MDEV-10112: mysql_secure_installation: use DDL instead of DML for Galera compatibility

The script previously used direct DML statements (UPDATE, DELETE, INSERT) on
MyISAM system tables (mysql.global_priv, mysql.db) which are not replicated by
Galera clusters. Running the script on one node would leave other cluster nodes
unsecured.

Replace all such DML with Galera-safe DDL equivalents:

1. set_root_password:
   Before: UPDATE mysql.global_priv SET priv=json_set(...) WHERE User='root'
   After:  ALTER USER ... IDENTIFIED BY '...'
   Uses PREPARE/EXECUTE to handle all root accounts across all hosts.

2. enable unix_socket authentication:
   Before: UPDATE mysql.global_priv SET priv=json_set(...) WHERE User='root'
   After:  INSTALL SONAME 'auth_socket' (ensure plugin is loaded)
           ALTER USER ... IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket
   Uses PREPARE/EXECUTE to handle all root accounts across all hosts.

3. remove_anonymous_users:
   Before: DELETE FROM mysql.global_priv WHERE User=''
   After:  DROP USER IF EXISTS ''@'host1', ''@'host2', ...
   Uses SELECT/GROUP_CONCAT to build the list of anonymous accounts dynamically.
   DROP USER automatically removes all privilege table entries for the dropped
   users, including mysql.db rows.

4. remove_remote_root:
   Before: DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN (...)
   After:  DROP USER IF EXISTS 'root'@'remotehost', ...
   Uses SELECT/GROUP_CONCAT to build the list of remote root accounts.

5. remove_test_database privileges:
   Before: DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
   After:  REVOKE ALL PRIVILEGES ON test.* FROM non-anonymous users in mysql.db,
           followed by FLUSH PRIVILEGES to purge stale cache entries.
   Anonymous user entries are already cleaned up in step 3, since DROP USER
   automatically removes all mysql.db rows for the dropped user.

All five changes use PREPARE/EXECUTE with GROUP_CONCAT-generated DDL to handle
cases where multiple rows need to be acted on in a single statement.

Also added:
- MTR test case 'main.mysql_secure_installation' to verify the script works
  as expected and that the new DDL statements are correctly generated and
  executed.
- Support in 'mariadb-test-run.pl' to locate the 'mysql_secure_installation'
  script during tests.

Author: kjarir

mysql-test/main/mysql_secure_installation.result

@@ -0,0 +1,96 @@
+SELECT user, host FROM mysql.global_priv
+WHERE user NOT IN ('mariadb.sys')
+ORDER BY user, host;
+user	host
+root	127.0.0.1
+root	::1
+root	HOSTNAME
+root	localhost
+SHOW DATABASES;
+Database
+information_schema
+mtr
+mysql
+performance_schema
+sys
+test
+BINDIR/scripts/mysql_secure_installation: Deprecated program name. It will be removed in a future release, use 'mariadb-secure-installation' instead
+print: BINDIR/extra/my_print_defaults
+
+NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
+      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
+
+In order to log into MariaDB to secure it, we'll need the current
+password for the root user. If you've just installed MariaDB, and
+haven't set the root password yet, you should just press enter here.
+
+stty: stdin isn't a terminal
+Enter current password for root (enter for none): 
+stty: stdin isn't a terminal
+OK, successfully used password, moving on...
+
+Setting the root password or using the unix_socket ensures that nobody
+can log into the MariaDB root user without the proper authorisation.
+
+Enable unix_socket authentication? [Y/n]  ... skipping.
+
+Set root password? [Y/n]  ... skipping.
+
+By default, a MariaDB installation has an anonymous user, allowing anyone
+to log into MariaDB without having to have a user account created for
+them.  This is intended only for testing, and to make the installation
+go a bit smoother.  You should remove them before moving into a
+production environment.
+
+Remove anonymous users? [Y/n]  ... Success!
+
+Normally, root should only be allowed to connect from 'localhost'.  This
+ensures that someone cannot guess at the root password from the network.
+
+Disallow root login remotely? [Y/n]  ... Success!
+
+By default, MariaDB comes with a database named 'test' that anyone can
+access.  This is also intended only for testing, and should be removed
+before moving into a production environment.
+
+Remove test database and access to it? [Y/n]  - Dropping test database...
+ ... Success!
+ - Removing privileges on test database...
+ ... Success!
+
+Reloading the privilege tables will ensure that all changes made so far
+will take effect immediately.
+
+Reload privilege tables now? [Y/n]  ... Success!
+
+Cleaning up...
+
+All done!  If you've completed all of the above steps, your MariaDB
+installation should now be secure.
+
+Thanks for using MariaDB!
+# Verify: anonymous users removed
+SELECT user, host FROM mysql.global_priv WHERE user = '' ORDER BY host;
+user	host
+# Verify: only local root accounts remain
+SELECT user, host FROM mysql.global_priv
+WHERE user = 'root' ORDER BY host;
+user	host
+root	127.0.0.1
+root	::1
+root	localhost
+# Verify: test database removed
+SHOW DATABASES;
+Database
+information_schema
+mtr
+mysql
+performance_schema
+sys
+# Verify: no test DB privileges remain in mysql.db
+SELECT user, host, db FROM mysql.db
+WHERE db = 'test' OR db LIKE 'test\\_%'
+  ORDER BY user, host, db;
+user	host	db
+# Kill the server
+# restart

mysql-test/main/mysql_secure_installation.test

@@ -0,0 +1,97 @@
+# MDEV-10112: mysql_secure_installation should use DDL (GRANT, REVOKE, etc)
+#             instead of DML for Galera compatibility
+#
+# This test verifies that mysql_secure_installation works correctly
+# after being converted from DML (UPDATE/DELETE on system tables) to
+# DDL (ALTER USER, DROP USER, REVOKE, etc).
+
+--source include/not_windows.inc
+--source include/not_embedded.inc
+
+# Capture hostname for use in --replace_result (it varies per machine)
+--let $hostname= `SELECT LOWER(@@hostname)`
+
+#
+# Record initial state: verify root accounts and databases exist before
+# running the script.
+#
+--replace_result $hostname HOSTNAME
+SELECT user, host FROM mysql.global_priv
+  WHERE user NOT IN ('mariadb.sys')
+  ORDER BY user, host;
+SHOW DATABASES;
+
+#
+# Scripted answers for mysql_secure_installation (current 11.4 prompt order):
+#
+#   1. Enter current password for root (enter for none):  -> (empty, just press enter)
+#   2. Enable unix_socket authentication? [Y/n]           -> n  (skip to simplify test)
+#   3. Set root password? [Y/n]                           -> n  (skip: changing root
+#                                                            password would lock us out)
+#   4. Remove anonymous users? [Y/n]                      -> Y
+#   5. Disallow root login remotely? [Y/n]                -> Y
+#   6. Remove test database and access to it? [Y/n]       -> Y
+#   7. Reload privilege tables now? [Y/n]                 -> Y
+#
+--write_file $MYSQLTEST_VARDIR/tmp/mysql_secure_installation_input.txt
+
+n
+n
+Y
+Y
+Y
+Y
+EOF
+
+# --basedir is needed so the script can find my_print_defaults and mariadb
+# from the build tree (extra/ and client/ directories).
+--replace_result $MYSQL_BINDIR BINDIR
+--exec $MYSQL_SECURE_INSTALLATION --basedir=$MYSQL_BINDIR -S $MASTER_MYSOCK < $MYSQLTEST_VARDIR/tmp/mysql_secure_installation_input.txt 2>&1
+
+--remove_file $MYSQLTEST_VARDIR/tmp/mysql_secure_installation_input.txt
+
+#
+# Verify the results of the DDL-based secure installation:
+#
+# 1. Anonymous users should be removed (DROP USER used instead of DELETE)
+# 2. test database should be dropped
+# 3. Remote root accounts should be removed (DROP USER used instead of DELETE)
+# 4. No test DB privileges remain (REVOKE used instead of DELETE FROM mysql.db)
+#
+
+--echo # Verify: anonymous users removed
+SELECT user, host FROM mysql.global_priv WHERE user = '' ORDER BY host;
+
+--echo # Verify: only local root accounts remain
+SELECT user, host FROM mysql.global_priv
+  WHERE user = 'root' ORDER BY host;
+
+--echo # Verify: test database removed
+SHOW DATABASES;
+
+--echo # Verify: no test DB privileges remain in mysql.db
+SELECT user, host, db FROM mysql.db
+  WHERE db = 'test' OR db LIKE 'test\\_%'
+  ORDER BY user, host, db;
+
+#
+# Clean up: restore the original datadir so subsequent tests are unaffected.
+# This approach (kill server, replace datadir, restart) is adapted from
+# commit 8977ad6 -- the previous attempt at this MDEV.
+#
+--let MYSQLD_DATADIR= `select @@datadir`
+--source include/kill_mysqld.inc
+--rmdir $MYSQLD_DATADIR
+
+perl;
+use lib "lib";
+use My::Handles { suppress_init_messages => 1 };
+use My::File::Path;
+my $install_db_dir = ($ENV{MTR_PARALLEL} == 1) ?
+  "$ENV{'MYSQLTEST_VARDIR'}/install.db" :
+  "$ENV{'MYSQLTEST_VARDIR'}/../install.db";
+copytree($install_db_dir, $ENV{'MYSQLD_DATADIR'});
+EOF
+
+--let $restart_parameters= $old_restart_parameters
+--source include/start_mysqld.inc

mysql-test/mariadb-test-run.pl

@@ -2312,6 +2312,17 @@ sub environment_setup {
     $ENV{'MYSQLHOTCOPY'}= $mysqlhotcopy;
   }
 
+  # ----------------------------------------------------
+  # mysql_secure_installation
+  # ----------------------------------------------------
+  my $mysql_secure_installation=
+    mtr_pl_maybe_exists("$bindir/scripts/mysql_secure_installation") ||
+    mtr_pl_maybe_exists("$path_client_bindir/mysql_secure_installation");
+  if ($mysql_secure_installation)
+  {
+    $ENV{'MYSQL_SECURE_INSTALLATION'}= $mysql_secure_installation;
+  }
+
   # ----------------------------------------------------
   # perror
   # ----------------------------------------------------

scripts/mysql_secure_installation.sh

@@ -167,10 +167,10 @@ then
     cannot_find_file my_print_defaults $basedir/bin $basedir/extra
     exit 1
   fi
-  mysql_command=`find_in_basedir mariadb bin`
+  mysql_command=`find_in_basedir mariadb bin client`
   if test -z "$mysql_command"
   then
-      cannot_find_file mariadb $basedir/bin
+      cannot_find_file mariadb $basedir/bin $basedir/client
       exit 1
   fi
 else
@@ -316,7 +316,7 @@ set_root_password() {
     fi
 
     esc_pass=`basic_single_escape "$password1"`
-    do_query "UPDATE mysql.global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD('$esc_pass')) WHERE User='root';"
+    do_query "SET @str = IFNULL((SELECT GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\'')) FROM mysql.global_priv WHERE User='root'), 'root@localhost'); SET @str = CONCAT('ALTER USER ', @str, ' IDENTIFIED BY \'$esc_pass\''); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
     if [ $? -eq 0 ]; then
 	echo "Password updated successfully!"
 	echo "Reloading privilege tables.."
@@ -336,7 +336,7 @@ set_root_password() {
 }
 
 remove_anonymous_users() {
-    do_query "DELETE FROM mysql.global_priv WHERE User='';"
+    do_query "SET @str = (SELECT IFNULL(CONCAT('DROP USER IF EXISTS ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), '') FROM mysql.global_priv WHERE User=''); SET @str = IF(@str = '', 'DO 1', @str); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
     if [ $? -eq 0 ]; then
 	echo " ... Success!"
     else
@@ -348,7 +348,7 @@ remove_anonymous_users() {
 }
 
 remove_remote_root() {
-    do_query "DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
+    do_query "SET @str = (SELECT IFNULL(CONCAT('DROP USER IF EXISTS ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), '') FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')); SET @str = IF(@str = '', 'DO 1', @str); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
     if [ $? -eq 0 ]; then
 	echo " ... Success!"
     else
@@ -366,12 +366,17 @@ remove_test_database() {
     fi
 
     echo " - Removing privileges on test database..."
-    do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
+    # REVOKE explicit grants on 'test' from any remaining named users.
+    # Anonymous users (User='') are already removed by remove_anonymous_users()
+    # via DROP USER, which also removes their mysql.db rows automatically.
+    # FLUSH PRIVILEGES below clears any remaining stale cache entries.
+    do_query "SET @str = (SELECT IFNULL(CONCAT('REVOKE ALL PRIVILEGES ON \`test\`.* FROM ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), 'DO 1') FROM mysql.db WHERE Db='test' AND User <> ''); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
     if [ $? -eq 0 ]; then
 	echo " ... Success!"
     else
 	echo " ... Failed!  Not critical, keep moving..."
     fi
+    do_query "FLUSH PRIVILEGES;"
 
     return 0
 }
@@ -448,7 +453,8 @@ if [ "$reply" = "n" ]; then
   echo " ... skipping."
 else
   emptypass=0
-  do_query "UPDATE mysql.global_priv SET priv=json_set(priv, '$.password_last_changed', UNIX_TIMESTAMP(), '$.plugin', 'mysql_native_password', '$.authentication_string', 'invalid', '$.auth_or', json_array(json_object(), json_object('plugin', 'unix_socket'))) WHERE User='root';"
+  do_query "INSTALL SONAME 'auth_socket';"
+  do_query "SET @str = IFNULL((SELECT GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\'')) FROM mysql.global_priv WHERE User='root'), 'root@localhost'); SET @str = CONCAT('ALTER USER ', @str, ' IDENTIFIED VIA mysql_native_password USING \'invalid\' OR unix_socket'); PREPARE stmt FROM @str; EXECUTE stmt; DEALLOCATE PREPARE stmt;"
   if [ $? -eq 0 ]; then
    echo "Enabled successfully!"
    echo "Reloading privilege tables.."