MARIADB_MYSQL_LOCALHOST_GRANTS not to imply MARIADB_MYSQL_LOCALHOST_USER

grooverdan · grooverdan · commit 5c9b0ddb4711 · 2022-02-14T14:58:36.000+11:00
Daniel Rudolf from #409 (review): IMHO a user implies a grant, not necessarily the other way round. Just think of it as if we made the username (mysql) configurable: You can't grant privileges without an user, you need the user first. The only reason we can do this is because the username is hard coded, not because a grant implies its user. Additionally I'm a bit concerned about unexpected behaviour: Just think about an user passing --env MARIADB_MYSQL_LOCALHOST_USER= --env MARIADB_MYSQL_LOCALHOST_GRANTS=USAGE. The user explicitly tells us not to create an user, but the dangling grant overrules this statement. Sure, no human would ever pass this purposely, but users don't necessarily execute commands manually, sometimes the options to pass are computed and/or read from arbitrary sources - which then must all be aware of this tight coupling.
diff --git a/.test/run.sh b/.test/run.sh
@@ -149,7 +149,7 @@ killoff
 
 echo -e "Test: MYSQL_RANDOM_ROOT_PASSWORD, needs to satisify minimium complexity of simple-password-check plugin\n"
 
-runandwait -e MYSQL_RANDOM_ROOT_PASSWORD=1 -e MARIADB_MYSQL_LOCALHOST_GRANTS="RELOAD, PROCESS, LOCK TABLES" "${image}" --plugin-load-add=simple_password_check
+runandwait -e MYSQL_RANDOM_ROOT_PASSWORD=1 -e MARIADB_MYSQL_LOCALHOST_USER=1 -e MARIADB_MYSQL_LOCALHOST_GRANTS="RELOAD, PROCESS, LOCK TABLES" "${image}" --plugin-load-add=simple_password_check
 pass=$(docker logs "$cid" | grep 'GENERATED ROOT PASSWORD' 2>&1)
 # trim up until passwod
 pass=${pass#*GENERATED ROOT PASSWORD: }
diff --git a/10.2/docker-entrypoint.sh b/10.2/docker-entrypoint.sh
@@ -291,7 +291,7 @@ docker_setup_db() {
 	local mysqlAtLocalhost=
 	local mysqlAtLocalhostGrants=
 	# Install mysql@localhost user
-	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ] || [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
 		local pw=
 		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
 		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
diff --git a/10.3/docker-entrypoint.sh b/10.3/docker-entrypoint.sh
@@ -291,7 +291,7 @@ docker_setup_db() {
 	local mysqlAtLocalhost=
 	local mysqlAtLocalhostGrants=
 	# Install mysql@localhost user
-	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ] || [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
 		local pw=
 		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
 		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
diff --git a/10.4/docker-entrypoint.sh b/10.4/docker-entrypoint.sh
@@ -291,7 +291,7 @@ docker_setup_db() {
 	local mysqlAtLocalhost=
 	local mysqlAtLocalhostGrants=
 	# Install mysql@localhost user
-	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ] || [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
 		local pw=
 		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
 		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
diff --git a/10.5/docker-entrypoint.sh b/10.5/docker-entrypoint.sh
@@ -291,7 +291,7 @@ docker_setup_db() {
 	local mysqlAtLocalhost=
 	local mysqlAtLocalhostGrants=
 	# Install mysql@localhost user
-	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ] || [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
 		local pw=
 		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
 		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
diff --git a/10.6/docker-entrypoint.sh b/10.6/docker-entrypoint.sh
@@ -291,7 +291,7 @@ docker_setup_db() {
 	local mysqlAtLocalhost=
 	local mysqlAtLocalhostGrants=
 	# Install mysql@localhost user
-	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ] || [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
 		local pw=
 		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
 		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
diff --git a/10.7/docker-entrypoint.sh b/10.7/docker-entrypoint.sh
@@ -291,7 +291,7 @@ docker_setup_db() {
 	local mysqlAtLocalhost=
 	local mysqlAtLocalhostGrants=
 	# Install mysql@localhost user
-	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ] || [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
 		local pw=
 		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
 		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
diff --git a/10.8/docker-entrypoint.sh b/10.8/docker-entrypoint.sh
@@ -291,7 +291,7 @@ docker_setup_db() {
 	local mysqlAtLocalhost=
 	local mysqlAtLocalhostGrants=
 	# Install mysql@localhost user
-	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ] || [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
 		local pw=
 		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
 		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -291,7 +291,7 @@ docker_setup_db() {
 	local mysqlAtLocalhost=
 	local mysqlAtLocalhostGrants=
 	# Install mysql@localhost user
-	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ] || [ -n "$MARIADB_MYSQL_LOCALHOST_GRANTS" ]; then
+	if [ -n "$MARIADB_MYSQL_LOCALHOST_USER" ]; then
 		local pw=
 		pw="$(pwgen --numerals --capitalize --symbols --remove-chars="'\\" -1 32)"
 		# MDEV-24111 before MariaDB-10.4 cannot create unix_socket user directly auth with simple_password_check
