mirror of
https://github.com/MariaDB/server.git
synced 2025-01-16 03:52:35 +01:00
MDEV-5526 Assertion `proxied_user->host.length' fails on GRANT PROXY ON <role>
recognize the context better: always treat the barename as a username in the username context
This commit is contained in:
Sergei Golubchik
parent
5a385146ae
commit
416148a4cf
7 changed files with 55 additions and 28 deletions
|
|
@ -38,5 +38,5 @@ create role '';
|
|||
ERROR OP000: Invalid role specification ``.
|
||||
create role r1;
|
||||
drop user r1;
|
||||
ERROR HY000: Operation DROP USER failed for 'r1'
|
||||
ERROR HY000: Operation DROP USER failed for 'r1'@'%'
|
||||
drop role r1;
|
||||
|
|
|
|||
9
mysql-test/suite/roles/grant_proxy-5526.result
Normal file
9
mysql-test/suite/roles/grant_proxy-5526.result
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
create role r1;
|
||||
create user user;
|
||||
grant proxy on r1 to user;
|
||||
show grants for user;
|
||||
Grants for user@%
|
||||
GRANT USAGE ON *.* TO 'user'@'%'
|
||||
GRANT PROXY ON 'r1'@'%' TO 'user'@'%'
|
||||
drop user user;
|
||||
drop role r1;
|
||||
10
mysql-test/suite/roles/grant_proxy-5526.test
Normal file
10
mysql-test/suite/roles/grant_proxy-5526.test
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
#
|
||||
# MDEV-5526 Assertion `proxied_user->host.length' fails on GRANT PROXY ON <role>
|
||||
#
|
||||
create role r1;
|
||||
create user user;
|
||||
grant proxy on r1 to user;
|
||||
show grants for user;
|
||||
drop user user;
|
||||
drop role r1;
|
||||
|
||||
|
|
@ -1,14 +1,14 @@
|
|||
create role r1;
|
||||
grant select on *.* to r1 identified by 'foobar';
|
||||
ERROR 28000: Can't find any matching row in the user table
|
||||
drop user r1;
|
||||
grant select on *.* to r1 identified by '';
|
||||
ERROR 28000: Can't find any matching row in the user table
|
||||
drop user r1;
|
||||
grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000';
|
||||
ERROR 28000: Can't find any matching row in the user table
|
||||
drop user r1;
|
||||
grant select on *.* to r1 identified via plugin;
|
||||
ERROR 28000: Can't find any matching row in the user table
|
||||
ERROR HY000: Plugin 'plugin' is not loaded
|
||||
grant select on mysql.user to r1 identified via plugin using 'param';
|
||||
ERROR 28000: Can't find any matching row in the user table
|
||||
ERROR HY000: Plugin 'plugin' is not loaded
|
||||
grant select on *.* to r1 require subject 'foobar';
|
||||
ERROR 28000: Can't find any matching row in the user table
|
||||
grant select on mysql.user to r1 require issuer 'foobar';
|
||||
|
|
|
|||
|
|
@ -12,16 +12,18 @@
|
|||
|
||||
create role r1;
|
||||
|
||||
--error ER_PASSWORD_NO_MATCH
|
||||
# IDENTIFIED does not apply to roles, using it forces username context
|
||||
grant select on *.* to r1 identified by 'foobar';
|
||||
--error ER_PASSWORD_NO_MATCH
|
||||
drop user r1;
|
||||
grant select on *.* to r1 identified by '';
|
||||
--error ER_PASSWORD_NO_MATCH
|
||||
drop user r1;
|
||||
grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000';
|
||||
--error ER_PASSWORD_NO_MATCH
|
||||
drop user r1;
|
||||
--error ER_PLUGIN_IS_NOT_LOADED
|
||||
grant select on *.* to r1 identified via plugin;
|
||||
--error ER_PASSWORD_NO_MATCH
|
||||
--error ER_PLUGIN_IS_NOT_LOADED
|
||||
grant select on mysql.user to r1 identified via plugin using 'param';
|
||||
|
||||
--error ER_PASSWORD_NO_MATCH
|
||||
grant select on *.* to r1 require subject 'foobar';
|
||||
--error ER_PASSWORD_NO_MATCH
|
||||
|
|
|
|||
|
|
@ -8351,7 +8351,7 @@ static int handle_roles_mappings_table(TABLE *table, bool drop,
|
|||
{
|
||||
role= safe_str(get_field(thd->mem_root, role_field));
|
||||
|
||||
if (strcmp(user_from->user.str, role))
|
||||
if (!user_from->is_role() || strcmp(user_from->user.str, role))
|
||||
continue;
|
||||
|
||||
error= 0;
|
||||
|
|
@ -8574,7 +8574,6 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
|
|||
const char *UNINIT_VAR(user);
|
||||
const char *UNINIT_VAR(host);
|
||||
const char *UNINIT_VAR(role);
|
||||
uint role_not_matched= 1;
|
||||
ACL_USER *acl_user= NULL;
|
||||
ACL_ROLE *acl_role= NULL;
|
||||
ACL_DB *acl_db= NULL;
|
||||
|
|
@ -8734,11 +8733,10 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
|
|||
|
||||
if (struct_no == ROLES_MAPPINGS_HASH)
|
||||
{
|
||||
role_not_matched= strcmp(user_from->user.str, role);
|
||||
if (role_not_matched &&
|
||||
if (user_from->is_role() ? strcmp(user_from->user.str, role) :
|
||||
(strcmp(user_from->user.str, user) ||
|
||||
my_strcasecmp(system_charset_info, user_from->host.str, host)))
|
||||
continue;
|
||||
continue;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
@ -8858,14 +8856,14 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
|
|||
size_t old_key_length= role_grant_pair->hashkey.length;
|
||||
bool oom;
|
||||
|
||||
if (role_not_matched)
|
||||
oom= role_grant_pair->init(&acl_memroot, user_to->user.str,
|
||||
user_to->host.str,
|
||||
role_grant_pair->r_uname, false);
|
||||
else
|
||||
if (user_to->is_role())
|
||||
oom= role_grant_pair->init(&acl_memroot, role_grant_pair->u_uname,
|
||||
role_grant_pair->u_hname,
|
||||
user_to->user.str, false);
|
||||
else
|
||||
oom= role_grant_pair->init(&acl_memroot, user_to->user.str,
|
||||
user_to->host.str,
|
||||
role_grant_pair->r_uname, false);
|
||||
if (oom)
|
||||
DBUG_RETURN(-1);
|
||||
|
||||
|
|
@ -9349,20 +9347,20 @@ bool mysql_rename_user(THD *thd, List <LEX_USER> &list)
|
|||
while ((tmp_user_from= user_list++))
|
||||
{
|
||||
tmp_user_to= user_list++;
|
||||
if (!(user_from= get_current_user(thd, tmp_user_from, false)) ||
|
||||
user_from->is_role())
|
||||
if (!(user_from= get_current_user(thd, tmp_user_from, false)))
|
||||
{
|
||||
append_user(&wrong_users, user_from);
|
||||
result= TRUE;
|
||||
continue;
|
||||
}
|
||||
if (!(user_to= get_current_user(thd, tmp_user_to, false)) ||
|
||||
user_to->is_role())
|
||||
if (!(user_to= get_current_user(thd, tmp_user_to, false)))
|
||||
{
|
||||
append_user(&wrong_users, user_to);
|
||||
result= TRUE;
|
||||
continue;
|
||||
}
|
||||
DBUG_ASSERT(!user_from->is_role());
|
||||
DBUG_ASSERT(!user_to->is_role());
|
||||
|
||||
/*
|
||||
Search all in-memory structures and grant tables
|
||||
|
|
|
|||
|
|
@ -1771,7 +1771,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize);
|
|||
%type <symbol> keyword keyword_sp
|
||||
|
||||
%type <lex_user> user grant_user grant_role user_or_role current_role
|
||||
admin_option_for_role
|
||||
admin_option_for_role user_maybe_role
|
||||
|
||||
%type <charset>
|
||||
opt_collate
|
||||
|
|
@ -13916,7 +13916,7 @@ ident_or_text:
|
|||
| LEX_HOSTNAME { $$=$1;}
|
||||
;
|
||||
|
||||
user:
|
||||
user_maybe_role:
|
||||
ident_or_text
|
||||
{
|
||||
if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user))))
|
||||
|
|
@ -13974,7 +13974,15 @@ user:
|
|||
}
|
||||
;
|
||||
|
||||
user_or_role: user | current_role;
|
||||
user_or_role: user_maybe_role | current_role;
|
||||
|
||||
user: user_maybe_role
|
||||
{
|
||||
if ($1->user.str != current_user.str && $1->host.str == 0)
|
||||
$1->host= host_not_specified;
|
||||
$$= $1;
|
||||
}
|
||||
;
|
||||
|
||||
/* Keyword that we allow for identifiers (except SP labels) */
|
||||
keyword:
|
||||
|
|
|
|||
Loading…
Reference in a new issue