-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to set plugin_auth_string
to an empty unexpired password
#564
Comments
Hi @TimWolla, Thank your for opening the issue. I want to understand your use case. Why creating an empty password? Is it really necessary? |
Your wording is a little misleading, but yes: We're handing out short-lived X.509 certificates to our application and the application uses this certificate to authenticate to various services, including MySQL. Thus the connection to MySQL is not being performed without any authentication, having the certificate (or rather: access to the certificate's private key) is the authentication. In fact I'd argue this kind of authentication is much stronger than using passwords. |
@TimWolla thanks you for the clarification. Indeed what you're doing to authenticate your clients to the database seems secure and cool. Are you using a product to handle the certificate rotation or it's all in house? I know we can improve the handling of plugin_auth_string by a lot. But as a work around, will it works if you use the |
We're using an in-house solution here.
I'm afraid I'm unable to easily test this and completely unable to run this in production. We're running MySQL 8 as the database and it deprecated |
@TimWolla I see. I read that mysql_native_password is not installed at all since MySQL 8.1. So a PR is definitely worse it. Do you have time to contribute? We can help you getting started if you wish to contribute to the collection. |
SUMMARY
I'm unable to configure
caching_sha2_password
together with an empty password to leverage TLS client certificate authentication.ISSUE TYPE
COMPONENT NAME
mysql_user
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Ansible running on Ubuntu 20.04 with a Debian Bullseye (11) target running MySQL 8.
STEPS TO REPRODUCE
EXPECTED RESULTS
I expected the MySQL user to be created with an empty and unexpired password and TLS requirements.
ACTUAL RESULTS
The user was created with an expired password:
This is due to a semantic difference between:
and
The former will configure the password to be expired, whereas the latter will not. Both will clear the
authentication_string
.Example:
I suppose the following line might need to check for
is not None
or something like that:community.mysql/plugins/module_utils/user.py
Line 311 in 9439282
The text was updated successfully, but these errors were encountered: