Merge pull request #87878 from Izorkin/mariadb-update

mariadb: 10.4.12 -> 10.4.13
2020-06-05 15:15:36 +02:00 · 2020-06-05 15:15:36 +02:00 · 47d4cd2c31
commit 47d4cd2c31
parent e0e9b9fb07 0342862b91
4 changed files with 87 additions and 38 deletions
--- a/nixos/tests/mysql/mysql.nix
+++ b/nixos/tests/mysql/mysql.nix
@ -5,20 +5,34 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
  };

  nodes = {
-    mysql =
+    mysql57 =
      { pkgs, ... }:

      {
+        users.users.testuser = { };
+        users.users.testuser2 = { };
        services.mysql.enable = true;
        services.mysql.initialDatabases = [
-          { name = "testdb"; schema = ./testdb.sql; }
-          { name = "empty_testdb"; }
+          { name = "testdb3"; schema = ./testdb.sql; }
        ];
        # note that using pkgs.writeText here is generally not a good idea,
        # as it will store the password in world-readable /nix/store ;)
        services.mysql.initialScript = pkgs.writeText "mysql-init.sql" ''
-          CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123';
+          CREATE USER 'testuser3'@'localhost' IDENTIFIED BY 'secure';
+          GRANT ALL PRIVILEGES ON testdb3.* TO 'testuser3'@'localhost';
        '';
+        services.mysql.ensureDatabases = [ "testdb" "testdb2" ];
+        services.mysql.ensureUsers = [{
+          name = "testuser";
+          ensurePermissions = {
+            "testdb.*" = "ALL PRIVILEGES";
+          };
+        } {
+          name = "testuser2";
+          ensurePermissions = {
+            "testdb2.*" = "ALL PRIVILEGES";
+          };
+        }];
        services.mysql.package = pkgs.mysql57;
      };

@ -30,16 +44,30 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
        # Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled
        virtualisation.memorySize = 1024;

+        users.users.testuser = { };
+        users.users.testuser2 = { };
        services.mysql.enable = true;
        services.mysql.initialDatabases = [
-          { name = "testdb"; schema = ./testdb.sql; }
-          { name = "empty_testdb"; }
+          { name = "testdb3"; schema = ./testdb.sql; }
        ];
        # note that using pkgs.writeText here is generally not a good idea,
        # as it will store the password in world-readable /nix/store ;)
        services.mysql.initialScript = pkgs.writeText "mysql-init.sql" ''
-          CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123';
+          CREATE USER 'testuser3'@'localhost' IDENTIFIED BY 'secure';
+          GRANT ALL PRIVILEGES ON testdb3.* TO 'testuser3'@'localhost';
        '';
+        services.mysql.ensureDatabases = [ "testdb" "testdb2" ];
+        services.mysql.ensureUsers = [{
+          name = "testuser";
+          ensurePermissions = {
+            "testdb.*" = "ALL PRIVILEGES";
+          };
+        } {
+          name = "testuser2";
+          ensurePermissions = {
+            "testdb2.*" = "ALL PRIVILEGES";
+          };
+        }];
        services.mysql.package = pkgs.mysql80;
      };

@ -81,17 +109,49 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
  testScript = ''
    start_all()

-    mysql.wait_for_unit("mysql")
-    mysql.succeed("echo 'use empty_testdb;' | mysql -u root")
-    mysql.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4")
-    # ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
-    mysql.succeed("echo ';' | mysql -u passworduser --password=password123")
+    mysql57.wait_for_unit("mysql")
+    mysql57.succeed(
+        "echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"
+    )
+    mysql57.succeed(
+        "echo 'use testdb; insert into tests values (41);' | sudo -u testuser mysql -u testuser"
+    )
+    # Ensure testuser2 is not able to insert into testdb as mysql testuser2
+    mysql57.fail(
+        "echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser2"
+    )
+    # Ensure testuser2 is not able to authenticate as mysql testuser
+    mysql57.fail(
+        "echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser"
+    )
+    mysql57.succeed(
+        "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 41"
+    )
+    mysql57.succeed(
+        "echo 'use testdb3; select * from tests;' | mysql -u testuser3 --password=secure -N | grep 4"
+    )

    mysql80.wait_for_unit("mysql")
-    mysql80.succeed("echo 'use empty_testdb;' | mysql -u root")
-    mysql80.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4")
-    # ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
-    mysql80.succeed("echo ';' | mysql -u passworduser --password=password123")
+    mysql80.succeed(
+        "echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"
+    )
+    mysql80.succeed(
+        "echo 'use testdb; insert into tests values (41);' | sudo -u testuser mysql -u testuser"
+    )
+    # Ensure testuser2 is not able to insert into testdb as mysql testuser2
+    mysql80.fail(
+        "echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser2"
+    )
+    # Ensure testuser2 is not able to authenticate as mysql testuser
+    mysql80.fail(
+        "echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser"
+    )
+    mysql80.succeed(
+        "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 41"
+    )
+    mysql80.succeed(
+        "echo 'use testdb3; select * from tests;' | mysql -u testuser3 --password=secure -N | grep 4"
+    )

    mariadb.wait_for_unit("mysql")
    mariadb.succeed(
--- a/pkgs/servers/sql/mariadb/cmake-disable-auth-pam-testing.patch
+++ b/pkgs/servers/sql/mariadb/cmake-disable-auth-pam-testing.patch
@ -1,12 +0,0 @@
-diff --git a/plugin/auth_pam/CMakeLists.txt b/plugin/auth_pam/CMakeLists.txt
-index a556b870..918a26f9 100644
--- a/plugin/auth_pam/CMakeLists.txt
-+++ b/plugin/auth_pam/CMakeLists.txt
-@@ -22,7 +22,6 @@ IF(HAVE_PAM_APPL_H)
-                    COMPONENT Server)
-   ENDIF()
-   IF(TARGET auth_pam OR TARGET auth_pam_v1)
-    ADD_SUBDIRECTORY(testing)
-     ADD_LIBRARY(pam_user_map MODULE mapper/pam_user_map.c)
-     TARGET_LINK_LIBRARIES(pam_user_map pam)
-     SET_TARGET_PROPERTIES (pam_user_map PROPERTIES PREFIX "")
--- a/pkgs/servers/sql/mariadb/default.nix
+++ b/pkgs/servers/sql/mariadb/default.nix
@ -23,14 +23,14 @@ mariadb = server // {
 };

 common = rec { # attributes common to both builds
-  version = "10.4.12";
+  version = "10.4.13";

  src = fetchurl {
    urls = [
      "https://downloads.mariadb.org/f/mariadb-${version}/source/mariadb-${version}.tar.gz"
      "https://downloads.mariadb.com/MariaDB/mariadb-${version}/source/mariadb-${version}.tar.gz"
    ];
-    sha256 = "0252b9rxxz1ljjv6ni0wwgy14j8qmmdd2sq0a65dslx2ib9y3wgy";
+    sha256 = "1pwibmm52sc04qxp832pc3ylxw9wq90fjc7nxpcyp3yys49bpfs5";
    name   = "mariadb-${version}.tar.gz";
  };

@ -72,6 +72,8 @@ common = rec { # attributes common to both builds
    "-DINSTALL_SUPPORTFILESDIR=share/doc/mysql"
    "-DINSTALL_MYSQLTESTDIR=OFF"
    "-DINSTALL_SQLBENCHDIR=OFF"
+    "-DINSTALL_PAMDIR=share/pam/lib/security"
+    "-DINSTALL_PAMDATADIR=share/pam/etc/security"

    "-DWITH_ZLIB=system"
    "-DWITH_SSL=system"
@ -94,7 +96,7 @@ common = rec { # attributes common to both builds
    rm "$out"/bin/{mariadb_config,mysql_config}
    rm -r $out/include
    rm -r $out/lib/pkgconfig
-    rm -r $out/share/{aclocal,pkgconfig}
+    rm -r $out/share/aclocal
  '';

  enableParallelBuilding = true;
@ -160,10 +162,7 @@ server = stdenv.mkDerivation (common // {
    ++ optional stdenv.hostPlatform.isLinux linux-pam
    ++ optional (!stdenv.hostPlatform.isDarwin) mytopEnv;

-  patches = common.patches ++ [
-    # Disable build unused plugin pam_mariadb_mtr.so. See https://jira.mariadb.org/browse/MDEV-21654
-    ./cmake-disable-auth-pam-testing.patch
-  ] ++ optionals stdenv.hostPlatform.isDarwin [
+  patches = common.patches ++ optionals stdenv.hostPlatform.isDarwin [
    ./cmake-without-plugin-auth-pam.patch
  ];

@ -202,6 +201,9 @@ server = stdenv.mkDerivation (common // {
    chmod +x "$out"/bin/wsrep_sst_common
    rm "$out"/bin/{mariadb-client-test,mariadb-test,mysql_client_test,mysqltest}
    rm -r "$out"/data # Don't need testing data
+    mv "$out"/OFF/suite/plugins/pam/pam_mariadb_mtr.so "$out"/share/pam/lib/security
+    mv "$out"/OFF/suite/plugins/pam/mariadb_mtr "$out"/share/pam/etc/security
+    rm -r "$out"/OFF
  '' + optionalString withStorageMroonga ''
    mv "$out"/share/{groonga,groonga-normalizer-mysql} "$out"/share/doc/mysql
  '' + optionalString (!stdenv.hostPlatform.isDarwin) ''
--- a/pkgs/servers/sql/mariadb/galera/default.nix
+++ b/pkgs/servers/sql/mariadb/galera/default.nix
@ -10,13 +10,13 @@ let

 in stdenv.mkDerivation rec {
  pname = "mariadb-galera";
-  version = "26.4.3";
+  version = "26.4.5";

  src = fetchFromGitHub {
    owner = "codership";
    repo = "galera";
    rev = "release_${version}";
-    sha256 = "1r0b4kxgqrivnwm4hprnpscb16v6l6j8cnvk4i8c64fig1ly8g3j";
+    sha256 = "10sir0hxxglw9jsjrclfgrqm8n5zng6rwj2fgff141x9n9l55w7l";
    fetchSubmodules = true;
  };

@ -48,7 +48,6 @@ in stdenv.mkDerivation rec {
    install -m 444 "LICENSE"                          "$out/$GALERA_LICENSE_DIR/GPLv2"
    install -m 444 "asio/LICENSE_1_0.txt"             "$out/$GALERA_LICENSE_DIR/LICENSE.asio"
    install -m 444 "www.evanjones.ca/LICENSE"         "$out/$GALERA_LICENSE_DIR/LICENSE.crc32c"
-    install -m 444 "chromium/LICENSE"                 "$out/$GALERA_LICENSE_DIR/LICENSE.chromium"
  '';

  meta = with stdenv.lib; {