Skip to content

M
mariadb
Commit 1bfc610d authored by Vicențiu Ciorbaru's avatar Vicențiu Ciorbaru Committed by Sergei Golubchik
Browse files
Options

Added show role grants functionality to the mysql_show_grants function.

parent 0fea3316
Hide whitespace changes
Inline Side-by-side
Showing with 104 additions and 0 deletions
mysql-test/r/acl_roles_set_role-multiple-role.result
View file @ 1bfc610d
...@@ -62,10 +62,24 @@ ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'ro ...@@ -62,10 +62,24 @@ ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'ro
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT r_crt TO 'test_user'@'localhost'
GRANT r_del TO 'test_user'@'localhost'
GRANT r_drp TO 'test_user'@'localhost'
GRANT r_ins TO 'test_user'@'localhost'
GRANT r_rld TO 'test_user'@'localhost'
GRANT r_sel TO 'test_user'@'localhost'
GRANT r_upd TO 'test_user'@'localhost'
set role r_sel; set role r_sel;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT r_crt TO 'test_user'@'localhost'
GRANT r_del TO 'test_user'@'localhost'
GRANT r_drp TO 'test_user'@'localhost'
GRANT r_ins TO 'test_user'@'localhost'
GRANT r_rld TO 'test_user'@'localhost'
GRANT r_sel TO 'test_user'@'localhost'
GRANT r_upd TO 'test_user'@'localhost'
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
HostFk UserFk RoleFk HostFk UserFk RoleFk
localhost test_user r_crt localhost test_user r_crt
...@@ -79,6 +93,13 @@ set role r_ins; ...@@ -79,6 +93,13 @@ set role r_ins;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT r_crt TO 'test_user'@'localhost'
GRANT r_del TO 'test_user'@'localhost'
GRANT r_drp TO 'test_user'@'localhost'
GRANT r_ins TO 'test_user'@'localhost'
GRANT r_rld TO 'test_user'@'localhost'
GRANT r_sel TO 'test_user'@'localhost'
GRANT r_upd TO 'test_user'@'localhost'
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('', insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('',
......
mysql-test/r/acl_roles_set_role-recursive.result
View file @ 1bfc610d
...@@ -34,49 +34,59 @@ ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'ro ...@@ -34,49 +34,59 @@ ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'ro
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
set role test_role1; set role test_role1;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
select * from mysql.roles_mapping where HostFk=''; select * from mysql.roles_mapping where HostFk='';
HostFk UserFk RoleFk HostFk UserFk RoleFk
test_role1 test_role2 test_role1 test_role2
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
set role none; set role none;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
set role test_role2; set role test_role2;
ERROR HY000: The role 'test_role2' has not been granted or is invalid. ERROR HY000: The role 'test_role2' has not been granted or is invalid.
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
set role test_role1; set role test_role1;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
select * from mysql.roles_mapping where HostFk=''; select * from mysql.roles_mapping where HostFk='';
HostFk UserFk RoleFk HostFk UserFk RoleFk
test_role1 test_role2 test_role1 test_role2
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
set role none; set role none;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'
delete from mysql.user where user='test_role1'; delete from mysql.user where user='test_role1';
......
mysql-test/r/acl_roles_set_role-simple.result
View file @ 1bfc610d
...@@ -21,10 +21,12 @@ ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'ro ...@@ -21,10 +21,12 @@ ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'ro
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
set role test_role1; set role test_role1;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
HostFk UserFk RoleFk HostFk UserFk RoleFk
localhost test_user test_role1 localhost test_user test_role1
......
mysql-test/t/acl_roles_set_role-multiple-role.test
View file @ 1bfc610d
...@@ -57,13 +57,16 @@ change_user 'test_user'; ...@@ -57,13 +57,16 @@ change_user 'test_user';
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
--sorted_result
show grants; show grants;
set role r_sel; set role r_sel;
--sorted_result
show grants; show grants;
--sorted_result --sorted_result
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
set role r_ins; set role r_ins;
--sorted_result
show grants; show grants;
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
......
mysql-test/t/acl_roles_set_role-recursive.test
View file @ 1bfc610d
...@@ -15,11 +15,16 @@ insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('', ...@@ -15,11 +15,16 @@ insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('',
'test_role2'); 'test_role2');
flush privileges; flush privileges;
--sorted_result
select user, host from mysql.user where user not like 'root'; select user, host from mysql.user where user not like 'root';
--sorted_result
select * from mysql.roles_mapping where UserFk like 'test_user'; select * from mysql.roles_mapping where UserFk like 'test_user';
--sorted_result
select * from mysql.roles_mapping where UserFk like 'test_role1'; select * from mysql.roles_mapping where UserFk like 'test_role1';
grant select on *.* to 'test_role2'@''; grant select on *.* to 'test_role2'@'';
--sorted_result
select * from mysql.user where user like 'test_role1'; select * from mysql.user where user like 'test_role1';
--sorted_result
select * from mysql.user where user like 'test_role2'; select * from mysql.user where user like 'test_role2';
flush privileges; flush privileges;
...@@ -28,32 +33,43 @@ change_user 'test_user'; ...@@ -28,32 +33,43 @@ change_user 'test_user';
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
--sorted_result
show grants; show grants;
set role test_role1; set role test_role1;
--sorted_result
show grants; show grants;
select * from mysql.roles_mapping where HostFk=''; select * from mysql.roles_mapping where HostFk='';
--sorted_result
show grants; show grants;
set role none; set role none;
--sorted_result
show grants; show grants;
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
--sorted_result
show grants; show grants;
--error ER_INVALID_ROLE --error ER_INVALID_ROLE
set role test_role2; set role test_role2;
--sorted_result
show grants; show grants;
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
#Make sure that this still works after an ER_INVALID_ROLE error #Make sure that this still works after an ER_INVALID_ROLE error
--sorted_result
show grants; show grants;
set role test_role1; set role test_role1;
--sorted_result
show grants; show grants;
--sorted_result
select * from mysql.roles_mapping where HostFk=''; select * from mysql.roles_mapping where HostFk='';
--sorted_result
show grants; show grants;
set role none; set role none;
--sorted_result
show grants; show grants;
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
......
mysql-test/t/acl_roles_set_role-simple.test
View file @ 1bfc610d
...@@ -7,9 +7,12 @@ update mysql.user set is_role='Y' where user='test_role1'; ...@@ -7,9 +7,12 @@ update mysql.user set is_role='Y' where user='test_role1';
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost', insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user', 'test_user',
'test_role1'); 'test_role1');
--sorted_result
select user, host from mysql.user where user not like 'root'; select user, host from mysql.user where user not like 'root';
--sorted_result
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
grant select on *.* to 'test_role1'@''; grant select on *.* to 'test_role1'@'';
--sorted_result
select * from mysql.user where user='test_role1'; select * from mysql.user where user='test_role1';
flush privileges; flush privileges;
...@@ -18,9 +21,12 @@ change_user 'test_user'; ...@@ -18,9 +21,12 @@ change_user 'test_user';
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
--sorted_result
show grants; show grants;
set role test_role1; set role test_role1;
--sorted_result
show grants; show grants;
--sorted_result
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
set role none; set role none;
......
sql/sql_acl.cc
View file @ 1bfc610d
...@@ -309,6 +309,9 @@ static bool compare_hostname(const acl_host_and_ip *host, const char *hostname, ...@@ -309,6 +309,9 @@ static bool compare_hostname(const acl_host_and_ip *host, const char *hostname,
const char *ip); const char *ip);
static bool show_proxy_grants (THD *thd, LEX_USER *user, static bool show_proxy_grants (THD *thd, LEX_USER *user,
char *buff, size_t buffsize); char *buff, size_t buffsize);
static bool show_role_grants(THD *thd, LEX_USER *lex_user,
ACL_USER_BASE *acl_entry,
char *buff, size_t buffsize);
static bool show_global_privileges(THD *thd, LEX_USER *lex_user, static bool show_global_privileges(THD *thd, LEX_USER *lex_user,
ACL_USER_BASE *acl_entry, bool handle_as_role, ACL_USER_BASE *acl_entry, bool handle_as_role,
char *buff, size_t buffsize); char *buff, size_t buffsize);
...@@ -6300,6 +6303,13 @@ bool mysql_show_grants(THD *thd,LEX_USER *lex_user) ...@@ -6300,6 +6303,13 @@ bool mysql_show_grants(THD *thd,LEX_USER *lex_user)
DBUG_RETURN(TRUE); DBUG_RETURN(TRUE);
} }
/* Show granted roles to acl_user */
if (show_role_grants(thd, lex_user, acl_user, buff, sizeof(buff)))
{
error= -1;
goto end;
}
/* Add first global access grants */ /* Add first global access grants */
if (show_global_privileges(thd, lex_user, acl_user, FALSE, buff, sizeof(buff))) if (show_global_privileges(thd, lex_user, acl_user, FALSE, buff, sizeof(buff)))
{ {
...@@ -6349,6 +6359,42 @@ end: ...@@ -6349,6 +6359,42 @@ end:
DBUG_RETURN(error); DBUG_RETURN(error);
} }
static bool show_role_grants(THD *thd, LEX_USER *lex_user,
ACL_USER_BASE *acl_entry,
char *buff, size_t buffsize)
{
uint counter;
Protocol *protocol= thd->protocol;
String grant(buff,sizeof(buff),system_charset_info);
for (counter= 0; counter < acl_entry->role_grants.elements; counter++)
{
grant.length(0);
grant.append(STRING_WITH_LEN("GRANT "));
ACL_ROLE *acl_role= *(dynamic_element(&acl_entry->role_grants, counter,
ACL_ROLE**));
grant.append(acl_role->user.str, acl_role->user.length,
system_charset_info);
grant.append(STRING_WITH_LEN(" TO '"));
grant.append(lex_user->user.str, lex_user->user.length,
system_charset_info);
if (!(acl_entry->flags & IS_ROLE))
{
grant.append(STRING_WITH_LEN("'@'"));
grant.append(lex_user->host.str, lex_user->host.length,
system_charset_info);
}
grant.append('\'');
protocol->prepare_for_resend();
protocol->store(grant.ptr(),grant.length(),grant.charset());
if (protocol->write())
{
return TRUE;
}
}
return FALSE;
}
static bool show_global_privileges(THD *thd, LEX_USER *lex_user, static bool show_global_privileges(THD *thd, LEX_USER *lex_user,
ACL_USER_BASE *acl_entry, bool handle_as_role, ACL_USER_BASE *acl_entry, bool handle_as_role,
char *buff, size_t buffsize) char *buff, size_t buffsize)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7