Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
fd826cc3
Commit
fd826cc3
authored
Oct 23, 2013
by
Sergei Golubchik
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
properly propagate privilege changes on DROP ROLE
parent
82037f9c
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
193 additions
and
51 deletions
+193
-51
mysql-test/suite/roles/set_and_drop.result
mysql-test/suite/roles/set_and_drop.result
+69
-0
mysql-test/suite/roles/set_and_drop.test
mysql-test/suite/roles/set_and_drop.test
+74
-0
sql/sql_acl.cc
sql/sql_acl.cc
+50
-51
No files found.
mysql-test/suite/roles/set_and_drop.result
0 → 100644
View file @
fd826cc3
create database mysqltest1;
create table mysqltest1.t1 (a int, b int);
create table mysqltest1.t2 (a int, b int);
insert mysqltest1.t1 values (1,2),(3,4);
insert mysqltest1.t2 values (5,6),(7,8);
create procedure mysqltest1.pr1() select "pr1";
create user foo@localhost;
create role role1;
create role role2;
grant role2 to role1;
grant role1 to foo@localhost;
grant reload on *.* to role2;
grant select on mysql.* to role2;
grant execute on procedure mysqltest1.pr1 to role2;
grant select on mysqltest1.t1 to role2;
grant select (a) on mysqltest1.t2 to role2;
flush tables;
ERROR 42000: Access denied; you need (at least one of) the RELOAD privilege(s) for this operation
select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
show tables from mysqltest1;
ERROR 42000: Access denied for user 'foo'@'localhost' to database 'mysqltest1'
set role role1;
flush tables;
select * from mysql.roles_mapping;
Host User Role Admin_option
role1 role2 N
localhost foo role1 N
localhost root role1 Y
localhost root role2 Y
show tables from mysqltest1;
Tables_in_mysqltest1
t1
t2
select * from mysqltest1.t1;
a b
1 2
3 4
select * from mysqltest1.t2;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't2'
select a from mysqltest1.t2;
a
5
7
call mysqltest1.pr1();
pr1
pr1
revoke execute on procedure mysqltest1.pr1 from role2;
call mysqltest1.pr1();
ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'mysqltest1.pr1'
drop role role2;
show grants;
Grants for foo@localhost
GRANT role1 TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'role1'
select * from information_schema.enabled_roles;
ROLE_NAME
role1
flush tables;
select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
select * from mysqltest1.t1;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't1'
select a from mysqltest1.t2;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't2'
drop role role1;
drop user foo@localhost;
drop database mysqltest1;
mysql-test/suite/roles/set_and_drop.test
0 → 100644
View file @
fd826cc3
--
source
include
/
not_embedded
.
inc
#
# test setting and dropping a role
#
create
database
mysqltest1
;
create
table
mysqltest1
.
t1
(
a
int
,
b
int
);
create
table
mysqltest1
.
t2
(
a
int
,
b
int
);
insert
mysqltest1
.
t1
values
(
1
,
2
),(
3
,
4
);
insert
mysqltest1
.
t2
values
(
5
,
6
),(
7
,
8
);
create
procedure
mysqltest1
.
pr1
()
select
"pr1"
;
create
user
foo
@
localhost
;
create
role
role1
;
create
role
role2
;
grant
role2
to
role1
;
grant
role1
to
foo
@
localhost
;
grant
reload
on
*.*
to
role2
;
grant
select
on
mysql
.*
to
role2
;
grant
execute
on
procedure
mysqltest1
.
pr1
to
role2
;
grant
select
on
mysqltest1
.
t1
to
role2
;
grant
select
(
a
)
on
mysqltest1
.
t2
to
role2
;
connect
(
foo
,
localhost
,
foo
);
--
error
ER_SPECIFIC_ACCESS_DENIED_ERROR
flush
tables
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
*
from
mysql
.
roles_mapping
;
--
error
ER_DBACCESS_DENIED_ERROR
show
tables
from
mysqltest1
;
set
role
role1
;
flush
tables
;
--
sorted_result
select
*
from
mysql
.
roles_mapping
;
show
tables
from
mysqltest1
;
select
*
from
mysqltest1
.
t1
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
*
from
mysqltest1
.
t2
;
select
a
from
mysqltest1
.
t2
;
call
mysqltest1
.
pr1
();
connection
default
;
revoke
execute
on
procedure
mysqltest1
.
pr1
from
role2
;
connection
foo
;
--
error
ER_PROCACCESS_DENIED_ERROR
call
mysqltest1
.
pr1
();
connection
default
;
drop
role
role2
;
connection
foo
;
show
grants
;
select
*
from
information_schema
.
enabled_roles
;
flush
tables
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
*
from
mysql
.
roles_mapping
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
*
from
mysqltest1
.
t1
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
a
from
mysqltest1
.
t2
;
connection
default
;
disconnect
foo
;
drop
role
role1
;
drop
user
foo
@
localhost
;
drop
database
mysqltest1
;
sql/sql_acl.cc
View file @
fd826cc3
...
...
@@ -8539,6 +8539,9 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
size_t
old_key_length
=
acl_role
->
user
.
length
;
if
(
drop
)
{
/* all grants must be revoked from this role by now. propagate this */
propagate_role_grants
(
acl_role
,
PRIVS_TO_MERGE
::
ALL
,
0
,
0
);
// delete the role from cross-reference arrays
for
(
uint
i
=
0
;
i
<
acl_role
->
role_grants
.
elements
;
i
++
)
{
...
...
@@ -8847,46 +8850,20 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
int
result
=
0
;
int
found
;
bool
handle_as_role
=
user_from
->
is_role
();
bool
search_only
=
!
drop
&&
!
user_to
;
DBUG_ENTER
(
"handle_grant_data"
);
if
(
user_to
)
DBUG_ASSERT
(
handle_as_role
==
user_to
->
is_role
());
/* Handle user table. */
if
((
found
=
handle_grant_table
(
tables
,
0
,
drop
,
user_from
,
user_to
))
<
0
)
{
/* Handle of table failed, don't touch the in-memory array. */
result
=
-
1
;
}
else
if
(
search_only
)
{
if
(
handle_as_role
)
{
if
((
handle_grant_struct
(
ROLE_ACL
,
drop
,
user_from
,
user_to
))
||
found
)
{
result
=
1
;
/* At least one record/element found. */
/* If search is requested, we do not need to search further. */
if
(
!
drop
&&
!
user_to
)
goto
end
;
}
else
if
(
find_user_exact
(
user_from
->
host
.
str
,
user_from
->
user
.
str
))
goto
end
;
// looking for a role, found a user
}
else
{
/* Handle user array. */
if
((
handle_grant_struct
(
USER_ACL
,
drop
,
user_from
,
user_to
))
||
found
)
{
result
=
1
;
/* At least one record/element found. */
/* If search is requested, we do not need to search further. */
if
(
!
drop
&&
!
user_to
)
goto
end
;
}
else
if
(
find_acl_role
(
user_from
->
user
.
str
))
goto
end
;
// looking for a user, found a role
}
/* quickly search in-memory structures first */
if
(
handle_as_role
&&
find_acl_role
(
user_from
->
user
.
str
))
DBUG_RETURN
(
1
);
// found
if
(
!
handle_as_role
&&
find_user_exact
(
user_from
->
host
.
str
,
user_from
->
user
.
str
))
DBUG_RETURN
(
1
);
// found
}
/* Handle db table. */
...
...
@@ -8898,12 +8875,12 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
else
{
/* Handle db array. */
if
((
(
handle_grant_struct
(
DB_ACL
,
drop
,
user_from
,
user_to
)
&&
!
result
)
||
found
)
&&
!
result
)
if
((
handle_grant_struct
(
DB_ACL
,
drop
,
user_from
,
user_to
)
||
found
)
&&
!
result
)
{
result
=
1
;
/* At least one record/element found. */
/* If search is requested, we do not need to search further. */
if
(
!
drop
&&
!
user_to
)
if
(
search_only
)
goto
end
;
}
}
...
...
@@ -8917,21 +8894,21 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
else
{
/* Handle procs array. */
if
((
(
handle_grant_struct
(
PROC_PRIVILEGES_HASH
,
drop
,
user_from
,
user_to
)
&&
!
result
)
||
found
)
&&
!
result
)
if
((
handle_grant_struct
(
PROC_PRIVILEGES_HASH
,
drop
,
user_from
,
user_to
)
||
found
)
&&
!
result
)
{
result
=
1
;
/* At least one record/element found. */
/* If search is requested, we do not need to search further. */
if
(
!
drop
&&
!
user_to
)
if
(
search_only
)
goto
end
;
}
/* Handle funcs array. */
if
((
(
handle_grant_struct
(
FUNC_PRIVILEGES_HASH
,
drop
,
user_from
,
user_to
)
&&
!
result
)
||
found
)
&&
!
result
)
if
((
handle_grant_struct
(
FUNC_PRIVILEGES_HASH
,
drop
,
user_from
,
user_to
)
||
found
)
&&
!
result
)
{
result
=
1
;
/* At least one record/element found. */
/* If search is requested, we do not need to search further. */
if
(
!
drop
&&
!
user_to
)
if
(
search_only
)
goto
end
;
}
}
...
...
@@ -8948,7 +8925,7 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
{
result
=
1
;
/* At least one record found. */
/* If search is requested, we do not need to search further. */
if
(
!
drop
&&
!
user_to
)
if
(
search_only
)
goto
end
;
}
...
...
@@ -8961,9 +8938,11 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
else
{
/* Handle columns hash. */
if
((
(
handle_grant_struct
(
COLUMN_PRIVILEGES_HASH
,
drop
,
user_from
,
user_to
)
&&
!
result
)
||
found
)
&&
!
result
)
if
((
handle_grant_struct
(
COLUMN_PRIVILEGES_HASH
,
drop
,
user_from
,
user_to
)
||
found
)
&&
!
result
)
result
=
1
;
/* At least one record/element found. */
if
(
search_only
)
goto
end
;
}
}
...
...
@@ -8978,9 +8957,11 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
else
{
/* Handle proxies_priv array. */
if
((
handle_grant_struct
(
PROXY_USERS_ACL
,
drop
,
user_from
,
user_to
)
&&
!
result
)
||
found
)
if
((
handle_grant_struct
(
PROXY_USERS_ACL
,
drop
,
user_from
,
user_to
)
||
found
)
&&
!
result
)
result
=
1
;
/* At least one record/element found. */
if
(
search_only
)
goto
end
;
}
}
...
...
@@ -8995,13 +8976,31 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
else
{
/* Handle acl_roles_mappings array */
if
((
handle_grant_struct
(
ROLES_MAPPINGS_HASH
,
drop
,
user_from
,
user_to
)
&&
!
result
)
||
found
)
if
((
handle_grant_struct
(
ROLES_MAPPINGS_HASH
,
drop
,
user_from
,
user_to
)
||
found
)
&&
!
result
)
result
=
1
;
/* At least one record/element found */
if
(
search_only
)
goto
end
;
}
}
end:
/* Handle user table. */
if
((
found
=
handle_grant_table
(
tables
,
0
,
drop
,
user_from
,
user_to
))
<
0
)
{
/* Handle of table failed, don't touch the in-memory array. */
result
=
-
1
;
}
else
{
enum
enum_acl_lists
what
=
handle_as_role
?
ROLE_ACL
:
USER_ACL
;
if
(((
handle_grant_struct
(
what
,
drop
,
user_from
,
user_to
))
||
found
)
&&
!
result
)
{
result
=
1
;
/* At least one record/element found. */
DBUG_ASSERT
(
!
search_only
);
}
}
end:
DBUG_RETURN
(
result
);
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment