
*: Support for tidb_sm3_password authentication #36193

Merged: 43 commits, Sep 8, 2022

Conversation


@CbcWestwolf CbcWestwolf commented Jul 13, 2022

What problem does this PR solve?

Issue Number: close #36192

Problem Summary:

SM3 authentication has not been supported in TiDB yet.

What is changed and how it works?

  1. Implement SM3 authentication as an auth-plugin tidb_sm3_password like caching_sha2_password.
  2. Support builtin function SM3() like SHA1() and SHA2()

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

Support tidb_sm3_password authentication and introduce built-in function SM3().


ti-chi-bot commented Jul 13, 2022

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • bb7133
  • dveeden

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 13, 2022

sre-bot commented Jul 13, 2022

Co-authored-by: djshow832 <zhangming@pingcap.com>
@ti-chi-bot ti-chi-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 15, 2022
@ti-chi-bot ti-chi-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 15, 2022
@CbcWestwolf CbcWestwolf changed the title from "[WIP] *: Support for sm3_password authentication" to "*: Support for sm3_password authentication" Jul 18, 2022
@CbcWestwolf CbcWestwolf marked this pull request as ready for review July 18, 2022 03:55
@CbcWestwolf CbcWestwolf requested a review from a team as a code owner July 18, 2022 03:55
@ti-chi-bot ti-chi-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 18, 2022
@CbcWestwolf

Here is the JDBC PR that supports SM3: pingcap/mysql-connector-j#24

> Would a TLS connection with a TLS_SM4_GCM_SM3 or TLS_SM4_CCM_SM3 ciphersuite and client certificates be a good alternative to this?

We are required by our customers to support SM3 authentication. If needed, we could enhance the TLS connection in TiDB in the future, which I think is a better way. :-)

@CbcWestwolf

/run-build

@CbcWestwolf CbcWestwolf changed the title from "*: Support for sm3_password authentication" to "*: Support for tidb_sm3_password authentication" Sep 6, 2022

dveeden commented Sep 7, 2022

While many MySQL authentication plugins have a client plugin and a server plugin with a matching name, this is not required.

This matters in this case as the caching_sha2_password client plugin can be used to authenticate a user that is defined in the server with tidb_sm3_password.

As a quick-and-dirty test I did this:

diff --git a/server/conn.go b/server/conn.go
index 5fac5f199..a42546992 100644
--- a/server/conn.go
+++ b/server/conn.go
@@ -666,7 +666,8 @@ func (cc *clientConn) readOptionalSSLRequestAndHandshakeResponse(ctx context.Con
 
 	switch resp.AuthPlugin {
 	case mysql.AuthCachingSha2Password:
-		resp.Auth, err = cc.authSha(ctx)
+		resp.Auth, err = cc.authSM3(ctx)
+		// resp.Auth, err = cc.authSha(ctx)
 		if err != nil {
 			return err
 		}
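Review bot: hardcoding `resp.Auth, err = cc.authSM3(ctx)` under `case mysql.AuthCachingSha2Password` makes every client that announces caching_sha2_password run the SM3 response handling, regardless of which plugin the connecting account is actually defined with, so accounts that really are caching_sha2_password would be verified with the wrong routine. The server-side routine should be chosen from the authenticating user's plugin rather than from the client's announced plugin, and the commented-out `// resp.Auth, err = cc.authSha(ctx)` should be removed instead of left as dead code.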
@@ -921,6 +922,9 @@ func (cc *clientConn) checkAuthPlugin(ctx context.Context, resp *handshakeRespon
 	// or if the authentication method send by the server doesn't match the authentication
 	// method send by the client (*authPlugin) then we need to switch the authentication
 	// method to match the one configured for that specific user.
+	if userplugin == mysql.AuthTiDBSM3Password {
+		userplugin = mysql.AuthCachingSha2Password
+	}
 	if (cc.authPlugin != userplugin) || (cc.authPlugin != resp.AuthPlugin) {
 		if resp.Capability&mysql.ClientPluginAuth > 0 {
 			authData, err := cc.authSwitchRequest(ctx, userplugin)
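Review bot: overwriting `userplugin` with `mysql.AuthCachingSha2Password` before the mismatch check discards the fact that the account is a tidb_sm3_password user, so any later code that decides how to verify the response, including whether the fast, cached path may be used at all, can no longer tell the two apart. Keep the account's plugin in its own variable and introduce a separate client-facing plugin name that is only used for `cc.authSwitchRequest(ctx, ...)`; the comment above the hunk says the switch is meant to match the method configured for that specific user, which is exactly the information this silent rename loses.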

Then as root:

mysql> CREATE USER 'sm3user'@'%' identified with tidb_sm3_password by 'sm3test';
Query OK, 0 rows affected (0.02 sec)

And then:

$  mysql -h 127.0.0.1 -u sm3user -P 4000 -pwrong_pw
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'sm3user'@'127.0.0.1' (using password: YES)

$ mysql -h 127.0.0.1 -u sm3user -P 4000 -psm3test
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 405
Server version: 5.7.25-TiDB-v6.3.0-alpha-196-gffa417617-dirty TiDB Server (Apache License 2.0) Community Edition, MySQL 5.7 compatible

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

This won't work with the fast/cached authentication as defined on https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authentication_exchanges.html

We could also use the cleartext client plugin for this.
https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase_authentication_methods_clear_text_password.html

The benefit of using tidb_sm3_password as server plugin and caching_sha2_password or mysql_clear_password as client plugin is that this greatly improves compatibility with clients.
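The fast-path limitation noted above, as an added example that is not part of the PR or of TiDB: a small Go model of the caching_sha2_password fast-authentication exchange, parameterized by the plugin's digest. Go's standard library has no SM3, so sha512/256 is assumed here purely as a stand-in for the tidb_sm3_password digest; the point is that a scramble built by a caching_sha2_password client cannot be verified against an account whose server-side digest differs, which is why only full authentication works when client and server plugins are decoupled.

```go
package main
import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"hash"
)
// Digest per plugin. Go's stdlib has no SM3, so sha512/256 is assumed here as a
// stand-in for the tidb_sm3_password digest; only that it differs from SHA-256 matters.
var pluginHash = map[string]func() hash.Hash{
	"caching_sha2_password": sha256.New,
	"tidb_sm3_password":     sha512.New512_256, // stand-in, not real SM3
}
func digest(newHash func() hash.Hash, parts ...[]byte) []byte {
	h := newHash()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Client side of the fast path: XOR(H(pw), H(H(H(pw)) || nonce)), H from its plugin.
func fastAuthScramble(clientPlugin string, password, nonce []byte) []byte {
	nh := pluginHash[clientPlugin]
	h1 := digest(nh, password)
	return xorBytes(h1, digest(nh, digest(nh, h1), nonce))
}

// Server cache after a full authentication: H(H(pw)) under the account's plugin.
func cacheEntry(serverPlugin string, password []byte) []byte {
	nh := pluginHash[serverPlugin]
	return digest(nh, digest(nh, password))
}

// Server side of the fast path: undo the XOR with H(cached || nonce), re-hash, compare.
func verifyFastAuth(serverPlugin string, cached, scramble, nonce []byte) bool {
	nh := pluginHash[serverPlugin]
	if len(scramble) != len(cached) {
		return false
	}
	h1 := xorBytes(scramble, digest(nh, cached, nonce))
	return subtle.ConstantTimeCompare(digest(nh, h1), cached) == 1
}
```

The same password passes when both sides use caching_sha2_password and fails when the account's cache entry was built with the other digest, which is the situation a tidb_sm3_password account faces with an unmodified caching_sha2_password client.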

@dveeden dveeden left a comment

Let's see if we can use existing client authentication plugins with tidb_sm3_password.

@ti-chi-bot ti-chi-bot removed the status/LGT1 Indicates that a PR has LGTM 1. label Sep 7, 2022
@CbcWestwolf

> Let's see if we can use existing client authentication plugins with tidb_sm3_password.

Done, PTAL :-) After creating a user with tidb_sm3_password, both the mysql client and connector-j can access TiDB with caching_sha2_password.

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Sep 7, 2022
@bb7133 bb7133 left a comment


LGTM

@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Sep 8, 2022

bb7133 commented Sep 8, 2022

/unhold

@ti-chi-bot ti-chi-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 8, 2022

bb7133 commented Sep 8, 2022

/merge

@ti-chi-bot

This pull request has been accepted and is ready to merge.

Commit hash: 9ed13ae

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Sep 8, 2022
@ti-chi-bot ti-chi-bot merged commit 1d482db into pingcap:master Sep 8, 2022
@CbcWestwolf CbcWestwolf deleted the support_sm3 branch September 8, 2022 04:11

sre-bot commented Sep 8, 2022

TiDB MergeCI notify

🔴 Bad News! [2] CI still failing after this pr merged.
These failed integration tests don't seem to be introduced by the current PR.

| CI Name | Result | Duration | Compare with Parent commit |
|---|---|---|---|
| idc-jenkins-ci-tidb/common-test | 🔴 failed 2, success 9, total 11 | 14 min | Existing failure |
| idc-jenkins-ci-tidb/integration-common-test | 🔴 failed 1, success 16, total 17 | 13 min | Existing failure |
| idc-jenkins-ci/integration-cdc-test | 🟢 all 37 tests passed | 28 min | Existing passed |
| idc-jenkins-ci-tidb/tics-test | 🟢 all 1 tests passed | 6 min 59 sec | Existing passed |
| idc-jenkins-ci-tidb/sqllogic-test-2 | 🟢 all 28 tests passed | 5 min 1 sec | Existing passed |
| idc-jenkins-ci-tidb/integration-ddl-test | 🟢 all 6 tests passed | 5 min 1 sec | Existing passed |
| idc-jenkins-ci-tidb/sqllogic-test-1 | 🟢 all 26 tests passed | 4 min 42 sec | Existing passed |
| idc-jenkins-ci-tidb/integration-compatibility-test | 🟢 all 1 tests passed | 4 min 29 sec | Existing passed |
| idc-jenkins-ci-tidb/mybatis-test | 🟢 all 1 tests passed | 3 min 21 sec | Existing passed |
| idc-jenkins-ci-tidb/plugin-test | 🟢 build success, plugin test success | 4 min | Existing passed |
