system user name) matches the MySQL user name specified by the client program to the server. If the names do not match, the plugin checks whether the socket user name matches the name specified in the authentication_string column of the mysql.user system table row. If a match is found, the plugin permits the connection.
3. What did you see instead (Required)
However, it succeed in TiDB
> whoami
wangchao
> mysql --comments -uu1 -S/tmp/tidb-4001.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2097162
Server version: 8.0.11-TiDB-None TiDB Server (Apache License 2.0) Community Edition, MySQL 8.0 compatible
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| u1@localhost |
+----------------+
1 row in set (0.00 sec)
4. What is your TiDB version? (Required)
This is introduced by #37052 and seems to affect 6.5 and the subsequent versions