Closed Zardozz closed 1 month ago
While a native password plugin was one of the drivers for this request, there are many other plugins listed in the docs https://dev.mysql.com/doc/refman/8.0/en/authentication-plugins.html and I thought it might be useful to be able to select others as well.
As far as I can tell, the mysql-community-server-minimal-8.4 package that we install doesn't include many auth plugins. There are authentication_*.so files, but they seem to be for the client, not the server.
docker run -it --rm mysql:8.4 bash
bash-5.1# ls -l /usr/lib64/mysql/plugin/
total 19016
-rwxr-xr-x 1 root root 31016 Apr 10 08:21 adt_null.so
-rwxr-xr-x 1 root root 15752 Apr 10 08:21 auth_socket.so
-rwxr-xr-x 1 root root 6659264 Apr 10 08:21 authentication_kerberos_client.so
-rwxr-xr-x 1 root root 70552 Apr 10 08:21 authentication_ldap_sasl_client.so
-rwxr-xr-x 1 root root 173472 Apr 10 08:21 authentication_oci_client.so
-rwxr-xr-x 1 root root 6638904 Apr 10 08:21 authentication_webauthn_client.so
-rwxr-xr-x 1 root root 24592 Apr 10 08:21 component_audit_api_message_emit.so
...
We don't currently want to add more env vars as the entrypoint script is already very complex. If you need more complex user setup, then a .sql or .sh script in /docker-entrypoint-initdb.d/ is the best answer.
When using the MYSQL_USER, MYSQL_PASSWORD Environment Variables to cause the docker-entrypoint.sh script to set up an initial database user, you cannot specify which auth_plugin to use and thus the user is set up with the default auth_plugin (caching_sha2_password) which might not be suitable for your use.
The user creation command as defined in https://dev.mysql.com/doc/refman/8.0/en/create-user.html allows you to specify the auth_plugin to use when creating a user.
Thus I suggest that docker_setup_db() of docker-entrypoint.sh script check for an additional Environment Variable like MYSQL_PASSWORD_PLUGIN
And then
docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED WITH '$MYSQL_PASSWORD_PLUGIN' BY '$MYSQL_PASSWORD' ;"
Then you could use other plugins like "mysql_native_password" if required.
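The init-script route recommended in the reply, applied to the CREATE USER statement proposed in the issue, as an added example that is not part of the thread or of the image's own code. It validates the user and plugin names and escapes the password instead of interpolating raw environment values into SQL; the file name and the APP_USER, APP_PASSWORD and APP_AUTH_PLUGIN variables are hypothetical, and the default sql_mode is assumed.

```shell
#!/bin/sh
# Added example: /docker-entrypoint-initdb.d/10-app-user.sh (hypothetical name).
# APP_USER, APP_PASSWORD and APP_AUTH_PLUGIN are hypothetical variables, not
# ones the image defines. Keep the file non-executable so the entrypoint
# sources it and its docker_process_sql function is in scope.

# Accept only plain identifiers (letters, digits, underscore).
is_identifier() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Escape a value for a single-quoted MySQL string literal.
# Assumption: default sql_mode (NO_BACKSLASH_ESCAPES is not set).
sql_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print the CREATE USER statement for user $1, plugin $2, password $3.
# Fails with no output if the user or plugin name is not an identifier.
build_create_user() {
  is_identifier "$1" || return 1
  is_identifier "$2" || return 1
  printf "CREATE USER '%s'@'%%' IDENTIFIED WITH %s BY '%s';\n" \
    "$1" "$2" "$(sql_quote "$3")"
}

# Executes only when sourced by the entrypoint with the variables set.
# The named plugin must be available on the server for the statement to work.
if command -v docker_process_sql >/dev/null 2>&1 \
   && [ -n "${APP_USER:-}" ] && [ -n "${APP_PASSWORD:-}" ]; then
  stmt=$(build_create_user "$APP_USER" \
    "${APP_AUTH_PLUGIN:-caching_sha2_password}" "$APP_PASSWORD") || {
    echo "refusing to create user: invalid user or plugin name" >&2
    exit 1
  }
  printf '%s\n' "$stmt" | docker_process_sql --database=mysql
fi
```

A password containing a single quote ends up doubled inside the literal, and a plugin value containing anything other than letters, digits or underscores aborts initialization before any SQL is sent.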