author | Anel Husakovic <anel@mariadb.org> | 2020-04-22 20:13:21 +0200 |
---|---|---|
committer | Anel Husakovic <anel@mariadb.org> | 2020-10-24 02:03:42 +0200 |
commit | ebc9bbb4865e1ccb2c21314138639432577de0bb (patch) | |
tree | be1172b4a286918c808103b27d58d07883c74413 | |
parent | 985ede92034696d544d484a29b45828d56a031a5 (diff) | |
download | mariadb-git-bb-10.2-anel-MDEV-22313.tar.gz |
MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role
bb-10.2-anel-MDEV-22313
-rw-r--r-- | mysql-test/r/grant5.result | 32 | ||||
-rw-r--r-- | mysql-test/suite/roles/set_default_role_clear.result | 1 | ||||
-rw-r--r-- | mysql-test/suite/roles/set_default_role_for.result | 2 | ||||
-rw-r--r-- | mysql-test/suite/roles/set_default_role_invalid.result | 3 | ||||
-rw-r--r-- | mysql-test/suite/roles/set_default_role_new_connection.result | 2 | ||||
-rw-r--r-- | mysql-test/t/grant5.test | 18 | ||||
-rw-r--r-- | sql/sql_acl.cc | 54 |
7 files changed, 104 insertions, 8 deletions
diff --git a/mysql-test/r/grant5.result b/mysql-test/r/grant5.result
index 338bbd36e14..a69070e8399 100644
--- a/mysql-test/r/grant5.result
+++ b/mysql-test/r/grant5.result
@@ -39,3 +39,35 @@ connection default;
 disconnect u1;
 drop user u1@localhost;
 drop database mysqltest1;
+CREATE ROLE test_role;
+CREATE USER test_user;
+GRANT test_role TO test_user;
+SET DEFAULT ROLE test_role FOR test_user;
+SHOW GRANTS FOR test_user;
+Grants for test_user@%
+GRANT test_role TO 'test_user'@'%'
+GRANT USAGE ON *.* TO 'test_user'@'%'
+SET DEFAULT ROLE test_role FOR 'test_user'@'%'
+SET DEFAULT ROLE NONE for test_user;
+SHOW GRANTS FOR test_user;
+Grants for test_user@%
+GRANT test_role TO 'test_user'@'%'
+GRANT USAGE ON *.* TO 'test_user'@'%'
+SET ROLE test_role;
+SET DEFAULT ROLE test_role;
+SHOW GRANTS;
+Grants for root@localhost
+GRANT test_role TO 'root'@'localhost' WITH ADMIN OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT USAGE ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'root'@'localhost'
+SET DEFAULT ROLE NONE;
+SHOW GRANTS;
+Grants for root@localhost
+GRANT test_role TO 'root'@'localhost' WITH ADMIN OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT USAGE ON *.* TO 'test_role'
+DROP USER test_user;
+DROP ROLE test_role;
diff --git a/mysql-test/suite/roles/set_default_role_clear.result b/mysql-test/suite/roles/set_default_role_clear.result
index 7f54b5eabcc..3cb13f55b4b 100644
--- a/mysql-test/suite/roles/set_default_role_clear.result
+++ b/mysql-test/suite/roles/set_default_role_clear.result
@@ -17,6 +17,7 @@ Grants for test_user@localhost
 GRANT test_role TO 'test_user'@'localhost'
 GRANT USAGE ON *.* TO 'test_user'@'localhost'
 GRANT SELECT ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
 select user, host, default_role from mysql.user where user='test_user';
 user host default_role
 test_user localhost test_role
diff --git a/mysql-test/suite/roles/set_default_role_for.result b/mysql-test/suite/roles/set_default_role_for.result
index b55ca49c680..62c31373486 100644
--- a/mysql-test/suite/roles/set_default_role_for.result
+++ b/mysql-test/suite/roles/set_default_role_for.result
@@ -21,6 +21,7 @@ Grants for user_a@localhost
 GRANT role_a TO 'user_a'@'localhost'
 GRANT USAGE ON *.* TO 'user_a'@'localhost'
 GRANT SELECT ON *.* TO 'role_a'
+SET DEFAULT ROLE role_a FOR 'user_a'@'localhost'
 select user, host, default_role from mysql.user where user like 'user_%';
 user host default_role
 user_a localhost role_a
@@ -42,6 +43,7 @@ Grants for user_b@localhost
 GRANT role_b TO 'user_b'@'localhost'
 GRANT USAGE ON *.* TO 'user_b'@'localhost'
 GRANT INSERT, UPDATE ON *.* TO 'role_b'
+SET DEFAULT ROLE role_b FOR 'user_b'@'localhost'
 select user, host, default_role from mysql.user where user like 'user_%';
 ERROR 42000: SELECT command denied to user 'user_b'@'localhost' for table 'user'
 insert ignore into mysql.user (user, host) values ('someuser', 'somehost');
diff --git a/mysql-test/suite/roles/set_default_role_invalid.result b/mysql-test/suite/roles/set_default_role_invalid.result
index 74d517b7c8f..53ee464e2c1 100644
--- a/mysql-test/suite/roles/set_default_role_invalid.result
+++ b/mysql-test/suite/roles/set_default_role_invalid.result
@@ -24,6 +24,7 @@ Grants for test_user@localhost
 GRANT test_role TO 'test_user'@'localhost'
 GRANT USAGE ON *.* TO 'test_user'@'localhost'
 GRANT SELECT ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
 select user, host, default_role from mysql.user where user='test_user';
 user host default_role
 test_user localhost test_role
@@ -71,6 +72,7 @@ GRANT r1 TO 'b'@'%'
 GRANT r2 TO 'b'@'%'
 GRANT USAGE ON *.* TO 'b'@'%'
 GRANT SELECT ON `mysql`.* TO 'b'@'%'
+SET DEFAULT ROLE r2 FOR 'b'@'%'
 SET DEFAULT ROLE r1 FOR a;
 ERROR 42000: Access denied for user 'b'@'%' to database 'mysql'
 SELECT CURRENT_ROLE;
@@ -96,6 +98,7 @@ GRANT r1 TO 'b'@'%'
 GRANT r2 TO 'b'@'%'
 GRANT USAGE ON *.* TO 'b'@'%'
 GRANT SELECT, UPDATE ON `mysql`.* TO 'b'@'%'
+SET DEFAULT ROLE r2 FOR 'b'@'%'
 SET DEFAULT ROLE r1 FOR a;
 ERROR OP000: User `a@%` has not been granted role `r1`
 SET DEFAULT ROLE invalid_role;
diff --git a/mysql-test/suite/roles/set_default_role_new_connection.result b/mysql-test/suite/roles/set_default_role_new_connection.result
index a59ecbd75f7..75e4075ff9e 100644
--- a/mysql-test/suite/roles/set_default_role_new_connection.result
+++ b/mysql-test/suite/roles/set_default_role_new_connection.result
@@ -23,6 +23,7 @@ Grants for test_user@localhost
 GRANT test_role TO 'test_user'@'localhost'
 GRANT USAGE ON *.* TO 'test_user'@'localhost'
 GRANT SELECT ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
 select user, host, default_role from mysql.user where user = 'test_user';
 user host default_role
 test_user localhost test_role
@@ -51,6 +52,7 @@ Grants for test_user@localhost
 GRANT test_role TO 'test_user'@'localhost'
 GRANT USAGE ON *.* TO 'test_user'@'localhost'
 GRANT SELECT ON *.* TO 'test_role'
+SET DEFAULT ROLE test_role FOR 'test_user'@'localhost'
 select user, host, default_role from mysql.user where user = 'test_user';
 user host default_role
 test_user localhost test_role
diff --git a/mysql-test/t/grant5.test b/mysql-test/t/grant5.test
index 74a69952124..944918e63ec 100644
--- a/mysql-test/t/grant5.test
+++ b/mysql-test/t/grant5.test
@@ -53,5 +53,23 @@ drop user u1@localhost;
 drop database mysqltest1;
 
 #
+# MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role
+#
+CREATE ROLE test_role;
+CREATE USER test_user;
+GRANT test_role TO test_user;
+SET DEFAULT ROLE test_role FOR test_user;
+SHOW GRANTS FOR test_user;
+SET DEFAULT ROLE NONE for test_user;
+SHOW GRANTS FOR test_user;
+SET ROLE test_role;
+SET DEFAULT ROLE test_role;
+SHOW GRANTS;
+SET DEFAULT ROLE NONE;
+SHOW GRANTS;
+DROP USER test_user;
+DROP ROLE test_role;
+
+#
 # End of 10.1 tests
 #
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 894988c4931..497915384ce 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -353,8 +353,9 @@ static void update_hostname(acl_host_and_ip *host, const char *hostname);
 static ulong get_sort(uint count,...);
 static bool show_proxy_grants (THD *, const char *, const char *, char *, size_t);
-static bool show_role_grants(THD *, const char *, const char *,
+static bool show_role_grants(THD *, const char *, ACL_USER_BASE *, char *, size_t);
+static bool show_default_role(THD *, ACL_USER *, char *, size_t);
 static bool show_global_privileges(THD *, ACL_USER_BASE *, bool, char *, size_t);
 static bool show_database_privileges(THD *, const char *, const char *,
@@ -8531,7 +8532,7 @@ static bool print_grants_for_role(THD *thd, ACL_ROLE * role)
 {
   char buff[1024];
 
-  if (show_role_grants(thd, role->user.str, "", role, buff, sizeof(buff)))
+  if (show_role_grants(thd, "", role, buff, sizeof(buff)))
     return TRUE;
 
   if (show_global_privileges(thd, role, TRUE, buff, sizeof(buff)))
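Review bot: The new test block only exercises SHOW GRANTS, while the comment it adds (`# MDEV-22313: Neither SHOW CREATE USER nor SHOW GRANTS prints a user's default role`) and the commit title also name SHOW CREATE USER, which no hunk in this commit touches; either add a `SHOW CREATE USER test_user;` case after the first `SHOW GRANTS FOR test_user;` or narrow the comment to what the commit actually fixes. The test also never uses a role, user or host name that needs quoting (one containing a space, a quote or a reserved word), which is exactly where a printed `SET DEFAULT ROLE ... FOR '...'@'...'` line is most likely to come out unreplayable. Minor: `SET DEFAULT ROLE NONE for test_user;` has a lowercase `for` while the rest of the block is upper case.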
@@ -8746,7 +8747,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
   }
 
   /* Show granted roles to acl_user */
-  if (show_role_grants(thd, username, hostname, acl_user, buff, sizeof(buff)))
+  if (show_role_grants(thd, hostname, acl_user, buff, sizeof(buff)))
     goto end;
 
   /* Add first global access grants */
@@ -8795,6 +8796,14 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
     }
   }
 
+  if (username)
+  {
+    /* Show default role to acl_user */
+    if (show_default_role(thd, acl_user, buff, sizeof(buff)))
+      goto end;
+  }
+
+
   error= 0;
 end:
   mysql_mutex_unlock(&acl_cache->lock);
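Review bot: The comment `/* Show default role to acl_user */` above the new call only restates the callee's name; what a reader needs is why the call is guarded, e.g. `/* Only users can have a default role (show_default_role asserts it is not given a role); print it as a replayable SET DEFAULT ROLE statement */`. The guard `if (username)` depends on how mysql_show_grants sets `username` for a role versus a user, and the function starts and ends outside this hunk, so I cannot confirm that a NULL `username` is exactly the role case — the comment should say that is the intent. If I read the collapsed diff correctly, two empty lines are added before `error= 0;`, leaving a double blank where the surrounding code uses one.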
@@ -8821,15 +8830,44 @@ static ROLE_GRANT_PAIR *find_role_grant_pair(const LEX_STRING *u,
     my_hash_search(&acl_roles_mappings, (uchar*)pair_key.ptr(), key_length);
 }
 
-static bool show_role_grants(THD *thd, const char *username,
-                             const char *hostname, ACL_USER_BASE *acl_entry,
+static bool show_default_role(THD *thd, ACL_USER *acl_entry,
+                              char *buff, size_t buffsize)
+{
+  Protocol *protocol= thd->protocol;
+  LEX_STRING def_rolename= acl_entry->default_rolename;
+
+  if (def_rolename.length)
+  {
+    String def_str(buff, buffsize, system_charset_info);
+    def_str.length(0);
+    def_str.append(STRING_WITH_LEN("SET DEFAULT ROLE "));
+    def_str.append(&def_rolename);
+    def_str.append(" FOR '");
+    def_str.append(&acl_entry->user);
+    DBUG_ASSERT(!(acl_entry->flags & IS_ROLE));
+    def_str.append(STRING_WITH_LEN("'@'"));
+    def_str.append(acl_entry->host.hostname, acl_entry->hostname_length,
+                   system_charset_info);
+    def_str.append('\'');
+    protocol->prepare_for_resend();
+    protocol->store(def_str.ptr(),def_str.length(),def_str.charset());
+    if (protocol->write())
+    {
+      return TRUE;
+    }
+  }
+  return FALSE;
+}
+
+static bool show_role_grants(THD *thd, const char *hostname,
+                             ACL_USER_BASE *acl_entry,
                              char *buff, size_t buffsize)
 {
   uint counter;
   Protocol *protocol= thd->protocol;
   LEX_STRING host= {const_cast<char*>(hostname), strlen(hostname)};
 
-  String grant(buff,sizeof(buff),system_charset_info);
+  String grant(buff, buffsize, system_charset_info);
   for (counter= 0; counter < acl_entry->role_grants.elements; counter++)
   {
     grant.length(0);
@@ -8873,7 +8911,7 @@ static bool show_global_privileges(THD *thd, ACL_USER_BASE *acl_entry,
   ulong want_access;
   Protocol *protocol= thd->protocol;
 
-  String global(buff,sizeof(buff),system_charset_info);
+  String global(buff, buffsize, system_charset_info);
   global.length(0);
   global.append(STRING_WITH_LEN("GRANT "));
 
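Review bot: show_default_role emits the role name bare (`def_str.append(&def_rolename)`) and wraps the user and host in single quotes without escaping them, so any name that contains a quote or otherwise needs quoting produces a `SET DEFAULT ROLE ... FOR '...'@'...'` line that cannot be fed back to the server unchanged — and SHOW GRANTS output is routinely replayed by dump and migration tooling, which is where an unescaped `'` inside a user or host name stops being a cosmetic problem and changes how the statement parses. Other lines in the same output already print quoted names (`GRANT USAGE ON *.* TO 'test_role'` in the result files), so the new line should at least match that form and escape all three pieces the same way the neighbouring show_* helpers do; their escaping is outside this hunk, so I cannot confirm they do either. Two smaller points: `def_str.append(" FOR '")` is the only literal here not wrapped in STRING_WITH_LEN, and `DBUG_ASSERT(!(acl_entry->flags & IS_ROLE))` sits in the middle of building the string, after the user has already been appended — move it to the top of the function, before anything is written into buff. show_default_role is complete within the hunk; the show_role_grants definition that follows it continues outside.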
@@ -8952,7 +8990,7 @@ static bool show_database_privileges(THD *thd, const char *username,
       want_access=acl_db->initial_access;
     if (want_access)
     {
-      String db(buff,sizeof(buff),system_charset_info);
+      String db(buff, buffsize, system_charset_info);
       db.length(0);
       db.append(STRING_WITH_LEN("GRANT "));