mirror of
https://github.com/MariaDB/server.git
synced 2026-05-16 03:47:17 +02:00
MDEV-21743 Split up SUPER privilege to smaller privileges
This commit is contained in:
Alexander Barkov
parent
91ba789aaf
commit
a1e330de5a
82 changed files with 1510 additions and 235 deletions
|
|
@ -21,26 +21,30 @@ alter user foo;
|
|||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo N N N N N N N N N N N N N N N N N N N N N N N N N N N N N N 0 0 0 0 mysql_native_password N N 0.000000
|
||||
# Test super privilege works correctly with a read only database.
|
||||
#
|
||||
# Test READ_ONLY privilege works correctly with a read only database.
|
||||
#
|
||||
SET @start_read_only = @@global.read_only;
|
||||
SET GLOBAL read_only=1;
|
||||
grant create user on *.* to foo;
|
||||
# Currently no super privileges.
|
||||
# Currently no READ_ONLY ADMIN privileges.
|
||||
connect a, localhost, foo;
|
||||
select @@global.read_only;
|
||||
@@global.read_only
|
||||
1
|
||||
alter user foo;
|
||||
ERROR HY000: The MariaDB server is running with the --read-only option so it cannot execute this statement
|
||||
# Grant super privilege to the user.
|
||||
# Grant READ_ONLY ADMIN privilege to the user.
|
||||
connection default;
|
||||
grant super on *.* to foo;
|
||||
# We now have super privilege. We should be able to run alter user.
|
||||
grant READ_ONLY ADMIN on *.* to foo;
|
||||
# We now have READ_ONLY ADMIN privilege. We should be able to run alter user.
|
||||
connect b, localhost, foo;
|
||||
alter user foo;
|
||||
connection default;
|
||||
SET GLOBAL read_only = @start_read_only;
|
||||
#
|
||||
# Test inexistant user.
|
||||
#
|
||||
alter user boo;
|
||||
ERROR HY000: Operation ALTER USER failed for 'boo'
|
||||
#--warning ER_CANNOT_USER
|
||||
|
|
@ -48,19 +52,21 @@ alter if exists user boo;
|
|||
Warnings:
|
||||
Error 1133 Can't find any matching row in the user table
|
||||
Note 1396 Operation ALTER USER failed for 'boo'
|
||||
#
|
||||
# Test password related altering.
|
||||
#
|
||||
alter user foo identified by 'something';
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
alter user foo identified by 'something2';
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo *9CD58369E930E28C8996A89DB18B63294E6DC10C N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *9CD58369E930E28C8996A89DB18B63294E6DC10C N N 0.000000
|
||||
% foo *9CD58369E930E28C8996A89DB18B63294E6DC10C N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *9CD58369E930E28C8996A89DB18B63294E6DC10C N N 0.000000
|
||||
alter user foo identified by password '*88C89BE093D4ECF72D039F62EBB7477EA1FD4D63';
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
alter user foo identified with 'somecoolplugin';
|
||||
ERROR HY000: Operation ALTER USER failed for 'foo'@'%'
|
||||
show warnings;
|
||||
|
|
@ -70,32 +76,36 @@ Error 1396 Operation ALTER USER failed for 'foo'@'%'
|
|||
alter user foo identified with 'mysql_old_password';
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_old_password N N 0.000000
|
||||
% foo N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_old_password N N 0.000000
|
||||
alter user foo identified with 'mysql_old_password' using '0123456789ABCDEF';
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo 0123456789ABCDEF N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N 0 0 0 0 mysql_old_password 0123456789ABCDEF N N 0.000000
|
||||
% foo 0123456789ABCDEF N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N 0 0 0 0 mysql_old_password 0123456789ABCDEF N N 0.000000
|
||||
#
|
||||
# Test ssl related altering.
|
||||
#
|
||||
alter user foo identified by 'something' require SSL;
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N ANY 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N ANY 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
alter user foo identified by 'something' require X509;
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N X509 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N X509 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
alter user foo identified by 'something'
|
||||
require cipher 'text' issuer 'foo_issuer' subject 'foo_subject';
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N SPECIFIED text foo_issuer foo_subject 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N SPECIFIED text foo_issuer foo_subject 0 0 0 0 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
#
|
||||
# Test resource limits altering.
|
||||
#
|
||||
alter user foo with MAX_QUERIES_PER_HOUR 10
|
||||
MAX_UPDATES_PER_HOUR 20
|
||||
MAX_CONNECTIONS_PER_HOUR 30
|
||||
MAX_USER_CONNECTIONS 40;
|
||||
select * from mysql.user where user = 'foo';
|
||||
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv Delete_history_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string password_expired is_role default_role max_statement_time
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N Y N N N N N N N N N Y N N N N SPECIFIED text foo_issuer foo_subject 10 20 30 40 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
% foo *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N N N N N N N N N N N N N N N N N N N N N N N N Y N N N N SPECIFIED text foo_issuer foo_subject 10 20 30 40 mysql_native_password *88C89BE093D4ECF72D039F62EBB7477EA1FD4D63 N N 0.000000
|
||||
drop user foo;
|
||||
update mysql.global_priv set priv=@root_priv where user='root' and host='localhost';
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue