mirror of
https://github.com/MariaDB/server.git
synced 2025-01-27 17:33:44 +01:00
8bbe3a3cd2
mariadb-install-db --auth-root-authentication-method=normal created 4 root accounts by default, but only two of these had PROXY privilege granted. mariadb-install-db (default option --auth-root-authentication-method=socket) as non-root user also didn't grant PROXY priv to the created nonroot@localhost user. To fix this, in mysql_system_tables_data.sql, we re-use tmp_user_nopasswd as this contains the list of all root users. REPLACE INTO tmp_proxies_priv SELECT @current_hostname, IFNULL(@auth_root_socket, 'root') creates the $user@$current_host but will not error if @auth_root_socket is null. Note @current_hostname lines are filtered out with --cross-bootstrap in mariadb-install-db so it was necessary to include this expression for consistency. Like the existing mysql_system_tables.sql is used to create the $user@localhost proxies_priv. Test cases roles.acl_statistics and perfschema.privilege_table_io depend on the number of proxy users. After: --auth-root-authentication-method=normal: MariaDB [mysql]> select * from global_priv; +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ | Host | User | Priv | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ | localhost | mariadb.sys | {"access":0,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0} | | localhost | root | {"access":18446744073709551615} | | bark | root | {"access":18446744073709551615} | | 127.0.0.1 | root | {"access":18446744073709551615} | | ::1 | root | {"access":18446744073709551615} | | localhost | | {} | | bark | | {} | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------+ 7 rows in set (0.001 sec) MariaDB [mysql]> select * from proxies_priv; 
+-----------+------+--------------+--------------+------------+---------+---------------------+ | Host | User | Proxied_host | Proxied_user | With_grant | Grantor | Timestamp | +-----------+------+--------------+--------------+------------+---------+---------------------+ | localhost | root | | | 1 | | 2023-07-10 12:12:24 | | 127.0.0.1 | root | | | 1 | | 2023-07-10 12:12:24 | | ::1 | root | | | 1 | | 2023-07-10 12:12:24 | | bark | root | | | 1 | | 2023-07-10 12:12:24 | +-----------+------+--------------+--------------+------------+---------+---------------------+ --auth-root-authentication-method=socket: MariaDB [mysql]> select * from proxies_priv; +-----------+------+--------------+--------------+------------+---------+---------------------+ | Host | User | Proxied_host | Proxied_user | With_grant | Grantor | Timestamp | +-----------+------+--------------+--------------+------------+---------+---------------------+ | localhost | root | | | 1 | | 2023-07-10 12:11:55 | | localhost | dan | | | 1 | | 2023-07-10 12:11:55 | | bark | dan | | | 1 | | 2023-07-10 12:11:55 | +-----------+------+--------------+--------------+------------+---------+---------------------+ 3 rows in set (0.017 sec) MariaDB [mysql]> select * from global_priv; +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ | Host | User | Priv | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ | localhost | mariadb.sys | {"access":0,"plugin":"mysql_native_password","authentication_string":"","account_locked":true,"password_last_changed":0} | | localhost | root | {"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]} | | localhost | dan | 
{"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]} | | localhost | | {} | | bark | | {} | +-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------+ 5 rows in set (0.000 sec) MariaDB [mysql]> show grants; +----------------------------------------------------------------------------------------------------------------------------------------+ | Grants for dan@localhost | +----------------------------------------------------------------------------------------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO `dan`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket WITH GRANT OPTION | | GRANT PROXY ON ''@'%' TO 'dan'@'localhost' WITH GRANT OPTION | +----------------------------------------------------------------------------------------------------------------------------------------+
SHOW STATUS LIKE 'Acl%';
Variable_name Value
Acl_column_grants 0
Acl_database_grants 2
Acl_function_grants 0
Acl_procedure_grants 0
Acl_package_spec_grants 0
Acl_package_body_grants 0
Acl_proxy_users 4
Acl_role_grants 0
Acl_roles 0
Acl_table_grants 1
Acl_users 5
SELECT count(*) COLUMN_GRANTS from mysql.columns_priv;
COLUMN_GRANTS
0
SELECT count(*) DATABASE_GRANTS from mysql.db;
DATABASE_GRANTS
2
SELECT count(*) FUNCTION_GRANTS from mysql.procs_priv where routine_type='FUNCTION';
FUNCTION_GRANTS
0
SELECT count(*) PROCEDURE_GRANTS from mysql.procs_priv where routine_type='PROCEDURE';
PROCEDURE_GRANTS
0
SELECT count(*) PROXY_USERS from mysql.proxies_priv;
PROXY_USERS
4
SELECT count(*) ROLE_GRANTS from mysql.roles_mapping;
ROLE_GRANTS
0
SELECT count(*) ROLES from mysql.user where is_role='Y';
ROLES
0
SELECT count(*) TABLE_GRANTS from mysql.tables_priv;
TABLE_GRANTS
1
SELECT count(*) USERS from mysql.user where is_role='N';
USERS
5
CREATE USER u1;
CREATE ROLE r1;
CREATE ROLE r2;
GRANT PROXY ON root TO u1;
GRANT SELECT ON *.* to u1;
GRANT SELECT ON *.* to r1;
GRANT DELETE ON mysql.* to u1;
GRANT DELETE ON mysql.* to r1;
GRANT INSERT ON mysql.user to u1;
GRANT INSERT ON mysql.user to r1;
GRANT UPDATE (host) ON mysql.user to u1;
GRANT UPDATE (host) ON mysql.user to r1;
GRANT r1 to u1;
GRANT r2 to r1;
create procedure mysql.test_proc (OUT param1 INT)
begin
select COUNT(*) into param1 from mysql.roles_mapping;
end|
GRANT EXECUTE ON PROCEDURE mysql.test_proc TO r1;
GRANT EXECUTE ON PROCEDURE mysql.test_proc TO u1;
CREATE FUNCTION mysql.test_func (param INT) RETURNS INT
RETURN (SELECT COUNT(*) FROM mysql.user);
GRANT EXECUTE ON FUNCTION mysql.test_func TO r1;
GRANT EXECUTE ON FUNCTION mysql.test_func TO u1;
GRANT EXECUTE ON FUNCTION mysql.test_func TO r2;
SHOW STATUS LIKE 'Acl%';
Variable_name Value
Acl_column_grants 2
Acl_database_grants 4
Acl_function_grants 3
Acl_procedure_grants 2
Acl_package_spec_grants 0
Acl_package_body_grants 0
Acl_proxy_users 5
Acl_role_grants 4
Acl_roles 2
Acl_table_grants 3
Acl_users 6
SELECT count(*) COLUMN_GRANTS from mysql.columns_priv;
COLUMN_GRANTS
2
SELECT count(*) DATABASE_GRANTS from mysql.db;
DATABASE_GRANTS
4
SELECT count(*) FUNCTION_GRANTS from mysql.procs_priv where routine_type='FUNCTION';
FUNCTION_GRANTS
3
SELECT count(*) PROCEDURE_GRANTS from mysql.procs_priv where routine_type='PROCEDURE';
PROCEDURE_GRANTS
2
SELECT count(*) PROXY_USERS from mysql.proxies_priv;
PROXY_USERS
5
SELECT count(*) ROLE_GRANTS from mysql.roles_mapping;
ROLE_GRANTS
4
SELECT count(*) ROLES from mysql.user where is_role='Y';
ROLES
2
SELECT count(*) TABLE_GRANTS from mysql.tables_priv;
TABLE_GRANTS
3
SELECT count(*) USERS from mysql.user where is_role='N';
USERS
6
DROP PROCEDURE mysql.test_proc;
DROP FUNCTION mysql.test_func;
DROP ROLE r2;
DROP ROLE r1;
DROP USER u1;