Hi Stefan, all!
On 05.12.2016 20:21, Stefan wrote:
> More than 1 year later this bug is still there. Really, really annoying.
> I just spent hours to troubleshoot this because usually you first do SET
> ... and then FLUSH PRIVILEGES when running with --skip.... But here you
> have to do the opposite: First run FLUSH PRIVILEGES, then SET...
> otherwise the thing will complain that it's running in
> --skip-whatever-mode. Please, dear Galera RPM packagers, fix this and
> remove your MySQL root password from the binary installation.
TTBOMK, there is no MySQL root password in a mysql-wsrep installation.
When we only consider packages built by Oracle or Codership, you have to
differentiate between two cases:
1) MySQL from 5.7, or 5.6 in an RPM package;
2) MySQL before 5.6, or 5.6 in non-RPM.
(I cannot comment on packages from other builders.)
Case 2 should be simple: There is no root password handling.
Case 1 is more complicated: In order to have security by default, Oracle
changed the code (5.6 RPM: the install script, 5.7: the server) so that
a random root password will be set on installation (5.6 RPM) / on first
server start (5.7).
All this applies to new installations only, not to upgrades.
In Oracle's 5.6 RPMs, this random password was then written to a file in
root's home directory; in 5.7, it is written to the error log.
In both 5.6 and 5.7, this password is immediately declared as "expired",
and the consequence is that the MySQL server will only accept a password
change as the next statement, nothing else.
All this can be handled without using "--skip-grant-tables":
1) Grep the random root password from the appropriate file.
2) Use it to connect as root.
3) As your first statement, call
      ALTER USER user() IDENTIFIED BY 'your-individual-password';
4) From now on (and already in this session), work normally.
Complication is increased by the "password validation plugin" in 5.7. By
default, the password must contain at least one lowercase letter, one
uppercase, one digit, and one special character, and must be at least
eight characters long. Other passwords will be rejected, and such "alter
user" commands will fail.
So Oracle strengthens the "security by default", and I expect this to
continue.
AIUI, Codership does not deviate from Oracle unless absolutely
necessary, so the Codership binaries based on MySQL 5.7 (and the
Codership RPMs based on 5.6) follow the same policies.
As a consequence, this part of the installation and setup does not
differ between a stand-alone server from an Oracle package and a Galera
Cluster node from a Codership package.
HTH,
Jörg
--
Joerg Bruehe, Senior MySQL Support Engineer,
joerg....@fromdual.com
FromDual GmbH, Rebenweg 6, CH - 8610 Uster; phone
+41 44 500 58 26
Geschäftsführer: Oliver Sennhauser
Handelsregister-Eintrag: CH-020.4.044.539-3
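
Steps 1 to 4 above for a MySQL 5.7 node, written as shell functions. This is an added example, not part of the mail and not an Oracle or Codership script. The function names, the error log path in the usage comment and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Targets MySQL 5.7, where the
# temporary root password is written to the error log.

# Constructed sample of 5.7 error-log lines (the password is made up).
sample_error_log() {
cat <<'EOF'
2016-12-05T19:00:01.100000Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated.
2016-12-05T19:00:03.200000Z 1 [Note] A temporary password is generated for root@localhost: Ex4mple;tmp:PW
2016-12-05T19:00:09.300000Z 0 [Note] mysqld: ready for connections.
EOF
}

# Step 1: print the most recent temporary root password in error log $1.
extract_temp_password() {
    sed -n 's/^.*A temporary password is generated for root@localhost: //p' "$1" | tail -n 1
}

# Pre-check against the default rules quoted in the post: at least 8 characters,
# one lowercase, one uppercase, one digit, one special (non-alphanumeric).
meets_default_policy() {
    [ "${#1}" -ge 8 ] || return 1
    case $1 in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:digit:]]*) ;; *) return 1 ;; esac
    case $1 in *[![:alnum:]]*) ;; *) return 1 ;; esac
}

# Escape a value for a single-quoted SQL string (default sql_mode).
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Steps 2-4: connect as root with the temporary password and change it as the
# first statement. MYSQL_PWD and stdin keep both passwords out of argv.
change_root_password() {
    meets_default_policy "$2" || { echo "new password fails default policy" >&2; return 1; }
    tmp_pw=$(extract_temp_password "$1")
    [ -n "$tmp_pw" ] || { echo "no temporary password found in $1" >&2; return 1; }
    printf "ALTER USER user() IDENTIFIED BY '%s';\n" "$(sql_quote "$2")" |
        MYSQL_PWD=$tmp_pw mysql -u root --connect-expired-password
}

# Usage as root on the node (log path is an assumption; check log_error):
#   change_root_password /var/log/mysqld.log "$NEW_PW"
```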