artefactual-labs/ansible-percona

Change default `mysql_default_authentication_plugin` value

jraddaoui opened this issue · 2 comments

This variable was added to support MySQL 8.0 and PHP 7.2, to be able to set it to mysql_native_password. However, PHP 7.4 now supports caching_sha2_password but the default in here is set to the former:

https://github.com/artefactual-labs/ansible-percona/blob/master/defaults/main.yml#L55

Since AtoM 2.7 will require PHP 7.4 (and I think that was the only use case for this legacy auth. method), we should consider changing the default to caching_sha2_password, a more secure authentication method, or just remove its default as we're checking that the var is defined before using it:

https://github.com/artefactual-labs/ansible-percona/search?q=mysql_default_authentication_plugin

I don't know exactly how this role works upgrading existing instances, but we should consider how this change could affect those instances where we may need to update existing user passwords:

ALTER USER 'atom'@'localhost' IDENTIFIED WITH caching_sha2_password BY '12345';

For now, we are changing the value in the development playbooks ...

artefactual-labs/am-packbuild#313
artefactual/deploy-pub#132

I need more time to investigate, but in my first try I changed the plugin in a Percona server already configured with mysql_native_password, and after this change I couldn't add/update more users with the role.

Configuring a server from scratch and using mysql_default_authentication_plugin: "mysql_native_password" works fine.

So I think it is a bit dangerous setting caching_sha2_password as default value.
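Before flipping the role default, the check a practitioner would want is an inventory of which existing accounts are still on a different plugin, since that is the situation described in the comment above. As an added example, not part of this issue or of the ansible-percona role, the Python script below audits a dump of `mysql.user` and drafts the per-account migration statements; the sample rows and the `<PASSWORD>` placeholder are constructed.

```python
"""Audit MySQL/Percona account auth plugins before changing the default.

Input is the tab-separated output of
  mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"
Constructed sample below; no live server is needed.
"""

# Constructed sample rows (user<TAB>host<TAB>plugin), as `mysql -N -B` prints them.
SAMPLE_USER_ROWS = """\
root\tlocalhost\tcaching_sha2_password
atom\tlocalhost\tmysql_native_password
archivematica\tlocalhost\tmysql_native_password
mysql.sys\tlocalhost\tcaching_sha2_password
"""


def parse_user_rows(text):
    """Parse `user\\thost\\tplugin` lines into a list of (user, host, plugin)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, host, plugin = line.split("\t")
        rows.append((user, host, plugin))
    return rows


def audit(rows, new_default, skip_prefix="mysql."):
    """Return accounts whose plugin differs from the proposed default.

    Built-in mysql.* accounts are skipped: the role does not manage them, and
    they are the ones most likely to break if blindly rewritten.
    """
    return [(u, h, p) for u, h, p in rows
            if p != new_default and not u.startswith(skip_prefix)]


def alter_statements(mismatched, new_default):
    """Draft one ALTER USER per mismatched account.

    Switching the plugin replaces the stored credential, so each statement
    must re-supply the password; <PASSWORD> is a placeholder to fill in.
    """
    return [f"ALTER USER '{u}'@'{h}' IDENTIFIED WITH {new_default} BY '<PASSWORD>';"
            for u, h, _ in mismatched]


if __name__ == "__main__":
    rows = parse_user_rows(SAMPLE_USER_ROWS)
    for stmt in alter_statements(audit(rows, "caching_sha2_password"),
                                 "caching_sha2_password"):
        print(stmt)
```

Running the audit with the current default (`mysql_native_password`) instead shows the opposite set, which is the list of accounts that an older client such as PHP 7.2 could not authenticate against.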