puppetlabs-mysql

Implement caching_sha2_password Hashing

Open daylicron opened this issue 2 years ago • 3 comments

Use Case

I want to be able to use the Puppet MySQL module with future MySQL 8 versions. The MySQL server warns me in its logs that mysql_native_password will be removed in the future:

[Warning] [MY-013360] [Server] Plugin mysql_native_password reported: ''mysql_native_password' is deprecated and will be removed in a future release. Please use caching_sha2_password instead'

Describe the Solution You Would Like

Implementing a feature that can create MySQL users using caching_sha2_password.

Additional Context

This one seems difficult, as I couldn't find a documented way that MySQL uses to hash passwords with caching_sha2_password, so that Puppet can hash the password the same way. The MySQL password function has been removed, too. I was thinking about using "IDENTIFIED WITH caching_sha2_password BY '#{string}'", but I guess this way Puppet would recreate the user every run.

Has anybody already started on this, or does anybody have any idea?

daylicron avatar Oct 27 '23 14:10 daylicron

Hey, I started a PR, #1612, for this topic and found a way to implement it. Maybe someone with more knowledge can improve it.

C24-AK avatar Dec 28 '23 13:12 C24-AK

caching_sha2_password is now the default on MySQL 8.4 and mysql_native_password is disabled by default.

david-barbion avatar Jun 25 '24 12:06 david-barbion

Would like to upvote this request as I've upgraded MySQL to 8.4.6 as 8.0 is going EOL in April 2026. I had to comment out all the config in the following namespaces that would only create users with mysql_native_password plugin: mysql::databases (when specifying user), and mysql::server::root_password. For some reason, I also couldn't get the mysql_user creation to create a user properly when specifying plugin => ' caching_sha2_password',

  1. You can still add an override option for mysql_native_password=ON for mysqld, but the module should have an option to use the more secure caching_sha2_password plugin when creating users.

slanning76 avatar Sep 17 '25 14:09 slanning76
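An added example, not part of the thread and not the module's or MySQL's own code: one way to address the "recreate the user every run" concern is to re-hash the desired password with the salt taken from the stored `authentication_string` and compare. It assumes the stored layout is `$A$005$` followed by a 20-byte salt and a 43-character SHA-256 crypt digest computed with 5000 rounds; the function names are hypothetical, and the assumed layout should be checked against a real server before relying on it.

```ruby
require 'digest'

B64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
# Byte order in which SHA-crypt serialises the 32-byte digest, 3 bytes at a time.
ORDER = [[0, 10, 20], [21, 1, 11], [12, 22, 2], [3, 13, 23], [24, 4, 14],
         [15, 25, 5], [6, 16, 26], [27, 7, 17], [18, 28, 8], [9, 19, 29]].freeze
PREFIX = '$A$005$'.b # assumption: "A" = SHA-256 crypt, "005" = 5 * 1000 rounds

# SHA-256 crypt (Drepper's scheme) without the usual 16-byte salt truncation.
def sha256_crypt_digest(password, salt, rounds)
  pw = password.b
  salt = salt.b
  sha = ->(s) { Digest::SHA256.digest(s) }
  fit = ->(d, len) { (d * (len / 32 + 1))[0, len] } # repeat digest to len bytes
  b = sha.(pw + salt + pw)
  buf = pw + salt + fit.(b, pw.bytesize)
  n = pw.bytesize
  while n > 0 # one block per bit of the password length
    buf << (n.odd? ? b : pw)
    n >>= 1
  end
  a = sha.(buf)
  pseq = fit.(sha.(pw * pw.bytesize), pw.bytesize)
  sseq = fit.(sha.(salt * (16 + a.getbyte(0))), salt.bytesize)
  rounds.times do |r|
    c = (r.odd? ? pseq : a).dup
    c << sseq unless (r % 3).zero?
    c << pseq unless (r % 7).zero?
    c << (r.odd? ? a : pseq)
    a = sha.(c)
  end
  enc = ->(w, len) { Array.new(len) { |i| B64[(w >> (6 * i)) & 0x3f] }.join }
  x = a.bytes
  ORDER.map { |i, j, k| enc.((x[i] << 16) | (x[j] << 8) | x[k], 4) }.join +
    enc.((x[31] << 8) | x[30], 3)
end

# Build the value as it would be stored for a given 20-byte salt.
def caching_sha2_auth_string(password, salt)
  raise ArgumentError, 'salt must be 20 bytes' unless salt.bytesize == 20
  PREFIX + salt.b + sha256_crypt_digest(password, salt, 5000)
end

# Idempotency check: re-hash the desired password with the stored salt.
def password_matches?(stored, password)
  stored = stored.b
  return false unless stored.start_with?(PREFIX) && stored.bytesize == 70
  stored == caching_sha2_auth_string(password, stored[7, 20])
end
```

Because the salt is random per user, two hashes of the same password differ byte for byte, so a plain string comparison of a freshly generated hash against the stored one would report a change on every run.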