Change default mysql_default_authentication_plugin value #61

Open
jraddaoui opened this issue Jun 9, 2021 · 2 comments
Comments

@jraddaoui (Member)

jraddaoui commented Jun 9, 2021

This variable was added to support MySQL 8.0 and PHP 7.2, to be able to set it to mysql_native_password. However, PHP 7.4 now supports caching_sha2_password but the default in here is set to the former:

https://github.com/artefactual-labs/ansible-percona/blob/master/defaults/main.yml#L55

Since AtoM 2.7 will require PHP 7.4 (and I think that was the only use case for this legacy auth. method), we should consider changing the default to caching_sha2_password, a more secure authentication method, or just remove its default, as we're checking that the var is defined before using it:

https://github.com/artefactual-labs/ansible-percona/search?q=mysql_default_authentication_plugin

I don't know exactly how this role works when upgrading existing instances, but we should consider how this change could affect those instances, where we may need to update existing user passwords:

ALTER USER 'atom'@'localhost' IDENTIFIED WITH caching_sha2_password BY '12345';

@jraddaoui (Member, Author)

For now, we are changing the value in the development playbooks ...

artefactual-labs/am-packbuild#313
artefactual/deploy-pub#132

@mamedin (Contributor)

mamedin commented Aug 27, 2021

I need more time to investigate, but in my first try I changed the plugin on a Percona server already configured with mysql_native_password, and after this change I couldn't add/update more users with the role.

Configuring a server from scratch and using mysql_default_authentication_plugin: "mysql_native_password" works fine.

So I think it is a bit dangerous to set caching_sha2_password as the default value.
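The two comments above raise the same practical question: which existing accounts still use mysql_native_password, and what happens to them when the server default moves to caching_sha2_password. The following SQL is an added example (not part of the ansible-percona role or of either commenter's steps) that audits the current state before and after such a change on MySQL 8.0 / Percona Server 8.0; the account name 'atom'@'localhost' comes from the issue, and the password is a placeholder.

```sql
-- Added example, not code from the ansible-percona role.
-- 1. Which accounts would be affected: list every account still using
--    the legacy plugin. On MySQL 8.0 mysql.user is a regular system table.
SELECT user, host, plugin
  FROM mysql.user
 WHERE plugin = 'mysql_native_password'
 ORDER BY user, host;

-- 2. Confirm the server-wide default the role writes into my.cnf through
--    mysql_default_authentication_plugin. Changing this value only affects
--    accounts created afterwards; existing accounts keep their plugin.
SHOW VARIABLES LIKE 'default_authentication_plugin';

-- 3. Migrate one existing account explicitly (as in the issue text).
--    '<new-password>' is a placeholder; the client (here PHP 7.4 mysqlnd)
--    must support caching_sha2_password before this is run.
ALTER USER 'atom'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY '<new-password>';

-- 4. Verify the migration took effect for that account.
SELECT user, host, plugin
  FROM mysql.user
 WHERE user = 'atom' AND host = 'localhost';
```

Step 1 is the check to run before flipping the role default on an existing instance: if it returns rows, those accounts will keep working with their old plugin, but any task that re-creates or updates them without an explicit plugin will pick up the new server default, which is the situation mamedin describes.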
