docker-library / mysql

Docker Official Image packaging for MySQL Community Server
https://dev.mysql.com/
GNU General Public License v2.0

Cannot configure mysql auth_plugin to use when using MYSQL_PASSWORD environment variable #1039

Closed Zardozz closed 1 month ago

Zardozz commented 3 months ago

When using the MYSQL_USER and MYSQL_PASSWORD environment variables to cause the docker-entrypoint.sh script to set up an initial database user, you cannot specify which auth_plugin to use, and thus the user is set up with the default auth_plugin (caching_sha2_password), which might not be suitable for your use.

The user creation command as defined in https://dev.mysql.com/doc/refman/8.0/en/create-user.html allows you to specify the auth_plugin to use when creating a user.

Thus I suggest that docker_setup_db() of docker-entrypoint.sh script check for an additional Environment Variable like MYSQL_PASSWORD_PLUGIN

And then docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED WITH '$MYSQL_PASSWORD_PLUGIN' BY '$MYSQL_PASSWORD' ;"

Then you could use other plugins like "mysql_native_password" if required

LaurentGoderre commented 1 month ago

#1048 has more details on this

Zardozz commented 1 month ago

While a native password plugin was one of the drivers for this request, there are many other plugins listed in the docs https://dev.mysql.com/doc/refman/8.0/en/authentication-plugins.html and I thought it might be useful to be able to select others as well.

yosifkit commented 1 month ago

As far as I can tell, the mysql-community-server-minimal-8.4 package that we install doesn't include many auth plugins. There are authentication_*.so files, but they seem to be for client, not server.

docker run -it --rm mysql:8.4 bash
bash-5.1# ls -l /usr/lib64/mysql/plugin/
total 19016
-rwxr-xr-x 1 root root   31016 Apr 10 08:21 adt_null.so
-rwxr-xr-x 1 root root   15752 Apr 10 08:21 auth_socket.so
-rwxr-xr-x 1 root root 6659264 Apr 10 08:21 authentication_kerberos_client.so
-rwxr-xr-x 1 root root   70552 Apr 10 08:21 authentication_ldap_sasl_client.so
-rwxr-xr-x 1 root root  173472 Apr 10 08:21 authentication_oci_client.so
-rwxr-xr-x 1 root root 6638904 Apr 10 08:21 authentication_webauthn_client.so
-rwxr-xr-x 1 root root   24592 Apr 10 08:21 component_audit_api_message_emit.so
...

We don't currently want to add more env vars as the entrypoint script is already very complex. If you need more complex user setup, then a .sql or .sh script in /docker-entrypoint-initdb.d/ is the best answer.
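
The init-script route recommended in the last comment, sketched as an added example (not code from this thread or from the docker-library project). The file name and the `APP_DB_USER`, `APP_DB_PASSWORD` and `APP_DB_AUTH_PLUGIN` variables are hypothetical; the plugin name is checked against an allowlist and the password is escaped rather than interpolated into SQL as-is.

```shell
#!/bin/sh
# Added example: /docker-entrypoint-initdb.d/10-create-user.sh (hypothetical name).
# APP_DB_USER, APP_DB_PASSWORD and APP_DB_AUTH_PLUGIN are hypothetical variables,
# chosen so they do not collide with MYSQL_USER / MYSQL_PASSWORD.

# Escape a value for use inside a single-quoted MySQL string literal.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print a CREATE USER statement, or return 1 if an input is not acceptable.
build_create_user() {
    user=$1 password=$2 plugin=$3
    case $user in
        ''|*[!A-Za-z0-9_]*) echo "invalid user name" >&2; return 1 ;;
    esac
    # Allowlist instead of passing an arbitrary plugin name into SQL.
    # Assumption: only the two plugins named in the thread are wanted.
    case $plugin in
        caching_sha2_password|mysql_native_password) ;;
        *) echo "unsupported auth plugin: $plugin" >&2; return 1 ;;
    esac
    printf "CREATE USER '%s'@'%%' IDENTIFIED WITH %s BY '%s';\n" \
        "$user" "$plugin" "$(sql_quote "$password")"
}

# Runs only when sourced by the entrypoint, where docker_process_sql is defined.
if command -v docker_process_sql >/dev/null 2>&1 && [ -n "${APP_DB_USER:-}" ]; then
    stmt=$(build_create_user "$APP_DB_USER" "${APP_DB_PASSWORD:-}" \
        "${APP_DB_AUTH_PLUGIN:-caching_sha2_password}") || exit 1
    printf '%s\n' "$stmt" | docker_process_sql --database=mysql
fi
```

Leave the file non-executable so the entrypoint sources it and `docker_process_sql` is in scope. On `mysql:8.4` the `mysql_native_password` plugin is disabled by default, so the server must also be started with `--mysql-native-password=ON` for that choice to work.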