MDEV-10112: mysql_secure_installation: use DDL instead of DML for Galera compatibility

The script previously used direct DML statements (UPDATE, DELETE, INSERT) on
MyISAM system tables (mysql.global_priv, mysql.db) which are not replicated by
Galera clusters. Running the script on one node would leave other cluster nodes
unsecured.

Replace all such DML with Galera-safe DDL equivalents:

1. set_root_password:
   Before: UPDATE mysql.global_priv SET priv=json_set(...) WHERE User='root'
   After:  ALTER USER ... IDENTIFIED BY '...'
   Uses PREPARE/EXECUTE to handle all root accounts across all hosts.

2. enable unix_socket authentication:
   Before: UPDATE mysql.global_priv SET priv=json_set(...) WHERE User='root'
   After:  INSTALL SONAME 'auth_socket' (ensure plugin is loaded)
           ALTER USER ... IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket
   Uses PREPARE/EXECUTE to handle all root accounts across all hosts.

3. remove_anonymous_users:
   Before: DELETE FROM mysql.global_priv WHERE User=''
   After:  DROP USER IF EXISTS ''@'host1', ''@'host2', ...
   Uses SELECT/GROUP_CONCAT to build the list of anonymous accounts dynamically.
   DROP USER automatically removes all privilege table entries for the dropped
   users, including mysql.db rows.

4. remove_remote_root:
   Before: DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN (...)
   After:  DROP USER IF EXISTS 'root'@'remotehost', ...
   Uses SELECT/GROUP_CONCAT to build the list of remote root accounts.

5. remove_test_database privileges:
   Before: DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
   After:  REVOKE ALL PRIVILEGES ON test.* FROM non-anonymous users in mysql.db,
           followed by FLUSH PRIVILEGES to purge stale cache entries.
   Anonymous user entries are already cleaned up in step 3, since DROP USER
   automatically removes all mysql.db rows for the dropped user.

All five changes use PREPARE/EXECUTE with GROUP_CONCAT-generated DDL to handle
cases where multiple rows need to be acted on in a single statement.

Also added:
- MTR test case 'main.mysql_secure_installation' to verify the script works
  as expected and that the new DDL statements are correctly generated and
  executed.
- Support in 'mariadb-test-run.pl' to locate the 'mysql_secure_installation'
  script during tests.

Author: kjarir

mysql-test/main/mysql_secure_installation.result

@@ -0,0 +1,20 @@
+# restart: --datadir=MYSQLTEST_VARDIR/tmp/msi_datadir
+# Verify: anonymous users removed
+SELECT user, host FROM mysql.global_priv WHERE user = '' ORDER BY host;
+user	host
+# Verify: only local root accounts remain
+SELECT user, host FROM mysql.global_priv
+WHERE user = 'root' ORDER BY host;
+user	host
+root	127.0.0.1
+root	::1
+root	localhost
+# Verify: test database removed
+SHOW DATABASES LIKE 'test';
+Database (test)
+# Verify: no test DB privileges remain in mysql.db
+SELECT user, host, db FROM mysql.db
+WHERE db = 'test' OR db LIKE 'test\\_%'
+  ORDER BY user, host, db;
+user	host	db
+# restart

mysql-test/main/mysql_secure_installation.test

@@ -0,0 +1,66 @@
+# MDEV-10112: mysql_secure_installation should use DDL (GRANT, REVOKE, etc)
+#             instead of DML for Galera compatibility
+#
+# This test verifies that mysql_secure_installation works correctly
+# after being converted from DML (UPDATE/DELETE on system tables) to
+# DDL (ALTER USER, DROP USER, REVOKE, etc).
+
+--source include/not_windows.inc
+--source include/not_embedded.inc
+
+# To avoid affecting other tests, we run this test on a temporary datadir
+# using MTR's official restart mechanism.
+--let $MSI_DATADIR= $MYSQLTEST_VARDIR/tmp/msi_datadir
+--mkdir $MSI_DATADIR
+--exec cp -R $MYSQLTEST_VARDIR/install.db/. $MSI_DATADIR/
+--exec chmod -R 700 $MSI_DATADIR
+
+--let $old_restart_parameters= $restart_parameters
+--let $restart_parameters= --datadir=$MSI_DATADIR
+--source include/restart_mysqld.inc
+
+#
+# Scripted answers for mariadb-secure-installation
+#
+--write_file $MYSQLTEST_VARDIR/tmp/msi_input.txt
+
+n
+n
+Y
+Y
+Y
+Y
+EOF
+
+# --basedir is needed so the script can find my_print_defaults and mariadb
+# from the build tree (extra/ and client/ directories).
+# Output redirected to log file to keep result file clean.
+--exec $MYSQL_SECURE_INSTALLATION --basedir=$MYSQL_BINDIR -S $MASTER_MYSOCK < $MYSQLTEST_VARDIR/tmp/msi_input.txt > $MYSQLTEST_VARDIR/tmp/msi.log 2>&1
+
+--remove_file $MYSQLTEST_VARDIR/tmp/msi_input.txt
+--remove_file $MYSQLTEST_VARDIR/tmp/msi.log
+
+#
+# Verify the results
+#
+--echo # Verify: anonymous users removed
+SELECT user, host FROM mysql.global_priv WHERE user = '' ORDER BY host;
+
+--echo # Verify: only local root accounts remain
+SELECT user, host FROM mysql.global_priv
+  WHERE user = 'root' ORDER BY host;
+
+--echo # Verify: test database removed
+SHOW DATABASES LIKE 'test';
+
+--echo # Verify: no test DB privileges remain in mysql.db
+SELECT user, host, db FROM mysql.db
+  WHERE db = 'test' OR db LIKE 'test\\_%'
+  ORDER BY user, host, db;
+
+#
+# Clean up: restore the original server state
+#
+--let $restart_parameters= $old_restart_parameters
+--source include/restart_mysqld.inc
+--rmdir $MSI_DATADIR

mysql-test/mariadb-test-run.pl

@@ -2233,12 +2233,13 @@ sub environment_setup {
   $ENV{'MYSQL_PLUGIN'}=             $exe_mysql_plugin;
   $ENV{'MYSQL_EMBEDDED'}=           $exe_mysql_embedded;
   $ENV{'MARIADB_CONV'}=             "$exe_mariadb_conv --character-sets-dir=$path_charsetsdir";
+  $ENV{'MYSQL_INSTALL_DB_EXE'}=  mtr_exe_maybe_exists("$bindir/sql/mariadb-install-db",
+                                                   "$bindir/bin/mariadb-install-db",
+                                                   "$bindir/scripts/mariadb-install-db");
   if(IS_WINDOWS)
   {
-     $ENV{'MYSQL_INSTALL_DB_EXE'}=  mtr_exe_exists("$bindir/sql$multiconfig/mariadb-install-db",
-       "$bindir/bin/mariadb-install-db");
      $ENV{'MARIADB_UPGRADE_SERVICE_EXE'}= mtr_exe_exists("$bindir/sql$multiconfig/mariadb-upgrade-service",
-      "$bindir/bin/mariadb-upgrade-service");
+       "$bindir/bin/mariadb-upgrade-service");
      $ENV{'MARIADB_UPGRADE_EXE'}= mtr_exe_exists("$path_client_bindir/mariadb-upgrade");
   }
 
@@ -2312,6 +2313,19 @@ sub environment_setup {
     $ENV{'MYSQLHOTCOPY'}= $mysqlhotcopy;
   }
 
+  # ----------------------------------------------------
+  # mysql_secure_installation
+  # ----------------------------------------------------
+  my $mysql_secure_installation=
+    mtr_pl_maybe_exists("$bindir/scripts/mariadb-secure-installation") ||
+    mtr_pl_maybe_exists("$bindir/scripts/mysql_secure_installation") ||
+    mtr_pl_maybe_exists("$path_client_bindir/mariadb-secure-installation") ||
+    mtr_pl_maybe_exists("$path_client_bindir/mysql_secure_installation");
+  if ($mysql_secure_installation)
+  {
+    $ENV{'MYSQL_SECURE_INSTALLATION'}= $mysql_secure_installation;
+  }
+
   # ----------------------------------------------------
   # perror
   # ----------------------------------------------------

scripts/mysql_secure_installation.sh

@@ -167,10 +167,10 @@ then
     cannot_find_file my_print_defaults $basedir/bin $basedir/extra
     exit 1
   fi
-  mysql_command=`find_in_basedir mariadb bin`
+  mysql_command=`find_in_basedir mariadb bin client`
   if test -z "$mysql_command"
   then
-      cannot_find_file mariadb $basedir/bin
+      cannot_find_file mariadb $basedir/bin $basedir/client
       exit 1
   fi
 else
@@ -316,7 +316,13 @@ set_root_password() {
     fi
 
     esc_pass=`basic_single_escape "$password1"`
-    do_query "UPDATE mysql.global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD('$esc_pass')) WHERE User='root';"
+    query="
+SET @str = IFNULL((SELECT GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\'')) FROM mysql.global_priv WHERE User='root'), 'root@localhost');
+SET @str = CONCAT('ALTER USER ', @str, ' IDENTIFIED BY \'$esc_pass\'');
+PREPARE stmt FROM @str;
+EXECUTE stmt;
+DEALLOCATE PREPARE stmt;"
+    do_query "$query"
     if [ $? -eq 0 ]; then
 	echo "Password updated successfully!"
 	echo "Reloading privilege tables.."
@@ -336,7 +342,13 @@ set_root_password() {
 }
 
 remove_anonymous_users() {
-    do_query "DELETE FROM mysql.global_priv WHERE User='';"
+    query="
+SET @str = (SELECT IFNULL(CONCAT('DROP USER IF EXISTS ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), '') FROM mysql.global_priv WHERE User='');
+SET @str = IF(@str = '', 'DO 1', @str);
+PREPARE stmt FROM @str;
+EXECUTE stmt;
+DEALLOCATE PREPARE stmt;"
+    do_query "$query"
     if [ $? -eq 0 ]; then
 	echo " ... Success!"
     else
@@ -348,7 +360,13 @@ remove_anonymous_users() {
 }
 
 remove_remote_root() {
-    do_query "DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
+    query="
+SET @str = (SELECT IFNULL(CONCAT('DROP USER IF EXISTS ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), '') FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));
+SET @str = IF(@str = '', 'DO 1', @str);
+PREPARE stmt FROM @str;
+EXECUTE stmt;
+DEALLOCATE PREPARE stmt;"
+    do_query "$query"
     if [ $? -eq 0 ]; then
 	echo " ... Success!"
     else
@@ -366,12 +384,16 @@ remove_test_database() {
     fi
 
     echo " - Removing privileges on test database..."
-    do_query "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
-    if [ $? -eq 0 ]; then
-	echo " ... Success!"
-    else
-	echo " ... Failed!  Not critical, keep moving..."
-    fi
+    # REVOKE explicit grants on 'test' from any remaining named users.
+    # Anonymous users (User='') are already removed by remove_anonymous_users()
+    # via DROP USER, which also removes their mysql.db rows automatically.
+    # FLUSH PRIVILEGES below clears any remaining stale cache entries.
+    query="
+SET @str = (SELECT IFNULL(CONCAT('REVOKE ALL PRIVILEGES ON \`test\`.* FROM ', GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\''))), 'DO 1') FROM mysql.db WHERE Db='test' AND User <> '');
+PREPARE stmt FROM @str;
+EXECUTE stmt;
+DEALLOCATE PREPARE stmt;"
+    do_query "$query"
 
     return 0
 }
@@ -448,7 +470,13 @@ if [ "$reply" = "n" ]; then
   echo " ... skipping."
 else
   emptypass=0
-  do_query "UPDATE mysql.global_priv SET priv=json_set(priv, '$.password_last_changed', UNIX_TIMESTAMP(), '$.plugin', 'mysql_native_password', '$.authentication_string', 'invalid', '$.auth_or', json_array(json_object(), json_object('plugin', 'unix_socket'))) WHERE User='root';"
+  query="
+SET @str = IFNULL((SELECT GROUP_CONCAT(CONCAT('\'', User, '\'@\'', Host, '\'')) FROM mysql.global_priv WHERE User='root'), 'root@localhost');
+SET @str = CONCAT('ALTER USER ', @str, ' IDENTIFIED VIA mysql_native_password USING \'invalid\' OR unix_socket');
+PREPARE stmt FROM @str;
+EXECUTE stmt;
+DEALLOCATE PREPARE stmt;"
+  do_query "$query"
   if [ $? -eq 0 ]; then
    echo "Enabled successfully!"
    echo "Reloading privilege tables.."