Add caching sha2 password support. #173
Replaced `community.proxysql_galera_hostgroups` with the correct namespace `community.proxysql.proxysql_galera_hostgroups`. This ensures compatibility with the updated module structure and prevents potential misconfigurations.
…mysql_users` Introduced the ability to create MySQL users with the `caching_sha2_password` plugin in `proxysql_mysql_users`. Added relevant integration test cases to validate create, delete, and check-mode operations with this plugin. Updated existing tests to include encryption method handling for consistency.
# =========================================== | ||
# proxysql module specific support methods. | ||
# | ||
|
||
|
||
def _mysql_native_password(cleartext_password): | ||
# Imported code from @Aohzan | ||
# community.mysql/plugins/module_utils/implementations/mysql/hash.py |
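Review bot: The provenance comment inside `_mysql_native_password` names the upstream file (`community.mysql/plugins/module_utils/implementations/mysql/hash.py`) but not the community.mysql release or commit the code was copied from, so a later fix to the upstream hashing code cannot be matched against this copy. Record the source version or commit next to the path, so the copy can be checked against upstream when either side changes.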
I'm not sure if we should maintain a copy of `community.mysql` here, or if we just should make `community.mysql` become a required dependency of `community.proxysql`.
Both come distributed along with the ansible package itself.
And I guess, users that are using `community.proxysql`, are also using `community.mysql` for their backends, because the database users at both ends must be the same.
Any thoughts of this @ngoralski @Andersson007?

My first PR was a link to community.mysql, as I had the same thought as you.
@Andersson007 suggested that I do an import.

Ref:
- Caching sha2 password #172 (review)
- https://github.com/ansible-collections/community.proxysql/pull/169/files#diff-ffe2c627e81d78fe206f983187cc06f954b59eb6b6f10d2ce2ba05ecc3410a83R179
As long as there is only one mysql collection, that covers all mysql derivatives, I would prefer to add `community.mysql` as a dependency.
Once it gets divided (oracle mysql, mariadb, percona?) it may make sense to keep and maintain a copy here.
Dependencies between collections are not unusual. E.g. `community.aws` requires `amazon.aws`.
What do you think @Andersson007?
SUMMARY
Add support for caching_sha2_password encryption for MySQL users
Use the native function mysql_sha256_password_hash from ansible_collections.community.mysql.plugins.module_utils.implementations.mysql.hash
Extended the encryption methods to include caching_sha2_password, making it the default option. Updated password handling to incorporate a salt parameter for more secure encryption. This improves compatibility with modern MySQL authentication methods.
#164
ISSUE TYPE
COMPONENT NAME
proxysql_mysql_users.py
ADDITIONAL INFORMATION
As of now MySQL recommends using sha256 password, and storing as clear text or sha1 is no longer recommended, so we have to use the caching_sha2_password method.
mysql_native_password remains the default method until version 2.0, which will force usage of caching_sha2_password.
As suggested, the sha2 encryption is now copied from community.mysql.
Thanks for the work @Aohzan
community.mysql/plugins/module_utils/implementations/mysql/hash.py
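
An added example, not code from this PR or from community.mysql: a small audit helper that tells the three storage forms discussed here apart (cleartext, the unsalted SHA1-based `mysql_native_password` form, and the salted `caching_sha2_password` form) and shows why the unsalted form leaks password reuse. The function names, the sample rows and the assumed 70-character `$A$...` layout are this example's own assumptions.

```python
import hashlib
import re
from collections import defaultdict

# '*' followed by 40 hex digits: HEX(SHA1(SHA1(password))), no salt.
NATIVE_RE = re.compile(r"\*[0-9A-Fa-f]{40}")
# Assumed MySQL 8 layout: "$A$" + 3-digit round field + "$" + 20-byte salt
# + 43-character digest, 70 characters in total.
SHA2_RE = re.compile(r"\$A\$[0-9A-Fa-f]{3}\$.{63}", re.DOTALL)


def native_password_hash(cleartext):
    """Return the mysql_native_password form of a cleartext password."""
    inner = hashlib.sha1(cleartext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(stored):
    """Name the storage form of one password column value."""
    if NATIVE_RE.fullmatch(stored):
        return "mysql_native_password"
    if SHA2_RE.fullmatch(stored):
        return "caching_sha2_password"
    return "cleartext"


def audit(rows):
    """Classify (username, stored) pairs and find users sharing a native hash.

    Identical unsalted hashes mean identical passwords, so each group is a
    set of accounts to rotate together.
    """
    forms = {}
    by_hash = defaultdict(list)
    for user, stored in rows:
        forms[user] = classify(stored)
        if forms[user] == "mysql_native_password":
            by_hash[stored.upper()].append(user)
    shared = sorted(sorted(g) for g in by_hash.values() if len(g) > 1)
    return forms, shared


# Constructed sample rows; the "$A$" value is a placeholder, not a real digest.
SAMPLE = [
    ("app", native_password_hash("constructed-pw-1")),
    ("report", native_password_hash("constructed-pw-1")),
    ("legacy", "constructed-cleartext"),
    ("api", "$A$005$" + "S" * 20 + "h" * 43),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

With a per-user salt, as in the `caching_sha2_password` form, two accounts with the same password no longer produce the same stored value, so the reuse grouping above only applies to the native form.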