Allow to connect with arbitrary plugin #2143
…andshake command and calculate it based on selected auth plugin
Any update on this MR?

@wellwelwel I'm going to resurrect work on this, hope to make some progress in the coming days. Since mysql v8 and above is widely adopted now, what happens for the majority of clients is this:

S: hey, I'm mysql v9.2. I support authentication plugins, prefer connection using caching_sha2_password. Here is my random data to start handshake

At least 1 full roundtrip can be easily avoided

We're looking to upgrade our MySQL databases and would love to see this work completed. Thanks for your contributions!

Would be great to have an option that doesn't require implementing

```json
{
  "defaultAuthenticationPlugin": "caching_sha2_password",
  "serverPublicKey": "xxxyyy",
  "overrideIsSecure": true
}
```
WIP
Currently the mysql2 driver always tries to connect with the `mysql_native_password` plugin. For servers supporting PLUGIN_AUTH and configured to use plugins other than `mysql_native_password`, the initial connection is usually followed by an AUTH_SWITCH_REQUEST packet and an additional handshake with another plugin. This PR will allow using plugins other than `mysql_native_password` in the initial client hello response. The order of preference for the plugin used during connection is:

1. `defaultAuthenticationPlugin` config parameter name, if set ( error if the parameter is set but no standard or user provided plugin under this name )
2. `auth_plugin_name` server hello packet field ( error if plugin not configured )
3. `"mysql_native_password"` if no `defaultAuthenticationPlugin` or `serverHello.auth_plugin_name`

related issues:

- allow to use arbitrary plugin as first auth method #560
- Do not enable mysql_clear_password by default #1617
- fix dead link https://mysqlserverteam.com/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/ to point to https://dev.mysql.com/blog-archive/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/
- move standardAuthPlugins from auth_switch.js to connection. Make fields lazily loaded via getters. Also have a logic "given plugin name, return plugin instance" in the connection. Make sure it is possible to override standard plugins with custom ones
- remove authToken calculation from handshakeResponse. Calculate it in the client_handshake command and pass the token to handshake_response packet
- use plugin name from initial server hello packet to initialise plugin. Make it possible to override if defaultAuthenticationPlugin config option set ( mysql server uses default_authentication_plugin name in its config and sys variable - https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin )
- Potentially allow defaultAuthenticationPlugin to be a function connection => Promise, but also maybe better to have connection => Promise instead to cover everything - see Add a function to update pool default configurations #1983 (comment)
- initialize _authPlugin in the client_handshake command ( also - make sure it is removed on auth / auth switch / change user success )
- refactor change_user packet to use code from handshake_response packet
- MAJOR VERSION: delete all references to authSwitchHandler and related code ( documentation/en/Authentication-Switch.md, auth_switch.js: warnLegacyAuthSwitch etc ) later
- tests for all 3 scenarios ( auth, auth switch, change user )
- tests for explicit default plugin name
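
The order of preference and the per-plugin token calculation described above, as an added example that is not code from this PR or from mysql2. The helper names `selectAuthPlugin` and `initialAuthToken`, the `scramble` field and the simplified plugin shape `(password, scramble) => token` are assumptions made for illustration; the two token formulas are the documented ones for these plugins.

```javascript
'use strict';
const { createHash } = require('node:crypto');

// Hash the concatenation of the given buffers.
const hash = (alg, ...parts) => {
  const h = createHash(alg);
  for (const p of parts) h.update(p);
  return h.digest();
};
const xor = (a, b) => Buffer.from(a.map((byte, i) => byte ^ b[i]));

// Simplified plugin shape (assumption): (password, scramble) => token
const standardAuthPlugins = {
  // SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))
  mysql_native_password: (pw, scramble) => {
    const stage1 = hash('sha1', pw);
    return xor(stage1, hash('sha1', scramble, hash('sha1', stage1)));
  },
  // SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) + scramble)
  caching_sha2_password: (pw, scramble) => {
    const stage1 = hash('sha256', pw);
    return xor(stage1, hash('sha256', hash('sha256', stage1), scramble));
  },
};

// Hypothetical helper applying the order of preference from the PR description.
function selectAuthPlugin(config, serverHello) {
  // Null-prototype map: a server-sent name such as "constructor" must not
  // resolve to an inherited property. User plugins override standard ones.
  const plugins = Object.assign(Object.create(null), standardAuthPlugins, config.authPlugins);
  const name = config.defaultAuthenticationPlugin || serverHello.auth_plugin_name || 'mysql_native_password';
  if (typeof plugins[name] !== 'function') {
    // Covers both error cases: unknown configured name, unconfigured server name.
    throw new Error(`Authentication plugin '${name}' is not configured`);
  }
  return { name, plugin: plugins[name] };
}

// Token for the initial handshake response, computed by the selected plugin.
function initialAuthToken(config, serverHello) {
  const { name, plugin } = selectAuthPlugin(config, serverHello);
  const token = config.password ? plugin(Buffer.from(config.password), serverHello.scramble) : Buffer.alloc(0);
  return { name, token };
}

// Constructed sample: server hello preferring caching_sha2_password, 20-byte nonce.
const sampleHello = { auth_plugin_name: 'caching_sha2_password', scramble: Buffer.alloc(20, 7) };
console.log(initialAuthToken({ password: 'secret' }, sampleHello).name);
```

Because only configured plugins resolve, a server hello naming `mysql_clear_password` is rejected here unless the caller adds that plugin explicitly, so the password is never sent in clear by default.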