mirror of
https://github.com/MariaDB/server.git
synced 2025-01-30 18:41:56 +01:00
ee77375377
- Regression introduced in957cb7b7ba- Patch4abb8216a0change `mysql.user` to `mysql.global_priv` for `add_anonymous.inc`, update `delete_anonymous.inc`. - Added test case with `--skip-name-resolve` - Add test case with anonymous user - Disable this test for windows, assignes current user to anonymous user. Reviewed by: <serg@mariadb.com>
168 lines
4.8 KiB
Text
168 lines
4.8 KiB
Text
source include/not_embedded.inc;
|
|
|
|
# This test checks the error paths possible during set default role.
|
|
|
|
# Create a user with no privileges
|
|
create user test_user@localhost;
|
|
|
|
create role test_role;
|
|
create role not_granted_role;
|
|
|
|
grant select on *.* to test_role;
|
|
grant test_role to test_user@localhost;
|
|
|
|
change_user 'test_user';
|
|
show grants;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select user, host, default_role from mysql.user;
|
|
|
|
# A user can not set a default role that does not exist in the database.
|
|
--error ER_INVALID_ROLE
|
|
set default role invalid_role;
|
|
|
|
# A user can not set a default role if he can not call set role <role>.
|
|
--error ER_INVALID_ROLE
|
|
set default role not_granted_role;
|
|
|
|
set default role test_role;
|
|
|
|
# Even though a user has the default role set, without reconnecting, we should
|
|
# not already have the roles privileges.
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select user, host, default_role from mysql.user;
|
|
|
|
change_user 'root';
|
|
select user, host, default_role from mysql.user where user='test_user';
|
|
|
|
change_user 'test_user';
|
|
# This should show that the new test_user has the role's grants enabled.
|
|
show grants;
|
|
select user, host, default_role from mysql.user where user='test_user';
|
|
|
|
# If we have a failed set default role attempt, don't change the already set
|
|
# default role.
|
|
--error ER_INVALID_ROLE
|
|
set default role invalid_role;
|
|
select user, host, default_role from mysql.user where user='test_user';
|
|
|
|
change_user 'root';
|
|
# Now, even though a default role is still set for test_user, make sure the
|
|
# user does not get the rights, if he can not set the role.
|
|
revoke test_role from test_user@localhost;
|
|
|
|
change_user 'test_user';
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select user, host, default_role from mysql.user where user='test_user';
|
|
|
|
change_user 'root';
|
|
|
|
# Cleanup
|
|
drop role test_role;
|
|
drop role not_granted_role;
|
|
drop user test_user@localhost;
|
|
|
|
--echo #
|
|
--echo # MDEV-22312: Bad error message for SET DEFAULT ROLE when user account
|
|
--echo # is not granted the role
|
|
--echo #
|
|
|
|
CREATE USER a;
|
|
CREATE USER b;
|
|
CREATE ROLE r1;
|
|
CREATE ROLE r2;
|
|
--error ER_INVALID_ROLE
|
|
SET DEFAULT ROLE r1 FOR a;
|
|
# Granting roles to user b
|
|
GRANT r1 TO b;
|
|
GRANT r2 TO b;
|
|
# After granting the role, role can be set as default
|
|
SET DEFAULT ROLE r1 FOR b;
|
|
|
|
--echo # Change user b
|
|
change_user b;
|
|
SELECT CURRENT_ROLE;
|
|
SET ROLE r2;
|
|
SELECT CURRENT_ROLE;
|
|
# User b has no UPDATE_PRIV for mysql.user
|
|
--error ER_DBACCESS_DENIED_ERROR
|
|
SET DEFAULT ROLE r1 FOR a;
|
|
SET DEFAULT ROLE r2;
|
|
|
|
--echo # Change user root (session 1: select_priv to b)
|
|
change_user root;
|
|
# Let's grant select_priv to user b
|
|
GRANT SELECT ON mysql.* TO b;
|
|
|
|
--echo # Change user b (session 1: select_priv)
|
|
change_user b;
|
|
SHOW GRANTS FOR b;
|
|
# User must have update_priv before setting the role
|
|
--error ER_DBACCESS_DENIED_ERROR
|
|
SET DEFAULT ROLE r1 FOR a;
|
|
# Testing the `CURRENT_ROLE` as a special case
|
|
SELECT CURRENT_ROLE;
|
|
SET DEFAULT ROLE NONE;
|
|
SELECT CURRENT_ROLE;
|
|
SET DEFAULT ROLE current_role FOR current_user;
|
|
# Testing of non-existing role
|
|
--error ER_INVALID_ROLE
|
|
SET DEFAULT ROLE invalid_role;
|
|
# Testing of non-existing role for different user
|
|
--error ER_DBACCESS_DENIED_ERROR
|
|
SET DEFAULT ROLE invalid_role FOR a;
|
|
# Testing the `None` role for different user
|
|
-- error ER_DBACCESS_DENIED_ERROR
|
|
SET DEFAULT ROLE none FOR a;
|
|
|
|
--echo # Change user root (session 2: adding update_priv to user b)
|
|
change_user root;
|
|
# update_priv are enough
|
|
GRANT UPDATE ON mysql.* TO b;
|
|
|
|
--echo # Change user b
|
|
change_user b;
|
|
SHOW GRANTS FOR b;
|
|
# In all tests in session user a has not been granted the role
|
|
# Testing setting role for different user, should fail with new error
|
|
--error ER_INVALID_ROLE
|
|
SET DEFAULT ROLE r1 FOR a;
|
|
# Testing of non-existing role
|
|
--error ER_INVALID_ROLE
|
|
SET DEFAULT ROLE invalid_role;
|
|
# Testing of non-existing role for different user with update_priv
|
|
--error ER_INVALID_ROLE
|
|
SET DEFAULT ROLE invalid_role FOR a;
|
|
# Testing the `None` role for different user with update_priv
|
|
SET DEFAULT ROLE none FOR a;
|
|
|
|
--echo # Change user root (session 3: Grant role to user a)
|
|
change_user root;
|
|
# After granting the privilege for a, user b can set default role
|
|
GRANT r1 TO a;
|
|
SET DEFAULT ROLE r1 FOR a;
|
|
|
|
--echo # Change user a (verify session 3)
|
|
change_user a;
|
|
SELECT CURRENT_ROLE;
|
|
SET DEFAULT ROLE None;
|
|
|
|
--echo # Change user b (session 3: role granted to user a)
|
|
change_user b;
|
|
# This should set role because b has update_priv
|
|
SET DEFAULT ROLE r1 FOR a;
|
|
# Testing non-granted role r2 still should fail
|
|
-- error ER_INVALID_ROLE
|
|
SET DEFAULT ROLE r2 FOR a;
|
|
# Testing of non-existing role
|
|
--error ER_INVALID_ROLE
|
|
SET DEFAULT ROLE invalid_role;
|
|
# Testing of non-existing role for different user
|
|
--error ER_INVALID_ROLE
|
|
SET DEFAULT ROLE invalid_role FOR a;
|
|
|
|
# Clear the workspace
|
|
change_user root;
|
|
--sorted_result
|
|
SELECT user, host, default_role FROM mysql.user where user='a' or user='b';
|
|
DROP ROLE r1, r2;
|
|
DROP USER a, b;
|