mirror of
https://github.com/MariaDB/server.git
synced 2025-01-31 02:51:44 +01:00
16b2bb909a
The issue manifests due to a bug in mysql_routine_grant. This was a side
effect of e46eea8660 which fixed the problem of not giving appropriate error
message (ER_NONEXISTING_PROC_GRANT) when a routine grant existed due to role
inheritance.
When granting a routine privilege, it is possible to have a GRANT_NAME
entry already created from an inherited role, but with it's init_privs
set to 0.
In this case we must not create a *new* grant entry, but we must edit
this grant entry to set its init_privs.
Note that this case was already covered by MDEV-29458, however due to a
forgotten "flush privileges;" the actual code path never got hit.
Remove the flush privilege command as it was never intended to be there
in the first place.
163 lines
4.4 KiB
Text
163 lines
4.4 KiB
Text
--source include/not_embedded.inc
|
|
|
|
create user foo;
|
|
create database some_db;
|
|
create table some_db.t1 (a int, b int, secret int);
|
|
|
|
delimiter //;
|
|
CREATE PROCEDURE some_db.p1 (OUT param1 INT)
|
|
BEGIN
|
|
SELECT COUNT(*) INTO param1 FROM some_db.t1;
|
|
END;
|
|
//
|
|
delimiter ;//
|
|
|
|
delimiter //;
|
|
CREATE FUNCTION some_db.f1 (param1 INT) RETURNS INT
|
|
BEGIN
|
|
DECLARE c INT;
|
|
SET c = 100;
|
|
RETURN param1 + c;
|
|
END;
|
|
//
|
|
delimiter ;//
|
|
|
|
--echo #
|
|
--echo # These roles will form a two level hierarchy.
|
|
--echo # The "select" role will have the select privilege, while
|
|
--echo # the active role will inherit the select role.
|
|
--echo #
|
|
--echo # The active role will be granted a different privilege but on the same
|
|
--echo # level (global, database, table, proc respectively) *after* the 'select'
|
|
--echo # role has been granted its select privilege.
|
|
--echo #
|
|
|
|
create role r_select_global;
|
|
create role r_active_global;
|
|
|
|
create role r_select_database;
|
|
create role r_active_database;
|
|
|
|
create role r_select_table;
|
|
create role r_active_table;
|
|
|
|
create role r_select_column;
|
|
create role r_active_column;
|
|
|
|
create role r_execute_proc;
|
|
create role r_active_proc;
|
|
|
|
create role r_execute_func;
|
|
create role r_active_func;
|
|
|
|
grant r_select_global to r_active_global;
|
|
grant r_select_database to r_active_database;
|
|
grant r_select_table to r_active_table;
|
|
grant r_select_column to r_active_column;
|
|
grant r_execute_proc to r_active_proc;
|
|
grant r_execute_func to r_active_func;
|
|
|
|
--echo #
|
|
--echo # These 3 roles form a chain, where only the upper level has select
|
|
--echo # privileges and the middle level will receive a grant for the same level
|
|
--echo # privilege, but different kind (for example select on upper and insert
|
|
--echo # on middle).
|
|
--echo #
|
|
--echo # The lower level should inherit both rights.
|
|
--echo #
|
|
create role upper_level;
|
|
create role middle_level;
|
|
create role lower_level;
|
|
|
|
grant upper_level to middle_level;
|
|
grant middle_level to lower_level;
|
|
|
|
grant r_active_global to foo;
|
|
grant r_active_database to foo;
|
|
grant r_active_table to foo;
|
|
grant r_active_column to foo;
|
|
grant r_active_proc to foo;
|
|
grant r_active_func to foo;
|
|
grant lower_level to foo;
|
|
|
|
grant select on *.* to r_select_global;
|
|
grant select on some_db.* to r_select_database;
|
|
grant select on some_db.t1 to r_select_table;
|
|
grant select(a) on some_db.t1 to r_select_column;
|
|
grant select on *.* to upper_level;
|
|
|
|
grant execute on procedure some_db.p1 to r_execute_proc;
|
|
grant execute on function some_db.f1 to r_execute_func;
|
|
|
|
|
|
--echo #
|
|
--echo # Granting a privilege different than select on the corresponding level.
|
|
--echo # This tests that the base role correctly inherits its granted roles
|
|
--echo # privileges.
|
|
--echo #
|
|
grant insert on *.* to r_active_global;
|
|
grant insert on some_db.* to r_active_database;
|
|
grant insert on some_db.t1 to r_active_table;
|
|
grant insert(a) on some_db.t1 to r_active_column;
|
|
grant insert on *.* to middle_level;
|
|
|
|
grant alter routine on procedure some_db.p1 to r_active_proc;
|
|
grant alter routine on function some_db.f1 to r_active_func;
|
|
|
|
--connect (con1, localhost, foo,,)
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select * from some_db.t1;
|
|
|
|
--echo #
|
|
--echo # Before MDEV-29458 fix, all these commands would return
|
|
--echo # ER_TABLEACCESS_DENIED_ERROR
|
|
--echo #
|
|
set role r_active_global;
|
|
select * from some_db.t1;
|
|
set role r_active_database;
|
|
select * from some_db.t1;
|
|
set role r_active_table;
|
|
select * from some_db.t1;
|
|
set role r_active_column;
|
|
select a from some_db.t1;
|
|
set role lower_level;
|
|
select * from some_db.t1;
|
|
|
|
set role r_active_proc;
|
|
set @var=100;
|
|
call some_db.p1(@var);
|
|
|
|
set role r_active_func;
|
|
select some_db.f1(10);
|
|
|
|
disconnect con1;
|
|
|
|
--echo #
|
|
--echo # Cleanup.
|
|
--echo #
|
|
connection default;
|
|
|
|
drop database some_db;
|
|
drop role r_select_global, r_select_database, r_select_table, r_select_column;
|
|
drop role r_active_global, r_active_database, r_active_table, r_active_column;
|
|
drop role r_execute_proc, r_execute_func;
|
|
drop role r_active_proc, r_active_func;
|
|
drop role upper_level, middle_level, lower_level;
|
|
drop user foo;
|
|
|
|
--echo #
|
|
--echo # Test that dropping of roles clears the intermediate generated
|
|
--echo # (such as an `acl_dbs` element with 0 init_access, but with access != 0)
|
|
--echo # datastructures.
|
|
--echo #
|
|
create role test_role1;
|
|
create role test_role2;
|
|
|
|
grant test_role2 to test_role1;
|
|
grant select on mysql.* to test_role2;
|
|
grant select on mysql.user to test_role2;
|
|
grant select(user) on mysql.user to test_role2;
|
|
drop role test_role1, test_role2;
|
|
|
|
create role test_role1;
|
|
drop role test_role1;
|