mirror of
https://github.com/MariaDB/server.git
synced 2025-01-30 18:41:56 +01:00
b527bfe823
The change from MDEV-29465 exposed a flaw in replace_column_table where again we were not properly updating the column-level bits. replace_table_table was changed in MDEV-29465 to properly update grant_table->init_cols, however replace_column_table still only modified grant_column->rights when the GRANT_COLUMN already existed. This lead to a missmatch between GRANT_COLUMN::init_rights and GRANT_COLUMN::rights, *if* the GRANT_COLUMN already existed. As an example: GRANT SELECT (col1) ... Here: For col1 GRANT_COLUMN::init_rights and GRANT_COLUMN::rights are set to 1 (SELECT) in replace_column_table. GRANT INSERT (col1) ... Here, without this patch GRANT_COLUMN::init_rights is still 1 and GRANT_COLUMN::rights is 3 (SELECT_PRIV | INSERT_PRIV) Finally, if before this patch, one does: REVOKE SELECT (col1) ... replace_table_table will see that init_rights loses bit 1 thus it considers there are no more rights granted on that particular table. This prompts the whole GRANT_TABLE to be removed via the first revoke, when the GRANT_COLUMN corresponding to it should still have init_rights == 2. By also updating replace_column_table to keep init_rights in sync properly, the issue is resolved. Reviewed by <serg@mariadb.com>
281 lines
7.6 KiB
Text
281 lines
7.6 KiB
Text
-- source include/not_embedded.inc
|
|
|
|
#
|
|
# MDEV-6625 SHOW GRANTS for current_user_name@wrong_host_name
|
|
#
|
|
--error ER_NONEXISTING_GRANT
|
|
SHOW GRANTS FOR root@invalid_host;
|
|
|
|
#
|
|
# MDEV-9580 SHOW GRANTS FOR <current_user> fails
|
|
#
|
|
create user test;
|
|
create user foo;
|
|
create role foo;
|
|
grant foo to test;
|
|
--connect (conn_1, localhost, test,,)
|
|
set role foo;
|
|
show grants for test; # user
|
|
show grants for foo; # role
|
|
--error ER_DBACCESS_DENIED_ERROR
|
|
show grants for foo@'%'; # user
|
|
--connection default
|
|
drop user test, foo;
|
|
drop role foo;
|
|
|
|
#
|
|
# MDEV-17975 Assertion `! is_set()' or `!is_set() || (m_status == DA_OK_BULK && is_bulk_op())' failed upon REVOKE under LOCK TABLE
|
|
#
|
|
CREATE TABLE t1 (a INT);
|
|
LOCK TABLE t1 WRITE;
|
|
--error ER_TABLE_NOT_LOCKED
|
|
REVOKE EXECUTE ON PROCEDURE sp FROM u;
|
|
--error ER_TABLE_NOT_LOCKED
|
|
REVOKE PROCESS ON *.* FROM u;
|
|
DROP TABLE t1;
|
|
|
|
#
|
|
# MDEV-23010 UPDATE privilege at Database and Table level fail to update with SELECT command denied to user
|
|
#
|
|
create database mysqltest1;
|
|
use mysqltest1;
|
|
create table t1(id int);
|
|
insert t1 values(2);
|
|
create user u1@localhost;
|
|
grant select on mysqltest1.t1 to u1@localhost;
|
|
grant update on mysqltest1.* to u1@localhost;
|
|
connect u1, localhost, u1;
|
|
update mysqltest1.t1 set id=1 where id=2;
|
|
connection default;
|
|
disconnect u1;
|
|
drop user u1@localhost;
|
|
drop database mysqltest1;
|
|
|
|
#
|
|
# MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role
|
|
#
|
|
CREATE ROLE test_role;
|
|
CREATE USER test_user;
|
|
GRANT test_role TO test_user;
|
|
SET DEFAULT ROLE test_role FOR test_user;
|
|
SHOW GRANTS FOR test_user;
|
|
SET DEFAULT ROLE NONE for test_user;
|
|
SHOW GRANTS FOR test_user;
|
|
SET ROLE test_role;
|
|
SET DEFAULT ROLE test_role;
|
|
SHOW GRANTS;
|
|
SET DEFAULT ROLE NONE;
|
|
SHOW GRANTS;
|
|
DROP USER test_user;
|
|
DROP ROLE test_role;
|
|
|
|
#
|
|
# End of 10.1 tests
|
|
#
|
|
|
|
--echo #
|
|
--echo # MDEV-20076: SHOW GRANTS does not quote role names properly
|
|
--echo #
|
|
|
|
create role 'role1';
|
|
create role 'fetch';
|
|
create role 'role-1';
|
|
create role 'rock\'n\'roll';
|
|
create user 'user1'@'localhost';
|
|
create user 'fetch'@'localhost';
|
|
create user 'user-1'@'localhost';
|
|
create user 'O\'Brien'@'localhost';
|
|
grant select on mysql.user to role1;
|
|
grant select on mysql.user to 'fetch';
|
|
grant select on mysql.user to 'role-1';
|
|
grant select on mysql.user to 'rock\'n\'roll';
|
|
GRANT 'role1' TO 'user1'@'localhost';
|
|
GRANT 'fetch' TO 'fetch'@'localhost';
|
|
GRANT 'role-1' TO 'user-1'@'localhost';
|
|
GRANT 'rock\'n\'roll' TO 'O\'Brien'@'localhost';
|
|
show grants for 'role1';
|
|
show grants for 'fetch';
|
|
show grants for 'role-1';
|
|
show grants for 'rock\'n\'roll';
|
|
show grants for 'user1'@'localhost';
|
|
show grants for 'fetch'@'localhost';
|
|
show grants for 'user-1'@'localhost';
|
|
show grants for 'O\'Brien'@'localhost';
|
|
set @save_sql_quote_show_create= @@sql_quote_show_create;
|
|
set @@sql_quote_show_create= OFF;
|
|
show grants for 'role1';
|
|
show grants for 'fetch';
|
|
show grants for 'role-1';
|
|
show grants for 'rock\'n\'roll';
|
|
show grants for 'user1'@'localhost';
|
|
show grants for 'fetch'@'localhost';
|
|
show grants for 'user-1'@'localhost';
|
|
show grants for 'O\'Brien'@'localhost';
|
|
set @@sql_quote_show_create= @save_sql_quote_show_create;
|
|
drop role 'role1';
|
|
drop role 'fetch';
|
|
drop role 'role-1';
|
|
drop role 'rock\'n\'roll';
|
|
drop user 'user1'@'localhost';
|
|
drop user 'fetch'@'localhost';
|
|
drop user 'user-1'@'localhost';
|
|
drop user 'O\'Brien'@'localhost';
|
|
|
|
--echo #
|
|
--echo # MDEV-26080 SHOW GRANTS does not quote role names properly for DEFAULT ROLE
|
|
--echo #
|
|
|
|
CREATE USER 'test-user';
|
|
CREATE ROLE `r``o'l"e`;
|
|
select user from mysql.user where is_role='Y';
|
|
GRANT `r``o'l"e` TO 'test-user';
|
|
SET DEFAULT ROLE `r``o'l"e` FOR 'test-user';
|
|
# it is expected that quotes won't be shown correctly
|
|
SHOW GRANTS FOR 'test-user';
|
|
DROP ROLE `r``o'l"e`;
|
|
DROP USER 'test-user';
|
|
|
|
--echo #
|
|
--echo # MDEV-28548: ER_TABLEACCESS_DENIED_ERROR is missing information about DB
|
|
--echo #
|
|
|
|
create database db1;
|
|
create user foo@localhost;
|
|
grant create on db1.* to foo@localhost;
|
|
|
|
--connect (con1,localhost,foo,,db1)
|
|
create table t(t int);
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
show columns in t;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
show columns in db1.t;
|
|
# CREATE_VIEW_ACL needed
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
create view t_v as select * from t;
|
|
# show create view needs to have SELECT_ACL and SHOW_VIEW_ACL
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
show create view t_v;
|
|
|
|
create table t2(id int primary key, b int);
|
|
|
|
# Reference non existing DB with wrong DB name
|
|
--error ER_WRONG_DB_NAME
|
|
create table t3(a int, b int, CONSTRAINT `fk_db2_db1_t1`
|
|
FOREIGN KEY (a)
|
|
REFERENCES `db1 `.t1 (a)
|
|
ON DELETE CASCADE
|
|
ON UPDATE RESTRICT);
|
|
|
|
# Reference non-existing DB (with qualified DB name)
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
create table t3(a int, b int, CONSTRAINT `fk_db2_db3_t1`
|
|
FOREIGN KEY (a)
|
|
REFERENCES db3.t1 (a)
|
|
ON DELETE CASCADE
|
|
ON UPDATE RESTRICT);
|
|
|
|
# Reference DB (with not qualified DB name)
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
create table t1(a int, b int, CONSTRAINT `fk_db2_db3_t1`
|
|
FOREIGN KEY (a)
|
|
REFERENCES t2 (id)
|
|
ON DELETE CASCADE
|
|
ON UPDATE RESTRICT);
|
|
|
|
--connection default
|
|
--disconnect con1
|
|
# Add CREATE_VIEW_ACL and SELECT_ACL
|
|
grant create view, select on db1.* to foo@localhost;
|
|
|
|
--connect (con1,localhost,foo,,db1)
|
|
create view t_v as select * from t;
|
|
show grants;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
show create view t_v;
|
|
|
|
--connection default
|
|
--disconnect con1
|
|
# Add SHOW_VIEW_ACL
|
|
grant show view on db1.* to foo@localhost;
|
|
|
|
--connect (con1,localhost,foo,,db1)
|
|
show grants;
|
|
show create view t_v;
|
|
|
|
--connection default
|
|
--disconnect con1
|
|
drop database db1;
|
|
drop user foo@localhost;
|
|
--echo #
|
|
--echo # MDEV-28455: CREATE TEMPORARY TABLES privilege
|
|
--echo # is insufficient for SHOW COLUMNS
|
|
--echo #
|
|
|
|
create database db;
|
|
create user foo@localhost;
|
|
create user bar@localhost;
|
|
create user buz@localhost;
|
|
grant create temporary tables on db.* to foo@localhost;
|
|
grant create temporary tables on db.* to bar@localhost;
|
|
|
|
--connect (con1,localhost,foo,,db)
|
|
create temporary table tmp (a int, key(a));
|
|
show tables;
|
|
show full tables;
|
|
show table status;
|
|
show index in tmp;
|
|
show columns in tmp;
|
|
show full columns in tmp;
|
|
--echo # we don't expect to show temporary tables in information_schema.columns
|
|
select * from information_schema.columns where table_schema='db';
|
|
--disconnect con1
|
|
|
|
--connect (con1,localhost,bar,,db)
|
|
# User doesn't have `select` privilege on table
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
show full columns in tmp;
|
|
|
|
--disconnect con1
|
|
|
|
--connection default
|
|
grant select on db.* to bar@localhost;
|
|
|
|
--connect (con1,localhost,bar,,db)
|
|
# Table doesn't exist for this session
|
|
show grants for current_user;
|
|
--error ER_NO_SUCH_TABLE
|
|
show full columns in tmp;
|
|
--disconnect con1
|
|
|
|
--connect (con1,localhost,buz,,)
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
show columns in db.tmp;
|
|
--disconnect con1
|
|
|
|
--connection default
|
|
# Cleanup
|
|
drop database db;
|
|
drop user foo@localhost;
|
|
drop user bar@localhost;
|
|
drop user buz@localhost;
|
|
|
|
CREATE USER foo;
|
|
CREATE DATABASE db;
|
|
CREATE TABLE db.test_getcolpriv(col1 INT, col2 INT);
|
|
|
|
GRANT SELECT (col1,col2) ON db.test_getcolpriv TO foo;
|
|
GRANT INSERT (col1) ON db.test_getcolpriv TO foo;
|
|
|
|
SHOW GRANTS FOR foo;
|
|
REVOKE SELECT (col1,col2) ON db.test_getcolpriv FROM foo;
|
|
SHOW GRANTS FOR foo;
|
|
REVOKE INSERT (col1) ON db.test_getcolpriv FROM foo;
|
|
|
|
SHOW GRANTS FOR foo;
|
|
FLUSH PRIVILEGES;
|
|
SHOW GRANTS FOR foo;
|
|
|
|
DROP USER foo;
|
|
DROP DATABASE db;
|
|
|
|
--echo # End of 10.3 tests
|