MDEV-34311: Alter USER should reset all account limit counters

This commit introduces a reset of password errors counter on any alter user command for the altered user. This is done so as to not require a complete privilege system reload.

MDEV-34311: Alter USER should reset all account limit counters
This commit introduces a reset of password errors counter on any alter user command for the altered user. This is done so as to not require a complete privilege system reload.
63823391 · Vicențiu Ciorbaru · Vicențiu-Marian Ciorbaru · 2d8d8139 · 63823391 · 63823391
Commit 63823391 authored Jun 16, 2024 by Vicențiu Ciorbaru Committed by Vicențiu-Marian Ciorbaru Jun 19, 2024
4 changed files
--- a/mysql-test/main/max_password_errors.result
+++ b/mysql-test/main/max_password_errors.result
@@ -9,10 +9,10 @@ connect  con1, localhost, u, bad_pass;
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 connect(localhost,u,good_pass,test,MASTER_PORT,MASTER_SOCKET);
 connect con1, localhost, u, good_pass;
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 connect(localhost,u,bad_pass,test,MASTER_PORT,MASTER_SOCKET);
 connect con1, localhost, u, bad_pass;
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 FLUSH PRIVILEGES;
 connect  con1, localhost, u, good_pass;
 disconnect con1;
@@ -27,7 +27,7 @@ ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 connect  con1, localhost, u, good_pass;
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 disconnect con1;
 connection default;
 FLUSH PRIVILEGES;
@@ -40,6 +40,21 @@ ERROR 28000: Access denied for user 'root'@'localhost' (using password: YES)
 connect  con1, localhost, u, good_pass;
 disconnect con1;
 connection default;
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect(localhost,u,good_pass,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, good_pass;
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
+ALTER USER u ACCOUNT UNLOCK;
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect con1, localhost, u, good_pass;
+disconnect con1;
+connection default;
 DROP USER u;
-FLUSH PRIVILEGES;
 set global max_password_errors=@old_max_password_errors;
--- a/mysql-test/main/max_password_errors.test
+++ b/mysql-test/main/max_password_errors.test
@@ -59,6 +59,28 @@ connect (con1, localhost, root, bad_pass);
 connect (con1, localhost, u, good_pass);
 disconnect con1;
 connection default;
+
+# Block u again
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_USER_IS_BLOCKED;
+connect(con1, localhost, u, good_pass);
+
+# Unblock foo
+ALTER USER u ACCOUNT UNLOCK;
+
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+
+connect(con1, localhost, u, good_pass);
+disconnect con1;
+connection default;
+
 DROP USER u;
-FLUSH PRIVILEGES;
-set global max_password_errors=@old_max_password_errors;
\ No newline at end of file
+set global max_password_errors=@old_max_password_errors;
--- a/sql/share/errmsg-utf8.txt
+++ b/sql/share/errmsg-utf8.txt
@@ -9922,9 +9922,9 @@ ER_BACKUP_UNKNOWN_STAGE
        eng "Unknown backup stage: '%s'. Stage should be one of START, FLUSH, BLOCK_DDL, BLOCK_COMMIT or END"
        spa "Fase de respaldo desconocida: '%s'. La fase debería de ser una de START, FLUSH, BLOCK_DDL, BLOCK_COMMIT o END"
 ER_USER_IS_BLOCKED
-        chi "由于凭证错误太多，用户被阻止;用'FLUSH PRIVILEGES'解锁"
-        eng "User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'"
-        spa "El usuario está bloqueado a causa de demasiados errores de credenciales; desbloquee mediante 'FLUSH PRIVILEGES'"
+        chi "由于凭证错误太多，用户被阻止;用'ALTER USER / FLUSH PRIVILEGES'解锁"
+        eng "User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'"
+        spa "El usuario está bloqueado a causa de demasiados errores de credenciales; desbloquee mediante 'ALTER USER / FLUSH PRIVILEGES'"
 ER_ACCOUNT_HAS_BEEN_LOCKED
        chi "访问拒绝，此帐户已锁定"
        eng "Access denied, this account is locked"

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -263,7 +263,7 @@ class ACL_USER :public ACL_USER_BASE,
    PASSWD_ERROR_INCREMENT
  };

-  inline void update_password_errors(PASSWD_ERROR_ACTION action)
+  void update_password_errors(PASSWD_ERROR_ACTION action)
  {
    switch (action)
    {
@@ -3560,6 +3560,9 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth,
    break;
  }

+  // Any alter user resets password_errors;
+  acl_user->update_password_errors(ACL_USER::PASSWD_ERROR_CLEAR);
+
  return 0;
 }