mirror of
				https://github.com/MariaDB/server.git
				synced 2025-10-26 01:18:31 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			212 lines
		
	
	
	
		
			5.4 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
			
		
		
	
	
			212 lines
		
	
	
	
		
			5.4 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
| --source include/not_embedded.inc
 | |
| 
 | |
| --echo #
 | |
| --echo # MDEV-29458 Role grant commands do not propagate all grants
 | |
| --echo #
 | |
| 
 | |
| create user foo;
 | |
| create database some_db;
 | |
| create table some_db.t1 (a int, b int, secret int);
 | |
| 
 | |
| delimiter //;
 | |
| CREATE PROCEDURE some_db.p1 (OUT param1 INT)
 | |
|  BEGIN
 | |
|   SELECT COUNT(*) INTO param1 FROM some_db.t1;
 | |
|  END;
 | |
| //
 | |
| delimiter ;//
 | |
| 
 | |
| delimiter //;
 | |
| CREATE FUNCTION some_db.f1 (param1 INT) RETURNS INT
 | |
|  BEGIN
 | |
|   DECLARE c INT;
 | |
|   SET c = 100;
 | |
|   RETURN param1 + c;
 | |
|  END;
 | |
| //
 | |
| delimiter ;//
 | |
| 
 | |
| --echo #
 | |
| --echo # These roles will form a two level hierarchy.
 | |
| --echo # The "select" role will have the select privilege, while
 | |
| --echo # the active role will inherit the select role.
 | |
| --echo #
 | |
| --echo # The active role will be granted a different privilege but on the same
 | |
| --echo # level (global, database, table, proc respectively) *after* the 'select'
 | |
| --echo # role has been granted its select privilege.
 | |
| --echo #
 | |
| 
 | |
| create role r_select_global;
 | |
| create role r_active_global;
 | |
| 
 | |
| create role r_select_database;
 | |
| create role r_active_database;
 | |
| 
 | |
| create role r_select_table;
 | |
| create role r_active_table;
 | |
| 
 | |
| create role r_select_column;
 | |
| create role r_active_column;
 | |
| 
 | |
| create role r_execute_proc;
 | |
| create role r_active_proc;
 | |
| 
 | |
| create role r_execute_func;
 | |
| create role r_active_func;
 | |
| 
 | |
| grant r_select_global to r_active_global;
 | |
| grant r_select_database to r_active_database;
 | |
| grant r_select_table to r_active_table;
 | |
| grant r_select_column to r_active_column;
 | |
| grant r_execute_proc to r_active_proc;
 | |
| grant r_execute_func to r_active_func;
 | |
| 
 | |
| --echo #
 | |
| --echo # These 3 roles form a chain, where only the upper level has select
 | |
| --echo # privileges and the middle level will receive a grant for the same level
 | |
| --echo # privilege, but different kind (for example select on upper and insert
 | |
| --echo # on middle).
 | |
| --echo #
 | |
| --echo # The lower level should inherit both rights.
 | |
| --echo #
 | |
| create role upper_level;
 | |
| create role middle_level;
 | |
| create role lower_level;
 | |
| 
 | |
| grant upper_level to middle_level;
 | |
| grant middle_level to lower_level;
 | |
| 
 | |
| grant r_active_global   to foo;
 | |
| grant r_active_database to foo;
 | |
| grant r_active_table    to foo;
 | |
| grant r_active_column   to foo;
 | |
| grant r_active_proc     to foo;
 | |
| grant r_active_func     to foo;
 | |
| grant lower_level       to foo;
 | |
| 
 | |
| grant select on *.*        to r_select_global;
 | |
| grant select on some_db.*  to r_select_database;
 | |
| grant select on some_db.t1 to r_select_table;
 | |
| grant select(a) on some_db.t1 to r_select_column;
 | |
| grant select on *.*        to upper_level;
 | |
| 
 | |
| grant execute on procedure some_db.p1 to r_execute_proc;
 | |
| grant execute on function  some_db.f1 to r_execute_func;
 | |
| 
 | |
| 
 | |
| --echo #
 | |
| --echo # Granting a privilege different than select on the corresponding level.
 | |
| --echo # This tests that the base role correctly inherits its granted roles
 | |
| --echo # privileges.
 | |
| --echo #
 | |
| grant insert on *.*        to r_active_global;
 | |
| grant insert on some_db.*  to r_active_database;
 | |
| grant insert on some_db.t1 to r_active_table;
 | |
| grant insert(a) on some_db.t1 to r_active_column;
 | |
| grant insert on *.* to middle_level;
 | |
| 
 | |
| grant alter routine on procedure some_db.p1 to r_active_proc;
 | |
| grant alter routine on function some_db.f1 to r_active_func;
 | |
| 
 | |
| --connect (con1, localhost, foo,,)
 | |
| --error ER_TABLEACCESS_DENIED_ERROR
 | |
| select * from some_db.t1;
 | |
| 
 | |
| --echo #
 | |
| --echo # Before MDEV-29458 fix, all these commands would return
 | |
| --echo # ER_TABLEACCESS_DENIED_ERROR
 | |
| --echo #
 | |
| set role r_active_global;
 | |
| select * from some_db.t1;
 | |
| set role r_active_database;
 | |
| select * from some_db.t1;
 | |
| set role r_active_table;
 | |
| select * from some_db.t1;
 | |
| set role r_active_column;
 | |
| select a from some_db.t1;
 | |
| set role lower_level;
 | |
| select * from some_db.t1;
 | |
| 
 | |
| set role r_active_proc;
 | |
| set @var=100;
 | |
| call some_db.p1(@var);
 | |
| 
 | |
| set role r_active_func;
 | |
| select some_db.f1(10);
 | |
| 
 | |
| disconnect con1;
 | |
| 
 | |
| --echo #
 | |
| --echo # Cleanup.
 | |
| --echo #
 | |
| connection default;
 | |
| 
 | |
| drop database some_db;
 | |
| drop role r_select_global, r_select_database, r_select_table, r_select_column;
 | |
| drop role r_active_global, r_active_database, r_active_table, r_active_column;
 | |
| drop role r_execute_proc, r_execute_func;
 | |
| drop role r_active_proc, r_active_func;
 | |
| drop role upper_level, middle_level, lower_level;
 | |
| drop user foo;
 | |
| 
 | |
| --echo #
 | |
| --echo # Test that dropping of roles clears the intermediate generated
 | |
| --echo # (such as an `acl_dbs` element with 0 init_access, but with access != 0)
 | |
| --echo # datastructures.
 | |
| --echo #
 | |
| create role test_role1;
 | |
| create role test_role2;
 | |
| 
 | |
| grant test_role2 to test_role1;
 | |
| grant select on mysql.* to test_role2;
 | |
| grant select on mysql.user to test_role2;
 | |
| grant select(user) on mysql.user to test_role2;
 | |
| drop role test_role1, test_role2;
 | |
| 
 | |
| create role test_role1;
 | |
| drop role test_role1;
 | |
| 
 | |
| --echo #
 | |
| --echo # MDEV-29851 Cached role privileges are not invalidated when needed
 | |
| --echo #
 | |
| create role admin;
 | |
| create role student;
 | |
| create database crm;
 | |
| grant create on crm.* to admin;
 | |
| grant select on crm.* to student;
 | |
| create user intern@localhost;
 | |
| grant student to intern@localhost;
 | |
| set default role student for intern@localhost;
 | |
| 
 | |
| connect con1, localhost, intern;
 | |
| use crm;
 | |
| disconnect con1;
 | |
| 
 | |
| connection default;
 | |
| grant admin to student;
 | |
| 
 | |
| connect con1, localhost, intern;
 | |
| use crm;
 | |
| create table t1 (a int);
 | |
| disconnect con1;
 | |
| 
 | |
| connection default;
 | |
| drop user intern@localhost;
 | |
| drop role student;
 | |
| drop role admin;
 | |
| drop database crm;
 | |
| 
 | |
| --echo #
 | |
| --echo # MDEV-30526 Assertion `rights == merged->cols' failed in update_role_columns
 | |
| --echo #
 | |
| create table t1 ( pk int, i int);
 | |
| create role a;
 | |
| grant select (i), update (pk) on t1 to a;
 | |
| revoke  update (pk) on t1 from a;
 | |
| show grants for a;
 | |
| drop role a;
 | |
| drop table t1;
 | |
| 
 | |
| --echo #
 | |
| --echo # End of 10.3 tests
 | |
| --echo #
 | 
