Open descrepes opened 8 years ago
You're kidding, right? :-) This feature could be a considered a serious security issue.
Can you provide a rationale? Otherwise we will close this.
Just as the MySQL show grants or select password from mysql.user\G do.
It returns the hashed password of the user, not the password itself.
The main reason is that I'm writing a puppet resource for influxdb. The user has 2 properties that can be updated: password and admin (grant should be another type/provider).
The idea is to declare an influxdb user like so:

```puppet
influxdb_user { 'foo':
  ensure   => present,
  isadmin  => false,
  password => $foo_pass
}
```

$foo_pass is a puppet variable encrypted in hiera eyaml.
While puppet is prefetching, it lists all the users and fetches all attributes of each user.
During this prefetch, if we want puppet to be able to update the password (and not set it during each puppet run), we need to compare it.
The idea is to compare the hash of the password provided in the declared resource to the hashed password retrieved by SHOW USERS (for example).
Regards
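The prefetch-and-compare logic described above, as an added Python example that is not part of this issue and not InfluxDB's or Puppet's own code. The thread does not show which hash format the server stores, so this example assumes a PBKDF2-HMAC-SHA256 string (a stand-in, chosen because it runs on the standard library alone); the point is the decision logic: a password is only re-set when the stored hash does not verify the desired value, and the comparison is constant-time so the provisioning tool does not leak timing about the hash it holds.

```python
import hashlib
import hmac
import os

# Assumed stand-in format: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
# The real server-side format is not shown in the thread; only the compare logic matters here.
SCHEME = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=200_000):
    """Produce a stored-hash string for a password (salt is random unless supplied)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Return True if `password` hashes to `stored`; malformed or foreign schemes verify as False."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    # Constant-time comparison: do not let the equality check depend on where the digests differ.
    return hmac.compare_digest(digest.hex(), digest_hex)


def plan_user_changes(current_users, desired_users):
    """Decide which operations a prefetch/flush cycle must issue.

    current_users: {name: {"hash": stored_hash, "admin": bool}} as a SHOW USERS
                   listing exposing hashes would give.
    desired_users: {name: {"password": plaintext, "admin": bool}} from the declared resources.
    Returns an ordered list of (name, action) tuples; nothing is issued for users
    whose stored hash already verifies the desired password.
    """
    actions = []
    for name, want in desired_users.items():
        have = current_users.get(name)
        if have is None:
            actions.append((name, "create"))
            continue
        if not verify_password(have["hash"], want["password"]):
            actions.append((name, "set_password"))
        if have["admin"] != want["admin"]:
            actions.append((name, "grant_admin" if want["admin"] else "revoke_admin"))
    for name in current_users:
        if name not in desired_users:
            actions.append((name, "drop"))
    return actions


if __name__ == "__main__":
    # Constructed sample state, not real data.
    stored = hash_password("s3cret")
    current = {"foo": {"hash": stored, "admin": False}}
    desired = {"foo": {"password": "s3cret", "admin": False}}
    print(plan_user_changes(current, desired))  # no changes needed
    desired["foo"]["password"] = "rotated"
    print(plan_user_changes(current, desired))  # [('foo', 'set_password')]
```

A second run with the same declared password produces an empty plan, which is exactly the idempotence the puppet provider needs; without access to the stored hash the provider would have to issue SET PASSWORD on every run.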
I didn't know MySQL exposed that information -- I did realise you were talking about the hash, but hashes can be cracked, so exposing them unnecessarily is always something to avoid.
We would need to make sure only the admin could do this, if we decide to support it.
Yes, only hashes. And of course only admin authenticated users should be allowed to retrieve that information :)
I've run into the same issue while building an Ansible module.
Currently, I can't determine whether the user's state has changed (and act upon those changes further down the provisioning road), because I cannot compare the password hash before and after SET PASSWORD execution...
As a workaround, I am connecting with the given credentials and query something [1]. If the connection errors with "authentication failure", then the password needs to be updated. This feels hackish.
Footnote 1. This is a bit tricky, as all SHOW statements will error out with "requires admin privileges" (if the given user is not an admin). There is also no such thing like a SELECT 1 statement, as it needs a FROM clause which in turn needs a database name (which usually isn't available in this state in the provisioning process).
@dmke, at least using the Python bindings, there's a SELECT 1 equivalent:

```python
>>> client.switch_user('admin', 'admin')
>>> client.query(";")
[]
>>> client.switch_user('invalid', 'invalid')
>>> client.query(";")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/influxdb/client.py", line 394, in query
    expected_response_code=expected_response_code
  File "/usr/lib/python2.7/site-packages/influxdb/client.py", line 271, in request
    raise InfluxDBClientError(response.content, response.status_code)
influxdb.exceptions.InfluxDBClientError: 401: {"error":"authorization failed"}
```
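The credential probe that dmke's footnote describes and the session above demonstrates (send the empty statement ";" and treat a 401 as "password needs updating"), as an added Python example that is not part of this issue and not the influxdb client's own code. To run offline it pairs the probe with a constructed stand-in for the server: a tiny HTTP handler that answers GET /query with 200 when HTTP basic auth matches a constructed user table and with the 401 {"error":"authorization failed"} body seen above otherwise. The probe only reports False on 401 and re-raises anything else, so an outage or a misconfigured URL is not silently mistaken for a wrong password.

```python
import base64
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential table for the stand-in server; not real accounts.
FAKE_USERS = {"admin": "admin"}


class FakeQueryHandler(BaseHTTPRequestHandler):
    """Stand-in for the server side of the exchange: checks basic auth on /query."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        if url.path != "/query":
            self._send(404, {"error": "not found"})
            return
        auth = self.headers.get("Authorization", "")
        ok = False
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                ok = FAKE_USERS.get(user) == pw
            except (ValueError, UnicodeDecodeError):
                ok = False
        if not ok:
            # Same status and body shape as the 401 in the session above.
            self._send(401, {"error": "authorization failed"})
            return
        self._send(200, {"results": []})

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_fake_server():
    """Bind the stand-in server on a free loopback port and serve it in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeQueryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def credentials_work(base_url, user, password, timeout=5):
    """Client side of the probe: GET /query?q=; with basic auth.

    Returns True on 200, False on 401; any other failure is re-raised so the
    caller can distinguish 'wrong password' from 'server unreachable'.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + "/query?q=" + urllib.parse.quote(";"),
        headers={"Authorization": "Basic " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return True
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


if __name__ == "__main__":
    srv = start_fake_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    print("admin/admin:", credentials_work(base, "admin", "admin"))        # True
    print("invalid/invalid:", credentials_work(base, "invalid", "invalid"))  # False
    srv.shutdown()
```

Pointing credentials_work at a real endpoint instead of the stand-in gives the same yes/no answer the Ansible workaround relies on; the limitation the thread notes still holds, namely that it can only tell whether the password is already current, not what state it was in before, which is why the thread asks for the hash to be visible to admins.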
Hi,
Displaying the hashed password of users with "SHOW USERS" could be very useful :)
Regards