英文:
MySQL - The password hash doesn't have the expected format
问题
我正在使用Percona Toolkit的pt-show-grants命令在另一个环境中复制用户和权限,该命令返回类似以下内容:
[root@mysqlen1 ~]# pt-show-grants --only my_user
-- 由pt-show-grants转储的授权
-- 从服务器Localhost通过UNIX套接字转储,MySQL 8.0.33-commercial,于2023-07-06 13:32:06
-- 'my_user'@'%'的授权
CREATE USER IF NOT EXISTS 'my_user'@'%';
ALTER USER 'my_user'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$E),\ZrJ%8K[y!MrHfAAAN44c/fazzdk49SINtIQYq6zPo67VJ0lBbLX2' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT;
GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROLE, CREATE ROUTINE, CREATE TABLESPACE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, DROP ROLE, EVENT, EXECUTE, FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE ON *.* TO 'my_user'@'%' WITH GRANT OPTION;
GRANT APPLICATION_PASSWORD_ADMIN, AUDIT_ABORT_EXEMPT, AUDIT_ADMIN, AUTHENTICATION_POLICY_ADMIN, BACKUP_ADMIN, BINLOG_ADMIN, BINLOG_ENCRYPTION_ADMIN, CLONE_ADMIN, CONNECTION_ADMIN, ENCRYPTION_KEY_ADMIN, FIREWALL_EXEMPT, FLUSH_OPTIMIZER_COSTS, FLUSH_STATUS, FLUSH_TABLES, FLUSH_USER_RESOURCES, GROUP_REPLICATION_ADMIN, GROUP_REPLICATION_STREAM, INNODB_REDO_LOG_ARCHIVE, INNODB_REDO_LOG_ENABLE, PASSWORDLESS_USER_ADMIN, PERSIST_RO_VARIABLES_ADMIN, REPLICATION_APPLIER, REPLICATION_SLAVE_ADMIN, RESOURCE_GROUP_ADMIN, RESOURCE_GROUP_USER, ROLE_ADMIN, SENSITIVE_VARIABLES_OBSERVER, SERVICE_CONNECTION_ADMIN, SESSION_VARIABLES_ADMIN, SET_USER_ID, SHOW_ROUTINE, SYSTEM_USER, SYSTEM_VARIABLES_ADMIN, TABLE_ENCRYPTION_ADMIN, TELEMETRY_LOG_ADMIN, XA_RECOVER_ADMIN ON *.* TO 'my_user'@'%' WITH GRANT OPTION;
但执行ALTER USER命令返回以下错误:
mysql> ALTER USER 'my_user'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$E),\ZrJ%8K[y!MrHfAAAN44c/fazzdk49SINtIQYq6zPo67VJ0lBbLX2' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT;
ERROR 1827 (HY000): 密码哈希格式不符合预期。
为什么?我相信Percona Toolkit的`pt-show-grants`命令没有问题,因为它基本上执行了`SHOW CREATE USER`命令,结果相同:
```plaintext
mysql> SHOW CREATE USER 'my_user'@'%';
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for my_user@% |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'my_user'@'%' IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$E),\ZrJ%8K[y!MrHfAAAN44c/fazzdk49SINtIQYq6zPo67VJ0lBbLX2' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
为什么会这样?
英文:
I am using percona tollkit pt-show-grants command to replicate a user and privileges in another environment, the command return something like it
[root@mysqlen1 ~]# pt-show-grants --only my_user
-- Grants dumped by pt-show-grants
-- Dumped from server Localhost via UNIX socket, MySQL 8.0.33-commercial at 2023-07-06 13:32:06
-- Grants for 'my_user'@'%'
CREATE USER IF NOT EXISTS `my_user`@`%`;
ALTER USER `my_user`@`%` IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$E)\,\ZrJ%8K[y!MrHfAAAN44c/fazzdk49SINtIQYq6zPo67VJ0lBbLX2' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT;
GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROLE, CREATE ROUTINE, CREATE TABLESPACE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, DROP ROLE, EVENT, EXECUTE, FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE ON *.* TO `my_user`@`%` WITH GRANT OPTION;
GRANT APPLICATION_PASSWORD_ADMIN,AUDIT_ABORT_EXEMPT,AUDIT_ADMIN,AUTHENTICATION_POLICY_ADMIN,BACKUP_ADMIN,BINLOG_ADMIN,BINLOG_ENCRYPTION_ADMIN,CLONE_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,FIREWALL_EXEMPT,FLUSH_OPTIMIZER_COSTS,FLUSH_STATUS,FLUSH_TABLES,FLUSH_USER_RESOURCES,GROUP_REPLICATION_ADMIN,GROUP_REPLICATION_STREAM,INNODB_REDO_LOG_ARCHIVE,INNODB_REDO_LOG_ENABLE,PASSWORDLESS_USER_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_APPLIER,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SENSITIVE_VARIABLES_OBSERVER,SERVICE_CONNECTION_ADMIN,SESSION_VARIABLES_ADMIN,SET_USER_ID,SHOW_ROUTINE,SYSTEM_USER,SYSTEM_VARIABLES_ADMIN,TABLE_ENCRYPTION_ADMIN,TELEMETRY_LOG_ADMIN,XA_RECOVER_ADMIN ON *.* TO `my_user`@`%` WITH GRANT OPTION;
But executing the alter user return the following error:
mysql> ALTER USER `my_user`@`%` IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$E)\,\ZrJ%8K[y!MrHfAAAN44c/fazzdk49SINtIQYq6zPo67VJ0lBbLX2' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT;
ERROR 1827 (HY000): The password hash doesn't have the expected format.
Why? I belive there is nothing wrong with percona tollkit pt-show-grants command, because it basically execute the SHOW CREATE USER command, and it's the same result:
mysql> SHOW CREATE USER 'my_user'@'%';
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for my_user@% |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER `my_user`@`%` IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$E)\,\ZrJ%8K[y!MrHfAAAN44c/fazzdk49SINtIQYq6zPo67VJ0lBbLX2' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
答案1
得分: 1
这可能是哈希中的二进制符号导致的,这些符号在您的终端应用程序中可能无法正确显示/处理。这也可能受到当前连接的字符集的影响。
您尝试过了吗:
SET @@SESSION.print_identified_with_as_hex = 1;
根据MySQL文档:
在SHOW CREATE USER输出的IDENTIFIED WITH子句中显示的密码哈希值可能包含不可打印字符,这可能会对终端显示和其他环境产生不利影响。启用
print_identified_with_as_hex将导致SHOW CREATE USER将这些哈希值显示为十六进制字符串,而不是常规字符串文字。即使启用了这个变量,不包含不可打印字符的哈希值仍然显示为常规字符串文字。
例如(使用Windows命令提示符和我的默认character_set_client cp850),如果我们创建一个用户:
CREATE USER `my_user`@`localhost` IDENTIFIED WITH 'caching_sha2_password' BY 'my strong password';
然后(由于我们只关心密码哈希,所以输出被裁剪了):
SHOW CREATE USER 'my_user'@'localhost';
现在,尝试使用上面的输出创建另一个用户(my_user2):
CREATE USER `my_user2`@`localhost` IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$lL`'?5xT.%↓cJ.Ҳ.PQbn/IHRX12PeN9qrO23RAla71qmV28pEeeztcgJ.Cvgul.';
将会出现错误:
ERROR 1396 (HY000): Operation CREATE USER failed for 'my_user2'@'localhost'
设置 print_identified_with_as_hex = 1:
SET @@SESSION.print_identified_with_as_hex = 1;
现在再次尝试使用SHOW CREATE USER ...的输出创建新用户:
SHOW CREATE USER 'my_user'@'localhost';
然后创建用户my_user2:
CREATE USER `my_user2`@`localhost` IDENTIFIED WITH 'caching_sha2_password' AS 0x244124303035246C4C60273F3578542E2519634A2E142E5051626E2F49485258313250654E3971724F323352416C613731716D563238704565657A7463674A2E437667756C2E;
注意:更改连接的字符集也可以正常工作,无需更改print_identified_with_as_hex:
SET NAMES utf8mb4;
英文:
This may be due to binary symbols in the hash, which may not be displayed/handled correctly in your terminal application. This can also be affected by the character set of your current connection.
Have you tried:
SET @@SESSION.print_identified_with_as_hex = 1;
From the MySQL docs:
> Password hash values displayed in the IDENTIFIED WITH clause of output from SHOW CREATE USER may contain unprintable characters that have adverse effects on terminal displays and in other environments. Enabling print_identified_with_as_hex causes SHOW CREATE USER to display such hash values as hexadecimal strings rather than as regular string literals. Hash values that do not contain unprintable characters still display as regular string literals, even with this variable enabled.
For example (using Windows Command Prompt with my default character_set_client cp850), if we create a user:
mysql> CREATE USER `my_user`@`localhost` IDENTIFIED WITH 'caching_sha2_password' BY 'my strong password';
Query OK, 0 rows affected (0.01 sec)
And then (cropped output as we are only interested in the password hash):
mysql> SHOW CREATE USER 'my_user'@'localhost';
+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for my_user@localhost |
+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER `my_user`@`localhost` IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$lL`\'?5xT.%↓cJ.¶.PQbn/IHRX12PeN9qrO23RAla71qmV28pEeeztcgJ.Cvgul.' |
+--------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
Now, try to create another user (my_user2) from the above output:
mysql> CREATE USER `my_user2`@`localhost` IDENTIFIED WITH 'caching_sha2_password' AS '$A$005$lL`\'?5xT.%↓cJ.¶.PQbn/IHRX12PeN9qrO23RAla71qmV28pEeeztcgJ.Cvgul.';
ERROR 1396 (HY000): Operation CREATE USER failed for 'my_user2'@'localhost'
Set print_identified_with_as_hex = 1:
mysql> SET @@SESSION.print_identified_with_as_hex = 1;
Query OK, 0 rows affected (0.00 sec)
Now try again to create a new user with output from SHOW CREATE USER ...:
mysql> SHOW CREATE USER 'my_user'@'localhost';
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for my_user@localhost |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER `my_user`@`localhost` IDENTIFIED WITH 'caching_sha2_password' AS 0x244124303035246C4C60273F3578542E2519634A2E142E5051626E2F49485258313250654E3971724F323352416C613731716D563238704565657A7463674A2E437667756C2E |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> CREATE USER `my_user2`@`localhost` IDENTIFIED WITH 'caching_sha2_password' AS 0x244124303035246C4C60273F3578542E2519634A2E142E5051626E2F49485258313250654E3971724F323352416C613731716D563238704565657A7463674A2E437667756C2E;
Query OK, 0 rows affected (0.00 sec)
Note: Changing the character set for my connection also worked, without needing to change print_identified_with_as_hex.
mysql> SET NAMES utf8mb4;
Query OK, 0 rows affected (0.00 sec)
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论