mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-25 00:04:33 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
mariadb/mysql-test/suite/funcs_1/t/is_table_privileges.test

347 lines
14 KiB
Text
Raw Blame History

# suite/funcs_1/t/is_table_privileges.test
#
# Check the layout of information_schema.table_privileges and the impact of
# CREATE/ALTER/DROP TABLE/VIEW/SCHEMA ... on it.
#
# Note:
# This test is not intended
# - to show information about the all time existing tables
# within the databases information_schema and mysql
# - for checking storage engine properties
# Therefore please do not alter $engine_type and $other_engine_type.
#
# Author:
# 2008-01-23 mleich WL#4203 Reorganize and fix the data dictionary tests of
# testsuite funcs_1
# Create this script based on older scripts and new code.
#
# This test cannot be used for the embedded server because we check here
# privileges.
--source include/not_embedded.inc
let $engine_type = MEMORY;
let $other_engine_type = MyISAM;
let $is_table = TABLE_PRIVILEGES;
# The table INFORMATION_SCHEMA.TABLE_PRIVILEGES must exist
eval SHOW TABLES FROM information_schema LIKE '$is_table';
--echo #######################################################################
--echo # Testcase 3.2.1.1: INFORMATION_SCHEMA tables can be queried via SELECT
--echo #######################################################################
# Ensure that every INFORMATION_SCHEMA table can be queried with a SELECT
# statement, just as if it were an ordinary user-defined table.
#
--source suite/funcs_1/datadict/is_table_query.inc
--echo #########################################################################
--echo # Testcase 3.2.11.1: INFORMATION_SCHEMA.TABLE_PRIVILEGES layout
--echo #########################################################################
# Ensure that the INFORMATION_SCHEMA.TABLE_PRIVILEGES table has the following
# columns, in the following order:
#
# GRANTEE (shows the name of a user who has either granted, or been granted a
# table privilege),
# TABLE_CATALOG (always shows NULL),
# TABLE_SCHEMA (shows the name of the schema, or database, in which the table
# for which a privilege has been granted resides),
# TABLE_NAME (shows the name of the table),
# PRIVILEGE_TYPE (shows the type of privilege that was granted; must be either
# SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX, DROP or
# CREATE VIEW),
# IS_GRANTABLE (shows whether that privilege was granted WITH GRANT OPTION).
#
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval DESCRIBE information_schema.$is_table;
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval SHOW CREATE TABLE information_schema.$is_table;
--source suite/funcs_1/datadict/datadict_bug_12777.inc
eval SHOW COLUMNS FROM information_schema.$is_table;
# Note: Retrieval of information within information_schema.columns
# about information_schema.table_privileges is in is_columns_is.test.
# Show that TABLE_CATALOG is always NULL.
SELECT table_catalog, table_schema, table_name, privilege_type
FROM information_schema.table_privileges WHERE table_catalog IS NOT NULL;
--echo ######################################################################
--echo # Testcase 3.2.11.2+3.2.11.3+3.2.11.4:
--echo # INFORMATION_SCHEMA.TABLE_PRIVILEGES accessible information
--echo ######################################################################
# 3.2.11.2: Ensure that the table shows the relevant information on every
# table privilege which has been granted to the current user or
# PUBLIC, or which was granted by the current user.
# 3.2.11.3: Ensure that the table does not show any information on any table
# privilege which was granted to any user other than the current
# user or PUBLIC, or which was granted by any user other than the
# current user.
# 3.2.11.4: Ensure that the table does not show any information on any
# privileges that are not table privileges for the current user.
#
# To be implemented:
# Check of content within information_schema.table_privileges about
# databases like 'information_schema' or 'mysql'.
# 2008-02-15 Neither root nor a just created low privileged user has table
# privileges within these schemas.
#
--disable_warnings
DROP DATABASE IF EXISTS db_datadict;
--enable_warnings
CREATE DATABASE db_datadict;
--replace_result $engine_type <engine_type>
eval
CREATE TABLE db_datadict.tb1(f1 INT, f2 INT, f3 INT)
ENGINE = $engine_type;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
GRANT CREATE, SELECT ON db_datadict.*
TO 'testuser1'@'localhost' WITH GRANT OPTION;
GRANT SELECT ON db_datadict.tb1 TO 'testuser1'@'localhost';
--error 0,ER_CANNOT_USER
DROP USER 'testuser2'@'localhost';
CREATE USER 'testuser2'@'localhost';
GRANT ALL ON db_datadict.tb1 TO 'testuser2'@'localhost' WITH GRANT OPTION;
--error 0,ER_CANNOT_USER
DROP USER 'testuser3'@'localhost';
CREATE USER 'testuser3'@'localhost';
let $my_select = SELECT * FROM information_schema.table_privileges
WHERE table_name LIKE 'tb%'
ORDER BY grantee,table_schema,table_name,privilege_type;
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser1, localhost, testuser1, , db_datadict);
--replace_result $other_engine_type <other_engine_type>
eval
CREATE TABLE tb3 (f1 TEXT)
ENGINE = $other_engine_type;
GRANT SELECT ON db_datadict.tb3 TO 'testuser3'@'localhost';
eval $my_select;
SHOW GRANTS FOR 'testuser1'@'localhost';
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser2, localhost, testuser2, , db_datadict);
# we see only table privileges for this user, and not any other privileges
eval $my_select;
SHOW GRANTS FOR 'testuser2'@'localhost';
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
connect (testuser3, localhost, testuser3, , db_datadict);
# we see only table privileges for this user, and not any other privileges
eval $my_select;
SHOW GRANTS FOR 'testuser3'@'localhost';
connection default;
disconnect testuser1;
disconnect testuser2;
disconnect testuser3;
# we see only 'public' table privileges
eval $my_select;
SHOW GRANTS FOR 'testuser1'@'localhost';
SHOW GRANTS FOR 'testuser2'@'localhost';
SHOW GRANTS FOR 'testuser3'@'localhost';
# Cleanup
DROP USER 'testuser1'@'localhost';
DROP USER 'testuser2'@'localhost';
DROP USER 'testuser3'@'localhost';
DROP DATABASE db_datadict;
--echo ################################################################################
--echo # 3.2.1.13+3.2.1.14+3.2.1.15: INFORMATION_SCHEMA.TABLE_PRIVILEGES modifications
--echo ################################################################################
# 3.2.1.13: Ensure that the creation of any new database object (e.g. table or
# column) automatically inserts all relevant information on that
# object into every appropriate INFORMATION_SCHEMA table.
# 3.2.1.14: Ensure that the alteration of any existing database object
# automatically updates all relevant information on that object in
# every appropriate INFORMATION_SCHEMA table.
# 3.2.1.15: Ensure that the dropping of any existing database object
# automatically deletes all relevant information on that object from
# every appropriate INFORMATION_SCHEMA table.
#
# Note (mleich):
# The MySQL privilege system allows to GRANT objects before they exist.
# (Exception: Grant privileges for columns of not existing tables/views.)
# There is also no migration of privileges if objects (tables,views,columns)
# are moved to other databases (tables only), renamed or dropped.
#
--disable_warnings
DROP TABLE IF EXISTS test.t1_table;
DROP VIEW IF EXISTS test.t1_view;
DROP DATABASE IF EXISTS db_datadict;
--enable_warnings
CREATE DATABASE db_datadict;
--replace_result $engine_type <engine_type>
eval
CREATE TABLE test.t1_table (f1 BIGINT)
DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci
COMMENT = 'Initial Comment' ENGINE = $engine_type;
CREATE VIEW test.t1_view AS SELECT 1;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
--error 0,ER_CANNOT_USER
DROP USER 'the_user'@'localhost';
#
# Check granted TABLE and VIEW
SELECT table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%';
GRANT ALL ON test.t1_table TO 'testuser1'@'localhost';
GRANT ALL ON test.t1_view TO 'testuser1'@'localhost';
SELECT * FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY grantee, table_schema, table_name, privilege_type;
#
# Check modification of GRANTEE (migration of permissions)
SELECT DISTINCT grantee, table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY grantee, table_name;
RENAME USER 'testuser1'@'localhost' TO 'the_user'@'localhost';
# FIXME: mleich Workaround for bug to be reported
# It looks like an immediate reloading of the system tables is missing in case
# of RENAME USER.
FLUSH PRIVILEGES;
SELECT DISTINCT grantee, table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY grantee, table_name;
--error ER_NONEXISTING_GRANT
SHOW GRANTS FOR 'testuser1'@'localhost';
SHOW GRANTS FOR 'the_user'@'localhost';
#
# Check modification of TABLE_SCHEMA (no migration of permissions)
SELECT DISTINCT table_schema,table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY table_schema,table_name;
RENAME TABLE test.t1_table TO db_datadict.t1_table;
--error ER_FORBID_SCHEMA_CHANGE
RENAME TABLE test.t1_view TO db_datadict.t1_view;
SELECT DISTINCT table_schema,table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY table_schema,table_name;
SHOW GRANTS FOR 'the_user'@'localhost';
REVOKE ALL PRIVILEGES ON test.t1_table FROM 'the_user'@'localhost';
REVOKE ALL PRIVILEGES ON test.t1_view FROM 'the_user'@'localhost';
DROP VIEW test.t1_view;
CREATE VIEW db_datadict.t1_view AS SELECT 1;
GRANT ALL ON db_datadict.t1_table TO 'the_user'@'localhost';
GRANT ALL ON db_datadict.t1_view TO 'the_user'@'localhost';
#
# Check modification of TABLE_NAME (no migration of permissions)
SELECT DISTINCT table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY table_name;
RENAME TABLE db_datadict.t1_table TO db_datadict.t1_tablex;
RENAME TABLE db_datadict.t1_view TO db_datadict.t1_viewx;
SELECT DISTINCT table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY table_name;
RENAME TABLE db_datadict.t1_tablex TO db_datadict.t1_table;
RENAME TABLE db_datadict.t1_viewx TO db_datadict.t1_view;
#
# Check impact of DROP TABLE/VIEW (no removal of permissions)
SELECT DISTINCT table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY table_name;
DROP TABLE db_datadict.t1_table;
DROP VIEW db_datadict.t1_view;
SELECT DISTINCT table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY table_name;
#
# Check impact of DROP SCHEMA (no removal of permissions)
--replace_result $engine_type <engine_type>
eval
CREATE TABLE db_datadict.t1_table
ENGINE = $engine_type AS
SELECT 1;
CREATE VIEW db_datadict.t1_view AS SELECT 1;
GRANT ALL ON db_datadict.t1_table TO 'the_user'@'localhost';
GRANT ALL ON db_datadict.t1_view TO 'the_user'@'localhost';
SELECT DISTINCT table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY table_name;
DROP DATABASE db_datadict;
SELECT DISTINCT table_name FROM information_schema.table_privileges
WHERE table_name LIKE 't1_%'
ORDER BY table_name;
# Cleanup
DROP USER 'the_user'@'localhost';
--echo ########################################################################
--echo # Testcases 3.2.1.3-3.2.1.5 + 3.2.1.8-3.2.1.12: INSERT/UPDATE/DELETE and
--echo # DDL on INFORMATION_SCHEMA table are not supported
--echo ########################################################################
# 3.2.1.3: Ensure that no user may execute an INSERT statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.4: Ensure that no user may execute an UPDATE statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.5: Ensure that no user may execute a DELETE statement on any
# INFORMATION_SCHEMA table.
# 3.2.1.8: Ensure that no user may create an index on an
# INFORMATION_SCHEMA table.
# 3.2.1.9: Ensure that no user may alter the definition of an
# INFORMATION_SCHEMA table.
# 3.2.1.10: Ensure that no user may drop an INFORMATION_SCHEMA table.
# 3.2.1.11: Ensure that no user may move an INFORMATION_SCHEMA table to any
# other database.
# 3.2.1.12: Ensure that no user may directly add to, alter, or delete any data
# in an INFORMATION_SCHEMA table.
#
--disable_warnings
DROP DATABASE IF EXISTS db_datadict;
--enable_warnings
CREATE DATABASE db_datadict;
--replace_result $engine_type <engine_type>
eval
CREATE TABLE db_datadict.t1 (f1 BIGINT, f2 BIGINT)
ENGINE = $engine_type;
--error 0,ER_CANNOT_USER
DROP USER 'testuser1'@'localhost';
CREATE USER 'testuser1'@'localhost';
GRANT SELECT (f1) ON db_datadict.t1 TO 'testuser1'@'localhost';
--error ER_DBACCESS_DENIED_ERROR
INSERT INTO information_schema.table_privileges
SELECT * FROM information_schema.table_privileges;
--error ER_DBACCESS_DENIED_ERROR
UPDATE information_schema.table_privileges SET table_schema = 'test'
WHERE table_name = 't1';
--error ER_DBACCESS_DENIED_ERROR
DELETE FROM information_schema.table_privileges WHERE table_name = 't1';
--error ER_DBACCESS_DENIED_ERROR
TRUNCATE information_schema.table_privileges;
--error ER_DBACCESS_DENIED_ERROR
CREATE INDEX my_idx_on_tables
ON information_schema.table_privileges(table_schema);
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.table_privileges ADD f1 INT;
--error ER_DBACCESS_DENIED_ERROR
DROP TABLE information_schema.table_privileges;
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.table_privileges
RENAME db_datadict.table_privileges;
--error ER_DBACCESS_DENIED_ERROR
ALTER TABLE information_schema.table_privileges
RENAME information_schema.xtable_privileges;
# Cleanup
DROP DATABASE db_datadict;
DROP USER 'testuser1'@'localhost';
Reference in a new issue View git blame Copy permalink