Implemented SHOW GRANTS functionality

4a585999 · Vicențiu Ciorbaru · Sergei Golubchik · d24ead2c · 4a585999 · 4a585999
Commit 4a585999 authored Oct 18, 2013 by Vicențiu Ciorbaru Committed by Sergei Golubchik Oct 18, 2013
10 changed files
--- a/mysql-test/r/acl_roles_show_grants.result
+++ b/mysql-test/r/acl_roles_show_grants.result
+create user 'test_user'@'localhost';
+create user 'test_role1'@'';
+create user 'test_role2'@'';
+update mysql.user set is_role='Y' where user='test_role1';
+update mysql.user set is_role='Y' where user='test_role2';
+insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
+'test_user',
+'test_role1');
+insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
+'test_user',
+'test_role2');
+insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('',
+'test_role1',
+'test_role2');
+select user, host from mysql.user where user not like 'root';
+user	host
+test_role1	
+test_role2	
+test_user	localhost
+select * from mysql.roles_mapping;
+HostFk	UserFk	RoleFk
+	test_role1	test_role2
+localhost	test_user	test_role1
+localhost	test_user	test_role2
+flush privileges;
+select user, host from mysql.db;
+user	host
+	%
+	%
+grant select on mysql.* to test_role2@'';
+flush privileges;
+show grants;
+Grants for test_user@localhost
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_user'@'localhost'
+set role test_role1;
+show grants;
+Grants for test_user@localhost
+GRANT SELECT ON `mysql`.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_role1'
+GRANT USAGE ON *.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_role1'
+GRANT test_role2 TO 'test_user'@'localhost'
+set role none;
+show grants;
+Grants for test_user@localhost
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_user'@'localhost'
+show grants for test_user@localhost;
+ERROR 42000: Access denied for user 'test_user'@'localhost' to database 'mysql'
+show grants for test_role1;
+ERROR 42000: Access denied for user 'test_user'@'localhost' to database 'mysql'
+show grants for test_role2;
+ERROR 42000: Access denied for user 'test_user'@'localhost' to database 'mysql'
+show grants for CURRENT_USER;
+Grants for test_user@localhost
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_user'@'localhost'
+show grants for CURRENT_USER();
+Grants for test_user@localhost
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_user'@'localhost'
+show grants for CURRENT_ROLE;
+ERROR 42000: There is no such grant defined for user 'test_user' on host 'localhost'
+show grants for CURRENT_ROLE();
+ERROR 42000: There is no such grant defined for user 'test_user' on host 'localhost'
+set role test_role2;
+show grants;
+Grants for test_user@localhost
+GRANT SELECT ON `mysql`.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_user'@'localhost'
+show grants for test_user@localhost;
+Grants for test_user@localhost
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_user'@'localhost'
+show grants for test_role1;
+Grants for test_role1
+GRANT SELECT ON `mysql`.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_role1'
+GRANT USAGE ON *.* TO 'test_role2'
+GRANT test_role2 TO 'test_role1'
+show grants for test_role2;
+Grants for test_role2
+GRANT SELECT ON `mysql`.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_role2'
+show grants for CURRENT_USER;
+Grants for test_user@localhost
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_user'@'localhost'
+show grants for CURRENT_USER();
+Grants for test_user@localhost
+GRANT USAGE ON *.* TO 'test_user'@'localhost'
+GRANT test_role1 TO 'test_user'@'localhost'
+GRANT test_role2 TO 'test_user'@'localhost'
+show grants for CURRENT_ROLE;
+Grants for test_role2
+GRANT SELECT ON `mysql`.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_role2'
+show grants for CURRENT_ROLE();
+Grants for test_role2
+GRANT SELECT ON `mysql`.* TO 'test_role2'
+GRANT USAGE ON *.* TO 'test_role2'
+drop user 'test_user'@'localhost';
+revoke select on mysql.* from test_role2@'';
+delete from mysql.user where user='test_role1';
+delete from mysql.user where user='test_role2';
+delete from mysql.roles_mapping where RoleFk='test_role1';
+delete from mysql.roles_mapping where RoleFk='test_role2';
+flush privileges;
--- a/mysql-test/t/acl_roles_show_grants.test
+++ b/mysql-test/t/acl_roles_show_grants.test
+#create a user with no privileges
+create user 'test_user'@'localhost';
+create user 'test_role1'@'';
+create user 'test_role2'@'';
+
+update mysql.user set is_role='Y' where user='test_role1';
+update mysql.user set is_role='Y' where user='test_role2';
+insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
+                                                                 'test_user',
+                                                                 'test_role1');
+insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
+                                                                 'test_user',
+                                                                 'test_role2');
+insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('',
+                                                                 'test_role1',
+                                                                 'test_role2');
+--sorted_result
+select user, host from mysql.user where user not like 'root';
+--sorted_result
+select * from mysql.roles_mapping;
+flush privileges;
+
+--sorted_result
+select user, host from mysql.db;
+
+grant select on mysql.* to test_role2@'';
+flush privileges;
+
+change_user 'test_user';
+
+--sorted_result
+show grants;
+set role test_role1;
+--sorted_result
+show grants;
+set role none;
+--sorted_result
+show grants;
+
+--error ER_DBACCESS_DENIED_ERROR
+show grants for test_user@localhost;
+--error ER_DBACCESS_DENIED_ERROR
+show grants for test_role1;
+--error ER_DBACCESS_DENIED_ERROR
+show grants for test_role2;
+--sorted_result
+show grants for CURRENT_USER;
+--sorted_result
+show grants for CURRENT_USER();
+--error ER_NONEXISTING_GRANT
+show grants for CURRENT_ROLE;
+--error ER_NONEXISTING_GRANT
+show grants for CURRENT_ROLE();
+
+set role test_role2;
+--sorted_result
+show grants;
+--sorted_result
+show grants for test_user@localhost;
+--sorted_result
+show grants for test_role1;
+--sorted_result
+show grants for test_role2;
+--sorted_result
+show grants for CURRENT_USER;
+--sorted_result
+show grants for CURRENT_USER();
+--sorted_result
+show grants for CURRENT_ROLE;
+--sorted_result
+show grants for CURRENT_ROLE();
+
+
+change_user 'root';
+drop user 'test_user'@'localhost';
+revoke select on mysql.* from test_role2@'';
+delete from mysql.user where user='test_role1';
+delete from mysql.user where user='test_role2';
+delete from mysql.roles_mapping where RoleFk='test_role1';
+delete from mysql.roles_mapping where RoleFk='test_role2';
+flush privileges;
--- a/sql/lex.h
+++ b/sql/lex.h
@@ -153,6 +153,7 @@ static SYMBOL symbols[] = {
  { "CUBE",		SYM(CUBE_SYM)},
  { "CURRENT_DATE",	SYM(CURDATE)},
  { "CURRENT_POS",      SYM(CURRENT_POS_SYM)},
+  { "CURRENT_ROLE",	SYM(CURRENT_ROLE)},
  { "CURRENT_TIME",	SYM(CURTIME)},
  { "CURRENT_TIMESTAMP", SYM(NOW_SYM)},
  { "CURRENT_USER",	SYM(CURRENT_USER)},

--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -3517,7 +3517,6 @@ SHOW_VAR com_status_vars[]= {
 #endif
  {"show_function_status", (char*) offsetof(STATUS_VAR, com_stat[(uint) SQLCOM_SHOW_STATUS_FUNC]), SHOW_LONG_STATUS},
  {"show_grants",          (char*) offsetof(STATUS_VAR, com_stat[(uint) SQLCOM_SHOW_GRANTS]), SHOW_LONG_STATUS},
-  {"show_grants_self",     (char*) offsetof(STATUS_VAR, com_stat[(uint) SQLCOM_SHOW_GRANTS_SELF]), SHOW_LONG_STATUS},
  {"show_keys",            (char*) offsetof(STATUS_VAR, com_stat[(uint) SQLCOM_SHOW_KEYS]), SHOW_LONG_STATUS},
  {"show_index_statistics",     (char*) offsetof(STATUS_VAR, com_stat[(uint) SQLCOM_SHOW_INDEX_STATS]), SHOW_LONG_STATUS},
  {"show_master_status",   (char*) offsetof(STATUS_VAR, com_stat[(uint) SQLCOM_SHOW_MASTER_STAT]), SHOW_LONG_STATUS},

--- a/sql/sp_head.cc
+++ b/sql/sp_head.cc
@@ -223,7 +223,6 @@ sp_get_flags_for_command(LEX *lex)
  case SQLCOM_SHOW_FIELDS:
  case SQLCOM_SHOW_FUNC_CODE:
  case SQLCOM_SHOW_GRANTS:
-  case SQLCOM_SHOW_GRANTS_SELF:
  case SQLCOM_SHOW_ENGINE_STATUS:
  case SQLCOM_SHOW_ENGINE_LOGS:
  case SQLCOM_SHOW_ENGINE_MUTEX:

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -175,6 +175,9 @@ extern bool mysql_user_table_is_in_short_password_format;

 extern const char *HOST_NOT_SPECIFIED;
 extern const char *NONE_ROLE;
+extern LEX_USER current_user;
+extern LEX_USER current_role;
+extern LEX_USER current_user_and_current_role;


 static inline int access_denied_error_code(int passwd_used)
@@ -227,7 +230,7 @@ ulong get_table_grant(THD *thd, TABLE_LIST *table);
 ulong get_column_grant(THD *thd, GRANT_INFO *grant,
                       const char *db_name, const char *table_name,
                       const char *field_name);
-bool mysql_show_grants(THD *thd, LEX_USER *user, bool print_current_role);
+bool mysql_show_grants(THD *thd, LEX_USER *user);
 void get_privilege_desc(char *to, uint max_length, ulong access);
 void get_mqh(const char *user, const char *host, USER_CONN *uc);
 bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role);

--- a/sql/sql_lex.h
+++ b/sql/sql_lex.h
@@ -146,7 +146,6 @@ enum enum_sql_command {
  SQLCOM_SHOW_GRANTS, SQLCOM_SHOW_CREATE, SQLCOM_SHOW_CHARSETS,
  SQLCOM_SHOW_COLLATIONS, SQLCOM_SHOW_CREATE_DB, SQLCOM_SHOW_TABLE_STATUS,
  SQLCOM_SHOW_TRIGGERS,
-  SQLCOM_SHOW_GRANTS_SELF,

  SQLCOM_LOAD,SQLCOM_SET_OPTION,SQLCOM_LOCK_TABLES,SQLCOM_UNLOCK_TABLES,
  SQLCOM_GRANT, SQLCOM_GRANT_ROLE,

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -341,7 +341,6 @@ void init_update_queries(void)
  sql_command_flags[SQLCOM_SHOW_EXPLAIN]= CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_PROCESSLIST]= CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_GRANTS]=      CF_STATUS_COMMAND;
-  sql_command_flags[SQLCOM_SHOW_GRANTS_SELF]= CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_CREATE_DB]=   CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_CREATE]=  CF_STATUS_COMMAND;
  sql_command_flags[SQLCOM_SHOW_MASTER_STAT]= CF_STATUS_COMMAND;
@@ -3991,18 +3990,16 @@ end_with_restore_list:

 #ifndef NO_EMBEDDED_ACCESS_CHECKS
  case SQLCOM_SHOW_GRANTS:
-  case SQLCOM_SHOW_GRANTS_SELF:
  {
-    LEX_USER *grant_user= get_current_user(thd, lex->grant_user);
+    LEX_USER *grant_user= lex->grant_user;
    if (!grant_user)
      goto error;
-    if ((thd->security_ctx->priv_user &&
-	 !strcmp(thd->security_ctx->priv_user, grant_user->user.str)) ||
+    if (grant_user == &current_user ||
+        grant_user == &current_role ||
+        grant_user == &current_user_and_current_role ||
        !check_access(thd, SELECT_ACL, "mysql", NULL, NULL, 1, 0))
    {
-      res = mysql_show_grants(thd, grant_user,
-                             (lex->sql_command == SQLCOM_SHOW_GRANTS_SELF) ?
-                              TRUE : FALSE);
+      res = mysql_show_grants(thd, grant_user);
    }
    break;
  }

--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -910,6 +910,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize);
 %token  CUBE_SYM                      /* SQL-2003-R */
 %token  CURDATE                       /* MYSQL-FUNC */
 %token  CURRENT_USER                  /* SQL-2003-R */
+%token  CURRENT_ROLE                  /* SQL-2003-R */
 %token  CURRENT_POS_SYM
 %token  CURSOR_SYM                    /* SQL-2003-R */
 %token  CURSOR_NAME_SYM               /* SQL-2003-N */
@@ -11757,12 +11758,8 @@ show_param:
        | GRANTS
          {
            LEX *lex=Lex;
-            lex->sql_command= SQLCOM_SHOW_GRANTS_SELF;
-            LEX_USER *curr_user;
-            if (!(curr_user= (LEX_USER*) lex->thd->alloc(sizeof(st_lex_user))))
-              MYSQL_YYABORT;
-            bzero(curr_user, sizeof(st_lex_user));
-            lex->grant_user= curr_user;
+            lex->sql_command= SQLCOM_SHOW_GRANTS;
+            lex->grant_user= &current_user_and_current_role;
          }
        | GRANTS FOR_SYM user
          {
@@ -11771,6 +11768,12 @@ show_param:
            lex->grant_user=$3;
            lex->grant_user->password=null_lex_str;
          }
+        | GRANTS FOR_SYM CURRENT_ROLE optional_braces
+          {
+            LEX *lex=Lex;
+            lex->sql_command= SQLCOM_SHOW_GRANTS;
+            lex->grant_user= &current_role;
+          }
        | CREATE DATABASE opt_if_not_exists ident
          {
            Lex->sql_command=SQLCOM_SHOW_CREATE_DB;
@@ -13201,14 +13204,7 @@ user:
          }
        | CURRENT_USER optional_braces
          {
-            if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user))))
-              MYSQL_YYABORT;
-            /*
-              empty LEX_USER means current_user and
-              will be handled in the  get_current_user() function
-              later
-            */
-            bzero($$, sizeof(LEX_USER));
+            $$= &current_user;
          }
        ;