[Request] Add possibility to set password hash

[TheAlgorythm]

It would be nice if I could provide a MARIADB_ROOT_PASSWORD_HASH and MARIADB_PASSWORD_HASH.
This would greatly simplify credential management as a password hash isn't as critical as the password itself.

There is a corresponding MariaDB functionality: https://mariadb.com/kb/en/create-user/#identified-by-password-password_hash

https://github.com/MariaDB/mariadb-docker/blob/master/docker-entrypoint.sh#L353 could be extended with a case like

CREATE USER '$MARIADB_USER'@'%' IDENTIFIED BY PASSWORD '$userPasswordHashEscaped';

https://github.com/MariaDB/mariadb-docker/blob/master/docker-entrypoint.sh#L291 could be changed in the same way.

[grooverdan]

I'm ok with the concept. Its even easier as the hash doesn't need to be escaped as nothing in the hash falls into the special SQL handling category. Did you want to create a PR?

[TheAlgorythm]

I can try to create a PR.

Should I change the docker-entrypoint.sh of the root?

[grooverdan]

Added to coming release docker-library/official-images#13184

[TheAlgorythm]

Thank you for your help to implement this significant security feature.

[TheAlgorythm]

What is the standard way to update the README of Dockerhub?

[martadinata666]

Im seeing this and pretty interesting, is there a way generate the hash?

[TheAlgorythm]

is there a way generate the hash?

@martadinata666

The Hash is basically two encapsulated SHA-1 hashes where the outer digest is binary.
In Python it would be something like this:

import hashlib, getpass

def mysql_hash(pw: str) -> str:
    pw = pw.encode()
    mid = hashlib.sha1(pw).digest()
    inner = hashlib.sha1(mid).hexdigest()
    return '*' + inner.upper()

assert mysql_hash('mariadb') == '*54958E764CE10E50764C2EECBB71D01F08549980'

print(mysql_hash(getpass.getpass('Password: ')))

[yosifkit]

What is the standard way to update the README of Dockerhub?

The Docker Hub docs are over here: https://github.com/docker-library/docs/ (likely just an edit to mariadb/content.md).

[grooverdan]

The more direct way is SELECT PASSWORD('bob') as a query. I hadn't forgotten about docs, but if you have time to add a PR that would be much appreciated.

[TheAlgorythm]

The more direct way with SQL is definitely easier. But the script has the advantage to generate the hash without exposing the password in cleartext. Maybe it should be considered to include the script in the image so that it's possible to generate the hash via docker exec. Or is this considered bloat?