Password Expiration for MariaDB Xpand

Overview

MariaDB Xpand supports enabling password expiration with global and user-level settings.

Compatibility

Xpand Series    First Supported Version
5.3             N/A
6               6.0.4

Password Expiration

The password expiration settings for a user are set when the user is created and can be changed when the user is altered. The global variable default_password_lifetime supplies the lifetime for every user that is set to honor the global expiration default.

If a user has expiration enabled and the expiration period elapses before a new password is set, the user's connection is refused when they try to log in. Changing a user's password resets the expiration countdown, and a new countdown begins from the time of the change.

The root user and certain internal/replication users are set to use PASSWORD EXPIRE NEVER. It is best to leave these unchanged to avoid losing access to your database or breaking replication.

By default, regular users get the PASSWORD EXPIRE DEFAULT setting and are governed by the default expiration settings.

Enable Password Expiration

Password expiration values can be set individually for each user, globally with the default expiration value, or with a combination of the two.

The current implementation of password expiry does not include sandbox support.

Individual Expiration

When a user is created, an optional expiration clause can be specified:

Clause and effect:

PASSWORD EXPIRE INTERVAL n DAY
    The password remains valid for n days, overriding the global default.

PASSWORD EXPIRE NEVER
    The password never expires, overriding the global default.

PASSWORD EXPIRE DEFAULT
    The expiration settings are controlled by the default_password_lifetime global variable.

If the PASSWORD EXPIRE clause is omitted, the user is created with an implied PASSWORD EXPIRE DEFAULT setting.

The expire interval is always expressed in days; no other interval unit is accepted in this context.

CREATE USER 'joe'@'localhost' PASSWORD EXPIRE INTERVAL 42 DAY;

Password expiration settings can be changed using an ALTER USER command and the PASSWORD EXPIRE clause choices shown above.

ALTER USER 'joe'@'localhost' PASSWORD EXPIRE NEVER;

Default Expiration

Any user that has PASSWORD EXPIRE DEFAULT set is governed by the global default_password_lifetime variable, which defaults to 0. When the variable is set to a positive value n, the passwords of all default-expiration users expire n days after they were last changed. When it is 0, the passwords of default-expiration users never expire.

The default_password_lifetime value can be set with a SET statement as long as the user has the SUPER privilege:

SET GLOBAL default_password_lifetime = 30;

Note that the password-related variables have no separate session value, only a global one, so changing a global password variable applies the new value to all sessions immediately.

Show Expiration Settings

To see the expiration settings for a user, use the SHOW CREATE USER command for an individual user, or query the system.users table to see them all. For example, a new installation typically starts with an xpand user with an empty password:

SHOW CREATE USER 'xpand'@'localhost';
+-----------------------------------------------------------------------------------------------------+
| CREATE USER 'xpand'@'localhost'                                                                     |
+-----------------------------------------------------------------------------------------------------+
| CREATE USER 'xpand'@'localhost' IDENTIFIED WITH mysql_native_password AS '' PASSWORD EXPIRE DEFAULT |
+-----------------------------------------------------------------------------------------------------+

Two columns added to the system.users table, pw_last_changed and pw_lifetime, hold the expiration settings:

SELECT username, host, pw_last_changed, pw_lifetime FROM system.users;
+------------------+-----------+----------------------------+-------------+
| username         | host      | pw_last_changed            | pw_lifetime |
+------------------+-----------+----------------------------+-------------+
| root             | 127.0.0.1 | NULL                       |           0 |
| mysql_slave      |           | NULL                       |           0 |
| clx_maint        | 127.0.0.1 | NULL                       |           0 |
| clx_view_definer | 127.0.0.1 | NULL                       |           0 |
| xpand            | localhost | 2022-05-11 19:11:41.869268 |          -1 |
| xpandm           | localhost | 2022-05-11 19:11:42.141268 |          -1 |
| tester           | %         | 2022-05-11 19:47:40.043196 |          90 |
+------------------+-----------+----------------------------+-------------+

In the output above, a pw_lifetime value has these meanings:

-1
    PASSWORD EXPIRE DEFAULT

0
    PASSWORD EXPIRE NEVER

n
    PASSWORD EXPIRE INTERVAL n DAY
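The following script is an added example and is not part of the Xpand documentation or product. It sets a global default, creates one hypothetical account per PASSWORD EXPIRE mode (the names and passwords are constructed for illustration), and then audits system.users: it resolves the -1 sentinel through @@global.default_password_lifetime, computes each account's expiry date from pw_last_changed, lists accounts that expire within seven days, and checks that the root and internal accounts shown earlier on this page are still PASSWORD EXPIRE NEVER. It assumes a session with SUPER, that @@global.default_password_lifetime is readable in a SELECT, and that DATE_ADD, NOW and DATEDIFF behave as they do in MySQL; those are assumptions, not statements from the page.

```sql
-- Added example; not Xpand's own code. Assumes SUPER and MySQL-compatible
-- date functions (DATE_ADD, NOW, DATEDIFF).

-- 1. Global default: PASSWORD EXPIRE DEFAULT users now expire after 30 days.
SET GLOBAL default_password_lifetime = 30;

-- 2. Constructed sample accounts, one per expiration mode (hypothetical names).
CREATE USER 'app_default'@'%' IDENTIFIED BY 'Sample-Pass-1' PASSWORD EXPIRE DEFAULT;         -- pw_lifetime = -1
CREATE USER 'app_never'@'%'   IDENTIFIED BY 'Sample-Pass-2' PASSWORD EXPIRE NEVER;           -- pw_lifetime = 0
CREATE USER 'app_90d'@'%'     IDENTIFIED BY 'Sample-Pass-3' PASSWORD EXPIRE INTERVAL 90 DAY; -- pw_lifetime = 90

-- 3. Effective lifetime and expiry date per account.
--    The inner query maps -1 (DEFAULT) onto the global value; 0 (NEVER) and
--    positive intervals pass through unchanged.
SELECT
    username,
    host,
    pw_lifetime,
    effective_lifetime_days,              -- 0 here means the password never expires
    pw_last_changed,
    CASE
        WHEN effective_lifetime_days = 0 THEN NULL   -- NEVER, or DEFAULT while the global is 0
        WHEN pw_last_changed IS NULL     THEN NULL   -- no change timestamp to count from
        ELSE DATE_ADD(pw_last_changed, INTERVAL effective_lifetime_days DAY)
    END AS expires_at
FROM (
    SELECT
        username,
        host,
        pw_lifetime,
        pw_last_changed,
        CASE pw_lifetime
            WHEN -1 THEN @@global.default_password_lifetime
            ELSE pw_lifetime
        END AS effective_lifetime_days
    FROM system.users
) AS resolved
ORDER BY expires_at IS NULL, expires_at;

-- 4. Accounts that will be refused at login within the next 7 days (or already are).
SELECT username, host, pw_last_changed, effective_lifetime_days,
       DATEDIFF(DATE_ADD(pw_last_changed, INTERVAL effective_lifetime_days DAY), NOW()) AS days_left
FROM (
    SELECT username, host, pw_last_changed,
           CASE pw_lifetime WHEN -1 THEN @@global.default_password_lifetime ELSE pw_lifetime END
               AS effective_lifetime_days
    FROM system.users
) AS resolved
WHERE effective_lifetime_days > 0
  AND pw_last_changed IS NOT NULL
  AND DATEDIFF(DATE_ADD(pw_last_changed, INTERVAL effective_lifetime_days DAY), NOW()) <= 7
ORDER BY days_left;

-- 5. Drift check: the root and internal/replication accounts from the output
--    above must stay at PASSWORD EXPIRE NEVER (pw_lifetime = 0). Expect no rows.
SELECT username, host, pw_lifetime
FROM system.users
WHERE username IN ('root', 'mysql_slave', 'clx_maint', 'clx_view_definer')
  AND pw_lifetime <> 0;

-- 6. Remove the sample accounts.
DROP USER 'app_default'@'%', 'app_never'@'%', 'app_90d'@'%';
```

Because default_password_lifetime has no session value, lowering it takes effect for every PASSWORD EXPIRE DEFAULT account at once; run the audit in step 3 before changing it, since any account whose computed expires_at is already in the past will be refused at its next login rather than at some later date.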