Commit graph

16 commits

Author SHA1 Message Date
Marko Mäkelä
7b2bb67113 Merge 10.3 into 10.4 2020-10-29 13:38:38 +02:00
Marko Mäkelä
a8de8f261d Merge 10.2 into 10.3 2020-10-28 10:01:50 +02:00
Oleksandr Byelkin
57325e4706 Merge branch '10.3' into 10.4 2020-08-03 14:44:06 +02:00
Oleksandr Byelkin
c32f71af7e Merge branch '10.2' into 10.3 2020-08-03 13:41:29 +02:00
Sergei Golubchik
78f09b12d3 MDEV-23009 SIGSEGV in get_field from acl_load (on optimized builds)
Classes that handle privilege tables (like Tables_priv_table)
could read some columns conditionally but they expect a certain
minimal number of colunms always to exist.

Add a check for a minimal required number of columns in privilege tables,
don't use a table that has fewer columns than required.
2020-07-31 09:00:05 +02:00
Sergei Golubchik
b58586aae9 MDEV-21560 Assertion `grant_table || grant_table_role' failed in check_grant_all_columns
With RETURNING it can happen that the user has some privileges on
the table (namely, DELETE), but later needs different privileges
on individual columns (namely, SELECT).

Do the same as in check_grant_column() - ER_COLUMNACCESS_DENIED_ERROR,
not an assert.
2020-06-13 18:49:42 +02:00
Oleksandr Byelkin
646d1ec83a Merge branch '10.3' into 10.4 2020-02-11 14:40:35 +01:00
Oleksandr Byelkin
fafb35ee51 MDEV-20076: SHOW GRANTS does not quote role names properly
Quotes added to output.
2020-02-05 17:22:26 +01:00
Sergei Golubchik
b8e655ce02 bugfix: crash on the empty db name
followup for 0a43df4fbc
2019-06-17 23:41:43 +02:00
Sergei Golubchik
0a43df4fbc MDEV-14735 better matching order for grants
fixes
MDEV-14732 mysql.db privileges evaluated on order of grants rather than hierarchically
MDEV-8269 Correct fix for Bug #20181776 :- ACCESS CONTROL DOESN'T MATCH MOST SPECIFIC HOST WHEN IT CONTAINS WILDCARD

reimplement the old ad hoc get_sort() function to use a wildcard
pattern ordering logic that works correctly in may be all practical cases.

get_sort() is renamed to catch merge errors at compilation time.
moved to a separate included file, because of a long comment.
2019-06-17 12:26:25 +02:00
Sergei Golubchik
c94ec9fc67 MDEV-17950 SHOW GRANTS FOR does not work for a user identified with non-existing plugin
Revert the side effect of 7c40996cc8.
Do not convert password hash to its binary representation when a user
entry is loaded. Do it lazily on the first authenticatation attempt.

As a collateral - force all authentication plugins to follow the
protocol and read_packet at least once before accessing info->username
(username is not available before first client handshake packet is read).

Fix PAM and GSSAPI plugins to behave.
2019-02-04 15:54:10 +01:00
Marko Mäkelä
734510a44d Merge 10.3 into 10.4 2019-01-06 17:43:02 +02:00
Sergei Golubchik
6bb11efa4a Merge branch '10.2' into 10.3 2019-01-03 13:09:41 +01:00
Sergei Golubchik
4abb8216a0 MDEV-17658 change the structure of mysql.user table
Implement User_table_json.
Fix scripts to use mysql.global_priv.
Fix tests.
2018-12-12 00:31:44 +01:00
Sergei Golubchik
7c40996cc8 MDEV-12321 authentication plugin: SET PASSWORD support
Support SET PASSWORD for authentication plugins.

Authentication plugin API is extended with two optional methods:
* hash_password() is used to compute a password hash (or digest)
  from the plain-text password. This digest will be stored in mysql.user
  table
* preprocess_hash() is used to convert this digest into some memory
  representation that can be later used to authenticate a user.
  Build-in plugins convert the hash from hexadecimal or base64 to binary,
  to avoid doing it on every authentication attempt.

Note a change in behavior: when loading privileges (on startup or on
FLUSH PRIVILEGES) an account with an unknown plugin was loaded with a
warning (e.g. "Plugin 'foo' is not loaded"). But such an account could
not be used for authentication until the plugin is installed. Now an
account like that will not be loaded at all (with a warning, still).
Indeed, without plugin's preprocess_hash() method the server cannot know
how to load an account. Thus, if a new authentication plugin is
installed run-time, one might need FLUSH PRIVILEGES to activate all
existing accounts that were using this new plugin.
2018-10-31 16:06:16 +01:00
Michael Widenius
a7abddeffa Create 'main' test directory and move 't' and 'r' there 2018-03-29 13:59:44 +03:00
Renamed from mysql-test/t/grant5.test (Browse further)