mysql.user表的數(shù)據(jù)準(zhǔn)確性問(wèn)題
2024-08-20 14:27 瀟湘隱者 閱讀(173) 評(píng)論(0) 收藏 舉報(bào)mysql.user這個(gè)系統(tǒng)表中有些字段的數(shù)據(jù)是不準(zhǔn)確的(或者說(shuō)是不一定準(zhǔn)確,這樣表達(dá)更嚴(yán)謹(jǐn)一點(diǎn))。這是一個(gè)讓人頭疼的問(wèn)題,下面簡(jiǎn)單述說(shuō)一下問(wèn)題,主要是mysql.user表中的password_lifetime,password_reuse_history,password_reuse_time這幾個(gè)字段的數(shù)據(jù)都不一定準(zhǔn)確。
下面簡(jiǎn)單演示一下,當(dāng)前測(cè)試環(huán)境為MySQL 8.0.35。
mysql> show global variables like 'default_password_lifetime';
+---------------------------+-------+
| Variable_name | Value |
+---------------------------+-------+
| default_password_lifetime | 180 |
+---------------------------+-------+
1 row in set (0.00 sec)
mysql> show global variables like 'password_history';
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| password_history | 6 |
+------------------+-------+
1 row in set (0.01 sec)
mysql> show global variables like 'password_reuse_interval';
+-------------------------+-------+
| Variable_name | Value |
+-------------------------+-------+
| password_reuse_interval | 365 |
+-------------------------+-------+
1 row in set (0.00 sec)
mysql>
此時(shí),如果我創(chuàng)建一個(gè)用戶(hù)test,如下所示,你會(huì)看到password_lifetime值為null,password_reuse_history的值為null,這個(gè)值明顯不正確,是不是Bug呢?
mysql> CREATE USER `test`@`192.168.7.10%` IDENTIFIED BY 'Kjdh#234289dj';
Query OK, 0 rows affected (0.03 sec)
mysql> select user
-> ,host
-> ,account_locked
-> ,password_last_changed
-> ,password_expired
-> ,password_lifetime
-> ,plugin
-> ,password_reuse_history
-> ,Password_reuse_time
-> from mysql.user
-> where user='test'\G
*************************** 1. row ***************************
user: test
host: 192.168.7.10%
account_locked: N
password_last_changed: 2024-08-20 11:05:39
password_expired: N
password_lifetime: NULL
plugin: caching_sha2_password
password_reuse_history: NULL
Password_reuse_time: NULL
1 row in set (0.01 sec)
mysql>
搜索相關(guān)資料時(shí),發(fā)現(xiàn)已經(jīng)有人反饋這個(gè)問(wèn)題了,Bug #112128 The parameters such as MySQL password_history does not take effect[1] 但是官方的解釋是這是一個(gè)"正常現(xiàn)象",它不是一個(gè)Bug,具體解釋如下所示:
The way it works is as follows:
1. There is the global system variable default_password_lifetime that specifies the policy for all accounts that are set to use the default password lifetime. This is done by ALTER USER PASSWORD EXPIRE DEFAULT. In the system table (not that it matters, but still) this stores a NULL. The NULL value is used as a flag that the account in question does not have a special per user password lifetime. The special per-user password lifetime is set via ALTER USER PASSWORD EXPIRE NEVER (which sets the column to 0) or ALTER USER PASSWORD EXPIRE INTERVAL N DAY (which sets the column to N).
As a consequence all password lifetimes for all users that do not have a specific password lifetime set will follow the value of the global variable.
And if you store a specific password lifefile for a user account it will "detach" itself from the global variable's value and will be pegged to whatever you've set for it. Until you reset it back to the default of course.
簡(jiǎn)單翻譯如下:
它的工作原理如下:
有一個(gè)全局系統(tǒng)變量 default_password_lifetime,它指定了所有使用默認(rèn)密碼生命周期的帳戶(hù)的策略。這是通過(guò) ALTER USER PASSWORD EXPIRE DEFAULT命令完成的。在系統(tǒng)表中(這并不重要,但還是說(shuō)一下),它存儲(chǔ)了一個(gè) NULL 值。NULL 值被用作一個(gè)標(biāo)志,表示相關(guān)的帳戶(hù)沒(méi)有特別的用戶(hù)密碼生命周期。 每個(gè)用戶(hù)的特殊的密碼生命周期是通過(guò) ALTER USER PASSWORD EXPIRE NEVER(這將列設(shè)置為 0)或 ALTER USER PASSWORD EXPIRE INTERVAL N DAY(這將列設(shè)置為 N)來(lái)設(shè)置的。 因此,所有沒(méi)有設(shè)置特定/特殊密碼生命周期的用戶(hù)的所有密碼生命周期都將遵循全局變量的值。 如果你為一個(gè)用戶(hù)帳戶(hù)存儲(chǔ)了一個(gè)特定的密碼生命周期,它將“脫離”全局變量的值,并被固定為你為它設(shè)置的任何值。當(dāng)然,除非你將其重置回默認(rèn)值。
搜索資料的過(guò)程,發(fā)現(xiàn)反饋這種現(xiàn)象("bug")的還不止一個(gè),另外一個(gè)鏈接也是反饋了同樣的問(wèn)題,Bug #89349 password_lifetime set to Null for user after changing default_password_lifetime[2]
這里簡(jiǎn)單說(shuō)明一下,就是mysql.user中,password_lifetime值為null,表示它使用全局系統(tǒng)變量的值,如果你為某個(gè)用戶(hù)指定了 特殊的密碼過(guò)期時(shí)間,那么mysql.user的password_lifetime字段才會(huì)存儲(chǔ)特定的密碼過(guò)期時(shí)間。也就是說(shuō)如果我們創(chuàng)建用戶(hù)的時(shí)候指定密碼過(guò)期時(shí)間,或者使用SQL語(yǔ)句指定用戶(hù)的密碼過(guò)期時(shí)間,此時(shí)mysql.user中的password_lifetime等字段值就是正確的。如下所示
mysql> ALTER USER 'test'@'192.168.7.10%' PASSWORD EXPIRE INTERVAL 60 DAY;
Query OK, 0 rows affected (0.01 sec)
mysql> select user
-> ,host
-> ,account_locked
-> ,password_last_changed
-> ,password_expired
-> ,password_lifetime
-> ,plugin
-> ,password_reuse_history
-> ,Password_reuse_time
-> from mysql.user
-> where user='test'\G
*************************** 1. row ***************************
user: test
host: 192.168.7.10%
account_locked: N
password_last_changed: 2024-08-20 11:05:39
password_expired: N
password_lifetime: 60
plugin: caching_sha2_password
password_reuse_history: NULL
Password_reuse_time: NULL
1 row in set (0.00 sec)
mysql> CREATE USER test1@'%' IDENTIFIED BY 'Kjdh#234289dj'
-> PASSWORD EXPIRE INTERVAL 20 DAY
-> PASSWORD HISTORY 30
-> PASSWORD REUSE INTERVAL 60 DAY;
Query OK, 0 rows affected (0.03 sec)
mysql> select user
-> ,host
-> ,account_locked
-> ,password_last_changed
-> ,password_expired
-> ,password_lifetime
-> ,plugin
-> ,password_reuse_history
-> ,Password_reuse_time
-> from mysql.user
-> where user='test1'\G
*************************** 1. row ***************************
user: test1
host: %
account_locked: N
password_last_changed: 2024-08-20 11:57:18
password_expired: N
password_lifetime: 20
plugin: caching_sha2_password
password_reuse_history: 30
Password_reuse_time: 60
1 row in set (0.00 sec)
mysql>
總結(jié)
雖然官方的這種邏輯處理也沒(méi)有什么大問(wèn)題,但是不能準(zhǔn)確的反映用戶(hù)密碼過(guò)期時(shí)間,讓普通用戶(hù)也挺困惑的。為什么不能統(tǒng)一致呢?
1: https://bugs.mysql.com/bug.php?id=112128
[2]2: https://bugs.mysql.com/bug.php?id=89349
浙公網(wǎng)安備 33010602011771號(hào)