mirror of
https://github.com/MariaDB/server.git
synced 2025-01-16 12:02:42 +01:00
0253ea7f22
Also fixes: MDEV-21487: Implement option for mysql_upgrade that allows root@localhost to be replaced MDEV-21486: Implement option for mysql_install_db that allows root@localhost to be replaced Add user mariadb.sys to be definer of user view (and has right on underlying table global_priv for required operation over global_priv (SELECT,UPDATE,DELETE)) Also changed definer of gis functions in case of creation, but they work with any definer so upgrade script do not try to push this change.
104 lines
3.3 KiB
Text
104 lines
3.3 KiB
Text
create user 'test_user'@'localhost';
|
|
create role test_role1;
|
|
create role test_role2;
|
|
create role test_role3;
|
|
grant test_role1 to test_user@localhost;
|
|
grant test_role3 to test_user@localhost;
|
|
grant test_role2 to test_role1;
|
|
select user, host from mysql.user where user not like 'root';
|
|
User Host
|
|
mariadb.sys localhost
|
|
test_role1
|
|
test_role2
|
|
test_role3
|
|
test_user localhost
|
|
select * from mysql.roles_mapping;
|
|
Host User Role Admin_option
|
|
test_role1 test_role2 N
|
|
localhost root test_role1 Y
|
|
localhost root test_role2 Y
|
|
localhost root test_role3 Y
|
|
localhost test_user test_role1 N
|
|
localhost test_user test_role3 N
|
|
create function mysql.test_func (s CHAR(20))
|
|
returns CHAR(50) DETERMINISTIC
|
|
return concat('Test string: ',s);
|
|
create procedure mysql.test_proc (OUT param1 INT)
|
|
begin
|
|
select COUNT(*) into param1 from mysql.roles_mapping;
|
|
end|
|
|
grant execute on function mysql.test_func to test_role2;
|
|
grant execute on procedure mysql.test_proc to test_role2;
|
|
grant execute on mysql.* to test_role3;
|
|
show grants;
|
|
Grants for test_user@localhost
|
|
GRANT USAGE ON *.* TO `test_user`@`localhost`
|
|
GRANT `test_role1` TO `test_user`@`localhost`
|
|
GRANT `test_role3` TO `test_user`@`localhost`
|
|
use mysql;
|
|
ERROR 42000: Access denied for user 'test_user'@'localhost' to database 'mysql'
|
|
select current_user(), current_role();
|
|
current_user() current_role()
|
|
test_user@localhost NULL
|
|
set role test_role1;
|
|
select current_user(), current_role();
|
|
current_user() current_role()
|
|
test_user@localhost test_role1
|
|
use mysql;
|
|
call test_proc(@a);
|
|
SELECT @a;
|
|
@a
|
|
6
|
|
SELECT test_func('AABBCCDD');
|
|
test_func('AABBCCDD')
|
|
Test string: AABBCCDD
|
|
show grants;
|
|
Grants for test_user@localhost
|
|
GRANT EXECUTE ON FUNCTION `mysql`.`test_func` TO `test_role2`
|
|
GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO `test_role2`
|
|
GRANT USAGE ON *.* TO `test_role1`
|
|
GRANT USAGE ON *.* TO `test_role2`
|
|
GRANT USAGE ON *.* TO `test_user`@`localhost`
|
|
GRANT `test_role1` TO `test_user`@`localhost`
|
|
GRANT `test_role2` TO `test_role1`
|
|
GRANT `test_role3` TO `test_user`@`localhost`
|
|
set role none;
|
|
select current_user(), current_role();
|
|
current_user() current_role()
|
|
test_user@localhost NULL
|
|
show grants;
|
|
Grants for test_user@localhost
|
|
GRANT USAGE ON *.* TO `test_user`@`localhost`
|
|
GRANT `test_role1` TO `test_user`@`localhost`
|
|
GRANT `test_role3` TO `test_user`@`localhost`
|
|
call test_proc(@a);
|
|
ERROR 42000: execute command denied to user 'test_user'@'localhost' for routine 'mysql.test_proc'
|
|
SELECT test_func('AABBCCDD');
|
|
ERROR 42000: execute command denied to user 'test_user'@'localhost' for routine 'mysql.test_func'
|
|
set role test_role3;
|
|
select current_user(), current_role();
|
|
current_user() current_role()
|
|
test_user@localhost test_role3
|
|
show grants;
|
|
Grants for test_user@localhost
|
|
GRANT EXECUTE ON `mysql`.* TO `test_role3`
|
|
GRANT USAGE ON *.* TO `test_role3`
|
|
GRANT USAGE ON *.* TO `test_user`@`localhost`
|
|
GRANT `test_role1` TO `test_user`@`localhost`
|
|
GRANT `test_role3` TO `test_user`@`localhost`
|
|
call test_proc(@a);
|
|
SELECT @a;
|
|
@a
|
|
6
|
|
SELECT test_func('AABBCCDD');
|
|
test_func('AABBCCDD')
|
|
Test string: AABBCCDD
|
|
drop user 'test_user'@'localhost';
|
|
revoke execute on function mysql.test_func from test_role2;
|
|
revoke execute on procedure mysql.test_proc from test_role2;
|
|
revoke execute on mysql.* from test_role3;
|
|
delete from mysql.user where user like'test_%';
|
|
delete from mysql.roles_mapping where Role like 'test%';
|
|
drop function mysql.test_func;
|
|
drop procedure mysql.test_proc;
|
|
flush privileges;
|