mirror of
https://github.com/MariaDB/server.git
synced 2025-01-16 03:52:35 +01:00
be758322e2
Whenever we call merge_role_privileges on a role, we make use of the role->counter variable to check if all it's children have had their privileges merged. Only if all children have had their privileges merged, do we update the privileges on parent. This is done to prevent extra work. The same idea is employed during flush privileges. You only begin merging from "leaf" roles. The recursive calls will merge their parents at some point. A problem arises when we try to "re-merge" a parent. Take the following graph: {noformat} A (0) ---- C (2) ---- D (2) ---- USER / / B (0) ----/ / / E (0) --------------/ {noformat} In parentheses we have the "counter" value right before we start to iterate through the roles hash and propagate values. It represents the number of roles granted to the current role. The order in which we iterate through the roles hash is alphabetical. * First merge A, which leads to decreasing the counter for C to 1. Since C is not 0, we don't proceed with merging into C. * Second we merge B, which leads to decreasing the counter for C to 0. Now we proceed with merging into C. This leads to reducing the counter for D to 1 as part of C merge process. * Third as we iterate through the hash, we see that C has counter 0, thus we start the merge process *again*. This leads to reducing the counter for D to 0! We then attempt to merge D. * Fourth we start merging E. When E sees D as it's parent (according to the code) it attempts to reduce D's counter, which leads to overflow. Now D's counter is a very large number, thus E's privileges are not forwarded to D yet. To correct this behavior we must make sure to only start merging from initial leaf nodes.
379 lines
12 KiB
Text
379 lines
12 KiB
Text
--source include/not_embedded.inc
|
|
--echo #
|
|
--echo # MDEV-12366: FLUSH PRIVILEGES can break hierarchy of roles
|
|
--echo #
|
|
--echo # This testcase contains a user, who is granted a master role
|
|
--echo # operations_cluster. operations_cluster is granted 8 different roles
|
|
--echo # who in turn each have 4 different roles granted to them.
|
|
--echo #
|
|
--echo # Only the leaf roles contain privileges to access databases.
|
|
--echo # Make sure the user has access to all databases if the master role
|
|
--echo # is granted to him.
|
|
--echo #
|
|
CREATE USER u;
|
|
CREATE ROLE operations_cluster;
|
|
GRANT operations_cluster TO u;
|
|
CREATE DATABASE bob_live_sg;
|
|
CREATE TABLE bob_live_sg.a (i INT(10));
|
|
CREATE TABLE bob_live_sg.b (i INT(10));
|
|
CREATE TABLE bob_live_sg.c (i INT(10));
|
|
CREATE TABLE bob_live_sg.d (i INT(10));
|
|
CREATE DATABASE oms_live_sg;
|
|
CREATE TABLE oms_live_sg.a (i INT(10));
|
|
CREATE TABLE oms_live_sg.b (i INT(10));
|
|
CREATE TABLE oms_live_sg.c (i INT(10));
|
|
CREATE TABLE oms_live_sg.d (i INT(10));
|
|
CREATE DATABASE bob_live_ph;
|
|
CREATE TABLE bob_live_ph.a (i INT(10));
|
|
CREATE TABLE bob_live_ph.b (i INT(10));
|
|
CREATE TABLE bob_live_ph.c (i INT(10));
|
|
CREATE TABLE bob_live_ph.d (i INT(10));
|
|
CREATE DATABASE oms_live_ph;
|
|
CREATE TABLE oms_live_ph.a (i INT(10));
|
|
CREATE TABLE oms_live_ph.b (i INT(10));
|
|
CREATE TABLE oms_live_ph.c (i INT(10));
|
|
CREATE TABLE oms_live_ph.d (i INT(10));
|
|
CREATE DATABASE bob_live_id;
|
|
CREATE TABLE bob_live_id.a (i INT(10));
|
|
CREATE TABLE bob_live_id.b (i INT(10));
|
|
CREATE TABLE bob_live_id.c (i INT(10));
|
|
CREATE TABLE bob_live_id.d (i INT(10));
|
|
CREATE DATABASE oms_live_id;
|
|
CREATE TABLE oms_live_id.a (i INT(10));
|
|
CREATE TABLE oms_live_id.b (i INT(10));
|
|
CREATE TABLE oms_live_id.c (i INT(10));
|
|
CREATE TABLE oms_live_id.d (i INT(10));
|
|
CREATE DATABASE bob_live_hk;
|
|
CREATE TABLE bob_live_hk.a (i INT(10));
|
|
CREATE TABLE bob_live_hk.b (i INT(10));
|
|
CREATE TABLE bob_live_hk.c (i INT(10));
|
|
CREATE TABLE bob_live_hk.d (i INT(10));
|
|
CREATE DATABASE oms_live_hk;
|
|
CREATE TABLE oms_live_hk.a (i INT(10));
|
|
CREATE TABLE oms_live_hk.b (i INT(10));
|
|
CREATE TABLE oms_live_hk.c (i INT(10));
|
|
CREATE TABLE oms_live_hk.d (i INT(10));
|
|
CREATE DATABASE bob_live_vn;
|
|
CREATE TABLE bob_live_vn.a (i INT(10));
|
|
CREATE TABLE bob_live_vn.b (i INT(10));
|
|
CREATE TABLE bob_live_vn.c (i INT(10));
|
|
CREATE TABLE bob_live_vn.d (i INT(10));
|
|
CREATE DATABASE oms_live_vn;
|
|
CREATE TABLE oms_live_vn.a (i INT(10));
|
|
CREATE TABLE oms_live_vn.b (i INT(10));
|
|
CREATE TABLE oms_live_vn.c (i INT(10));
|
|
CREATE TABLE oms_live_vn.d (i INT(10));
|
|
CREATE DATABASE bob_live_tw;
|
|
CREATE TABLE bob_live_tw.a (i INT(10));
|
|
CREATE TABLE bob_live_tw.b (i INT(10));
|
|
CREATE TABLE bob_live_tw.c (i INT(10));
|
|
CREATE TABLE bob_live_tw.d (i INT(10));
|
|
CREATE DATABASE oms_live_tw;
|
|
CREATE TABLE oms_live_tw.a (i INT(10));
|
|
CREATE TABLE oms_live_tw.b (i INT(10));
|
|
CREATE TABLE oms_live_tw.c (i INT(10));
|
|
CREATE TABLE oms_live_tw.d (i INT(10));
|
|
CREATE DATABASE bob_live_my;
|
|
CREATE TABLE bob_live_my.a (i INT(10));
|
|
CREATE TABLE bob_live_my.b (i INT(10));
|
|
CREATE TABLE bob_live_my.c (i INT(10));
|
|
CREATE TABLE bob_live_my.d (i INT(10));
|
|
CREATE DATABASE oms_live_my;
|
|
CREATE TABLE oms_live_my.a (i INT(10));
|
|
CREATE TABLE oms_live_my.b (i INT(10));
|
|
CREATE TABLE oms_live_my.c (i INT(10));
|
|
CREATE TABLE oms_live_my.d (i INT(10));
|
|
CREATE DATABASE bob_live_th;
|
|
CREATE TABLE bob_live_th.a (i INT(10));
|
|
CREATE TABLE bob_live_th.b (i INT(10));
|
|
CREATE TABLE bob_live_th.c (i INT(10));
|
|
CREATE TABLE bob_live_th.d (i INT(10));
|
|
CREATE DATABASE oms_live_th;
|
|
CREATE TABLE oms_live_th.a (i INT(10));
|
|
CREATE TABLE oms_live_th.b (i INT(10));
|
|
CREATE TABLE oms_live_th.c (i INT(10));
|
|
CREATE TABLE oms_live_th.d (i INT(10));
|
|
CREATE ROLE a_sg;
|
|
CREATE ROLE b_sg;
|
|
CREATE ROLE c_sg;
|
|
CREATE ROLE d_sg;
|
|
CREATE ROLE operations_sg;
|
|
GRANT a_sg TO operations_sg;
|
|
GRANT b_sg TO operations_sg;
|
|
GRANT c_sg TO operations_sg;
|
|
GRANT d_sg TO operations_sg;
|
|
GRANT SELECT ON bob_live_sg.a TO a_sg;
|
|
GRANT SELECT ON bob_live_sg.b TO b_sg;
|
|
GRANT SELECT ON bob_live_sg.c TO c_sg;
|
|
GRANT SELECT ON bob_live_sg.d TO d_sg;
|
|
GRANT SELECT ON oms_live_sg.a TO a_sg;
|
|
GRANT SELECT ON oms_live_sg.b TO b_sg;
|
|
GRANT SELECT ON oms_live_sg.c TO c_sg;
|
|
GRANT SELECT ON oms_live_sg.d TO d_sg;
|
|
CREATE ROLE a_ph;
|
|
CREATE ROLE b_ph;
|
|
CREATE ROLE c_ph;
|
|
CREATE ROLE d_ph;
|
|
CREATE ROLE operations_ph;
|
|
GRANT a_ph TO operations_ph;
|
|
GRANT b_ph TO operations_ph;
|
|
GRANT c_ph TO operations_ph;
|
|
GRANT d_ph TO operations_ph;
|
|
GRANT SELECT ON bob_live_ph.a TO a_ph;
|
|
GRANT SELECT ON bob_live_ph.b TO b_ph;
|
|
GRANT SELECT ON bob_live_ph.c TO c_ph;
|
|
GRANT SELECT ON bob_live_ph.d TO d_ph;
|
|
GRANT SELECT ON oms_live_ph.a TO a_ph;
|
|
GRANT SELECT ON oms_live_ph.b TO b_ph;
|
|
GRANT SELECT ON oms_live_ph.c TO c_ph;
|
|
GRANT SELECT ON oms_live_ph.d TO d_ph;
|
|
CREATE ROLE a_id;
|
|
CREATE ROLE b_id;
|
|
CREATE ROLE c_id;
|
|
CREATE ROLE d_id;
|
|
CREATE ROLE operations_id;
|
|
GRANT a_id TO operations_id;
|
|
GRANT b_id TO operations_id;
|
|
GRANT c_id TO operations_id;
|
|
GRANT d_id TO operations_id;
|
|
GRANT SELECT ON bob_live_id.a TO a_id;
|
|
GRANT SELECT ON bob_live_id.b TO b_id;
|
|
GRANT SELECT ON bob_live_id.c TO c_id;
|
|
GRANT SELECT ON bob_live_id.d TO d_id;
|
|
GRANT SELECT ON oms_live_id.a TO a_id;
|
|
GRANT SELECT ON oms_live_id.b TO b_id;
|
|
GRANT SELECT ON oms_live_id.c TO c_id;
|
|
GRANT SELECT ON oms_live_id.d TO d_id;
|
|
CREATE ROLE a_hk;
|
|
CREATE ROLE b_hk;
|
|
CREATE ROLE c_hk;
|
|
CREATE ROLE d_hk;
|
|
CREATE ROLE operations_hk;
|
|
GRANT a_hk TO operations_hk;
|
|
GRANT b_hk TO operations_hk;
|
|
GRANT c_hk TO operations_hk;
|
|
GRANT d_hk TO operations_hk;
|
|
GRANT SELECT ON bob_live_hk.a TO a_hk;
|
|
GRANT SELECT ON bob_live_hk.b TO b_hk;
|
|
GRANT SELECT ON bob_live_hk.c TO c_hk;
|
|
GRANT SELECT ON bob_live_hk.d TO d_hk;
|
|
GRANT SELECT ON oms_live_hk.a TO a_hk;
|
|
GRANT SELECT ON oms_live_hk.b TO b_hk;
|
|
GRANT SELECT ON oms_live_hk.c TO c_hk;
|
|
GRANT SELECT ON oms_live_hk.d TO d_hk;
|
|
CREATE ROLE a_vn;
|
|
CREATE ROLE b_vn;
|
|
CREATE ROLE c_vn;
|
|
CREATE ROLE d_vn;
|
|
CREATE ROLE operations_vn;
|
|
GRANT a_vn TO operations_vn;
|
|
GRANT b_vn TO operations_vn;
|
|
GRANT c_vn TO operations_vn;
|
|
GRANT d_vn TO operations_vn;
|
|
GRANT SELECT ON bob_live_vn.a TO a_vn;
|
|
GRANT SELECT ON bob_live_vn.b TO b_vn;
|
|
GRANT SELECT ON bob_live_vn.c TO c_vn;
|
|
GRANT SELECT ON bob_live_vn.d TO d_vn;
|
|
GRANT SELECT ON oms_live_vn.a TO a_vn;
|
|
GRANT SELECT ON oms_live_vn.b TO b_vn;
|
|
GRANT SELECT ON oms_live_vn.c TO c_vn;
|
|
GRANT SELECT ON oms_live_vn.d TO d_vn;
|
|
CREATE ROLE a_tw;
|
|
CREATE ROLE b_tw;
|
|
CREATE ROLE c_tw;
|
|
CREATE ROLE d_tw;
|
|
CREATE ROLE operations_tw;
|
|
GRANT a_tw TO operations_tw;
|
|
GRANT b_tw TO operations_tw;
|
|
GRANT c_tw TO operations_tw;
|
|
GRANT d_tw TO operations_tw;
|
|
GRANT SELECT ON bob_live_tw.a TO a_tw;
|
|
GRANT SELECT ON bob_live_tw.b TO b_tw;
|
|
GRANT SELECT ON bob_live_tw.c TO c_tw;
|
|
GRANT SELECT ON bob_live_tw.d TO d_tw;
|
|
GRANT SELECT ON oms_live_tw.a TO a_tw;
|
|
GRANT SELECT ON oms_live_tw.b TO b_tw;
|
|
GRANT SELECT ON oms_live_tw.c TO c_tw;
|
|
GRANT SELECT ON oms_live_tw.d TO d_tw;
|
|
CREATE ROLE a_my;
|
|
CREATE ROLE b_my;
|
|
CREATE ROLE c_my;
|
|
CREATE ROLE d_my;
|
|
CREATE ROLE operations_my;
|
|
GRANT a_my TO operations_my;
|
|
GRANT b_my TO operations_my;
|
|
GRANT c_my TO operations_my;
|
|
GRANT d_my TO operations_my;
|
|
GRANT SELECT ON bob_live_my.a TO a_my;
|
|
GRANT SELECT ON bob_live_my.b TO b_my;
|
|
GRANT SELECT ON bob_live_my.c TO c_my;
|
|
GRANT SELECT ON bob_live_my.d TO d_my;
|
|
GRANT SELECT ON oms_live_my.a TO a_my;
|
|
GRANT SELECT ON oms_live_my.b TO b_my;
|
|
GRANT SELECT ON oms_live_my.c TO c_my;
|
|
GRANT SELECT ON oms_live_my.d TO d_my;
|
|
CREATE ROLE a_th;
|
|
CREATE ROLE b_th;
|
|
CREATE ROLE c_th;
|
|
CREATE ROLE d_th;
|
|
CREATE ROLE operations_th;
|
|
GRANT a_th TO operations_th;
|
|
GRANT b_th TO operations_th;
|
|
GRANT c_th TO operations_th;
|
|
GRANT d_th TO operations_th;
|
|
GRANT SELECT ON bob_live_th.a TO a_th;
|
|
GRANT SELECT ON bob_live_th.b TO b_th;
|
|
GRANT SELECT ON bob_live_th.c TO c_th;
|
|
GRANT SELECT ON bob_live_th.d TO d_th;
|
|
GRANT SELECT ON oms_live_th.a TO a_th;
|
|
GRANT SELECT ON oms_live_th.b TO b_th;
|
|
GRANT SELECT ON oms_live_th.c TO c_th;
|
|
GRANT SELECT ON oms_live_th.d TO d_th;
|
|
GRANT operations_sg TO operations_cluster;
|
|
GRANT operations_ph TO operations_cluster;
|
|
GRANT operations_id TO operations_cluster;
|
|
GRANT operations_hk TO operations_cluster;
|
|
GRANT operations_vn TO operations_cluster;
|
|
GRANT operations_tw TO operations_cluster;
|
|
GRANT operations_my TO operations_cluster;
|
|
GRANT operations_th TO operations_cluster;
|
|
|
|
connect(con1,localhost,u,,);
|
|
SHOW DATABASES;
|
|
SET ROLE operations_cluster;
|
|
SHOW DATABASES;
|
|
SELECT COUNT(1) FROM oms_live_sg.a;
|
|
SELECT COUNT(1) FROM oms_live_sg.b;
|
|
SELECT COUNT(1) FROM oms_live_sg.c;
|
|
SELECT COUNT(1) FROM oms_live_sg.d;
|
|
SELECT COUNT(1) FROM oms_live_ph.a;
|
|
SELECT COUNT(1) FROM oms_live_ph.b;
|
|
SELECT COUNT(1) FROM oms_live_ph.c;
|
|
SELECT COUNT(1) FROM oms_live_ph.d;
|
|
SELECT COUNT(1) FROM oms_live_id.a;
|
|
SELECT COUNT(1) FROM oms_live_id.b;
|
|
SELECT COUNT(1) FROM oms_live_id.c;
|
|
SELECT COUNT(1) FROM oms_live_id.d;
|
|
SELECT COUNT(1) FROM oms_live_hk.a;
|
|
SELECT COUNT(1) FROM oms_live_hk.b;
|
|
SELECT COUNT(1) FROM oms_live_hk.c;
|
|
SELECT COUNT(1) FROM oms_live_hk.d;
|
|
SELECT COUNT(1) FROM oms_live_vn.a;
|
|
SELECT COUNT(1) FROM oms_live_vn.b;
|
|
SELECT COUNT(1) FROM oms_live_vn.c;
|
|
SELECT COUNT(1) FROM oms_live_vn.d;
|
|
SELECT COUNT(1) FROM oms_live_tw.a;
|
|
SELECT COUNT(1) FROM oms_live_tw.b;
|
|
SELECT COUNT(1) FROM oms_live_tw.c;
|
|
SELECT COUNT(1) FROM oms_live_tw.d;
|
|
SELECT COUNT(1) FROM oms_live_my.a;
|
|
SELECT COUNT(1) FROM oms_live_my.b;
|
|
SELECT COUNT(1) FROM oms_live_my.c;
|
|
SELECT COUNT(1) FROM oms_live_my.d;
|
|
SELECT COUNT(1) FROM oms_live_th.a;
|
|
SELECT COUNT(1) FROM oms_live_th.b;
|
|
SELECT COUNT(1) FROM oms_live_th.c;
|
|
SELECT COUNT(1) FROM oms_live_th.d;
|
|
|
|
|
|
connect(con2,localhost,root,,);
|
|
FLUSH PRIVILEGES;
|
|
|
|
connect(con3,localhost,u,,);
|
|
SHOW DATABASES;
|
|
SET ROLE operations_cluster;
|
|
SHOW DATABASES;
|
|
SELECT COUNT(1) FROM oms_live_sg.a;
|
|
SELECT COUNT(1) FROM oms_live_sg.b;
|
|
SELECT COUNT(1) FROM oms_live_sg.c;
|
|
SELECT COUNT(1) FROM oms_live_sg.d;
|
|
SELECT COUNT(1) FROM oms_live_ph.a;
|
|
SELECT COUNT(1) FROM oms_live_ph.b;
|
|
SELECT COUNT(1) FROM oms_live_ph.c;
|
|
SELECT COUNT(1) FROM oms_live_ph.d;
|
|
SELECT COUNT(1) FROM oms_live_id.a;
|
|
SELECT COUNT(1) FROM oms_live_id.b;
|
|
SELECT COUNT(1) FROM oms_live_id.c;
|
|
SELECT COUNT(1) FROM oms_live_id.d;
|
|
SELECT COUNT(1) FROM oms_live_hk.a;
|
|
SELECT COUNT(1) FROM oms_live_hk.b;
|
|
SELECT COUNT(1) FROM oms_live_hk.c;
|
|
SELECT COUNT(1) FROM oms_live_hk.d;
|
|
SELECT COUNT(1) FROM oms_live_vn.a;
|
|
SELECT COUNT(1) FROM oms_live_vn.b;
|
|
SELECT COUNT(1) FROM oms_live_vn.c;
|
|
SELECT COUNT(1) FROM oms_live_vn.d;
|
|
SELECT COUNT(1) FROM oms_live_tw.a;
|
|
SELECT COUNT(1) FROM oms_live_tw.b;
|
|
SELECT COUNT(1) FROM oms_live_tw.c;
|
|
SELECT COUNT(1) FROM oms_live_tw.d;
|
|
SELECT COUNT(1) FROM oms_live_my.a;
|
|
SELECT COUNT(1) FROM oms_live_my.b;
|
|
SELECT COUNT(1) FROM oms_live_my.c;
|
|
SELECT COUNT(1) FROM oms_live_my.d;
|
|
SELECT COUNT(1) FROM oms_live_th.a;
|
|
SELECT COUNT(1) FROM oms_live_th.b;
|
|
SELECT COUNT(1) FROM oms_live_th.c;
|
|
SELECT COUNT(1) FROM oms_live_th.d;
|
|
|
|
|
|
connect(con4,localhost,root,,);
|
|
|
|
DROP DATABASE bob_live_sg;
|
|
DROP DATABASE oms_live_sg;
|
|
DROP DATABASE bob_live_ph;
|
|
DROP DATABASE oms_live_ph;
|
|
DROP DATABASE bob_live_id;
|
|
DROP DATABASE oms_live_id;
|
|
DROP DATABASE bob_live_hk;
|
|
DROP DATABASE oms_live_hk;
|
|
DROP DATABASE bob_live_vn;
|
|
DROP DATABASE oms_live_vn;
|
|
DROP DATABASE bob_live_tw;
|
|
DROP DATABASE oms_live_tw;
|
|
DROP DATABASE bob_live_my;
|
|
DROP DATABASE oms_live_my;
|
|
DROP DATABASE bob_live_th;
|
|
DROP DATABASE oms_live_th;
|
|
DROP ROLE operations_sg;
|
|
DROP ROLE a_sg;
|
|
DROP ROLE b_sg;
|
|
DROP ROLE c_sg;
|
|
DROP ROLE d_sg;
|
|
DROP ROLE operations_ph;
|
|
DROP ROLE a_ph;
|
|
DROP ROLE b_ph;
|
|
DROP ROLE c_ph;
|
|
DROP ROLE d_ph;
|
|
DROP ROLE operations_id;
|
|
DROP ROLE a_id;
|
|
DROP ROLE b_id;
|
|
DROP ROLE c_id;
|
|
DROP ROLE d_id;
|
|
DROP ROLE operations_hk;
|
|
DROP ROLE a_hk;
|
|
DROP ROLE b_hk;
|
|
DROP ROLE c_hk;
|
|
DROP ROLE d_hk;
|
|
DROP ROLE operations_vn;
|
|
DROP ROLE a_vn;
|
|
DROP ROLE b_vn;
|
|
DROP ROLE c_vn;
|
|
DROP ROLE d_vn;
|
|
DROP ROLE operations_tw;
|
|
DROP ROLE a_tw;
|
|
DROP ROLE b_tw;
|
|
DROP ROLE c_tw;
|
|
DROP ROLE d_tw;
|
|
DROP ROLE operations_my;
|
|
DROP ROLE a_my;
|
|
DROP ROLE b_my;
|
|
DROP ROLE c_my;
|
|
DROP ROLE d_my;
|
|
DROP ROLE operations_th;
|
|
DROP ROLE a_th;
|
|
DROP ROLE b_th;
|
|
DROP ROLE c_th;
|
|
DROP ROLE d_th;
|
|
DROP USER u;
|
|
DROP ROLE operations_cluster;
|