mirror of
https://github.com/MariaDB/server.git
synced 2025-01-29 18:20:07 +01:00
Bug#20411: "GRANT ... REQUIRE ISSUER nnn AND SUBJECT mmm" fails to require both
when X.509 subject was required for a connect, we tested whether it was the right one, but did not refuse the connexion if not. fixed. (corrected CS now --replace_results socket-path)
This commit is contained in:
tnurnberg@salvation.intern.azundris.com
parent
dee4105ce0
commit
002adef0e1
3 changed files with 19 additions and 9 deletions
|
|
@ -3,9 +3,12 @@ create table t1(f1 int);
|
|||
insert into t1 values (5);
|
||||
grant select on test.* to ssl_user1@localhost require SSL;
|
||||
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
|
||||
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com";
|
||||
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/emailAddress=abstract.mysql.developer@mysql.com";
|
||||
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
|
||||
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
|
||||
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
|
||||
flush privileges;
|
||||
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
|
||||
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
|
||||
SHOW STATUS LIKE 'Ssl_cipher';
|
||||
Variable_name Value
|
||||
Ssl_cipher DHE-RSA-AES256-SHA
|
||||
|
|
@ -39,7 +42,7 @@ f1
|
|||
delete from t1;
|
||||
ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1'
|
||||
drop user ssl_user1@localhost, ssl_user2@localhost,
|
||||
ssl_user3@localhost, ssl_user4@localhost;
|
||||
ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
|
||||
drop table t1;
|
||||
mysqltest: Could not open connection 'default': 2026 SSL connection error
|
||||
mysqltest: Could not open connection 'default': 2026 SSL connection error
|
||||
|
|
|
|||
|
|
@ -10,14 +10,18 @@ insert into t1 values (5);
|
|||
|
||||
grant select on test.* to ssl_user1@localhost require SSL;
|
||||
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
|
||||
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com";
|
||||
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/emailAddress=abstract.mysql.developer@mysql.com";
|
||||
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
|
||||
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
|
||||
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
|
||||
flush privileges;
|
||||
|
||||
connect (con1,localhost,ssl_user1,,,,,SSL);
|
||||
connect (con2,localhost,ssl_user2,,,,,SSL);
|
||||
connect (con3,localhost,ssl_user3,,,,,SSL);
|
||||
connect (con4,localhost,ssl_user4,,,,,SSL);
|
||||
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
||||
--error 1045
|
||||
connect (con5,localhost,ssl_user5,,,,,SSL);
|
||||
|
||||
connection con1;
|
||||
# Check ssl turned on
|
||||
|
|
@ -49,7 +53,7 @@ delete from t1;
|
|||
|
||||
connection default;
|
||||
drop user ssl_user1@localhost, ssl_user2@localhost,
|
||||
ssl_user3@localhost, ssl_user4@localhost;
|
||||
ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
|
||||
|
||||
drop table t1;
|
||||
|
||||
|
|
|
|||
|
|
@ -874,6 +874,7 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
|
|||
sql_print_information("X509 issuer mismatch: should be '%s' "
|
||||
"but is '%s'", acl_user->x509_issuer, ptr);
|
||||
free(ptr);
|
||||
user_access=NO_ACCESS;
|
||||
break;
|
||||
}
|
||||
user_access= acl_user->access;
|
||||
|
|
@ -889,11 +890,13 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
|
|||
if (strcmp(acl_user->x509_subject,ptr))
|
||||
{
|
||||
if (global_system_variables.log_warnings)
|
||||
sql_print_information("X509 subject mismatch: '%s' vs '%s'",
|
||||
sql_print_information("X509 subject mismatch: should be '%s' but is '%s'",
|
||||
acl_user->x509_subject, ptr);
|
||||
free(ptr);
|
||||
user_access=NO_ACCESS;
|
||||
break;
|
||||
}
|
||||
else
|
||||
user_access= acl_user->access;
|
||||
user_access= acl_user->access;
|
||||
free(ptr);
|
||||
}
|
||||
break;
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue