MDEV-10112: mysql_secure_installation: use DDL instead of DML for Galera compatibility

kjarir · kjarir · commit 03ab3578e4b8 · 2026-03-10T19:39:23.000+05:30
The script previously used direct DML statements (UPDATE, DELETE, INSERT) on
MyISAM system tables (mysql.global_priv, mysql.db) which are not replicated by
Galera clusters. Running the script on one node would leave other cluster nodes
unsecured.

Replace all such DML with Galera-safe DDL equivalents:

1. set_root_password:
   Before: UPDATE mysql.global_priv SET priv=json_set(...) WHERE User='root'
   After:  ALTER USER ... IDENTIFIED BY '...'
   Uses PREPARE/EXECUTE to handle all root accounts across all hosts.

2. enable unix_socket authentication:
   Before: UPDATE mysql.global_priv SET priv=json_set(...) WHERE User='root'
   After:  INSTALL SONAME 'auth_socket' (ensure plugin is loaded)
           ALTER USER ... IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket
   Uses PREPARE/EXECUTE to handle all root accounts across all hosts.

3. remove_anonymous_users:
   Before: DELETE FROM mysql.global_priv WHERE User=''
   After:  DROP USER IF EXISTS ''@'host1', ''@'host2', ...
   Uses SELECT/GROUP_CONCAT to build the list of anonymous accounts dynamically.
   DROP USER automatically removes all privilege table entries for the dropped
   users, including mysql.db rows.

4. remove_remote_root:
   Before: DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN (...)
   After:  DROP USER IF EXISTS 'root'@'remotehost', ...
   Uses SELECT/GROUP_CONCAT to build the list of remote root accounts.

5. remove_test_database privileges:
   Before: DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
   After:  REVOKE ALL PRIVILEGES ON test.* FROM non-anonymous users in mysql.db,
           followed by FLUSH PRIVILEGES to purge stale cache entries.
   Anonymous user entries are already cleaned up in step 3, since DROP USER
   automatically removes all mysql.db rows for the dropped user.

All five changes use PREPARE/EXECUTE with GROUP_CONCAT-generated DDL to handle
cases where multiple rows need to be acted on in a single statement.
diff --git a/scripts/mysql_secure_installation.sh b/scripts/mysql_secure_installation.sh
@@ -316,7 +316,7 @@ set_root_password() {
     fi
 
     esc_pass=`basic_single_escape "$password1"`
-    do_query "UPDATE mysql.global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD('$esc_pass')) WHERE User='root';"
+    do_query "SET @str = IFNULL((SELECT GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\'')) FROM mysql.global_priv WHERE User='root'), 'root@localhost'); SET @str = CONCAT('ALTER USER ', @str, ' IDENTIFIED BY \'$esc_pass\''); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
     if [ $? -eq 0 ]; then
 	echo "Password updated successfully!"
 	echo "Reloading privilege tables.."
@@ -336,7 +336,7 @@ set_root_password() {
 }
 
 remove_anonymous_users() {
-    do_query "DELETE FROM mysql.global_priv WHERE User='';"
+    do_query "SET @str = (SELECT IFNULL(CONCAT('DROP USER IF EXISTS ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), '') FROM mysql.global_priv WHERE User=''); SET @str = IF(@str = '', 'DO 1', @str); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
     if [ $? -eq 0 ]; then
 	echo " ... Success!"
     else
@@ -348,7 +348,7 @@ remove_anonymous_users() {
 }
 
 remove_remote_root() {
-    do_query "DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
+    do_query "SET @str = (SELECT IFNULL(CONCAT('DROP USER IF EXISTS ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), '') FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')); SET @str = IF(@str = '', 'DO 1', @str); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
     if [ $? -eq 0 ]; then
 	echo " ... Success!"
     else
@@ -366,12 +366,17 @@ remove_test_database() {
     fi
 
     echo " - Removing privileges on test database..."
-    do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
+    # REVOKE explicit grants on 'test' from any remaining named users.
+    # Anonymous users (User='') are already removed by remove_anonymous_users()
+    # via DROP USER, which also removes their mysql.db rows automatically.
+    # FLUSH PRIVILEGES below clears any remaining stale cache entries.
+    do_query "SET @str = (SELECT IFNULL(CONCAT('REVOKE ALL PRIVILEGES ON \`test\`.* FROM ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), 'DO 1') FROM mysql.db WHERE Db='test' AND User <> ''); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
     if [ $? -eq 0 ]; then
 	echo " ... Success!"
     else
 	echo " ... Failed!  Not critical, keep moving..."
     fi
+    do_query "FLUSH PRIVILEGES;"
 
     return 0
 }
@@ -448,7 +453,8 @@ if [ "$reply" = "n" ]; then
   echo " ... skipping."
 else
   emptypass=0
-  do_query "UPDATE mysql.global_priv SET priv=json_set(priv, '$.password_last_changed', UNIX_TIMESTAMP(), '$.plugin', 'mysql_native_password', '$.authentication_string', 'invalid', '$.auth_or', json_array(json_object(), json_object('plugin', 'unix_socket'))) WHERE User='root';"
+  do_query "INSTALL SONAME 'auth_socket';"
+  do_query "SET @str = IFNULL((SELECT GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\'')) FROM mysql.global_priv WHERE User='root'), 'root@localhost'); SET @str = CONCAT('ALTER USER ', @str, ' IDENTIFIED VIA mysql_native_password USING \'invalid\' OR unix_socket'); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
   if [ $? -eq 0 ]; then
    echo "Enabled successfully!"
    echo "Reloading privilege tables.."
