Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://mariadb.com/docs/server/security/user-account-management/authentication-from-mariadb-10-4 below:

Authentication from MariaDB 10.4 | MariaDB Documentation

• MariaDB Server Documentation
• Quickstart Guides
• Server Usage
• Server Management
• Security
• Architecture
• Clients & Utilities
• HA & Performance
• Reference
  • SQL Structure
  • SQL Statements
  • SQL Functions
  • Data Types
  • Plugins
  • System Tables
  • Error Codes
    • MariaDB Error Code Reference
    • Operating System Error Codes
    • MariaDB Error Codes 1000 to 1099
    • MariaDB Error Codes 1100 to 1199
    • MariaDB Error Codes 1200 to 1299
    • MariaDB Error Codes 1300 to 1399
    • MariaDB Error Codes 1400 to 1499
      • Error 1400: XAER_OUTSIDE: Some work is done outside global transaction
      • Error 1401: XAER_RMERR: Fatal error occurred in the transaction branch - check your data for consist
      • Error 1402: XA_RBROLLBACK: Transaction branch was rolled back
      • Error 1403: There is no such grant defined for user on host on routine
      • Error 1404: Failed to grant EXECUTE and ALTER ROUTINE privileges
      • Error 1405: Failed to revoke all privileges to dropped routine
      • Error 1406: Data too long for column at row
      • Error 1407: Bad SQLSTATE
      • Error 1408: ready for connections. Version: socket: port:
      • Error 1409: Can't load value from file with fixed size rows to variable
      • Error 1410: You are not allowed to create a user with GRANT
      • Error 1411: Incorrect value for function
      • Error 1412: Table definition has changed, please retry transaction
      • Error 1413: Duplicate handler declared in the same block
      • Error 1414: OUT or INOUT argument for routine is not a variable or NEW pseudo-variable in BEFORE tri
      • Error 1415: Not allowed to return a result set from
      • Error 1416: Cannot get geometry object from data you send to the GEOMETRY field
      • Error 1417: A routine failed and has neither NO SQL nor READS SQL DATA in its declaration
      • Error 1418: This function has none of DETERMINISTIC, NO SQL, or READS SQL DATA in its declaration an
      • Error 1419: You do not have the SUPER privilege and binary logging is enabled
      • Error 1420: You can't execute a prepared statement which has an open cursor associated with it
      • Error 1421: The statement has no open cursor
      • Error 1422: Explicit or implicit commit is not allowed in stored function or trigger
      • Error 1423: Field of view underlying table doesn't have a default value
      • Error 1424: Recursive stored functions and triggers are not allowed.
      • Error 1425: Too big scale specified for column
      • Error 1426: Too big precision specified for column
      • Error 1427: For float(M,D, double(M,D or decimal(M,D, M must be >= D
      • Error 1428: You can't combine write-locking of system tables with other tables or lock types
      • Error 1429: Unable to connect to foreign data source
      • Error 1430: There was a problem processing the query on the foreign data source
      • Error 1431: The foreign data source you are trying to reference does not exist
      • Error 1432: Can't create federated table. The data source connection string is not in the correct fo
      • Error 1433: The data source connection string is not in the correct format
      • Error 1434: Can't create federated table. Foreign data src error
      • Error 1435: Trigger in wrong schema
      • Error 1436: Thread stack overrun
      • Error 1437: Routine body is too long
      • Error 1438: Cannot drop default keycache
      • Error 1439: Display width out of range for column
      • Error 1440: XAER_DUPID: The XID already exists
      • Error 1441: Datetime function: field overflow
      • Error 1442: Can't update table in stored function/trigger because it is already used by statement wh
      • Error 1443: The definition of table prevents operation on table
      • Error 1444: The prepared statement contains a stored routine call that refers to that same statement
      • Error 1445: Not allowed to set autocommit from a stored function or trigger
      • Error 1446: Definer is not fully qualified
      • Error 1447: View has no definer information (old table format)
      • Error 1448: You need the SUPER privilege for creation view with definer
      • Error 1449: The user specified as a definer does not exist
      • Error 1450: Changing schema from is not allowed.
      • Error 1451: Cannot delete or update a parent row: a foreign key constraint fails
      • Error 1452: Cannot add or update a child row: a foreign key constraint fails
      • Error 1453: Variable must be quoted with ..., or renamed
      • Error 1454: No definer attribute for trigger
      • Error 1455: has an old format, you should re-create the object(s)
      • Error 1456: Recursive limit (as set by the max_sp_recursion_depth variable) was exceeded for routine
      • Error 1457: Failed to load routine
      • Error 1458: Incorrect routine name
      • Error 1459: Table upgrade required. Please do "REPAIR TABLE" or dump/reload to fix it!
      • Error 1460: AGGREGATE is not supported for stored functions
      • Error 1461: Can't create more than max_prepared_stmt_count statements
      • Error 1462: contains view recursion
      • Error 1463: Non-grouping field is used in clause
      • Error 1464: The used table type doesn't support SPATIAL indexes
      • Error 1465: Triggers can not be created on system tables
      • Error 1466: Leading spaces are removed from name
      • Error 1467: Failed to read auto-increment value from storage engine
      • Error 1468: user name
      • Error 1469: host name
      • Error 1470: String is too long for (should be no longer than )
      • Error 1471: The target table of the is not insertable-into
      • Error 1472: Table is differently defined or of non-MyISAM type or doesn't exist
      • Error 1473: Too high level of nesting for select
      • Error 1474: Name has become ''
      • Error 1475: First character of the FIELDS TERMINATED string is ambiguous
      • Error 1476: The foreign server you are trying to create already exists
      • Error 1477: The foreign server name you are trying to reference does not exist. Data source error
      • Error 1478: Table storage engine does not support the create option
      • Error 1479: Syntax error: PARTITIONING requires definition of VALUES for each partition
      • Error 1480: Only PARTITIONING can use VALUES in partition definition
      • Error 1481: MAXVALUE can only be used in last partition definition
      • Error 1482: Subpartitions can only be hash partitions and by key
      • Error 1483: Must define subpartitions on all partitions if on one partition
      • Error 1484: Wrong number of partitions defined, mismatch with previous setting
      • Error 1485: Wrong number of subpartitions defined, mismatch with previous setting
      • Error 1486: Constant/Random expression in (sub)partitioning function is not allowed
      • Error 1487: Expression in RANGE/LIST VALUES must be constant
      • Error 1488: Field in list of fields for partition function not found in table
      • Error 1489: List of fields is only allowed in KEY partitions
      • Error 1490: The partition info in the frm file is not consistent with what can be written into the f
      • Error 1491: The function returns the wrong type
      • Error 1492: For partitions each partition must be defined
      • Error 1493: VALUES LESS THAN value must be strictly increasing for each partition
      • Error 1494: VALUES value must be of same type as partition function
      • Error 1495: Multiple definition of same constant in list partitioning
      • Error 1496: Partitioning can not be used stand-alone in query
      • Error 1497: The mix of handlers in the partitions is not allowed in this version of MariaDB
      • Error 1498: For the partitioned engine it is necessary to define all
      • Error 1499: Too many partitions (including subpartitions) were defined
    • MariaDB Error Codes 1500 to 1599
    • MariaDB Error Codes 1600 to 1699
    • MariaDB Error Codes 1700 to 1799
    • MariaDB Error Codes 1800 to 1899
    • MariaDB Error Codes 1900 to 1999
    • MariaDB Error Codes 3000 to 3099
    • MariaDB Error Codes 4000 to 4099
    • MariaDB Error Codes 4100 to 4199
      • Error 4100: Field reference can't be used in table value constructor
      • Error 4101: Numeric datatype is required for function
      • Error 4102: Argument to the function is not a constant for a partition
      • Error 4103: Argument to the function does not belong to the range [0,1]
      • Error 4104: function only accepts arguments that can be converted to numerical types
      • Error 4105: Aggregate specific instruction (FETCH GROUP NEXT ROW) used in a wrong context
      • Error 4106: Aggregate specific instruction(FETCH GROUP NEXT ROW) missing from the aggregate function
      • Error 4107: Limit only accepts integer values
      • Error 4108: Invisible column must have a default value
      • Error 4109: Rows matched: Changed: Inserted: Warnings:
      • Error 4110: must be of type for system-versioned table
      • Error 4111: Transaction-precise system versioning for is not supported
      • Error 4112: You should never see it
      • Error 4113: Wrong partitioning type, expected type
      • Error 4114: Versioned table last HISTORY partition is out of, need more HISTORY partitions
      • Error 4115: Maybe missing parameters
      • Error 4116: Can only drop oldest partitions when rotating by INTERVAL
      • Error 4117: You should never see it
      • Error 4118: Partition contains non-historical data
      • Error 4119: Not allowed for system-versioned. Change @@system_versioning_alter_history to proceed wi
      • Error 4120: Not allowed for system-versioned. Change to/from native system versioning engine is not
      • Error 4121: SYSTEM_TIME range selector is not allowed
      • Error 4122: Conflicting FOR SYSTEM_TIME clauses in WITH RECURSIVE
      • Error 4123: Table must have at least one versioned column
      • Error 4124: Table is not system-versioned
      • Error 4125: Wrong parameters for: missing
      • Error 4126: PERIOD FOR SYSTEM_TIME must use columns
      • Error 4127: Wrong parameters for partitioned: wrong value for
      • Error 4128: Wrong partitions for: must have at least one HISTORY and exactly one last CURRENT
      • Error 4129: TRX_ID not found in mysql.transaction_registry
      • Error 4130: Can not change system versioning field
      • Error 4131: Can not DROP SYSTEM VERSIONING for table partitioned BY SYSTEM_TIME
      • Error 4132: System-versioned tables in the database are not supported
      • Error 4133: Transaction registry is disabled
      • Error 4134: Duplicate ROW column
      • Error 4135: Table is already system-versioned
      • Error 4136: You should never see it
      • Error 4137: System-versioned tables do not support
      • Error 4138: Transaction-precise system-versioned tables do not support partitioning by ROW START or
      • Error 4139: The index file for table is full
      • Error 4140: The column cannot be changed more than once in a single UPDATE statement
      • Error 4141: Row with no elements is not allowed in table value constructor in this context
      • Error 4142: SYSTEM_TIME partitions in table does not support historical query
      • Error 4143: index does not support this operation
      • Error 4144: Changing table options requires the table to be rebuilt
      • Error 4145: Can't execute the command as you have a BACKUP STAGE active
      • Error 4146: You must start backup with "BACKUP STAGE START"
      • Error 4147: Backup stage is same or before current backup stage
      • Error 4148: Backup stage failed
      • Error 4149: Unknown backup stage: Stage should be one of START, FLUSH, BLOCK_DDL, BLOCK_COMMIT or EN
      • Error 4150: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
      • Error 4151: Access denied, this account is locked
      • Error 4152: Application-time period table cannot be temporary
      • Error 4153: Fields of PERIOD FOR have different types
      • Error 4154: Cannot specify more than one application-time period
      • Error 4155: Period field cannot be
      • Error 4156: Period is not found in table
      • Error 4157: Column used in period specified in update SET list
      • Error 4158: Can't DROP CONSTRAINT. Use DROP PERIOD for this
      • Error 4159: Specified key part was too long; max key part length is
      • Error 4160: Comment for database is too long
      • Error 4161: Unknown data type
      • Error 4162: Operator does not exists
      • Error 4163: Table history row start is later than row end
      • Error 4164: STARTS is later than query time, first history partition may exceed INTERVAL value
      • Error 4165: DDL-statement is forbidden as table storage engine does not support Galera replication
      • Error 4166: The used command is not allowed because the MariaDB server or client has disabled the lo
      • Error 4167: No secure transports are configured, unable to set --require_secure_transport=ON
      • Error 4168: Slave SQL thread ignored the '%s' because table is shared
      • Error 4169: AUTO_INCREMENT column cannot be used in the UNIQUE index
      • Error 4170: Key cannot explicitly include column
      • Error 4171: Key cannot have WITHOUT OVERLAPS
      • Error 4172: is not allowed in this context
      • Error 4173: Engine does not support rollback. Changes where commited during rollback call
      • Error 4174: A primary key cannot be marked as IGNORE
      • Error 4175: SKIP LOCKED makes this statement unsafe
      • Error 4176: Field can't be set for JSON_TABLE
      • Error 4177: Every table function must have an alias
      • Error 4178: Can't store an array or an object in the scalar column of JSON_TABLE
      • Error 4179: Can't store multiple matches of the path in the column of JSON_TABLE
      • Error 4180: FETCH ... WITH TIES requires ORDER BY clause to be present
      • Error 4181: Dropped orphan trigger, originally created for table
      • Error 4182: Storage engine is disabled
      • Error 4183: SFORMAT error
      • Error 4184: Convert partition is not supported for subpartitioned table
      • Error 4185: MariaDB tried to use the %s, but its provider plugin is not loaded
      • Error 4186: Failed to parse histogram for table at offset
      • Error 4187: OUT or INOUT argument for function is not allowed here
      • Error 4188: Replicated query table can not be temporary
      • Error 4189: Versioned table: adding HISTORY partition(s) failed
      • Error 4190: is implicitly changing the value of from to
      • Error 4191: CHANGE MASTER TO option is missing requirement
      • Error 4192: Slave log event execution was interrupted (slave_max_statement_time exceeded)
      • Error 4193: Invalid value for keyword
      • Error 4194: keyword is not supported
      • Error 4195: Variable schema is not supported
      • Error 4196: Pseudo thread id should not be modified by the client as it will be overwritten
      • Error 4197: Wrong number of columns
      • Error 4198: Sequence tables cannot have any keys
      • Error 4199: Sequence tables cannot have any constraints
    • MariaDB Error Codes 4200 to 4299
  • Client/Server Protocol

1. Security
2. User Account Management

MariaDB 10.4 introduced a number of changes to the authentication process, intended to make things easier and more intuitive. Those changes aren't available in earlier versions of MariaDB.

For Windows, see Authentication Plugin - GSSAPI.

There are four new main features in 10.4 relating to authentication:

• It is possible to use more than one authentication plugin for each user account. For example, this can be useful to slowly migrate users to the more secure ed25519 authentication plugin over time, while allowing the old mysql_native_password authentication plugin as an alternative for the transitional period.

• The root@localhost user account created by mariadb-install-db is created with the ability to use two authentication plugins.

  • First, it is configured to try to use the unix_socket authentication plugin. This allows the root@localhost user to login without a password via the local Unix socket file defined by the socket system variable, as long as the login is attempted from a process owned by the operating system root user account.

  • Second, if authentication fails with the unix_socket authentication plugin, then it is configured to try to use the mysql_native_password authentication plugin. However, an invalid password is initially set, so in order to authenticate this way, a password must be set with SET PASSWORD.

  • However, just using the unix_socket authentication plugin may be fine for many users, and it is very secure. You may want to try going without password authentication to see how well it works for you. Remember, the best way to keep your password safe is not to have one!

• All user accounts, passwords, and global privileges are now stored in the mysql.global_priv table. The mysql.user table still exists and has exactly the same set of columns as before, but it’s now a view that references the mysql.global_priv table. Tools that analyze the mysql.user table should continue to work as before. From MariaDB 10.4.13, the dedicated mariadb.sys user is created as the definer of this view. Previously root was the definer, which resulted in privilege problems when this username was changed.

As a result of the above changes, the open-for-everyone all-powerful root account is finally gone. And installation scripts will no longer demand that you “PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !”, because the root account is securely created automatically.

Two all-powerful accounts are created by default — root and the OS user that owns the data directory, typically mysql. They are created as:

CREATE USER root@localhost IDENTIFIED VIA unix_socket 
    OR mysql_native_password USING 'invalid'
CREATE USER mysql@localhost IDENTIFIED VIA unix_socket 
    OR mysql_native_password USING 'invalid'

Using unix_socket means that if you are the system root user, you can login as root@locahost without a password. This technique was pioneered by Otto Kekäläinen in Debian MariaDB packages and has been successfully used in Debian since as early as MariaDB 10.0.

It is based on a simple fact that asking the system root for a password adds no extra security — root has full access to all the data files and all process memory anyway. But not asking for a password means, there is no root password to forget (no need for the numerous tutorials on “how to reset MariaDB root password”). And if you want to script some tedious database work, there is no need to store the root password in plain text for the script to use (no need for debian-sys-maint user).

Still, some users may wish to log in as MariaDB root without using sudo. Hence the old authentication method — conventional MariaDB password — is still available. By default it is disabled (“invalid” is not a valid password hash), but one can set the password with a usual SET PASSWORD statement. And still retain the password-less access via sudo.

If you install MariaDB locally (say from a tarball), you would not want to use sudo to be able to login. This is why MariaDB creates a second all-powerful user with the same name as a system user that owns the data directory. In local (not system-wide) installations, this will be the user who installed MariaDB — they automatically get convenient password-less root-like access, because they can access all the data files anyway.

Even if MariaDB is installed system-wide, you may not want to run your database maintenance scripts as system root — now you can run them as system mysql user. And you will know that they will never destroy your entire system, even if you make a typo in a shell script.

However, seasoned MariaDB DBAs who are used to the old ways do need to make some changes. See the examples below for common tasks.

After installing MariaDB system-wide the first thing you’ve got used to doing is logging in into the unprotected root account and protecting it, that is, setting the root password:

$ sudo dnf install MariaDB-server
$ mariadb -uroot
...
MariaDB> set password = password("XH4VmT3_jt");

This is not only unnecessary now, it will simply not work — there is no unprotected root account. To login as root use

$ sudo dnf install MariaDB-server
$ sudo mariadb

Note that it implies you are connecting via the unix socket, not tcp. If you happen to have protocol=tcp in a system-wide /etc/my.cnf file, use sudo mariadb --protocol=socket.

After installing MariaDB locally you’ve also used to connect to the unprotected root account using mariadb -uroot. This will not work either, simply use mariadb without specifying a username.

If you've forgotten your root password, no problem — you can still connect using sudo and change the password. And if you've also removed unix_socket authentication, to restore access do as follows:

• restart MariaDB with --skip-grant-tables

• login into the unprotected server

• run FLUSH PRIVILEGES (note, before 10.4 this would’ve been the last step, not anymore). This disables --skip-grant-tables and allows you to change the stored authentication method

• run SET PASSWORD FOR root@localhost to change the root password.

To view inside privilege tables, the old mysql.user table still exists. You can select from it as before, although you cannot update it anymore. It doesn’t show alternative authentication plugins and this was one of the reasons for switching to the mysql.global_priv table — complex authentication rules did not fit into rigid structure of a relational table. You can select from the new table, for example:

SELECT CONCAT(user, '@', host, ' => ', json_detailed(priv)) FROM mysql.global_priv;

If you don't want the root@localhost user account created by mariadb-install-db to use unix_socket authentication by default, then there are a few ways to revert to the previous mysql_native_password authentication method for this user account.

One way to revert to the previous mysql_native_password authentication method for the root@localhost user account is to execute mariadb-install-db with a special option. If mariadb-install-db is executed while --auth-root-authentication-method=normal is specified, then it will create the default user accounts using the default behavior of MariaDB 10.3 and before.

This means that the root@localhost user account will use mysql_native_password authentication by default. There are some other differences as well. See mariadb-install-db: User Accounts Created by Default for more information.

For example, the option can be set on the command-line while running mariadb-install-db:

mariadb-install-db --user=mysql --datadir=/var/lib/mysql --auth-root-authentication-method=normal

The option can also be set in an option file in an option group supported by mariadb-install-db. For example:

[mysql_install_db]
auth_root_authentication_method=normal

If the option is set in an option file and if mariadb-install-db is executed, then mariadb-install-db will read this option from the option file, and it will automatically set this option.

If you have already installed MariaDB, and if the root@localhost user account is already using unix_socket authentication, then you can revert to the old mysql_native_password authentication method for the user account by executing the following:

ALTER USER root@localhost IDENTIFIED VIA mysql_native_password 
     USING PASSWORD("verysecret")

_{This page is licensed: CC BY-SA / Gnu FDL}

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4