Commit 67985b28 authored by Sergei Golubchik's avatar Sergei Golubchik

require SUPER to specify an arbitrary admin

parent 7fb978c7
create user foo@localhost;
grant create user on *.* to foo@localhost;
create role role1;
create role role2 with admin current_user;
create role role3 with admin current_role;
ERROR 0L000: Invalid definer
create role role3 with admin role1;
create role role4 with admin root@localhost;
create role role5 with admin root@localhost;
ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
create role role5 with admin role3;
ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
create role role5 with admin foo@localhost;
call mtr.add_suppression("Invalid roles_mapping table entry user:'foo@bar', rolename:'role6'");
create role role6 with admin foo@bar;
ERROR HY000: The user specified as a definer ('foo'@'bar') does not exist
create user foo@bar;
create role role6 with admin foo@bar;
Warnings:
Note 1449 The user specified as a definer ('foo'@'bar') does not exist
create user bar with admin current_user;
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin current_user' at line 1
grant role1 to foo@localhost with admin option;
......@@ -20,7 +24,7 @@ grant select on *.* to foo@localhost with admin option;
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin option' at line 1
show grants for foo@localhost;
Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT CREATE USER ON *.* TO 'foo'@'localhost'
GRANT role1 TO 'foo'@'localhost' WITH ADMIN OPTION
GRANT role2 TO 'foo'@'localhost'
GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
......@@ -51,7 +55,7 @@ localhost root role4 Y
flush privileges;
show grants for foo@localhost;
Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT CREATE USER ON *.* TO 'foo'@'localhost'
GRANT role1 TO 'foo'@'localhost' WITH ADMIN OPTION
GRANT role2 TO 'foo'@'localhost'
GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
......@@ -73,7 +77,7 @@ revoke admin option for role3 from role4;
revoke admin option for role2 from foo@localhost;
show grants for foo@localhost;
Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT CREATE USER ON *.* TO 'foo'@'localhost'
GRANT role2 TO 'foo'@'localhost'
GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
show grants for role1;
......@@ -102,7 +106,7 @@ localhost root role4 Y
flush privileges;
show grants for foo@localhost;
Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT CREATE USER ON *.* TO 'foo'@'localhost'
GRANT role2 TO 'foo'@'localhost'
GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
show grants for role1;
......@@ -118,4 +122,4 @@ GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role3 TO 'role4'
drop role role1, role2, role3, role4, role5, role6;
drop user foo@localhost, foo@bar;
drop user foo@localhost;
create user foo@localhost;
grant create user on *.* to foo@localhost;
########################################
# syntax tests
......@@ -10,11 +10,18 @@ create role role2 with admin current_user;
create role role3 with admin current_role;
create role role3 with admin role1;
create role role4 with admin root@localhost;
# privilege checks, one needs SUPER to specify an arbitrary admin
connect (c1, localhost, foo,,);
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
create role role5 with admin root@localhost;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
create role role5 with admin role3;
create role role5 with admin foo@localhost;
--error ER_NO_SUCH_USER
create role role6 with admin foo@bar;
create user foo@bar;
connection default;
# non-existing admin. works. warning. error in the log on acl_load.
call mtr.add_suppression("Invalid roles_mapping table entry user:'foo@bar', rolename:'role6'");
create role role6 with admin foo@bar;
--error ER_PARSE_ERROR
......@@ -68,5 +75,5 @@ show grants for role4;
# cleanup
########################################
drop role role1, role2, role3, role4, role5, role6;
drop user foo@localhost, foo@bar;
drop user foo@localhost;
......@@ -8944,13 +8944,16 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
{
int result;
String wrong_users;
LEX_USER *user_name, *admin;
LEX_USER *user_name;
List_iterator <LEX_USER> user_list(list);
TABLE_LIST tables[GRANT_TABLES];
bool some_users_created= FALSE;
DBUG_ENTER("mysql_create_user");
DBUG_PRINT("entry", ("Handle as %s", handle_as_role ? "role" : "user"));
if (handle_as_role && sp_process_definer(thd))
DBUG_RETURN(TRUE);
/* CREATE USER may be skipped on replication client. */
if ((result= open_grant_tables(thd, tables)))
DBUG_RETURN(result != 1);
......@@ -8958,32 +8961,6 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
mysql_rwlock_wrlock(&LOCK_grant);
mysql_mutex_lock(&acl_cache->lock);
if (handle_as_role)
{
if (thd->lex->definer)
admin= get_current_user(thd, thd->lex->definer, false);
else
admin= create_default_definer(thd, false);
if (!admin)
{
mysql_mutex_unlock(&acl_cache->lock);
mysql_rwlock_unlock(&LOCK_grant);
DBUG_RETURN(TRUE);
}
bool exists;
if (admin->is_role())
exists= find_acl_role(admin->user.str);
else
exists= find_user_no_anon(admin->host.str, admin->user.str, TRUE);
if (!exists)
{
my_error(ER_NO_SUCH_USER, MYF(0), admin->user.str, admin->host.str);
mysql_mutex_unlock(&acl_cache->lock);
mysql_rwlock_unlock(&LOCK_grant);
DBUG_RETURN(TRUE);
}
}
while ((user_name= user_list++))
{
if (!user_name->host.str)
......@@ -9014,8 +8991,8 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
{
ROLE_GRANT_PAIR *pair= new (thd->mem_root) ROLE_GRANT_PAIR;
if (pair->init(thd->mem_root, admin->user.str, admin->host.str,
user_name->user.str, true))
if (pair->init(thd->mem_root, thd->lex->definer->user.str,
thd->lex->definer->host.str, user_name->user.str, true))
{
result= TRUE;
break;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment