MWL#182: Explain running statements: address review feedback
- Fix the year in Monty Program Ab copyrights in the new files.
- Fix permissions handling so that SHOW EXPLAIN's handling is the same as SHOW PROCESSLIST's.
parent
94bf016321
commit
b9093d370b
7 changed files with 138 additions and 10 deletions
|
@ -728,4 +728,49 @@ a
|
|||
2
|
||||
set debug_dbug='';
|
||||
drop table t1,t3,t4;
|
||||
#
|
||||
# ---------- SHOW EXPLAIN and permissions -----------------
|
||||
#
|
||||
grant ALL on test.* to test2@localhost;
|
||||
#
|
||||
# First, make sure that user 'test2' cannot do SHOW EXPLAIN on us
|
||||
#
|
||||
set debug_dbug='d,show_explain_probe_join_exec_start';
|
||||
select * from t0 where a < 3;
|
||||
show explain for $thr2;
|
||||
ERROR 42000: Access denied; you need (at least one of) the PROCESSLIST privilege(s) for this operation
|
||||
show explain for $thr2;
|
||||
id select_type table type possible_keys key key_len ref rows Extra
|
||||
1 SIMPLE t0 ALL NULL NULL NULL NULL 10 Using where
|
||||
Warnings:
|
||||
Note 1003 select * from t0 where a < 3
|
||||
a
|
||||
0
|
||||
1
|
||||
2
|
||||
set debug_dbug='';
|
||||
#
|
||||
# Unfortunately, our test setup doesn't allow to check that test2
|
||||
# can do SHOW EXPLAIN on his own queries. This is because SET debug_dbug
|
||||
# requires SUPER privilege. Giving SUPER to test2 will make the test
|
||||
# meaningless
|
||||
#
|
||||
#
|
||||
# Now, grant test2 a PROCESSLIST permission, and see that he's able to observe us
|
||||
#
|
||||
grant process on *.* to test2@localhost;
|
||||
set debug_dbug='d,show_explain_probe_join_exec_start';
|
||||
select * from t0 where a < 3;
|
||||
show explain for $thr2;
|
||||
id select_type table type possible_keys key key_len ref rows Extra
|
||||
1 SIMPLE t0 ALL NULL NULL NULL NULL 10 Using where
|
||||
Warnings:
|
||||
Note 1003 select * from t0 where a < 3
|
||||
a
|
||||
0
|
||||
1
|
||||
2
|
||||
set debug_dbug='';
|
||||
revoke all privileges on test.* from test2@localhost;
|
||||
drop user test2@localhost;
|
||||
drop table t0;
|
||||
|
|
|
@ -727,10 +727,71 @@ reap;
|
|||
set debug_dbug='';
|
||||
|
||||
drop table t1,t3,t4;
|
||||
|
||||
--echo #
|
||||
--echo # ---------- SHOW EXPLAIN and permissions -----------------
|
||||
--echo #
|
||||
grant ALL on test.* to test2@localhost;
|
||||
|
||||
connect (con2, localhost, test2,,);
|
||||
connection con1;
|
||||
|
||||
--echo #
|
||||
--echo # First, make sure that user 'test2' cannot do SHOW EXPLAIN on us
|
||||
--echo #
|
||||
set debug_dbug='d,show_explain_probe_join_exec_start';
|
||||
send
|
||||
select * from t0 where a < 3;
|
||||
|
||||
connection default;
|
||||
--source include/wait_condition.inc
|
||||
|
||||
connection con2;
|
||||
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
||||
evalp show explain for $thr2;
|
||||
|
||||
connection default;
|
||||
evalp show explain for $thr2;
|
||||
|
||||
connection con1;
|
||||
reap;
|
||||
set debug_dbug='';
|
||||
|
||||
--echo #
|
||||
--echo # Unfortunately, our test setup doesn't allow to check that test2
|
||||
--echo # can do SHOW EXPLAIN on his own queries. This is because SET debug_dbug
|
||||
--echo # requires SUPER privilege. Giving SUPER to test2 will make the test
|
||||
--echo # meaningless
|
||||
--echo #
|
||||
|
||||
--echo #
|
||||
--echo # Now, grant test2 a PROCESSLIST permission, and see that he's able to observe us
|
||||
--echo #
|
||||
disconnect con2;
|
||||
grant process on *.* to test2@localhost;
|
||||
connect (con2, localhost, test2,,);
|
||||
connection con1;
|
||||
|
||||
set debug_dbug='d,show_explain_probe_join_exec_start';
|
||||
send
|
||||
select * from t0 where a < 3;
|
||||
|
||||
connection default;
|
||||
--source include/wait_condition.inc
|
||||
|
||||
connection con2;
|
||||
evalp show explain for $thr2;
|
||||
|
||||
connection con1;
|
||||
reap;
|
||||
set debug_dbug='';
|
||||
|
||||
|
||||
|
||||
revoke all privileges on test.* from test2@localhost;
|
||||
drop user test2@localhost;
|
||||
|
||||
## TODO: Test this: have several SHOW EXPLAIN requests be queued up for a
|
||||
## thread and served together.
|
||||
|
||||
## TODO: SHOW EXPLAIN while the primary query is running EXPLAIN EXTENDED/PARTITIONS
|
||||
##
|
||||
|
||||
drop table t0;
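Review bot: The second `connect (con2, localhost, test2,,);` has no matching `disconnect con2;` anywhere in this hunk, so `drop user test2@localhost;` runs while a session for that account is still open. Adding `disconnect con2;` after the final `reap;` on con1 would close it, in line with the explicit disconnect done before the PROCESS grant. The denied case also only exercises a caller whose user name differs from the target's. The test's own comment already notes that the own-thread case is not covered, so the positive half of the ownership rule has no regression test here.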
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
Copyright (c) 2009, 2011, Monty Program Ab
|
||||
Copyright (c) 2011 - 2012, Monty Program Ab
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
Copyright (c) 2009, 2011, Monty Program Ab
|
||||
Copyright (c) 2011 - 2012, Monty Program Ab
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -1552,7 +1552,7 @@ public:
|
|||
};
|
||||
|
||||
class THD;
|
||||
void mysqld_show_explain(THD *thd, ulong thread_id);
|
||||
void mysqld_show_explain(THD *thd, const char *calling_user, ulong thread_id);
|
||||
#ifndef DBUG_OFF
|
||||
void dbug_serve_apcs(THD *thd, int n_calls);
|
||||
#endif
|
||||
|
|
|
@ -3130,6 +3130,7 @@ end_with_restore_list:
|
|||
break;
|
||||
case SQLCOM_SHOW_EXPLAIN:
|
||||
{
|
||||
const char *effective_user;
|
||||
/* Same security as SHOW PROCESSLIST (TODO check this) */
|
||||
if (!thd->security_ctx->priv_user[0] &&
|
||||
check_global_access(thd,PROCESS_ACL))
|
||||
|
@ -3150,8 +3151,10 @@ end_with_restore_list:
|
|||
MYF(0));
|
||||
goto error;
|
||||
}
|
||||
effective_user=(thd->security_ctx->master_access & PROCESS_ACL ? NullS :
|
||||
thd->security_ctx->priv_user);
|
||||
|
||||
mysqld_show_explain(thd, (ulong)it->val_int());
|
||||
mysqld_show_explain(thd, effective_user, (ulong)it->val_int());
|
||||
break;
|
||||
}
|
||||
case SQLCOM_SHOW_AUTHORS:
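Review bot: The comment `/* Same security as SHOW PROCESSLIST (TODO check this) */` is kept in the first hunk even though this commit settles that question, so the TODO now misleads. I would replace it with a statement of the rule, e.g. `/* Same rule as SHOW PROCESSLIST: PROCESS_ACL may target any thread, others only their own (see effective_user) */`. Note also that `effective_user` is taken from `priv_user`, while the check in mysqld_show_explain compares it against the target's `Security_context::user`. If those two fields can differ for a session (looks possible, to be confirmed), the own-thread match would fail or match the wrong account. The `case` block starts above the first hunk and the lines between the two hunks are not visible.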
|
||||
|
|
|
@ -2002,8 +2002,11 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose)
|
|||
/*
|
||||
SHOW EXPLAIN FOR command handler
|
||||
|
||||
@param thd Current thread's thd
|
||||
@param thread_id Thread whose explain we need
|
||||
@param thd Current thread's thd
|
||||
@param calling_user User that invoked SHOW EXPLAIN, or NULL if the user
|
||||
has SUPER or PROCESS privileges, and so is allowed
|
||||
to run SHOW EXPLAIN on anybody.
|
||||
@param thread_id Thread whose explain we need
|
||||
|
||||
@notes
|
||||
- Attempt to do "SHOW EXPLAIN FOR <myself>" will properly produce "target not
|
||||
|
@ -2011,7 +2014,7 @@ void mysqld_list_processes(THD *thd,const char *user, bool verbose)
|
|||
- todo: check how all this can/will work when using thread pools
|
||||
*/
|
||||
|
||||
void mysqld_show_explain(THD *thd, ulong thread_id)
|
||||
void mysqld_show_explain(THD *thd, const char *calling_user, ulong thread_id)
|
||||
{
|
||||
THD *tmp;
|
||||
Protocol *protocol= thd->protocol;
|
||||
|
@ -2043,6 +2046,22 @@ void mysqld_show_explain(THD *thd, ulong thread_id)
|
|||
|
||||
if (tmp)
|
||||
{
|
||||
Security_context *tmp_sctx= tmp->security_ctx;
|
||||
/*
|
||||
If calling_user==NULL, calling thread has SUPER or PROCESS
|
||||
privilege, and so can do SHOW EXPLAIN on any user.
|
||||
|
||||
if calling_user!=NULL, he's only allowed to view SHOW EXPLAIN on
|
||||
his own threads.
|
||||
*/
|
||||
if (calling_user && (!tmp_sctx->user || strcmp(calling_user,
|
||||
tmp_sctx->user)))
|
||||
{
|
||||
my_error(ER_SPECIFIC_ACCESS_DENIED_ERROR, MYF(0), "PROCESSLIST");
|
||||
mysql_mutex_unlock(&tmp->LOCK_thd_data);
|
||||
DBUG_VOID_RETURN;
|
||||
}
|
||||
|
||||
bool bres;
|
||||
/*
|
||||
Ok we've found the thread of interest and it won't go away because
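Review bot: The ownership check added in the last hunk, `strcmp(calling_user, tmp_sctx->user)`, matches on the user name alone and never looks at the host. Two accounts sharing a name but defined for different hosts (constructed example: `test2@localhost` and `test2@otherhost`) could presumably read each other's query plans without PROCESS. That appears to follow the SHOW PROCESSLIST behaviour the commit message refers to, but it is worth stating at the check, e.g. `/* Name-only match, as in SHOW PROCESSLIST: the host part is not compared */`. Separately, the error passes `"PROCESSLIST"` as the missing privilege, whereas the privilege tested in sql_parse.cc and granted in the test is PROCESS, so `"PROCESS"` would name what the user actually has to be granted. The doc comment likewise says "SUPER or PROCESS" while the caller shown only tests `PROCESS_ACL`; the body of mysqld_show_explain starts and ends outside these hunks.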
|
||||
|
|