Fix for:

MDEV-5221: User auto-creation does not work upon GRANT <role>

Fix for:
MDEV-5221: User auto-creation does not work upon GRANT <role>
ad5ddaff · Vicentiu Ciorbaru · Sergei Golubchik · 1df23d6f · ad5ddaff · ad5ddaff
Commit ad5ddaff authored Dec 18, 2013 by Vicentiu Ciorbaru Committed by Sergei Golubchik Dec 18, 2013
3 changed files
--- a/mysql-test/suite/roles/grant_role_auto_create_user.result
+++ b/mysql-test/suite/roles/grant_role_auto_create_user.result
+create database db;
+create role auto_create;
+grant all on db.* to auto_create;
+drop user foo@localhost, bar@localhost;
+grant auto_create to foo@localhost;
+grant auto_create to bar@localhost identified by 'baz';
+set role 'auto_create';
+use db;
+create table t1 (i int);
+set role auto_create;
+use db;
+insert into t1 values (1);
+drop user foo@localhost, bar@localhost;
+set sql_mode = 'no_auto_create_user';
+grant auto_create to foo@localhost;
+ERROR 28000: Can't find any matching row in the user table
+grant auto_create to bar@localhost identified by 'baz';
+select user, host from mysql.user where user = 'bar';
+user	host
+bar	localhost
+set sql_mode = '';
+set role auto_create;
+use db;
+drop table t1;
+create user foo@localhost;
+set sql_mode = '';
+grant auto_create to bar2@localhost;
+ERROR 28000: Access denied for user 'foo'@'localhost'
+grant auto_create to foo2@localhost;
+ERROR 28000: Access denied for user 'foo'@'localhost'
+set sql_mode = 'no_auto_create_user';
+grant auto_create to bar2@localhost;
+ERROR 28000: Access denied for user 'foo'@'localhost'
+grant auto_create to foo2@localhost identified by 'pass';
+ERROR 28000: Access denied for user 'foo'@'localhost'
+grant auto_create to foo@localhost;
+set sql_mode = '';
+grant auto_create to bar@localhost;
+ERROR 28000: Access denied for user 'foo'@'localhost'
+grant auto_create to bar2@localhost;
+ERROR 28000: Access denied for user 'foo'@'localhost'
+grant auto_create to foo2@localhost identified by 'pass';
+ERROR 28000: Access denied for user 'foo'@'localhost'
+set sql_mode = 'no_auto_create_user';
+grant auto_create to bar2@localhost;
+ERROR 28000: Access denied for user 'foo'@'localhost'
+grant auto_create to foo2@localhost identified by 'pass';
+ERROR 28000: Access denied for user 'foo'@'localhost'
+grant auto_create to foo@localhost with admin option;
+set sql_mode = '';
+grant auto_create to bar@localhost;
+grant auto_create to bar2@localhost;
+ERROR 42000: You are not allowed to create a user with GRANT
+grant auto_create to foo2@localhost identified by 'pass';
+ERROR 42000: You are not allowed to create a user with GRANT
+set sql_mode = 'no_auto_create_user';
+grant auto_create to bar2@localhost;
+ERROR 28000: Can't find any matching row in the user table
+grant auto_create to foo2@localhost identified by 'pass';
+ERROR 42000: You are not allowed to create a user with GRANT
+drop user foo@localhost;
+drop user bar@localhost;
+drop role auto_create;
+drop database db;
--- a/mysql-test/suite/roles/grant_role_auto_create_user.test
+++ b/mysql-test/suite/roles/grant_role_auto_create_user.test
+create database db;
+create role auto_create;
+grant all on db.* to auto_create;
+
+--error 0,ER_CANNOT_USER
+drop user foo@localhost, bar@localhost;
+
+grant auto_create to foo@localhost;
+grant auto_create to bar@localhost identified by 'baz';
+
+# Test if the users have been created and the role has been granted to them
+--connect (con1,localhost,foo,,)
+set role 'auto_create';
+use db;
+create table t1 (i int);
+--disconnect con1
+
+--connect (con1,localhost,bar,baz,)
+set role auto_create;
+use db;
+insert into t1 values (1);
+--disconnect con1
+
+--connection default
+drop user foo@localhost, bar@localhost;
+
+set sql_mode = 'no_auto_create_user';
+--error ER_PASSWORD_NO_MATCH
+grant auto_create to foo@localhost;
+grant auto_create to bar@localhost identified by 'baz';
+select user, host from mysql.user where user = 'bar';
+set sql_mode = '';
+
+--connect (con1,localhost,bar,baz,)
+set role auto_create;
+use db;
+drop table t1;
+--disconnect con1
+
+--connection default
+
+create user foo@localhost;
+
+# test all possible cases with a user who has no rights to grant the role
+--connect (con1, localhost, foo,,)
+
+set sql_mode = '';
+#try and grant roles, no rights however
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to bar2@localhost;
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to foo2@localhost;
+
+set sql_mode = 'no_auto_create_user';
+#try and grant roles, no rights however
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to bar2@localhost;
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to foo2@localhost identified by 'pass';
+--disconnect con1
+--connection default
+grant auto_create to foo@localhost;
+
+--connect (con1, localhost, foo,,)
+
+#we now have the role granted to us, but we don't have insert privileges,
+#we should not be able to create a new user
+
+set sql_mode = '';
+#also test that we can not grant a role without admin option
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to bar@localhost;
+
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to bar2@localhost;
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to foo2@localhost identified by 'pass';
+
+set sql_mode = 'no_auto_create_user';
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to bar2@localhost;
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+grant auto_create to foo2@localhost identified by 'pass';
+
+#test that we can grant a role with admin option to an existing user, but not
+#create one
+
+--connection default
+grant auto_create to foo@localhost with admin option;
+
+--disconnect con1
+--connect (con1, localhost, foo,,)
+
+#we now have the role granted to us, but we don't have insert privileges,
+#we should not be able to create a new user
+
+set sql_mode = '';
+#also test that we can grant a role with admin option
+grant auto_create to bar@localhost;
+
+#test that we don't create users if we don't have insert privileges
+--error ER_CANT_CREATE_USER_WITH_GRANT
+grant auto_create to bar2@localhost;
+--error ER_CANT_CREATE_USER_WITH_GRANT
+grant auto_create to foo2@localhost identified by 'pass';
+
+set sql_mode = 'no_auto_create_user';
+--error ER_PASSWORD_NO_MATCH
+grant auto_create to bar2@localhost;
+--error ER_CANT_CREATE_USER_WITH_GRANT
+grant auto_create to foo2@localhost identified by 'pass';
+
+
+--connection default
+drop user foo@localhost;
+drop user bar@localhost;
+drop role auto_create;
+drop database db;
+
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -5844,6 +5844,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
   */
  DBUG_ASSERT(list.elements >= 2);
  bool result= 0;
+  bool create_new_user, no_auto_create_user;
  String wrong_users;
  LEX_USER *user, *granted_role;
  LEX_STRING rolename;
@@ -5859,12 +5860,18 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
  DBUG_ASSERT(granted_role->is_role());
  rolename= granted_role->user;

-  TABLE_LIST tables;
-  tables.init_one_table(C_STRING_WITH_LEN("mysql"),
-                        C_STRING_WITH_LEN("roles_mapping"),
-                        "roles_mapping", TL_WRITE);
+  create_new_user= test_if_create_new_users(thd);
+  no_auto_create_user= test(thd->variables.sql_mode & MODE_NO_AUTO_CREATE_USER);
+
+  TABLE_LIST tables[2];
+  tables[0].init_one_table(C_STRING_WITH_LEN("mysql"),
+                           C_STRING_WITH_LEN("roles_mapping"),
+                           "roles_mapping", TL_WRITE);
+  tables[1].init_one_table(C_STRING_WITH_LEN("mysql"),
+                           C_STRING_WITH_LEN("user"), "user", TL_WRITE);
+  tables[0].next_local= tables[0].next_global= tables+1;

-  if (open_and_lock_tables(thd, &tables, FALSE, MYSQL_LOCK_IGNORE_TIMEOUT))
+  if (open_and_lock_tables(thd, tables, FALSE, MYSQL_LOCK_IGNORE_TIMEOUT))
    DBUG_RETURN(TRUE);                          /* purecov: deadcode */

  mysql_rwlock_wrlock(&LOCK_grant);
@@ -5952,6 +5959,27 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
    if (!grantee)
      grantee= find_user_exact(hostname.str, username.str);

+    if (!grantee && !revoke)
+    {
+      LEX_USER user_combo = *user;
+      user_combo.host = hostname;
+      user_combo.user = username;
+
+      /* create the user if it does not exist */
+      if (replace_user_table(thd, tables[1].table, user_combo, 0,
+                             false, create_new_user,
+                             no_auto_create_user))
+      {
+        append_user(&wrong_users, username.str, hostname.str);
+        result= 1;
+        continue;
+      }
+      grantee= find_user_exact(hostname.str, username.str);
+
+      /* either replace_user_table failed, or we've added the user */
+      DBUG_ASSERT(grantee);
+    }
+
    if (!grantee)
    {
      append_user(&wrong_users, username.str, hostname.str);
@@ -6004,7 +6032,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
    }

    /* write into the roles_mapping table */
-    if (replace_roles_mapping_table(tables.table,
+    if (replace_roles_mapping_table(tables[0].table,
                                    &username, &hostname, &rolename,
                                    thd->lex->with_admin_option,
                                    hash_entry, revoke))