Documentation Home
Security in MySQL
Related Documentation Download this Excerpt
PDF (US Ltr) - 2.5Mb
PDF (A4) - 2.5Mb


Security in MySQL  /  ...  /  Transitioning to the Password Validation Component

6.3.3 Transitioning to the Password Validation Component

Note

In MySQL 8.0, the validate_password plugin was reimplemented as the validate_password component. The validate_password plugin is deprecated; expect it to be removed in a future version of MySQL.

MySQL installations that currently use the validate_password plugin should make the transition to using the validate_password component instead. To do so, use the following procedure. The procedure installs the component before uninstalling the plugin, to avoid having a time window during which no password validation occurs. (The component and plugin can be installed simultaneously. In this case, the server attempts to use the component, falling back to the plugin if the component is unavailable.)

  1. Install the validate_password component:

    INSTALL COMPONENT 'file://component_validate_password';
  2. Test the validate_password component to ensure that it works as expected. If you need to set any validate_password.xxx system variables, you can do so at runtime using SET GLOBAL. (Any option file changes that must be made are performed in the next step.)

  3. Adjust any references to the plugin system and status variables to refer to the corresponding component system and status variables. Suppose that previously you had configured the plugin at startup using an option file like this:

    [mysqld]
    validate-password=FORCE_PLUS_PERMANENT
    validate_password_dictionary_file=/usr/share/dict/words
    validate_password_length=10
    validate_password_number_count=2

    Those settings are appropriate for the plugin, but must be modified to apply to the component. To adjust the option file, omit the --validate-password option (it applies only to the plugin, not the component), and modify the system variable references from no-dot names appropriate for the plugin to dotted names appropriate for the component:

    [mysqld]
    validate_password.dictionary_file=/usr/share/dict/words
    validate_password.length=10
    validate_password.number_count=2

    Similar adjustments are needed for applications that refer at runtime to validate_password plugin system and status variables. Change the no-dot plugin variable names to the corresponding dotted component variable names.

  4. Uninstall the validate_password plugin:

    UNINSTALL PLUGIN validate_password;

    If the validate_password plugin is loaded at server startup using a --plugin-load or --plugin-load-add option, omit that option from the server startup procedure. For example, if the option is listed in a server option file, remove it from the file.

  5. Restart the server.