This section describes how to write a server-side password-validation plugin. The instructions are based on the source code in theplugin/password_validation directory of MySQL source distributions. Thevalidate_password.cc source file in that directory implements the plugin namedvalidate_password.
To write a password-validation plugin, include the following header file in the plugin source file. Other MySQL or general header files might also be needed, depending on the plugin capabilities and requirements.
#include <mysql/plugin_validate_password.h>plugin_validate_password.h includesplugin.h, so you need not include the latter file explicitly.plugin.h defines theMYSQL_VALIDATE_PASSWORD_PLUGIN server plugin type and the data structures needed to declare the plugin.plugin_validate_password.h defines data structures specific to password-validation plugins.
A password-validation plugin, like any MySQL server plugin, has a general plugin descriptor (seeSection 4.4.2.1, “Server Plugin Library and Plugin Descriptors”). Invalidate_password.cc, the general descriptor forvalidate_password looks like this:
mysql_declare_plugin(validate_password){ MYSQL_VALIDATE_PASSWORD_PLUGIN, /* type */ &validate_password_descriptor, /* descriptor */ "validate_password", /* name */ "Oracle Corporation", /* author */ "check password strength", /* description */ PLUGIN_LICENSE_GPL, validate_password_init, /* init function (when loaded) */ validate_password_deinit, /* deinit function (when unloaded) */ 0x0100, /* version */ NULL, validate_password_system_variables, /* system variables */ NULL, 0,}mysql_declare_plugin_end; Thename member (validate_password) indicates the name to use for references to the plugin in statements such asINSTALL PLUGIN orUNINSTALL PLUGIN. This is also the name displayed byINFORMATION_SCHEMA.PLUGINS orSHOW PLUGINS.
The general descriptor also refers tovalidate_password_system_variables, a structure that exposes several system variables to theSHOW VARIABLES statement:
static struct st_mysql_sys_var* validate_password_system_variables[]= { MYSQL_SYSVAR(length), MYSQL_SYSVAR(number_count), MYSQL_SYSVAR(mixed_case_count), MYSQL_SYSVAR(special_char_count), MYSQL_SYSVAR(policy), MYSQL_SYSVAR(dictionary_file), NULL}; Thevalidate_password_init initialization function reads the dictionary file if one was specified, and thevalidate_password_deinit function frees data structures associated with the file.
Thevalidate_password_descriptor value in the general descriptor points to the type-specific descriptor. For password-validation plugins, this descriptor has the following structure:
struct st_mysql_validate_password{ int interface_version; /* This function returns TRUE for passwords which satisfy the password policy (as chosen by plugin variable) and FALSE for all other password */ int (*validate_password)(mysql_string_handle password); /* This function returns the password strength (0-100) depending upon the policies */ int (*get_password_strength)(mysql_string_handle password);};The type-specific descriptor has these members:
interface_version: By convention, type-specific plugin descriptors begin with the interface version for the given plugin type. The server checksinterface_versionwhen it loads the plugin to see whether the plugin is compatible with it. For password-validation plugins, the value of theinterface_versionmember isMYSQL_VALIDATE_PASSWORD_INTERFACE_VERSION(defined inplugin_validate_password.h).validate_password: A function that the server calls to test whether a password satisfies the current password policy. It returns 1 if the password is okay and 0 otherwise. The argument is the password, passed as amysql_string_handlevalue. This data type is implemented by themysql_stringserver service. For details, see thestring_service.handstring_service.ccsource files in thesqldirectory.get_password_strength: A function that the server calls to assess the strength of a password. It returns a value from 0 (weak) to 100 (strong). The argument is the password, passed as amysql_string_handlevalue.
For thevalidate_password plugin, the type-specific descriptor looks like this:
static struct st_mysql_validate_password validate_password_descriptor={ MYSQL_VALIDATE_PASSWORD_INTERFACE_VERSION, validate_password, /* validate function */ get_password_strength /* validate strength function */}; To compile and install a plugin library file, use the instructions inSection 4.4.3, “Compiling and Installing Plugin Libraries”. To make the library file available for use, install it in the plugin directory (the directory named by theplugin_dir system variable). For thevalidate_password plugin, it is compiled and installed when you build MySQL from source. It is also included in binary distributions. The build process produces a shared object library with a name ofvalidate_password.so (the.so suffix might differ depending on your platform).
To register the plugin at runtime, use this statement, adjusting the.so suffix for your platform as necessary:
INSTALL PLUGIN validate_password SONAME 'validate_password.so';For additional information about plugin loading, seeInstalling and Uninstalling Plugins.
To verify plugin installation, examine theINFORMATION_SCHEMA.PLUGINS table or use theSHOW PLUGINS statement. SeeObtaining Server Plugin Information.
While thevalidate_password plugin is installed, it exposes system variables that indicate the password-checking parameters:
mysql> SHOW VARIABLES LIKE 'validate_password%';+--------------------------------------+--------+| Variable_name | Value |+--------------------------------------+--------+| validate_password_dictionary_file | || validate_password_length | 8 || validate_password_mixed_case_count | 1 || validate_password_number_count | 1 || validate_password_policy | MEDIUM || validate_password_special_char_count | 1 |+--------------------------------------+--------+For descriptions of these variables, seePassword Validation Plugin Options and Variables.
To disable the plugin after testing it, use this statement to unload it:
UNINSTALL PLUGIN validate_password;