Commit d2c68352 authored by Sergei Golubchik's avatar Sergei Golubchik

recursive privilege propagation for roles.

functions for traversing the role graph in either direction.
merging of global, database, table, column, routine privileges.
debug status variables for counting number of privilege merges.
tests.
parent 7fba8e51
#
# This file tests how privilege are propagated through a complex role graph.
# Here's a graph
#
# role1 ->- role2 -->- role4 -->- role6 ->- role8
# \ / \
# \->- role5 ->-/ \->- role9 ->- role10 ->- foo@localhost
# / \ /
# role3 ->-/ \->- role7 ->-/
#
# privilege checks verify that grants/revokes are propagated correctly
# from the role1 to role10. additionally debug status variables verify
# that propagation doesn't do unnecessary work (only touches the
# smallest possible number of nodes and doesn't merge privileges that
# didn't change)
#
create user foo@localhost;
create role role1;
create role role2;
create role role3;
create role role4;
create role role5;
create role role6;
create role role7;
create role role8;
create role role9;
create role role10;
grant role1 to role2;
grant role2 to role4;
grant role2 to role5;
grant role3 to role5;
grant role4 to role6;
grant role5 to role6;
grant role5 to role7;
grant role6 to role8;
grant role6 to role9;
grant role7 to role9;
grant role9 to role10;
grant role10 to foo@localhost;
# try to create a cycle
--error ER_CANNOT_GRANT_ROLE
grant role10 to role2;
connect (foo, localhost, foo);
--sorted_result
show grants;
--sorted_result
select * from information_schema.applicable_roles;
show status like 'debug%';
#
# global privileges
#
connection default;
grant select on *.* to role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role role10;
select count(*) from mysql.roles_mapping;
--sorted_result
show grants;
--sorted_result
select * from information_schema.enabled_roles;
connection default;
revoke select on *.* from role1;
show status like 'debug%';
connection foo;
# global privileges are cached in the THD, changes don't take effect immediately
select count(*) from mysql.roles_mapping;
set role none;
set role role10;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role none;
#
# database privileges
#
connection default;
grant select on mysql.* to role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role role10;
select count(*) from mysql.roles_mapping;
--sorted_result
show grants;
connection default;
revoke select on mysql.* from role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role none;
#
# table privileges
#
connection default;
grant select on mysql.roles_mapping to role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role role10;
select count(*) from mysql.roles_mapping;
--sorted_result
show grants;
connection default;
revoke select on mysql.roles_mapping from role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role none;
#
# column privileges
#
connection default;
grant select(User) on mysql.roles_mapping to role1;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(*) from mysql.roles_mapping;
set role role10;
--error ER_COLUMNACCESS_DENIED_ERROR
select count(concat(User,Host,Role)) from mysql.roles_mapping;
select count(concat(User)) from mysql.roles_mapping;
--sorted_result
show grants;
connection default;
grant select(Host) on mysql.roles_mapping to role3;
show status like 'debug%';
connection foo;
--error ER_COLUMNACCESS_DENIED_ERROR
select count(concat(User,Host,Role)) from mysql.roles_mapping;
select count(concat(User,Host)) from mysql.roles_mapping;
--sorted_result
show grants;
connection default;
revoke select(User) on mysql.roles_mapping from role1;
show status like 'debug%';
connection foo;
--error ER_COLUMNACCESS_DENIED_ERROR
select count(concat(User,Host)) from mysql.roles_mapping;
select count(concat(Host)) from mysql.roles_mapping;
connection default;
revoke select(Host) on mysql.roles_mapping from role3;
show status like 'debug%';
connection foo;
--error ER_TABLEACCESS_DENIED_ERROR
select count(concat(Host)) from mysql.roles_mapping;
set role none;
#
# routine privileges
#
connection default;
create procedure pr1() select "pr1";
create function fn1() returns char(10) return "fn1";
grant execute on procedure test.pr1 to role1;
show status like 'debug%';
connection foo;
--error ER_PROCACCESS_DENIED_ERROR
call pr1();
set role role10;
call pr1();
--error ER_PROCACCESS_DENIED_ERROR
select fn1();
connection default;
grant execute on function test.fn1 to role5;
show status like 'debug%';
connection foo;
select fn1();
connection default;
revoke execute on procedure test.pr1 from role1;
show status like 'debug%';
connection foo;
--error ER_PROCACCESS_DENIED_ERROR
call pr1();
select fn1();
connection default;
revoke execute on function test.fn1 from role5;
show status like 'debug%';
connection foo;
--error ER_PROCACCESS_DENIED_ERROR
select fn1();
set role none;
connection default;
drop procedure pr1;
drop function fn1;
#
# test shortcuts
#
grant select on mysql.roles_mapping to role3;
show status like 'debug%';
# this grant only propagates to roles role2 and role4,
# and tries to propagate to role5, discovering that it already has it
grant select on mysql.roles_mapping to role1;
show status like 'debug%';
# this only tries to propagate to role5 and exits early
revoke select on mysql.roles_mapping from role3;
show status like 'debug%';
# propagates to all 8 roles, normally
revoke select on mysql.roles_mapping from role1;
show status like 'debug%';
grant select on mysql.* to role1;
show status like 'debug%';
# only entries for `test` are merged, not for `mysql`
grant select on test.* to role1;
show status like 'debug%';
revoke select on mysql.* from role1;
show status like 'debug%';
revoke select on test.* from role1;
show status like 'debug%';
#
# cleanup
#
connection default;
drop user foo@localhost;
drop role role1;
drop role role2;
drop role role3;
drop role role4;
drop role role5;
drop role role6;
drop role role7;
drop role role8;
drop role role9;
drop role role10;
create user foo@localhost;
create role role1;
create role role2;
create role role3;
create role role4;
create role role5;
create role role6;
create role role7;
create role role8;
create role role9;
create role role10;
grant role1 to role2;
grant role2 to role4;
grant role2 to role5;
grant role3 to role5;
grant role4 to role6;
grant role5 to role6;
grant role5 to role7;
grant role6 to role8;
grant role6 to role9;
grant role7 to role9;
grant role9 to role10;
grant role10 to foo@localhost;
grant role10 to role2;
ERROR HY000: Cannot grant role 'role10' to: 'role2'.
show grants;
Grants for foo@localhost
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT role10 TO 'foo'@'localhost'
select * from information_schema.applicable_roles;
GRANTEE ROLE_NAME IS_GRANTABLE
foo@localhost role10 NO
role10 role9 NO
role2 role1 NO
role4 role2 NO
role5 role2 NO
role5 role3 NO
role6 role4 NO
role6 role5 NO
role7 role5 NO
role9 role6 NO
role9 role7 NO
show status like 'debug%';
Variable_name Value
grant select on *.* to role1;
show status like 'debug%';
Variable_name Value
select count(*) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
set role role10;
select count(*) from mysql.roles_mapping;
count(*)
22
show grants;
Grants for foo@localhost
GRANT SELECT ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'role10'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT USAGE ON *.* TO 'role5'
GRANT USAGE ON *.* TO 'role6'
GRANT USAGE ON *.* TO 'role7'
GRANT USAGE ON *.* TO 'role9'
GRANT role1 TO 'role2'
GRANT role10 TO 'foo'@'localhost'
GRANT role2 TO 'role4'
GRANT role2 TO 'role5'
GRANT role3 TO 'role5'
GRANT role4 TO 'role6'
GRANT role5 TO 'role6'
GRANT role5 TO 'role7'
GRANT role6 TO 'role9'
GRANT role7 TO 'role9'
GRANT role9 TO 'role10'
select * from information_schema.enabled_roles;
ROLE_NAME
role1
role10
role2
role3
role4
role5
role6
role7
role9
revoke select on *.* from role1;
show status like 'debug%';
Variable_name Value
select count(*) from mysql.roles_mapping;
count(*)
22
set role none;
set role role10;
select count(*) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
set role none;
grant select on mysql.* to role1;
show status like 'debug%';
Variable_name Value
select count(*) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
set role role10;
select count(*) from mysql.roles_mapping;
count(*)
22
show grants;
Grants for foo@localhost
GRANT SELECT ON `mysql`.* TO 'role1'
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role10'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT USAGE ON *.* TO 'role5'
GRANT USAGE ON *.* TO 'role6'
GRANT USAGE ON *.* TO 'role7'
GRANT USAGE ON *.* TO 'role9'
GRANT role1 TO 'role2'
GRANT role10 TO 'foo'@'localhost'
GRANT role2 TO 'role4'
GRANT role2 TO 'role5'
GRANT role3 TO 'role5'
GRANT role4 TO 'role6'
GRANT role5 TO 'role6'
GRANT role5 TO 'role7'
GRANT role6 TO 'role9'
GRANT role7 TO 'role9'
GRANT role9 TO 'role10'
revoke select on mysql.* from role1;
show status like 'debug%';
Variable_name Value
select count(*) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
set role none;
grant select on mysql.roles_mapping to role1;
show status like 'debug%';
Variable_name Value
select count(*) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
set role role10;
select count(*) from mysql.roles_mapping;
count(*)
22
show grants;
Grants for foo@localhost
GRANT SELECT ON `mysql`.`roles_mapping` TO 'role1'
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role10'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT USAGE ON *.* TO 'role5'
GRANT USAGE ON *.* TO 'role6'
GRANT USAGE ON *.* TO 'role7'
GRANT USAGE ON *.* TO 'role9'
GRANT role1 TO 'role2'
GRANT role10 TO 'foo'@'localhost'
GRANT role2 TO 'role4'
GRANT role2 TO 'role5'
GRANT role3 TO 'role5'
GRANT role4 TO 'role6'
GRANT role5 TO 'role6'
GRANT role5 TO 'role7'
GRANT role6 TO 'role9'
GRANT role7 TO 'role9'
GRANT role9 TO 'role10'
revoke select on mysql.roles_mapping from role1;
show status like 'debug%';
Variable_name Value
select count(*) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
set role none;
grant select(User) on mysql.roles_mapping to role1;
show status like 'debug%';
Variable_name Value
select count(*) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
set role role10;
select count(concat(User,Host,Role)) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'Host' in table 'roles_mapping'
select count(concat(User)) from mysql.roles_mapping;
count(concat(User))
22
show grants;
Grants for foo@localhost
GRANT SELECT (User) ON `mysql`.`roles_mapping` TO 'role1'
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role10'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT USAGE ON *.* TO 'role5'
GRANT USAGE ON *.* TO 'role6'
GRANT USAGE ON *.* TO 'role7'
GRANT USAGE ON *.* TO 'role9'
GRANT role1 TO 'role2'
GRANT role10 TO 'foo'@'localhost'
GRANT role2 TO 'role4'
GRANT role2 TO 'role5'
GRANT role3 TO 'role5'
GRANT role4 TO 'role6'
GRANT role5 TO 'role6'
GRANT role5 TO 'role7'
GRANT role6 TO 'role9'
GRANT role7 TO 'role9'
GRANT role9 TO 'role10'
grant select(Host) on mysql.roles_mapping to role3;
show status like 'debug%';
Variable_name Value
select count(concat(User,Host,Role)) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'Role' in table 'roles_mapping'
select count(concat(User,Host)) from mysql.roles_mapping;
count(concat(User,Host))
22
show grants;
Grants for foo@localhost
GRANT SELECT (Host) ON `mysql`.`roles_mapping` TO 'role3'
GRANT SELECT (User) ON `mysql`.`roles_mapping` TO 'role1'
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role10'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT USAGE ON *.* TO 'role5'
GRANT USAGE ON *.* TO 'role6'
GRANT USAGE ON *.* TO 'role7'
GRANT USAGE ON *.* TO 'role9'
GRANT role1 TO 'role2'
GRANT role10 TO 'foo'@'localhost'
GRANT role2 TO 'role4'
GRANT role2 TO 'role5'
GRANT role3 TO 'role5'
GRANT role4 TO 'role6'
GRANT role5 TO 'role6'
GRANT role5 TO 'role7'
GRANT role6 TO 'role9'
GRANT role7 TO 'role9'
GRANT role9 TO 'role10'
revoke select(User) on mysql.roles_mapping from role1;
show status like 'debug%';
Variable_name Value
select count(concat(User,Host)) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'User' in table 'roles_mapping'
select count(concat(Host)) from mysql.roles_mapping;
count(concat(Host))
22
revoke select(Host) on mysql.roles_mapping from role3;
show status like 'debug%';
Variable_name Value
select count(concat(Host)) from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
set role none;
create procedure pr1() select "pr1";
create function fn1() returns char(10) return "fn1";
grant execute on procedure test.pr1 to role1;
show status like 'debug%';
Variable_name Value
call pr1();
ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.pr1'
set role role10;
call pr1();
pr1
pr1
select fn1();
ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.fn1'
grant execute on function test.fn1 to role5;
show status like 'debug%';
Variable_name Value
select fn1();
fn1()
fn1
revoke execute on procedure test.pr1 from role1;
show status like 'debug%';
Variable_name Value
call pr1();
ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.pr1'
select fn1();
fn1()
fn1
revoke execute on function test.fn1 from role5;
show status like 'debug%';
Variable_name Value
select fn1();
ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.fn1'
set role none;
drop procedure pr1;
drop function fn1;
grant select on mysql.roles_mapping to role3;
show status like 'debug%';
Variable_name Value
grant select on mysql.roles_mapping to role1;
show status like 'debug%';
Variable_name Value
revoke select on mysql.roles_mapping from role3;
show status like 'debug%';
Variable_name Value
revoke select on mysql.roles_mapping from role1;
show status like 'debug%';
Variable_name Value
grant select on mysql.* to role1;
show status like 'debug%';
Variable_name Value
grant select on test.* to role1;
show status like 'debug%';
Variable_name Value
revoke select on mysql.* from role1;
show status like 'debug%';
Variable_name Value
revoke select on test.* from role1;
show status like 'debug%';
Variable_name Value
drop user foo@localhost;
drop role role1;
drop role role2;
drop role role3;
drop role role4;
drop role role5;
drop role role6;
drop role role7;
drop role role8;
drop role role9;
drop role role10;
This diff is collapsed.
create user 'test_user'@'localhost';
create user test_user@localhost;
create role test_role1;
create role test_role2;
grant test_role1 to test_user@localhost;
......@@ -55,10 +55,29 @@ localhost root test_role1 Y
localhost root test_role2 Y
localhost test_user test_role1 N
localhost test_user test_role2 N
drop user 'test_user'@'localhost';
revoke select on mysql.* from test_role2;
delete from mysql.user where user='test_role1';
delete from mysql.user where user='test_role2';
delete from mysql.roles_mapping where Role='test_role1';
delete from mysql.roles_mapping where Role='test_role2';
flush privileges;
create role test_role3;
grant test_role3 to test_role2;
create role test_role4;
grant test_role4 to test_role3;
set role test_role1;
delete from mysql.user where user='no such user';
ERROR 42000: DELETE command denied to user 'test_user'@'localhost' for table 'user'
grant delete on mysql.* to test_role4;
set role test_role1;
delete from mysql.user where user='no such user';
show grants;
Grants for test_user@localhost
GRANT DELETE ON `mysql`.* TO 'test_role4'
GRANT SELECT ON `mysql`.* TO 'test_role2'
GRANT USAGE ON *.* TO 'test_role1'
GRANT USAGE ON *.* TO 'test_role2'
GRANT USAGE ON *.* TO 'test_role3'
GRANT USAGE ON *.* TO 'test_role4'
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
GRANT test_role2 TO 'test_role1'
GRANT test_role2 TO 'test_user'@'localhost'
GRANT test_role3 TO 'test_role2'
GRANT test_role4 TO 'test_role3'
drop user test_user@localhost;
drop role test_role1, test_role2, test_role3, test_role4;
source include/not_debug.inc;
source include/acl_roles_recursive.inc;
#
# run acl_roles_recursive and count the number of merges
#
source include/have_debug.inc;
show status like 'debug%';
set @old_dbug=@@global.debug_dbug;
set global debug_dbug="+d,role_merge_stats";
source include/acl_roles_recursive.inc;
set global debug_dbug=@old_dbug;
#create a user with no privileges
create user 'test_user'@'localhost';
create user test_user@localhost;
create role test_role1;
create role test_role2;
......@@ -37,10 +37,26 @@ select current_user(), current_role();
select * from mysql.roles_mapping;
change_user 'root';
drop user 'test_user'@'localhost';
revoke select on mysql.* from test_role2;
delete from mysql.user where user='test_role1';
delete from mysql.user where user='test_role2';
delete from mysql.roles_mapping where Role='test_role1';
delete from mysql.roles_mapping where Role='test_role2';
flush privileges;
create role test_role3;
grant test_role3 to test_role2;
create role test_role4;
grant test_role4 to test_role3;
change_user 'test_user';
set role test_role1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from mysql.user where user='no such user';
change_user 'root';
grant delete on mysql.* to test_role4;
change_user 'test_user';
set role test_role1;
delete from mysql.user where user='no such user';
--sorted_result
show grants;
change_user 'root';
drop user test_user@localhost;
drop role test_role1, test_role2, test_role3, test_role4;
......@@ -7183,6 +7183,42 @@ static int show_default_keycache(THD *thd, SHOW_VAR *var, char *buff)
return 0;
}
#ifndef DBUG_OFF
static int debug_status_func(THD *thd, SHOW_VAR *var, char *buff)
{
#define add_var(X,Y,Z) \
v->name= X; \
v->value= (char*)Y; \
v->type= Z; \
v++;
var->type= SHOW_ARRAY;
var->value= buff;
SHOW_VAR *v= (SHOW_VAR *)buff;
if (_db_keyword_(0, "role_merge_stats", 1))
{
static SHOW_VAR roles[]= {
{"global", (char*) &role_global_merges, SHOW_ULONG},
{"db", (char*) &role_db_merges, SHOW_ULONG},
{"table", (char*) &role_table_merges, SHOW_ULONG},
{"column", (char*) &role_column_merges, SHOW_ULONG},
{"routine", (char*) &role_routine_merges, SHOW_ULONG},
{NullS, NullS, SHOW_LONG}
};
add_var("role_merges", roles, SHOW_ARRAY);
}
v->name= 0;
#undef add_var
return 0;
}
#endif
#ifdef HAVE_POOL_OF_THREADS
int show_threadpool_idle_threads(THD *thd, SHOW_VAR *var, char *buff)
{
......@@ -7216,6 +7252,9 @@ SHOW_VAR status_vars[]= {
{"Created_tmp_disk_tables", (char*) offsetof(STATUS_VAR, created_tmp_disk_tables), SHOW_LONG_STATUS},
{"Created_tmp_files", (char*) &my_tmp_file_created, SHOW_LONG},
{"Created_tmp_tables", (char*) offsetof(STATUS_VAR, created_tmp_tables), SHOW_LONG_STATUS},
#ifndef DBUG_OFF
{"Debug", (char*) &debug_status_func, SHOW_FUNC},
#endif
{"Delayed_errors", (char*) &delayed_insert_errors, SHOW_LONG},
{"Delayed_insert_threads", (char*) &delayed_insert_threads, SHOW_LONG_NOFLUSH},
{"Delayed_writes", (char*) &delayed_insert_writes, SHOW_LONG},
......
This diff is collapsed.
......@@ -394,4 +394,9 @@ bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
bool with_grant);
int acl_setrole(THD *thd, char *rolename, ulonglong access);
int acl_check_setrole(THD *thd, char *rolename, ulonglong *access);
#ifndef DBUG_OFF
extern ulong role_global_merges, role_db_merges, role_table_merges,
role_column_merges, role_routine_merges;
#endif
#endif /* SQL_ACL_INCLUDED */
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment