mirror of
https://github.com/MariaDB/server.git
synced 2025-01-27 09:14:17 +01:00
409 lines
8.4 KiB
Text
409 lines
8.4 KiB
Text
--source include/not_embedded.inc
|
|
--echo #
|
|
--echo # MDEV-5215 Granted to PUBLIC
|
|
--echo #
|
|
|
|
--echo #
|
|
--echo # Test DB/TABLE/COLUMN privileges in queries
|
|
--echo #
|
|
|
|
SHOW GRANTS FOR PUBLIC;
|
|
|
|
create user testuser;
|
|
create database testdb1;
|
|
use testdb1;
|
|
create table t1 (a int, b int);
|
|
insert into t1 values (1,2);
|
|
create database testdb2;
|
|
use testdb2;
|
|
create table t2 (a int, b int);
|
|
insert into t2 values (1,2);
|
|
create table t3 (a int, b int);
|
|
insert into t3 values (1,2);
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select * from testdb1.t1;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select * from testdb2.t2;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select b from testdb2.t3;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select a from testdb2.t3;
|
|
|
|
connection default;
|
|
|
|
GRANT SELECT ON testdb1.* to PUBLIC;
|
|
GRANT SELECT ON testdb2.t2 to PUBLIC;
|
|
GRANT SELECT (b) ON testdb2.t3 to PUBLIC;
|
|
|
|
connection testuser;
|
|
select * from testdb1.t1;
|
|
select * from testdb2.t2;
|
|
select b from testdb2.t3;
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
select a from testdb2.t3;
|
|
|
|
show grants;
|
|
show grants for testuser@'%';
|
|
|
|
connection default;
|
|
disconnect testuser;
|
|
|
|
--echo # check that the privileges are correctly read by acl_load
|
|
flush privileges;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
select * from testdb1.t1;
|
|
select * from testdb2.t2;
|
|
select b from testdb2.t3;
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
select a from testdb2.t3;
|
|
|
|
connection default;
|
|
use test;
|
|
disconnect testuser;
|
|
REVOKE SELECT ON testdb1.* from PUBLIC;
|
|
REVOKE SELECT ON testdb2.t2 from PUBLIC;
|
|
REVOKE SELECT (b) ON testdb2.t3 from PUBLIC;
|
|
drop user testuser;
|
|
drop database testdb1;
|
|
drop database testdb2;
|
|
|
|
--echo #
|
|
--echo # test global process list privilege and EXECUTE db level
|
|
--echo #
|
|
|
|
create user testuser;
|
|
create database testdb;
|
|
use testdb;
|
|
create procedure p1 () select 1;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
select user,db from information_schema.processlist where user='root';
|
|
--error ER_PROCACCESS_DENIED_ERROR
|
|
call testdb.p1();
|
|
|
|
connection default;
|
|
|
|
GRANT PROCESS ON *.* to PUBLIC;
|
|
GRANT EXECUTE ON testdb.* to PUBLIC;
|
|
|
|
# need to reconnect because of PROCESS
|
|
disconnect testuser;
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
select user,db from information_schema.processlist where user='root';
|
|
call testdb.p1();
|
|
|
|
connection default;
|
|
disconnect testuser;
|
|
|
|
--echo # check that the privileges are correctly read by acl_load
|
|
flush privileges;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
select user,db from information_schema.processlist where user='root';
|
|
call testdb.p1();
|
|
|
|
connection default;
|
|
use test;
|
|
disconnect testuser;
|
|
REVOKE PROCESS ON *.* from PUBLIC;
|
|
REVOKE EXECUTE ON testdb.* from PUBLIC;
|
|
drop user testuser;
|
|
drop database testdb;
|
|
|
|
--echo #
|
|
--echo # test DB privilege to allow USE statement
|
|
--echo #
|
|
|
|
create user testuser;
|
|
create database testdb;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
--error ER_DBACCESS_DENIED_ERROR
|
|
use testdb;
|
|
|
|
connection default;
|
|
|
|
GRANT LOCK TABLES ON testdb.* to PUBLIC;
|
|
|
|
connection testuser;
|
|
|
|
use testdb;
|
|
|
|
connection default;
|
|
disconnect testuser;
|
|
|
|
--echo # check that the privileges are correctly read by acl_load
|
|
flush privileges;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
use testdb;
|
|
|
|
connection default;
|
|
|
|
use test;
|
|
disconnect testuser;
|
|
REVOKE LOCK TABLES ON testdb.* from PUBLIC;
|
|
drop user testuser;
|
|
drop database testdb;
|
|
|
|
|
|
--echo #
|
|
--echo # test DB privilege to allow USE statement (as above)
|
|
--echo # test current db privileges
|
|
--echo #
|
|
|
|
create user testuser;
|
|
create database testdb;
|
|
use testdb;
|
|
create table t1 (a int);
|
|
insert into t1 values (1);
|
|
GRANT LOCK TABLES ON testdb.* to PUBLIC;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
use testdb;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
update t1 set a=a+1;
|
|
|
|
connection default;
|
|
|
|
GRANT UPDATE,SELECT ON testdb.* to PUBLIC;
|
|
|
|
connection testuser;
|
|
|
|
use testdb;
|
|
update t1 set a=a+1;
|
|
|
|
connection default;
|
|
select * from testdb.t1;
|
|
|
|
use test;
|
|
disconnect testuser;
|
|
REVOKE LOCK TABLES ON testdb.* from PUBLIC;
|
|
REVOKE UPDATE,SELECT ON testdb.* from PUBLIC;
|
|
drop user testuser;
|
|
drop database testdb;
|
|
|
|
|
|
--echo #
|
|
--echo # test DB privilege to allow USE statement (as above)
|
|
--echo # test table/column privileges in current DB
|
|
--echo #
|
|
|
|
create user testuser;
|
|
create database testdb;
|
|
use testdb;
|
|
create table t1 (a int);
|
|
insert into t1 values (1);
|
|
create table t2 (a int, b int);
|
|
insert into t2 values (1,2);
|
|
GRANT LOCK TABLES ON testdb.* to PUBLIC;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
use testdb;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
delete from t1;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select b from t2;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select a from t2;
|
|
|
|
connection default;
|
|
|
|
GRANT DELETE ON testdb.t1 to PUBLIC;
|
|
GRANT SELECT (a) ON testdb.t2 to PUBLIC;
|
|
|
|
connection testuser;
|
|
|
|
use testdb;
|
|
delete from t1;
|
|
select a from t2;
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
select b from t2;
|
|
|
|
connection default;
|
|
select * from testdb.t1;
|
|
insert into t1 values (1);
|
|
disconnect testuser;
|
|
|
|
--echo # check that the privileges are correctly read by acl_load
|
|
flush privileges;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
use testdb;
|
|
delete from t1;
|
|
select a from t2;
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
select b from t2;
|
|
|
|
connection default;
|
|
select * from testdb.t1;
|
|
|
|
|
|
use test;
|
|
disconnect testuser;
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION from `PUBLIC`;
|
|
SHOW GRANTS FOR PUBLIC;
|
|
|
|
drop user testuser;
|
|
drop database testdb;
|
|
|
|
--echo #
|
|
--echo # test function privilege
|
|
--echo #
|
|
|
|
create user testuser;
|
|
create database testdb;
|
|
use testdb;
|
|
create function f1() returns int return 2;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
--error ER_PROCACCESS_DENIED_ERROR
|
|
alter function testdb.f1 comment "A stupid function";
|
|
--error ER_PROCACCESS_DENIED_ERROR
|
|
select testdb.f1();
|
|
|
|
connection default;
|
|
|
|
GRANT ALTER ROUTINE ON testdb.* to PUBLIC;
|
|
|
|
connection testuser;
|
|
|
|
alter function testdb.f1 comment "A stupid function";
|
|
--error ER_PROCACCESS_DENIED_ERROR
|
|
select testdb.f1();
|
|
|
|
connection default;
|
|
disconnect testuser;
|
|
|
|
--echo # check that the privileges are correctly read by acl_load
|
|
flush privileges;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
alter function testdb.f1 comment "A stupid function";
|
|
--error ER_PROCACCESS_DENIED_ERROR
|
|
select testdb.f1();
|
|
|
|
connection default;
|
|
|
|
use test;
|
|
disconnect testuser;
|
|
REVOKE ALTER ROUTINE ON testdb.* from PUBLIC;
|
|
drop function testdb.f1;
|
|
drop user testuser;
|
|
drop database testdb;
|
|
|
|
--echo #
|
|
--echo # bug with automatically added PUBLIC role
|
|
--echo #
|
|
|
|
--echo # automaticly added PUBLIC
|
|
delete from mysql.global_priv where user="PUBLIC";
|
|
flush privileges;
|
|
GRANT SELECT on test.* to PUBLIC;
|
|
|
|
REVOKE SELECT on test.* from PUBLIC;
|
|
|
|
create user testuser;
|
|
create database testdb1;
|
|
use testdb1;
|
|
create table t1 (a int, b int);
|
|
insert into t1 values (1,2);
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select * from testdb1.t1;
|
|
|
|
connection default;
|
|
|
|
disconnect testuser;
|
|
drop user testuser;
|
|
drop database testdb1;
|
|
|
|
--echo #
|
|
--echo # check assigning privileges via GRAND role TO PUBLIC
|
|
--echo #
|
|
create user testuser;
|
|
create database testdb1;
|
|
use testdb1;
|
|
create table t1 (a int, b int);
|
|
|
|
--echo # check that user do not have rights
|
|
connect (testuser,localhost,testuser,,*NO-ONE*);
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select * from testdb1.t1;
|
|
connection default;
|
|
|
|
--echo give rights to everyone via assigning the role to public
|
|
create role roletest;
|
|
GRANT SELECT ON testdb1.* TO roletest;
|
|
GRANT roletest TO PUBLIC;
|
|
|
|
connection testuser;
|
|
select * from testdb1.t1;
|
|
connection default;
|
|
disconnect testuser;
|
|
|
|
--echo # check that the privileges are correctly read by acl_load
|
|
flush privileges;
|
|
|
|
connect (testuser,localhost,testuser,,*NO-ONE*);
|
|
select * from testdb1.t1;
|
|
connection default;
|
|
|
|
|
|
--echo # drop role...
|
|
drop role roletest;
|
|
|
|
--echo # ... and check that user does not have rights again
|
|
connection testuser;
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
select * from testdb1.t1;
|
|
connection default;
|
|
disconnect testuser;
|
|
|
|
drop user testuser;
|
|
drop database testdb1;
|
|
|
|
-- echo # clean up
|
|
delete from mysql.global_priv where user="PUBLIC";
|
|
flush privileges;
|
|
|
|
--echo #
|
|
--echo # MDEV-29752 SHOW GRANTS FOR PUBLIC should work for all users
|
|
--echo #
|
|
|
|
create database dbtest;
|
|
create user `testuser`@`%`;
|
|
|
|
GRANT USAGE ON *.* TO `testuser`@`%`;
|
|
GRANT ALL PRIVILEGES ON `dbtest`.* TO `PUBLIC`;
|
|
|
|
connect (testuser,localhost,testuser,,);
|
|
|
|
show grants for public;
|
|
show grants for testuser;
|
|
|
|
connection default;
|
|
disconnect testuser;
|
|
|
|
REVOKE ALL PRIVILEGES ON `dbtest`.* FROM `PUBLIC`;
|
|
REVOKE USAGE ON *.* FROM `testuser`@`%`;
|
|
drop user `testuser`@`%`;
|
|
drop database dbtest;
|
|
|
|
-- echo # clean up
|
|
delete from mysql.global_priv where user="PUBLIC";
|
|
flush privileges;
|