BUG#36004507 Summarize/group Router accouts

Marek Młynarski · Marek Młynarski · commit 37c268201890 · 2023-11-25T11:50:17.000+01:00
This commit separates from "deprecatedAuthMethod", a new check "deprecatedRouterAuthMethod".
In Upgrade Checker deprecatedAuthMethod will list all user accounts on MySQL Server that have deprecated authentication methods. If MySQL Router does not have a set user account (--account) it will generate one with default authentication method (if --account-create is not set to "never"). This lead to listing many mysql_router* users in deprecatedAuthMethod without a proper explenation why is this happening. From version 8.0.20 this can be fixed by AdminAPI, setuing up a dedicated user account.
New check "deprecatedRouterAuthMethod" filters out those accounts in a seperate list, explains what they are, and points to documentation that can help fix it.

Change-Id: I111380cec68e8867b56039698727a87175bfad73
diff --git a/modules/util/upgrade_check.cc b/modules/util/upgrade_check.cc
@@ -2081,7 +2081,8 @@ class Deprecated_auth_method_check : public Sql_upgrade_check {
             std::vector<std::string>{
                 "SELECT CONCAT(user, '@', host), plugin FROM "
                 "mysql.user WHERE plugin IN (" +
-                deprecated_auth_funcs::get_auth_list() + ");"},
+                deprecated_auth_funcs::get_auth_list() +
+                ") AND user NOT LIKE 'mysql_router%';"},
             Upgrade_issue::WARNING),
         m_target_version(target_ver) {
     m_advice =
@@ -2178,6 +2179,39 @@ bool UNUSED_VARIABLE(register_get_deprecated_default_auth_check) =
         Upgrade_check::Target::SYSTEM_VARIABLES, "8.0.0", "8.1.0", "8.2.0");
 }
 
+std::unique_ptr<Sql_upgrade_check>
+Sql_upgrade_check::get_deprecated_router_auth_method_check(
+    const Upgrade_check::Upgrade_info &info) {
+  return std::make_unique<Sql_upgrade_check>(
+      "deprecatedRouterAuthMethod",
+      "Check for deprecated or invalid authentication methods in use by MySQL "
+      "Router internal accounts.",
+      std::vector<std::string>{
+          "SELECT CONCAT(user, '@', host), ' - router user "
+          "with deprecated authentication method.' FROM "
+          "mysql.user WHERE plugin IN (" +
+          deprecated_auth_funcs::get_auth_list() +
+          ") AND user LIKE 'mysql_router%';"},
+      info.target_version >= Version(8, 4, 0) ? Upgrade_issue::ERROR
+                                              : Upgrade_issue::WARNING,
+      "The following accounts are MySQL Router accounts that use a deprecated "
+      "authentication method.\n"
+      "Those accounts are automatically created at bootstrap time when the "
+      "Router is not instructed to use an existing account. Please upgrade "
+      "MySQL Router to the latest version to ensure deprecated authentication "
+      "methods are no longer used.\n"
+      "Since version 8.0.19 it's also possible to instruct MySQL Router to use "
+      "a dedicated account. That account can be created using the AdminAPI.");
+}
+
+namespace {
+bool UNUSED_VARIABLE(register_get_deprecated_router_auth_method_check) =
+    Upgrade_check::register_check(
+        &Sql_upgrade_check::get_deprecated_router_auth_method_check,
+        Upgrade_check::Target::AUTHENTICATION_PLUGINS, "8.0.0", "8.1.0",
+        "8.2.0");
+}
+
 Upgrade_check_config::Upgrade_check_config(const Upgrade_check_options &options)
     : m_output_format(options.output_format) {
   m_upgrade_info.target_version = options.get_target_version();
diff --git a/modules/util/upgrade_check.h b/modules/util/upgrade_check.h
@@ -227,6 +227,9 @@ class Sql_upgrade_check : public Upgrade_check {
   get_invalid_engine_foreign_key_check();
   static std::unique_ptr<Sql_upgrade_check> get_deprecated_auth_method_check(
       const Upgrade_check::Upgrade_info &info);
+  static std::unique_ptr<Sql_upgrade_check>
+  get_deprecated_router_auth_method_check(
+      const Upgrade_check::Upgrade_info &info);
   static std::unique_ptr<Sql_upgrade_check> get_deprecated_default_auth_check(
       const Upgrade_check::Upgrade_info &info);
 
diff --git a/res/upgrade_checker/upgrade_checker.msg b/res/upgrade_checker/upgrade_checker.msg
@@ -458,3 +458,19 @@ https://dev.mysql.com/doc/refman/8.0/en/mysql-nutshell.html#mysql-nutshell-remov
 
 * deprecatedDefaultAuth.docLink
 
+* deprecatedRouterAuthMethod.title
+# Check for deprecated or invalid authentication methods in use by MySQL Router internal accounts.
+
+* deprecatedRouterAuthMethod.description
+# Warning: The following accounts are MySQL Router accounts that use a deprecated authentication
+# method.\n
+# Those accounts are automatically created at bootstrap time when the Router is not instructed to
+# use an existing account. Please upgrade MySQL Router to the latest version to ensure deprecated
+# authentication methods are no longer used.\n
+# Since version 8.0.19 it's also possible to instruct MySQL Router to use a dedicated account. That
+# account can be created using the AdminAPI.
+
+* deprecatedRouterAuthMethod.docLink
+https://dev.mysql.com/doc/mysql-shell/en/configuring-router-user.html\n
+https://dev.mysql.com/doc/mysql-router/en/mysqlrouter.html#option_mysqlrouter_account
+
diff --git a/unittest/modules/upgrade_check_t.cc b/unittest/modules/upgrade_check_t.cc
@@ -2141,6 +2141,108 @@ TEST_F(MySQL_upgrade_check_test, deprecated_auth_method_check_fido) {
   ASSERT_NO_THROW(session->execute("drop schema if exists test;"));
 }
 
+namespace {
+std::string local_usr(const std::string &user) { return user + "@localhost"; }
+
+void drop_user(std::shared_ptr<mysqlshdk::db::ISession> session,
+               const std::string &user) {
+  ASSERT_NO_THROW(
+      session->execute("drop user if exists '" + user + "'@'localhost';"));
+}
+
+void add_user(std::shared_ptr<mysqlshdk::db::ISession> session,
+              const std::string &user, const std::string &plugin) {
+  ASSERT_NO_THROW(session->execute("create user '" + user +
+                                   "'@'localhost' identified with "
+                                   "'" +
+                                   plugin + "';"));
+}
+}  // namespace
+
+TEST_F(MySQL_upgrade_check_test, deprecated_router_auth_method_check) {
+  bool authentication_fido_installed = is_plugin_loaded("authentication_fido");
+  bool uninstall_authentication_fido = false;
+  if (!authentication_fido_installed) {
+    authentication_fido_installed = install_plugin("authentication_fido");
+    if (!authentication_fido_installed) {
+      SKIP_TEST(
+          "This test requires loaded authentication_fido MySQL Server plugin.");
+    } else {
+      uninstall_authentication_fido = true;
+    }
+  }
+
+  const std::string k_usr_sha = "user_sha_auth2";
+  const std::string k_usr_native = "usr_native_auth2";
+  const std::string k_usr_fido = "user_fido_auth2";
+  const std::string k_router_user1 = "mysql_router1_79mwl0xo1ep5";
+  const std::string k_router_user2 = "mysql_router335_cb43tc6945rz";
+
+  const std::string k_auth_sha = "sha256_password";
+  const std::string k_auth_native = "mysql_native_password";
+  const std::string k_auth_fido = "authentication_fido";
+
+  shcore::Scoped_callback cleanup([this, uninstall_authentication_fido,
+                                   &k_usr_sha, &k_usr_native, &k_usr_fido,
+                                   &k_router_user1, &k_router_user2]() {
+    drop_user(session, k_usr_sha);
+    drop_user(session, k_usr_native);
+    drop_user(session, k_usr_fido);
+    drop_user(session, k_router_user1);
+    drop_user(session, k_router_user2);
+    if (uninstall_authentication_fido) {
+      uninstall_plugin("authentication_fido");
+    }
+  });
+
+  PrepareTestDatabase("test");
+
+  Upgrade_check::Upgrade_info temp_info;
+  temp_info.target_version = Version(8, 4, 0);
+  auto check =
+      Sql_upgrade_check::get_deprecated_router_auth_method_check(temp_info);
+
+  EXPECT_ISSUES(check.get(), 0);
+
+  add_user(session, k_usr_sha, k_auth_sha);
+  add_user(session, k_usr_native, k_auth_native);
+  add_user(session, k_usr_fido, k_auth_fido);
+
+  EXPECT_ISSUES(check.get(), 0);
+
+  add_user(session, k_router_user1, k_auth_native);
+  add_user(session, k_router_user2, k_auth_sha);
+
+  EXPECT_ISSUES(check.get(), 2);
+
+  EXPECT_EQ(issues[0].schema, local_usr(k_router_user1));
+  EXPECT_EQ(issues[0].level, Upgrade_issue::Level::ERROR);
+  EXPECT_EQ(issues[0].description,
+            " - router user with deprecated authentication method.");
+
+  EXPECT_EQ(issues[1].schema, local_usr(k_router_user2));
+  EXPECT_EQ(issues[1].level, Upgrade_issue::Level::ERROR);
+  EXPECT_EQ(issues[1].description,
+            " - router user with deprecated authentication method.");
+
+  temp_info.target_version = Version(8, 2, 0);
+  check = Sql_upgrade_check::get_deprecated_router_auth_method_check(temp_info);
+
+  EXPECT_ISSUES(check.get(), 2);
+
+  EXPECT_EQ(issues[0].schema, local_usr(k_router_user1));
+  EXPECT_EQ(issues[0].level, Upgrade_issue::Level::WARNING);
+  EXPECT_EQ(issues[0].description,
+            " - router user with deprecated authentication method.");
+
+  EXPECT_EQ(issues[1].schema, local_usr(k_router_user2));
+  EXPECT_EQ(issues[1].level, Upgrade_issue::Level::WARNING);
+  EXPECT_EQ(issues[1].description,
+            " - router user with deprecated authentication method.");
+
+  ASSERT_NO_THROW(session->execute("drop schema if exists test;"));
+}
+
 namespace dep_def_auth_check {
 void set_authentication_policy(std::shared_ptr<mysqlshdk::db::ISession> session,
                                const std::string &val) {
