mirror of
https://github.com/MariaDB/server.git
synced 2025-01-17 20:42:30 +01:00
9cba6c5aa3
This allows one to run the test suite even if any of the following options are changed: - character-set-server - collation-server - join-cache-level - log-basename - max-allowed-packet - optimizer-switch - query-cache-size and query-cache-type - skip-name-resolve - table-definition-cache - table-open-cache - Some innodb options etc Changes: - Don't print out the value of system variables as one can't depend on them to being constants. - Don't set global variables to 'default' as the default may not be the same as the test was started with if there was an additional option file. Instead save original value and reset it at end of test. - Test that depends on the latin1 character set should include default_charset.inc or set the character set to latin1 - Test that depends on the original optimizer switch, should include default_optimizer_switch.inc - Test that depends on the value of a specific system variable should set it in the test (like optimizer_use_condition_selectivity) - Split subselect3.test into subselect3.test and subselect3.inc to make it easier to set and reset system variables. - Added .opt files for test that required specfic options that could be changed by external configuration files. - Fixed result files in rockdsb & tokudb that had not been updated for a while.
462 lines
12 KiB
Text
462 lines
12 KiB
Text
# create view
|
|
# create trigger
|
|
# create procedure
|
|
# create event
|
|
# mysqldump dumping the definer
|
|
|
|
--source include/not_embedded.inc
|
|
--source include/default_charset.inc
|
|
|
|
let MYSQLD_DATADIR=`select @@datadir`;
|
|
|
|
create database mysqltest1;
|
|
use mysqltest1;
|
|
|
|
create table t1 (a int, b int, c int);
|
|
insert t1 values (1,10,100),(2,20,200);
|
|
|
|
# non-priv role granted
|
|
create role role1;
|
|
grant select (a) on mysqltest1.t1 to role1;
|
|
grant event,execute,trigger on mysqltest1.* to role1;
|
|
|
|
grant role1 to current_user;
|
|
|
|
# priv role
|
|
create role role2;
|
|
grant insert,select on mysqltest1.t1 to role2;
|
|
grant event,execute,trigger on mysqltest1.* to role2;
|
|
|
|
# create a non-priv user and a priv role granted to him
|
|
create user foo@localhost;
|
|
grant create view on mysqltest1.* to foo@localhost;
|
|
create role role4;
|
|
grant select on mysqltest1.t1 to role4;
|
|
grant role4 to foo@localhost;
|
|
|
|
##################################################
|
|
# views
|
|
##################################################
|
|
|
|
# no curent role = error
|
|
--error ER_MALFORMED_DEFINER
|
|
create definer=current_role view test.v1 as select a+b,c from t1;
|
|
|
|
# definer=current_role, but it has doesn't have enough privileges
|
|
set role role1;
|
|
create definer=current_role view test.v1 as select a+b,c from t1;
|
|
show create view test.v1;
|
|
set role none;
|
|
|
|
# definer=role_name, privileges ok
|
|
create definer=role2 view test.v2 as select a+b,c,current_role() from t1;
|
|
show create view test.v2;
|
|
|
|
# definer=non_existent_role
|
|
create definer=role3 view test.v3 as select a+b,c from t1;
|
|
show create view test.v3;
|
|
|
|
connect (c1, localhost, foo,,mysqltest1);
|
|
connection c1;
|
|
show grants;
|
|
|
|
# role1 doesn't have enough privileges for v1 to work
|
|
--error ER_VIEW_INVALID
|
|
select * from test.v1;
|
|
|
|
# role2 is ok, v2 is ok
|
|
select * from test.v2;
|
|
|
|
# role3 is treated as a user name role3@%, doesn't exist, v3 fails
|
|
--error ER_ACCESS_DENIED_ERROR
|
|
select * from test.v3;
|
|
|
|
# fails, no SUPER - cannot specify a definer arbitrarily
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
create definer=role4 view test.v4 as select a+b,c from t1;
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select * from t1;
|
|
set role role4;
|
|
select * from t1;
|
|
|
|
# can select from t1, but the view won't work, by default definer=current_user
|
|
create view test.v4 as select a+b,c from t1;
|
|
|
|
# now role4 is the current_role, can be specified as a definer
|
|
create definer=role4 view test.v5 as select a+b,c from t1;
|
|
|
|
--error ER_VIEW_INVALID
|
|
select * from test.v4;
|
|
select * from test.v5;
|
|
set role none;
|
|
--error ER_VIEW_INVALID
|
|
select * from test.v4;
|
|
select * from test.v5;
|
|
|
|
connection default;
|
|
|
|
drop role role4;
|
|
|
|
show create view test.v5;
|
|
--error ER_NO_SUCH_USER
|
|
select * from test.v5;
|
|
|
|
create user role4;
|
|
grant select on mysqltest1.t1 to role4;
|
|
show create view test.v5;
|
|
--error ER_NO_SUCH_USER
|
|
select * from test.v5;
|
|
|
|
# pretend it's an old view from before 10.0.5
|
|
perl;
|
|
local $/;
|
|
my $f= "$ENV{MYSQLD_DATADIR}/test/v5.frm";
|
|
open(F, '<', $f) or die "open(<$f): $!";
|
|
$_=<F>;
|
|
s/create-version=2/create-version=1/;
|
|
open(F, '>', $f) or die "open(>$f): $!";
|
|
syswrite F, $_ or die "syswrite($f): $!"
|
|
EOF
|
|
|
|
flush tables;
|
|
show create view test.v5;
|
|
select * from test.v5;
|
|
drop user role4;
|
|
|
|
|
|
##################################################
|
|
# trigger
|
|
##################################################
|
|
|
|
create table t2 select * from t1;
|
|
|
|
# no curent role = error
|
|
--error ER_MALFORMED_DEFINER
|
|
create definer=current_role trigger tr1 before insert on t2 for each row
|
|
insert t1 values (111, 222, 333);
|
|
|
|
# definer=current_role, but it has doesn't have enough privileges
|
|
set role role1;
|
|
create definer=current_role trigger tr1 before insert on t2 for each row
|
|
insert t1 values (111, 222, 333);
|
|
--replace_column 7 #
|
|
show create trigger tr1;
|
|
set role none;
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
insert t2 values (11,22,33);
|
|
select * from t1;
|
|
select * from t2;
|
|
|
|
# definer=role_name, privileges ok
|
|
create definer=role2 trigger tr2 before delete on t2 for each row
|
|
insert t1 values (111, 222, 333);
|
|
--replace_column 7 #
|
|
show create trigger tr2;
|
|
delete from t2 where a=1;
|
|
select * from t1;
|
|
select * from t2;
|
|
delete from t1 where a=111;
|
|
|
|
# definer=non_existent_role
|
|
create definer=role3 trigger tr3 before update on t2 for each row
|
|
insert t1 values (111, 222, 333);
|
|
--replace_column 7 #
|
|
show create trigger tr3;
|
|
--error ER_NO_SUCH_USER
|
|
update t2 set b=2 where a=2;
|
|
select * from t1;
|
|
select * from t2;
|
|
|
|
flush tables;
|
|
|
|
# change triggers to use pre-10.0.5 definer with an empty hostname
|
|
perl;
|
|
local $/;
|
|
my $f= "$ENV{MYSQLD_DATADIR}/mysqltest1/t2.TRG";
|
|
open(F, '<', $f) or die "open(<$f): $!";
|
|
$_=<F>;
|
|
s/'role2'/'role2\@'/;
|
|
s/`role2`/$&\@``/;
|
|
open(F, '>', $f) or die "open(>$f): $!";
|
|
syswrite F, $_ or die "syswrite($f): $!"
|
|
EOF
|
|
|
|
--replace_column 7 #
|
|
show create trigger tr2;
|
|
--error ER_NO_SUCH_USER
|
|
delete from t2 where a=2;
|
|
select * from t1;
|
|
select * from t2;
|
|
|
|
##################################################
|
|
# stored procedures
|
|
##################################################
|
|
|
|
# no curent role = error
|
|
--error ER_MALFORMED_DEFINER
|
|
create definer=current_role procedure pr1() insert t1 values (111, 222, 333);
|
|
|
|
# definer=current_role, but it has doesn't have enough privileges
|
|
set role role1;
|
|
create definer=current_role procedure pr1() insert t1 values (111, 222, 333);
|
|
show create procedure pr1;
|
|
set role none;
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
call pr1();
|
|
select * from t1;
|
|
|
|
# definer=role_name, privileges ok
|
|
create definer=role2 procedure pr2() insert t1 values (111, 222, 333);
|
|
show create procedure pr2;
|
|
call pr2();
|
|
select * from t1;
|
|
delete from t1 where a=111;
|
|
|
|
# definer=non_existent_role
|
|
create definer=role3 procedure pr3() insert t1 values (111, 222, 333);
|
|
show create procedure pr3;
|
|
--error ER_NO_SUCH_USER
|
|
call pr3();
|
|
select * from t1;
|
|
|
|
# change a procedure to use pre-10.0.5 definer with an empty hostname
|
|
update mysql.proc set definer='role2@' where definer='role2';
|
|
--error ER_NO_SUCH_USER
|
|
call pr2();
|
|
|
|
##################################################
|
|
# stored functions
|
|
##################################################
|
|
|
|
# no curent role = error
|
|
--error ER_MALFORMED_DEFINER
|
|
create definer=current_role function fn1() returns int return (select sum(a+b) from t1);
|
|
|
|
# definer=current_role, but it has doesn't have enough privileges
|
|
set role role1;
|
|
create definer=current_role function fn1() returns int return (select sum(a+b) from t1);
|
|
show create function fn1;
|
|
set role none;
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
select fn1();
|
|
select * from t1;
|
|
|
|
# definer=role_name, privileges ok
|
|
create definer=role2 function fn2() returns int return (select sum(a+b) from t1);
|
|
show create function fn2;
|
|
select fn2();
|
|
|
|
# definer=non_existent_role
|
|
create definer=role3 function fn3() returns int return (select sum(a+b) from t1);
|
|
show create function fn3;
|
|
--error ER_NO_SUCH_USER
|
|
select fn3();
|
|
|
|
##################################################
|
|
# events
|
|
##################################################
|
|
|
|
set global event_scheduler=on;
|
|
|
|
# no curent role = error
|
|
--error ER_MALFORMED_DEFINER
|
|
create definer=current_role event e1 on schedule every 1 second starts '2000-01-01' do
|
|
insert t1 values (111, 1, 0);
|
|
|
|
# definer=current_role, but it has doesn't have enough privileges
|
|
set role role1;
|
|
create definer=current_role event e1 on schedule every 1 second starts '2000-01-01' do
|
|
insert t1 values (111, 2, 0);
|
|
show create event e1;
|
|
set role none;
|
|
|
|
# definer=non_existent_role
|
|
create definer=role3 event e3 on schedule every 1 second starts '2000-01-01' do
|
|
insert t1 values (111, 3, 0);
|
|
show create event e3;
|
|
|
|
# definer=role_name, privileges ok
|
|
create definer=role2 event e2 on schedule every 1 second starts '2000-01-01' do
|
|
insert t1 values (111, 4, 0);
|
|
show create event e2;
|
|
|
|
let $wait_condition=select count(*) >= 4 from t1;
|
|
--source include/wait_condition.inc
|
|
|
|
set global event_scheduler=off;
|
|
|
|
--sorted_result
|
|
select distinct * from t1;
|
|
delete from t1 where a=111;
|
|
|
|
##################################################
|
|
# mysqldump
|
|
##################################################
|
|
|
|
# note that LOCK TABLES won't work because v3 has invalid definer
|
|
|
|
--exec $MYSQL_DUMP --compact --events --routines --skip-lock-tables --databases test mysqltest1
|
|
|
|
##################################################
|
|
# cleanup
|
|
##################################################
|
|
|
|
drop trigger tr1;
|
|
drop trigger tr2;
|
|
drop trigger tr3;
|
|
drop procedure pr1;
|
|
drop procedure pr2;
|
|
drop procedure pr3;
|
|
drop function fn1;
|
|
drop function fn2;
|
|
drop function fn3;
|
|
drop event e1;
|
|
drop event e2;
|
|
drop event e3;
|
|
drop view test.v1, test.v2, test.v3, test.v4, test.v5;
|
|
drop table t1, t2;
|
|
drop role role1, role2;
|
|
drop user foo@localhost;
|
|
drop database mysqltest1;
|
|
use test;
|
|
|
|
##################################################
|
|
# reexecution
|
|
##################################################
|
|
|
|
create user utest;
|
|
prepare stmt1 from 'grant select on *.* to utest';
|
|
execute stmt1;
|
|
show grants for utest;
|
|
drop user utest;
|
|
create role utest;
|
|
execute stmt1;
|
|
show grants for utest;
|
|
drop role utest;
|
|
|
|
--echo #
|
|
--echo # MDEV-13676: Field "create Procedure" is NULL, even if the the user
|
|
--echo # has role which is the definer. (SHOW CREATE PROCEDURE)
|
|
--echo #
|
|
|
|
create database rtest;
|
|
create role r1;
|
|
create role r2;
|
|
create role r3;
|
|
grant all privileges on rtest.* to r1;
|
|
|
|
create user user1;
|
|
grant r1 to user1;
|
|
grant r1 to r2;
|
|
grant r2 to user1;
|
|
grant r3 to user1;
|
|
|
|
connect (user1, localhost,user1,,,,,);
|
|
set role r2;
|
|
use rtest;
|
|
|
|
DELIMITER //;
|
|
CREATE DEFINER=current_role() PROCEDURE user1_proc() SQL SECURITY INVOKER
|
|
BEGIN
|
|
SELECT NOW(), VERSION();
|
|
END;//
|
|
DELIMITER ;//
|
|
|
|
set role r2;
|
|
show create procedure user1_proc;
|
|
|
|
--echo #
|
|
--echo # Currently one can not use as definer any role except CURRENT_ROLE
|
|
--echo #
|
|
DELIMITER //;
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
CREATE DEFINER='r1' PROCEDURE user1_proc2() SQL SECURITY INVOKER
|
|
BEGIN
|
|
SELECT NOW(), VERSION();
|
|
END;//
|
|
DELIMITER ;//
|
|
|
|
set role r1;
|
|
DELIMITER //;
|
|
CREATE DEFINER='r1' PROCEDURE user1_proc2() SQL SECURITY INVOKER
|
|
BEGIN
|
|
SELECT NOW(), VERSION();
|
|
END;//
|
|
DELIMITER ;//
|
|
|
|
show create procedure user1_proc2;
|
|
--echo #
|
|
--echo # Test to see if the user can still see the procedure code if the
|
|
--echo # role that owns it is granted to him indirectly.
|
|
--echo #
|
|
set role r2;
|
|
show create procedure user1_proc2;
|
|
|
|
--echo #
|
|
--echo # One should not be able to see the procedure code if the role that owns
|
|
--echo # the procedure is not set by the user or is not in the subgraph of the
|
|
--echo # currently active role.
|
|
--echo #
|
|
set role r3;
|
|
--error ER_SP_DOES_NOT_EXIST
|
|
show create procedure user1_proc2;
|
|
|
|
connection default;
|
|
|
|
use rtest;
|
|
|
|
--echo #
|
|
--echo # Try a few edge cases, with usernames identical to role name;
|
|
--echo #
|
|
|
|
create user user_like_role;
|
|
create user foo;
|
|
create role user_like_role;
|
|
grant select on rtest.* to user_like_role;
|
|
grant select on rtest.* to foo;
|
|
grant select on rtest.* to user_like_role@'%';
|
|
|
|
grant user_like_role to foo;
|
|
|
|
--echo #
|
|
--echo # Here we have a procedure that is owned by user_like_role USER
|
|
--echo # We don't want user_like_role ROLE to have access to its code.
|
|
--echo #
|
|
DELIMITER //;
|
|
CREATE DEFINER=`user_like_role`@`%` PROCEDURE sensitive_proc() SQL SECURITY INVOKER
|
|
BEGIN
|
|
SELECT NOW(), VERSION();
|
|
END;//
|
|
DELIMITER ;//
|
|
|
|
connect (user_like_role, localhost, user_like_role,,,,,);
|
|
use rtest;
|
|
show create procedure sensitive_proc;
|
|
|
|
connect (foo, localhost, foo,,,,,);
|
|
set role user_like_role;
|
|
use rtest;
|
|
|
|
--echo #
|
|
--echo # Foo has the set rolename identical to the procedure's definer's username.
|
|
--echo # Foo should not have access to this procedure.
|
|
--echo #
|
|
--error ER_SP_DOES_NOT_EXIST
|
|
show create procedure sensitive_proc;
|
|
|
|
connection default;
|
|
drop role r1;
|
|
drop role r2;
|
|
drop role r3;
|
|
drop role user_like_role;
|
|
drop user user1;
|
|
drop user foo;
|
|
drop user user_like_role;
|
|
drop procedure user1_proc;
|
|
drop procedure user1_proc2;
|
|
drop procedure sensitive_proc;
|
|
drop database rtest;
|