Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add do command to update the authentication plugin of MySQL users #1097

Open
wants to merge 7 commits into
base: release
Choose a base branch
from

Conversation

Danyal-Faheem
Copy link
Contributor

@Danyal-Faheem Danyal-Faheem commented Jul 18, 2024

closes #1095

This PR is a continuation of the issue mentioned in #1089.

  • Add a do command to update the authentication plugin of MySQL users from mysql_native_password to caching_sha2_password.
  • The command requires a username and password to function. The password can be provided as a CLI option with the --password option or interactively. The command can also be run non-interactively with the --non-interactive option as it might prompt for some confirmations otherwise.

The commands necessary to update a native installation of tutor would be:

tutor local do update-mysql-authentication-plugin $(tutor config printvalue OPENEDX_MYSQL_USERNAME) --password=$(tutor config printvalue OPENEDX_MYSQL_PASSWORD) --non-interactive
tutor local do update-mysql-authentication-plugin $(tutor config printvalue MYSQL_ROOT_USERNAME) --password=$(tutor config printvalue MYSQL_ROOT_PASSWORD) --non-interactive

@Danyal-Faheem Danyal-Faheem self-assigned this Jul 18, 2024
@@ -43,6 +43,39 @@ def upgrade_from_nutmeg(context: click.Context, config: Config) -> None:
)


def get_mysql_change_authentication_plugin_query(config: Config) -> str:
"""Helper function to generate queries depending on the loaded plugins"""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the docstring can be upgraded to highlight what is done by default and what is done based on plugin's availability.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.

# We need to first revert MySQL back to v8.1 to build the data dictionary on it
# And also to update the authentication plugin as it is disabled on v8.4
message = f"""Automatic release upgrade is unsupported in Kubernetes. If you are upgrading from Olive or an earlier release to Redwood, you
should upgrade the authentication plugin of your users. To upgrade, run something similar to:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of saying run something similar, we should add the exact commands the user should run.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are the exact commands that the user should run. I've updated the wording in the message.

@DawoudSheraz DawoudSheraz requested a review from regisb July 30, 2024 07:27
@@ -43,6 +43,46 @@ def upgrade_from_nutmeg(context: click.Context, config: Config) -> None:
)


def get_mysql_change_authentication_plugin_query(config: Config) -> str:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering if we should have an override/additional param provided by user to only upgrade a particular plugin's database. Lets say they have upgraded the default already and do not have plugins enabled. Once plugins are enabled, they will be re-doing the migration for default.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I was also thinking that we could add a --users option with comma separated name of users to the do command. This way, users can also choose to upgrade their choice of databases.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a --users option as well.

) -> str:
return f"ALTER USER '{username}'@'{host}' IDENTIFIED with caching_sha2_password BY '{password}';"

host = "%"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is the host set to %?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The host for users created by Tutor is always set to '%'. The users created by MySQL itself uses the 'localhost' host.

@Danyal-Faheem Danyal-Faheem force-pushed the danyalfaheem/mysql-authentication-plugin-change branch 3 times, most recently from adaa02d to 820cebe Compare August 21, 2024 13:25
@Danyal-Faheem Danyal-Faheem force-pushed the danyalfaheem/mysql-authentication-plugin-change branch from ef6022d to 4d0042c Compare August 30, 2024 14:37
@@ -44,7 +44,11 @@ services:
--character-set-server=utf8mb4
--collation-server=utf8mb4_unicode_ci
--binlog-expire-logs-seconds=259200
# We only require this option for MySQL 8.4 and above
# Breaks MySQL for previous versions as this option does not exist on versions earlier than 8.4
{% if DOCKER_IMAGE_MYSQL.split(':')[-1] == "latest" or (DOCKER_IMAGE_MYSQL.split(':')[-1].split('.') | map('int') | list >= '8.4.0'.split('.') | map('int') | list) -%}
Copy link
Contributor

@DawoudSheraz DawoudSheraz Sep 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we can set DOCKER_IMAGE_MYSQL.split(':')[-1] to a variable and use that in comparison. It will make the code readable.

docs/local.rst Outdated

tutor local do update_mysql_authentication_plugin --users=discovery,ecommerce

Do note that if you are updating a specific user, there should be corresponding entries in the configuration for the mysql username and password for that user. For example, if you are trying to update the user ``myuser``, the following case sensitive entries need to be present in the configuration::
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this paragraph can be reworded to focus that for any particular user, the command expects the configuration settings in a certain format. Then, the myuser examples can be added afterwards/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated this paragraph.

Copy link
Contributor

@DawoudSheraz DawoudSheraz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While testing, I came across the following error

Error: Username or Password for User mfe not found in config. Please make sure that the following entries are present in the configuration:
MFE_MYSQL_USERNAME
MFE_MYSQL_PASSWORD

The current code raises the exception if config is not found. It is iterating on all the plugins. Not all plugins would have DB users. Instead of raising, we can log warning and continue.

@Danyal-Faheem Danyal-Faheem changed the title fix: update authentication plugin of MySQL users in v8.4 feat: add do command to update the authentication plugin of MySQL users Sep 9, 2024
@Faraz32123
Copy link
Contributor

Hello @regisb, can u have a look at it for it's final iteration?

tutor/fmt.py Outdated
@@ -46,6 +46,14 @@ def alert(text: str) -> str:
return click.style("⚠️ " + text, fg="yellow", bold=True)


def warning(text: str) -> str:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the purpose of warning when we already have alert?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alert prints to standard error and this seemed like a situation where we just wanted to display a warning rather than an error.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's keep an alert. We don't want to write to stdout because it might mangle output from other commands, such as tutor config printvalue/printroot. And if we write to stderr than we are better off just using alert.

tutor/templates/local/docker-compose.yml Outdated Show resolved Hide resolved
@@ -315,6 +317,49 @@ def sqlshell(args: list[str]) -> t.Iterable[tuple[str, str]]:
yield ("lms", command)


@click.command(context_settings={"ignore_unknown_options": True})
@click.option(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should not be an option, but an argument, because it's mandatory. The command signature should not be:

 tutor local do update_mysql_authentication_plugin --users=regis,danyal

but:

tutor local do update_mysql_authentication_plugin regis danyal

Moreover, we should be able to update all users with users=all:

tutor local do update_mysql_authentication_plugin all

tutor/commands/jobs.py Outdated Show resolved Hide resolved
fmt.echo_info(
f"Authentication plugin of user {username} will be updated to caching_sha2_password"
)
return f"ALTER USER '{username}'@'{host}' IDENTIFIED with caching_sha2_password BY '{password}';"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is extremely confusing, and there are many ways in which it can fail. In order to improve it, I'd like to understand if it's possible to automatically detect all mysql users that were created with the legacy authentication plugin?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only way to do that would be to get the output of a MySQL query inside tutor codebase. I am not aware of any method that we can use to get the output of a command run inside a container inside the tutor codebase.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming we could get the output of a mysql query in tutor, what would be that query?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something similar to this:

select user from mysql.user where plugin='mysql_native_password' and host='%';

We need to limit the host to '%' as Tutor uses that host value by default.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Regis, any thoughts on how we should proceed with this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure. basically, we need to perform all tasks inside a single templated bash script -- including the mysql --user... part. This bash script can be templated, such that we don't have to pass config values to the script-generating function. I'm sorry I don't have time to think about this more...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So maybe something similar to a stored procedure? Something akin to what we did in #1079?

We could get the names of all the users and update them inside that procedure. Although, I'd have to look into how we would manage passwords then.

@Danyal-Faheem Danyal-Faheem marked this pull request as draft October 28, 2024 15:03
@Danyal-Faheem Danyal-Faheem force-pushed the danyalfaheem/mysql-authentication-plugin-change branch 2 times, most recently from 458c6de to 98d6753 Compare November 29, 2024 15:09
@Danyal-Faheem Danyal-Faheem marked this pull request as ready for review November 29, 2024 15:11
Copy link
Contributor

@DawoudSheraz DawoudSheraz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: once merged and rebase to sumac, we can add a "warning" in upgrade that users should do the auth plugin updates to ensure future upgrades of MySQL do not break their systems.

@DawoudSheraz DawoudSheraz requested a review from regisb December 6, 2024 14:08
user_uppercase = user.upper()
if not (
f"{user_uppercase}_MYSQL_USERNAME" in config
and f"{user_uppercase}_MYSQL_PASSWORD" in config
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks very fragile. We can't rely on the arbitrary naming of some configuration settings to auto-detect user names.

Copy link
Contributor Author

@Danyal-Faheem Danyal-Faheem Dec 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We found that this was a convention used across the plugins, but I can understand your position here. However, we still need the exact username and password to perform this operation. Therefore, I propose that we can provide an option to provide the exact username and password. Something similar to:

tutor local do update-mysql-authentication-plugin discovery ecommerce --usernames discovery-username,ecommerce-username --passwords discovery-password,ecommerce-password

This isn't very intuitive but since this would be a one time operation, maybe it is fine? Another con I see here is that users will have to have passwords out in the open for headless scripts unless they utilize environment variables.

I am open to any suggestions you might have.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @regisb, pinging you again for your thoughts on this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's go with a mandatory username CLI argument. When the --password=... option is not provided, it should be interactively set. (see how the createuser command handles password definition) It's not a big deal if passwords are printed in stdout.

Then, we should instruct users to migrate their accounts with:

tutor local do update-mysql-authentication-plugin \
    --password="$(tutor config printvalueOPENEDX_MYSQL_PASSWORD)"\
    $(tutor config printvalue OPENEDX_MYSQL_USERNAME)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. However, I have one concern. This basically limits us to updating one user at a time. If a user has 5-6 plugins enabled, this would become quite hectic as the MySQL root user and Open edX mysql user would require 2 separate commands by themselves along, not to mention for each plugin as well.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, but I think it's OK, because this command will only have to be run once for every mysql user.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the command to reflect the changes as you mentioned.

I've also moved some code to the newly created jobs_utils file as the jobs.py file was getting too bloated.

@Danyal-Faheem Danyal-Faheem force-pushed the danyalfaheem/mysql-authentication-plugin-change branch 2 times, most recently from 62633a0 to 9735201 Compare January 15, 2025 15:24
@Danyal-Faheem Danyal-Faheem changed the base branch from main to release January 15, 2025 15:26
docs/local.rst Outdated Show resolved Hide resolved
docs/local.rst Outdated Show resolved Hide resolved
docs/local.rst Outdated Show resolved Hide resolved

This issue can occur when Tutor is upgraded from v15 (Olive) or earlier to v18 (Redwood) because the users created in Tutor v15 utilize the mysql_native_password authentication plugin by default. This plugin has been deprecated as of MySQL v8.4.0 which is the default MySQL server used in Tutor v18.

The handy :ref:`update-mysql-authentication-plugin <update_mysql_authentication_plugin>` do command in tutor can be used to fix this issue.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the command that should be run for a vanilla installation?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added the two commands necessary for a vanilla installation in the troubleshooting section as well

tutor/commands/jobs.py Outdated Show resolved Hide resolved
)
return

conventional_password_key = f"{user.upper()}_MYSQL_PASSWORD"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This part about automatically loading password from config should be removed. In particular, with the current implementation, a warning will be printed even after user inputs a password.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding this,

The warnings will only be printed if the password entered by a user does not match the conventional format that tutor expects or if the value in config of the conventional key does not match the one entered by the user. This is just done to make sure no one accidentally updates the password of their mysql users and is left wondering why their platform doesn't work now.

There is also an option of using the command non-interactively.

Do you still think we should remove this? I understand its not intuitive at all but I added it just in case someone doesn't accidentally update their passwords.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think we should remove this, as it will cause more confusion than resolve anything. If the password is incorrect, the command will fail, right? (which is good)

Copy link
Contributor Author

@Danyal-Faheem Danyal-Faheem Jan 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the password is incorrect, the command will fail, right? (which is good)

Unfortunately, it wont fail. Instead, mysql will just update the password of the user to the incorrectly entered password and then the platform will be unable to connect because the password has been updated. This was my main motivation for adding these checks.

It only throws a warning if the username is incorrect, which makes sense cause then the user wouldn't exist anyway.

Copy link
Contributor

@regisb regisb Jan 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I understand. Here's what I suggest:

  1. Get rid of the interactive option, remove the corresponding warning.
  2. Remove prompt=True in the password option definition.
  3. In the command definition, build a dict of known username/passwords:
known_mysql_credentials = {}
for k, v in [("OPENEDX_MYSQL_USERNAME", "OPENEDX_MYSQL_PASSWORD"), ("NOTES_MYSQL_USERNAME", "NOTES_MYSQL_PASSWORD"), ...]:
    if username := config.get(k):
        known_mysql_credentials[username] = config[v]
if not password:
    password = known_mysql_credentials.get(username)
if not password:
    # prompt for password

In other words, the password is automatically detected if it matches a known username. Optionally, we can build known_mysql_credentials from a new filter.

  1. Change the documentation to tell users to run:

    tutor local do update-mysql-authentication-plugin $(tutor config printvalue OPENEDX_MYSQL_USERNAME)
    tutor local do update-mysql-authentication-plugin $(tutor config printvalue NOTES_MYSQL_USERNAME)
    ...
    

Would that work?

Sorry about the back and forth on this feature. I'm aware that this PR has been open for 6+ months, and I'm eager to merge it.


mysql_command = (
"mysql --user={{ MYSQL_ROOT_USERNAME }} --password={{ MYSQL_ROOT_PASSWORD }} --host={{ MYSQL_HOST }} --port={{ MYSQL_PORT }} --database={{ OPENEDX_MYSQL_DATABASE }} --show-warnings "
+ shlex.join(["-e", query])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the following will be more robust:

 yield ("lms", shlex.join([
    "mysql",
    "--user={{ MYSQL_ROOT_USERNAME }}",
    "--password={{ MYSQL_ROOT_PASSWORD }}",
    "--host={{ MYSQL_HOST }}",
    "--port={{ MYSQL_PORT }}",
    "--database={{ OPENEDX_MYSQL_DATABASE }}",
    "--show-warnings",
    "-e",
    query,
]))

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This certainly looks better. I've updated the original one to this.

- `get_mysql_change_charset_query`: Generates MySQL queries to upgrade the charset and collation of columns, tables, and databases.
- `set_theme_template`: Generates the necessary commands to set a theme on a specific domain in openedx.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's not adopt the habit of documenting the functions at the top of the file. Can you please move the function short descriptions to the function docstrings? (in triple quotes)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did it as @DawoudSheraz requested me to add file docstrings. But, I guess we're not following that convention for now. So, I've removed the file docstring in favor of function docstrings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: In review
Development

Successfully merging this pull request may close these issues.

Add instructions/do command to switch mysql user auth to caching_sha2_password
5 participants