diff --git a/README.md b/README.md index 07411aa..421bed7 100644 --- a/README.md +++ b/README.md @@ -150,6 +150,45 @@ Default endpoint: http://127.0.0.1:3000/sse > 注/Note: 部分云MySQL需指定`DB_AUTH_PLUGIN`为`mysql_native_password`。 +### MySQL 8.0 认证支持 / MySQL 8.0 Authentication Support + +本系统完全支持 MySQL 8.0 的认证机制。MySQL 8.0 默认使用 `caching_sha2_password` 认证插件,提供更高的安全性。 + +This system fully supports MySQL 8.0 authentication mechanisms. MySQL 8.0 uses `caching_sha2_password` by default for enhanced security. + +#### 认证插件对比 / Authentication Plugin Comparison + +| 认证插件 / Plugin | 安全性 / Security | 兼容性 / Compatibility | 依赖要求 / Dependencies | +|------------------|-------------------|------------------------|------------------------| +| `mysql_native_password` | 中等 / Medium | 高 / High | 无 / None | +| `caching_sha2_password` | 高 / High | 中等 / Medium | cryptography | + +#### 配置建议 / Configuration Recommendations + +**生产环境 / Production**(推荐 / Recommended): +```ini +DB_AUTH_PLUGIN=caching_sha2_password +``` + +**开发环境 / Development**(简化配置 / Simplified): +```ini +DB_AUTH_PLUGIN=mysql_native_password +``` + +#### 依赖安装 / Dependency Installation + +使用 `caching_sha2_password` 时需要安装 `cryptography` 包(已包含在 requirements.txt 中): + +When using `caching_sha2_password`, the `cryptography` package is required (already included in requirements.txt): + +```bash +pip install cryptography +``` + +详细配置指南请参考:[MySQL 8.0 认证插件支持指南](docs/mysql8_authentication.md) + +For detailed configuration guide, see: [MySQL 8.0 Authentication Plugin Support Guide](docs/mysql8_authentication.md) + --- ## 6. 自动化与资源管理优化 / Automation & Resource Management Enhancements diff --git a/example.env b/example.env index 011b7d7..dfbea1c 100644 --- a/example.env +++ b/example.env 
@@ -9,6 +9,11 @@ MYSQL_USER=root # MySQL用户名 MYSQL_PASSWORD= # MySQL密码(留空表示无密码) MYSQL_DATABASE=testdb # 要连接的数据库名 DB_CONNECTION_TIMEOUT=5 # 连接超时时间(秒) + +# MySQL 8.0 认证插件配置 +# - mysql_native_password: 兼容性好,不需要额外依赖,但安全性较低 +# - caching_sha2_password: MySQL 8.0 默认,安全性高,需要 cryptography 包 +# 如果使用 MySQL 8.0 且用户采用 caching_sha2_password,请确保已安装 cryptography 包 DB_AUTH_PLUGIN=mysql_native_password # 认证插件类型 # 数据库连接池配置 @@ -26,7 +31,7 @@ ENV_TYPE=development # 安全配置 # 允许的风险等级: LOW(查询), MEDIUM(安全修改), HIGH(结构变更), CRITICAL(危险操作) -ALLOWED_RISK_LEVELS=LOW,MEDIUM +ALLOWED_RISK_LEVELS=LOW,MEDIUM,HIGH # 是否允许查询敏感字段信息(密码,凭证等) ALLOW_SENSITIVE_INFO=false diff --git a/requirements.txt b/requirements.txt index 71ebf59..892dc51 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,4 +2,5 @@ mcp>=1.4.1 aiomysql>=0.2.0 python-dotenv>=1.0.1 -sqlparse>=0.5.3 \ No newline at end of file +sqlparse>=0.5.3 +cryptography>=3.4.8 \ No newline at end of file diff --git a/src/db/mysql_operations.py b/src/db/mysql_operations.py index 2a6890d..13d975c 100644 --- a/src/db/mysql_operations.py +++ b/src/db/mysql_operations.py 
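Review bot: `ALLOWED_RISK_LEVELS=LOW,MEDIUM,HIGH` widens the sample default to include HIGH, which the comment directly above describes as structure changes (结构变更), and nothing else in this authentication-focused commit explains why. example.env is presumably the template users copy to create `.env`, so the looser setting would become the starting point for new deployments, which per the context lines of this file also begin with `MYSQL_USER=root` and an empty password. Keep `ALLOWED_RISK_LEVELS=LOW,MEDIUM` here and add a comment such as `# add HIGH only when schema changes must be allowed` so that enabling it is a deliberate choice.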
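Review bot: `cryptography>=3.4.8` sets a floor that is several years old, so an existing or constrained environment can satisfy it with a release that predates later security fixes in the package and in the OpenSSL bundled with its wheels. Raise the floor to a currently supported release, e.g. `cryptography>=<CURRENT_SUPPORTED_VERSION>` (placeholder, pick the version you test against), and consider pinning exact versions in a constraints or lock file. The file still ends without a trailing newline.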
@@ -64,9 +64,28 @@ def get_db_config(): 'db': config['database'], # 'database' -> 'db' 'port': config['port'], 'connect_timeout': config.get('connection_timeout', 5), # 'connection_timeout' -> 'connect_timeout' - # auth_plugin在aiomysql中不直接支持,忽略此参数 + 'charset': 'utf8mb4', # 确保字符集支持 } + # MySQL 8.0 认证插件支持 + # 如果指定了认证插件且不是默认的mysql_native_password,则添加到配置中 + auth_plugin = config.get('auth_plugin', 'mysql_native_password') + if auth_plugin != 'mysql_native_password': + # 对于caching_sha2_password等现代认证插件,需要确保cryptography包可用 + try: + import cryptography + # 添加认证插件配置以支持caching_sha2_password + aiomysql_config.update({ + 'auth_plugin': auth_plugin + }) + logger.debug(f"使用认证插件: {auth_plugin} (已检测到 cryptography 包)") + except ImportError: + logger.warning(f"检测到认证插件 {auth_plugin},但未安装 cryptography 包") + logger.warning("将回退到 mysql_native_password 认证方式") + logger.warning("要完全支持 MySQL 8.0 认证,请安装: pip install cryptography") + else: + logger.debug(f"使用认证插件: {auth_plugin}") + return aiomysql_config # 自定义异常类,细化错误处理 @@ -176,7 +195,17 @@ async def init_db_pool(min_size: Optional[int] = None, max_size: Optional[int] = elif "Can't connect" in error_msg or "Connection refused" in error_msg: raise MySQLServerError("无法连接到MySQL服务器,请检查服务是否启动") elif "Authentication plugin" in error_msg: - raise MySQLAuthPluginError(f"认证插件问题: {error_msg},请尝试修改用户认证方式为mysql_native_password") + current_auth = DatabaseConfig.AUTH_PLUGIN + error_detail = f"认证插件问题: {error_msg}" + if current_auth == 'caching_sha2_password': + error_detail += "\n解决方案:" + error_detail += "\n1. 确保已安装 cryptography 包: pip install cryptography" + error_detail += "\n2. 或者修改用户认证方式为 mysql_native_password" + error_detail += "\n3. 或者在 .env 中设置 DB_AUTH_PLUGIN=mysql_native_password" + else: + error_detail += f"\n当前认证插件配置: {current_auth}" + error_detail += "\n请检查 MySQL 用户的认证插件设置是否匹配" + raise MySQLAuthPluginError(error_detail) else: raise MySQLConnectionError(f"数据库连接失败: {error_msg}") except Exception as e: 
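Review bot: `auth_plugin` is forwarded to aiomysql for any value other than `mysql_native_password`, with no allowlist, so a typo or a plugin such as `mysql_clear_password` (which sends the password unhashed and is only appropriate over TLS) is accepted silently; the keys visible in this hunk set no `ssl` option, though the dict starts above the hunk. Validate first, e.g. `if auth_plugin not in ('mysql_native_password', 'caching_sha2_password', 'sha256_password'): raise ValueError(f"unsupported DB_AUTH_PLUGIN: {auth_plugin}")`. The `ImportError` branch also logs a fallback to `mysql_native_password` that the code does not perform: it only omits the key, and the server still decides which plugin the account uses, so the connection is likely to fail later with a less direct error. Raising there, or rewording the warning to say that authentication will fail until `cryptography` is installed, would be more accurate. `get_db_config` begins outside the hunk.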
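Review bot: The new `Authentication plugin` branch is duplicated verbatim in `init_db_pool` and in `get_db_connection` (the hunk at -239). Both copies read `DatabaseConfig.AUTH_PLUGIN`, while `get_db_config` takes the plugin from `config.get('auth_plugin', ...)`, so the hint can disagree with what was actually passed to the driver if those two sources ever differ. Consider one helper, e.g. `def _auth_plugin_error(error_msg: str) -> MySQLAuthPluginError:`, called from both handlers and fed the same value used to build the connection config. Two of the three suggested remedies steer the operator to `mysql_native_password`, which the README in this commit rates as the weaker option, so list installing `cryptography` as the preferred fix and mark the downgrade as a development-only workaround. Both functions extend beyond their hunks.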
@@ -239,7 +268,17 @@ async def get_db_connection(require_database: bool = True): elif "Can't connect" in error_msg or "Connection refused" in error_msg: raise MySQLServerError("无法连接到MySQL服务器,请检查服务是否启动") elif "Authentication plugin" in error_msg: - raise MySQLAuthPluginError(f"认证插件问题: {error_msg},请尝试修改用户认证方式为mysql_native_password") + current_auth = DatabaseConfig.AUTH_PLUGIN + error_detail = f"认证插件问题: {error_msg}" + if current_auth == 'caching_sha2_password': + error_detail += "\n解决方案:" + error_detail += "\n1. 确保已安装 cryptography 包: pip install cryptography" + error_detail += "\n2. 或者修改用户认证方式为 mysql_native_password" + error_detail += "\n3. 或者在 .env 中设置 DB_AUTH_PLUGIN=mysql_native_password" + else: + error_detail += f"\n当前认证插件配置: {current_auth}" + error_detail += "\n请检查 MySQL 用户的认证插件设置是否匹配" + raise MySQLAuthPluginError(error_detail) else: raise MySQLConnectionError(f"数据库连接失败: {error_msg}") except Exception as e: