
A summary of MySQL's validate_password plugin/component

The Password Validation plugin and component

Before MySQL 8.0, MySQL used the validate_password plugin to check and enforce the strength of account passwords and so protect account security. MySQL 8.0 introduced server components, and the validate_password plugin has been reimplemented as a server component. The official documentation describes it as follows:

Note

In MySQL 8.0, the validate_password plugin was reimplemented as the validate_password component. (For general information about server components, see Section 5.5, “MySQL Server Components”.) The following instructions describe how to use the component, not the plugin. For instructions on using the plugin form of validate_password, see The Password Validation Plugin in MySQL 5.7 Reference Manual.

The plugin form of validate_password is still available but is deprecated and will be removed in a future version of MySQL. MySQL installations that use the plugin should make the transition to using the component instead. See Section 6.4.3.3, “Transitioning to the Password Validation Component”.

This article covers both the validate_password plugin and the validate_password component. The test environment is MySQL 8.0.18; where other versions were tested, this is noted in the text.

Installing the Password Validation plugin

Check whether the plugin/component is installed

Plugin:

mysql> SELECT PLUGIN_NAME, PLUGIN_LIBRARY, PLUGIN_STATUS, LOAD_OPTION
    -> FROM INFORMATION_SCHEMA.PLUGINS
    -> WHERE PLUGIN_NAME = 'validate_password';
Empty set (0.01 sec)

If the MySQL password-strength plugin validate_password is already installed, you can skip the installation steps below.

Component:

mysql> SELECT * FROM mysql.component;

Installing/enabling the plugin

Method 1: add the parameters to the option file my.cnf

[mysqld]
plugin-load-add=validate_password.so
# ON/OFF/FORCE/FORCE_PLUS_PERMANENT: whether to use the plugin (or force / permanently force its use)
validate-password=FORCE_PLUS_PERMANENT

Note: the file name suffix of validate_password in the plugin library differs by platform. On Unix and Unix-like systems the suffix is .so; on Windows it is .dll.

Note: the value FORCE_PLUS_PERMANENT prevents the plugin from being unloaded while MySQL is running. As shown below, trying to uninstall the plugin then returns an error:

mysql> SELECT PLUGIN_NAME, PLUGIN_LIBRARY, PLUGIN_STATUS, LOAD_OPTION
    -> FROM INFORMATION_SCHEMA.PLUGINS
    -> WHERE PLUGIN_NAME = 'validate_password';
+-------------------+----------------------+---------------+----------------------+
| PLUGIN_NAME       | PLUGIN_LIBRARY       | PLUGIN_STATUS | LOAD_OPTION          |
+-------------------+----------------------+---------------+----------------------+
| validate_password | validate_password.so | ACTIVE        | FORCE_PLUS_PERMANENT |
+-------------------+----------------------+---------------+----------------------+
1 row in set (0.00 sec)
mysql> UNINSTALL PLUGIN validate_password;
ERROR 1702 (HY000): Plugin 'validate_password' is force_plus_permanent and can not be unloaded
mysql>

Also, after changing these parameters the MySQL service must be restarted for them to take effect.

Method 2: install at runtime with a command

mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Query OK, 0 rows affected, 1 warning (0.11 sec)

Note: this method also registers the plugin in the metadata, i.e. the mysql.plugin table, so there is no need to worry about the plugin being lost after a MySQL restart.

Note: MySQL supports loading plugins at server startup and at runtime. The activation state of plugins loaded at startup can also be controlled, and plugins can be unloaded at runtime. Once a plugin is loaded, information about it is available from INFORMATION_SCHEMA.

Method 3: pass the option on the command line at startup. In practice this is no different from the option-file method.

# /usr/sbin/mysqld start --plugin-load='validate_password.so'

Installing the component

INSTALL COMPONENT 'file://component_validate_password';

Verification

Plugin:

mysql> SELECT PLUGIN_NAME, PLUGIN_LIBRARY, PLUGIN_STATUS, LOAD_OPTION
    -> FROM INFORMATION_SCHEMA.PLUGINS
    -> WHERE PLUGIN_NAME = 'validate_password';
+-------------------+----------------------+---------------+-------------+
| PLUGIN_NAME       | PLUGIN_LIBRARY       | PLUGIN_STATUS | LOAD_OPTION |
+-------------------+----------------------+---------------+-------------+
| validate_password | validate_password.so | ACTIVE        | ON          |
+-------------------+----------------------+---------------+-------------+
1 row in set (0.00 sec)
mysql>
mysql> select * from mysql.plugin;
+-------------------+----------------------+
| name              | dl                   |
+-------------------+----------------------+
| CLONE             | mysql_clone.so       |
| validate_password | validate_password.so |
+-------------------+----------------------+

Component:

mysql> SELECT * FROM mysql.component;
+--------------+--------------------+------------------------------------+
| component_id | component_group_id | component_urn                      |
+--------------+--------------------+------------------------------------+
|            1 |                  1 | file://component_validate_password |
+--------------+--------------------+------------------------------------+
1 row in set (0.00 sec)

If only the plugin is installed, the plugin's system variables look like this:

mysql> show variables like 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_check_user_name    | ON     |
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
7 rows in set (0.00 sec)
mysql>

On MySQL 8.0.18 the validate_password plugin and the validate_password component can be installed at the same time; viewing the system variables then shows a situation that will puzzle anyone who is unaware of this. In practice, on MySQL 8 you only need to install the validate_password component.

System variables corresponding to the plugin and the component (option, default value, description):

validate_password_check_user_name (default ON): when ON, the password is not allowed to be the same as the current user name.

validate_password_dictionary_file (default empty): path name of the dictionary file used for checking passwords.

validate_password_length (default 8): minimum password length, i.e. the password length must be greater than or equal to 8.

validate_password_mixed_case_count (default 1): if the password policy is MEDIUM or stronger, the minimum number of lowercase and uppercase characters that validate_password requires. For a given value, the password must contain at least that many lowercase characters and that many uppercase characters.

validate_password_number_count (default 1): the number of digits the password must contain.

validate_password_policy (default MEDIUM): password strength checking level, specified as the numeric value 0, 1 or 2 or the corresponding symbolic value LOW, MEDIUM or STRONG.
  0/LOW: checks length only.
  1/MEDIUM: checks length, digits, upper/lower case and special characters.
  2/STRONG: checks length, digits, upper/lower case, special characters and the dictionary file.

validate_password_special_char_count (default 1): the number of special characters the password must contain.

Note: the default values of the component and the plugin may differ. For example, in MySQL 5.7 the default value of validate_password_check_user_name is OFF. For further details, consult the official documentation.

Next, let us look at how the validate_password plugin and the validate_password component affect account creation, password changes and similar operations:

The validate_password component implements these capabilities:

· For SQL statements that assign a password supplied as a cleartext value, validate_password checks the password against the current password policy and rejects the password if it is weak (the statement returns an ER_NOT_VALID_PASSWORD error). This applies to the ALTER USER, CREATE USER, and SET PASSWORD statements.

· For CREATE USER statements, validate_password requires that a password be given, and that it satisfies the password policy. This is true even if an account is locked initially because otherwise unlocking the account later would cause it to become accessible without a password that satisfies the policy.

· validate_password implements a VALIDATE_PASSWORD_STRENGTH() SQL function that assesses the strength of potential passwords. This function takes a password argument and returns an integer from 0 (weak) to 100 (strong).

Verification test:

mysql> create user test@'192.168.%' identified by '12345678';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> show variables like 'validate_password%';
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password.check_user_name    | ON     |
| validate_password.dictionary_file    |        |
| validate_password.length             | 8      |
| validate_password.mixed_case_count   | 1      |
| validate_password.number_count       | 1      |
| validate_password.policy             | MEDIUM |
| validate_password.special_char_count | 1      |
+--------------------------------------+--------+
7 rows in set (0.00 sec)
mysql> set global validate_password.policy=LOW; # Note: for the plugin, the SQL is set global validate_password_policy=LOW
Query OK, 0 rows affected (0.00 sec)
mysql> create user test@'192.168.%' identified by '12345678';
Query OK, 0 rows affected (0.01 sec)

Changing the password validation strength (plugin)

SET GLOBAL validate_password_policy=LOW;
SET GLOBAL validate_password_policy=MEDIUM;
SET GLOBAL validate_password_policy=STRONG;
SET GLOBAL validate_password_policy=0; -- For LOW
SET GLOBAL validate_password_policy=1; -- For MEDIUM
SET GLOBAL validate_password_policy=2; -- For STRONG

Changing the password validation strength (component)

SET GLOBAL validate_password.policy=LOW;
SET GLOBAL validate_password.policy=MEDIUM;
SET GLOBAL validate_password.policy=STRONG;
SET GLOBAL validate_password.policy = 0; -- For LOW
SET GLOBAL validate_password.policy = 1; -- For MEDIUM
SET GLOBAL validate_password.policy = 2; -- For STRONG

Also, if you get "Your password does not satisfy the current policy requirements" when setting a password, you can use the component's function to check whether a candidate password meets the requirements. It returns a score from 0 to 100; a score of 100 means the password satisfies the basic rules: at least 8 characters made up of uppercase letters, lowercase letters, special characters and digits.

mysql> SELECT VALIDATE_PASSWORD_STRENGTH('medium');
+--------------------------------------+
| VALIDATE_PASSWORD_STRENGTH('medium') |
+--------------------------------------+
|                                   25 |
+--------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT VALIDATE_PASSWORD_STRENGTH('K354*45jKd5');
+-------------------------------------------+
| VALIDATE_PASSWORD_STRENGTH('K354*45jKd5') |
+-------------------------------------------+
|                                       100 |
+-------------------------------------------+
1 row in set (0.00 sec)

Note: if neither the validate_password component nor the plugin is installed, this function always returns 0. The mapping from the password test to the returned score is shown in the following table:

Password Test                              | Return Value
Length < 4                                 | 0
Length ≥ 4 and < validate_password.length  | 25
Satisfies policy 1 (LOW)                   | 50
Satisfies policy 2 (MEDIUM)                | 75
Satisfies policy 3 (STRONG)                | 100

Note: to filter weak passwords with a dictionary, the system variable validate_password.policy must be STRONG. The official documentation says the following. In general the password policy is set to at most STRONG, and dictionary filtering is rarely enabled.

The path name of the dictionary file that validate_password uses for checking passwords. This variable is unavailable unless validate_password is installed.

By default, this variable has an empty value and dictionary checks are not performed. For dictionary checks to occur, the variable value must be nonempty. If the file is named as a relative path, it is interpreted relative to the server data directory. File contents should be lowercase, one word per line. Contents are treated as having a character set of utf8. The maximum permitted file size is 1MB.

For the dictionary file to be used during password checking, the password policy must be set to 2 (STRONG); see the description of the validate_password.policy system variable. Assuming that is true, each substring of the password of length 4 up to 100 is compared to the words in the dictionary file. Any match causes the password to be rejected. Comparisons are not case sensitive.
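As an added example (not part of the original post and not MySQL's own implementation), the following Python script approximates VALIDATE_PASSWORD_STRENGTH() offline using the scoring table and the dictionary rules quoted above, so a candidate password can be checked against a policy before an ALTER USER or CREATE USER is attempted. The policy values mirror the defaults shown earlier; the dictionary words are constructed sample data, and the counting of "special" characters as any non-alphanumeric character is an assumption.

```python
# Values mirror the defaults in the "show variables" output above. The dictionary
# is a constructed sample; the server would read validate_password.dictionary_file.
POLICY = {
    "policy": "STRONG",          # LOW / MEDIUM / STRONG; dictionary only used at STRONG
    "length": 8,
    "mixed_case_count": 1,
    "number_count": 1,
    "special_char_count": 1,
    "dictionary": {"password", "qwerty", "mysql"},  # lowercase, one word per line
}

def satisfies_low(pw, p):
    # LOW checks length only
    return len(pw) >= p["length"]

def satisfies_medium(pw, p):
    # MEDIUM adds lower-case, upper-case, digit and special-character minimums
    # (assumption: "special" means any non-alphanumeric character)
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    special = sum(not c.isalnum() for c in pw)
    return (satisfies_low(pw, p)
            and lower >= p["mixed_case_count"] and upper >= p["mixed_case_count"]
            and digits >= p["number_count"] and special >= p["special_char_count"])

def in_dictionary(pw, words):
    # Every substring of length 4..100 is compared case-insensitively; any hit rejects
    low = pw.lower()
    return any(low[i:j] in words
               for i in range(len(low))
               for j in range(i + 4, min(i + 100, len(low)) + 1))

def satisfies_strong(pw, p):
    if not satisfies_medium(pw, p):
        return False
    # Dictionary filtering is only applied when the policy itself is STRONG
    return not (p["policy"] == "STRONG" and in_dictionary(pw, p["dictionary"]))

def strength(pw, p=POLICY):
    """Return 0, 25, 50, 75 or 100 following the scoring table in the post."""
    if len(pw) < 4:
        return 0
    if len(pw) < p["length"]:
        return 25
    if not satisfies_medium(pw, p):
        return 50
    return 100 if satisfies_strong(pw, p) else 75

def matches_user_name(pw, user):
    # validate_password.check_user_name rejects a password equal to the user name
    # (MySQL also compares against the reversed user name); this is a separate
    # rejection at assignment time, not part of the 0-100 score.
    return pw.lower() in (user.lower(), user.lower()[::-1])
```

With the policy set to MEDIUM the dictionary is ignored, so a password such as Password1! scores 100 even though it contains a dictionary word; switching the policy to STRONG drops it to 75.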

Status variables of the component/plugin

The plugin has no corresponding status variables; only the component has them.

mysql> SHOW STATUS LIKE 'validate_password%';
mysql> show status like 'validate_pass%';
+-----------------------------------------------+---------------------+
| Variable_name                                 | Value               |
+-----------------------------------------------+---------------------+
| validate_password_dictionary_file_last_parsed | 2020-08-13 11:33:47 |
| validate_password_dictionary_file_words_count | 0                   |
+-----------------------------------------------+---------------------+
2 rows in set (0.00 sec)
mysql>

Uninstalling the plugin

mysql> UNINSTALL PLUGIN validate_password;
Query OK, 0 rows affected, 1 warning (0.01 sec)

Uninstalling the component

mysql> UNINSTALL COMPONENT 'file://component_validate_password';
Query OK, 0 rows affected (0.02 sec)

References:

https://dev.mysql.com/doc/refman/8.0/en/plugin-loading.html

https://dev.mysql.com/doc/refman/8.0/en/validate-password.html

https://dev.mysql.com/doc/refman/8.0/en/uninstall-plugin.html

https://dev.mysql.com/doc/refman/8.0/en/validate-password-options-variables.html

https://dev.mysql.com/doc/refman/8.0/en/encryption-functions.html#function_validate-password-strength