author | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-09-12 16:37:52 +0300 |
---|---|---|
committer | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-09-20 16:14:44 +0300 |
commit | b3c4205d9bc354b3adaacf772c5f148cda6d90b7 (patch) | |
tree | 1fee0ba5b8372eaca32106831ccc0cfaa2fc8a04 | |
parent | 62a6f156c4991e4a1773bce6427541084c8c5447 (diff) | |
MDEV-14443: Ignore denies privilege now takes effectvicentiu-tmp
-rw-r--r-- | mysql-test/suite/deny/columns.result | 1 | ||||
-rw-r--r-- | mysql-test/suite/deny/columns.test | 1 | ||||
-rw-r--r-- | mysql-test/suite/deny/global_role.result | 5 | ||||
-rw-r--r-- | mysql-test/suite/deny/global_role.test | 1 | ||||
-rw-r--r-- | sql/sql_acl.cc | 68 |
5 files changed, 52 insertions, 24 deletions
diff --git a/mysql-test/suite/deny/columns.result b/mysql-test/suite/deny/columns.result
index fd97c27f161..3eb6b594b1c 100644
--- a/mysql-test/suite/deny/columns.result
+++ b/mysql-test/suite/deny/columns.result
@@ -4,6 +4,7 @@ create table deny_db.t1 (a int, b int, secret int);
 create table deny_db.t2 (a2 int, b2 int, secret2 int);
 insert into deny_db.t2 values (100, 200, 300);
 grant all on *.* to foo;
+revoke ignore denies on *.* from foo;
 grant all on deny_db.* to foo;
 grant all on deny_db.t1 to foo;
 grant all on deny_db.t2 to foo;
diff --git a/mysql-test/suite/deny/columns.test b/mysql-test/suite/deny/columns.test
index 889c33ba2b0..d5868e0f779 100644
--- a/mysql-test/suite/deny/columns.test
+++ b/mysql-test/suite/deny/columns.test
@@ -7,6 +7,7 @@ create table deny_db.t2 (a2 int, b2 int, secret2 int);
 insert into deny_db.t2 values (100, 200, 300);
 grant all on *.* to foo;
+revoke ignore denies on *.* from foo;
 grant all on deny_db.* to foo;
 grant all on deny_db.t1 to foo;
 grant all on deny_db.t2 to foo;
diff --git a/mysql-test/suite/deny/global_role.result b/mysql-test/suite/deny/global_role.result
index 4f0c970340e..77e8a6db72b 100644
--- a/mysql-test/suite/deny/global_role.result
+++ b/mysql-test/suite/deny/global_role.result
@@ -4,6 +4,7 @@ create database some_db;
 create table some_db.t1 (a int, b int, secret int);
 create view some_db.v1 as (select a, b, secret from some_db.t1);
 grant all on *.* to foo;
+revoke ignore denies on *.* from foo;
 grant all on some_db.* to foo;
 grant all on some_db.t1 to foo;
 grant all on some_db.v1 to foo;
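Review bot: The added `revoke ignore denies on *.* from foo;` in columns.test keeps the existing expectations by stripping the privilege that `grant all on *.*` now confers, but no hunk in this diff exercises a grantee that keeps IGNORE DENIES and then runs into a deny, which is the path the commit title says now takes effect (global_role.test gets the same line and the same gap). A short case after the existing setup, if the grammar accepts the grant form, e.g. `grant ignore denies on *.* to foo;` followed by the already-denied select, would pin the new behaviour in the result file; its expected output is not derivable from this diff and would need to be recorded.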
@@ -34,7 +35,7 @@ set role r1;
 show grants;
 Grants for foo@%
 GRANT `r1` TO `foo`@`%`
-GRANT ALL PRIVILEGES ON *.* TO `foo`@`%`
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `foo`@`%`
 GRANT ALL PRIVILEGES ON `some_db`.* TO `foo`@`%`
 GRANT ALL PRIVILEGES ON `some_db`.`v1` TO `foo`@`%`
 GRANT ALL PRIVILEGES ON `some_db`.`t1` TO `foo`@`%`
@@ -73,7 +74,7 @@ a b secret
 show grants;
 Grants for foo@%
 GRANT `r1` TO `foo`@`%`
-GRANT ALL PRIVILEGES ON *.* TO `foo`@`%`
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, BINLOG MONITOR, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, DELETE HISTORY, SET USER, FEDERATED ADMIN, CONNECTION ADMIN, READ_ONLY ADMIN, REPLICATION SLAVE ADMIN, REPLICATION MASTER ADMIN, BINLOG ADMIN, BINLOG REPLAY, SLAVE MONITOR ON *.* TO `foo`@`%`
 GRANT ALL PRIVILEGES ON `some_db`.* TO `foo`@`%`
 GRANT ALL PRIVILEGES ON `some_db`.`v1` TO `foo`@`%`
 GRANT ALL PRIVILEGES ON `some_db`.`t1` TO `foo`@`%`
diff --git a/mysql-test/suite/deny/global_role.test b/mysql-test/suite/deny/global_role.test
index eb335342130..9e2bf1bc3fc 100644
--- a/mysql-test/suite/deny/global_role.test
+++ b/mysql-test/suite/deny/global_role.test
@@ -8,6 +8,7 @@ create table some_db.t1 (a int, b int, secret int);
 create view some_db.v1 as (select a, b, secret from some_db.t1);
 grant all on *.* to foo;
+revoke ignore denies on *.* from foo;
 grant all on some_db.* to foo;
 grant all on some_db.t1 to foo;
 grant all on some_db.v1 to foo;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index cb73ccf28da..f6d7f41e842 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -26,6 +26,7 @@
 */
 #include "mariadb.h" /* NO_EMBEDDED_ACCESS_CHECKS */
+#include "privilege.h"
 #include "sql_priv.h"
 #include "sql_acl.h" // MYSQL_DB_FIELD_COUNT, ACL_ACCESS
 #include "sql_base.h" // close_mysql_tables
@@ -5016,15 +5017,25 @@ bool acl_getroot(Security_context *sctx, const char *user, const char *host,
 if (acl_user)
 {
 res= 0;
- if (ACL_DB *acl_db= acl_db_find(db, user, host, ip, FALSE))
+ ACL_DB *acl_db;
+ if ((acl_db= acl_db_find(db, user, host, ip, FALSE)))
 sctx->db_access= acl_db->access;
 sctx->master_access= acl_user->access;
 sctx->set_user_denies(NO_PRIV);
 if (acl_user->denies)
 {
- sctx->master_access&= ~acl_user->denies->get_global();
 sctx->set_user_denies(acl_user->denies->get_specified_denies());
+ if (!(sctx->master_access & IGNORE_DENIES_ACL))
+ {
+ sctx->master_access&= ~acl_user->denies->get_global();
+ if (acl_db)
+ {
+ LEX_CSTRING db{acl_db->db, strlen(acl_db->db)};
+ sctx->db_access&= ~(acl_user->denies->get_global() |
+ acl_user->denies->get_db_deny(db));
+ }
+ }
 }
 strmake_buf(sctx->priv_user, user);
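Review bot: `LEX_CSTRING db{acl_db->db, strlen(acl_db->db)};` introduces a second `db` inside a block that already uses an outer `db` (the argument to `acl_db_find(db, user, host, ip, FALSE)` a few lines above), so the outer name is shadowed for the rest of that scope and `-Wshadow` will flag it; the role branch in the next hunk at -5038 repeats the pattern. A distinct local name removes the ambiguity: `LEX_CSTRING deny_db{acl_db->db, strlen(acl_db->db)};` and `acl_user->denies->get_db_deny(deny_db)`. Note also that when `acl_db_find` returns NULL the database-level deny is never subtracted from `sctx->db_access`, which is only safe if `db_access` holds no grants on that path — presumably so, since nothing else in the hunk sets it, but acl_getroot's body continues outside the hunk.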
@@ -5038,18 +5049,29 @@ bool acl_getroot(Security_context *sctx, const char *user, const char *host,
 ACL_ROLE *acl_role= find_acl_role(user);
 if (acl_role)
 {
+ ACL_DB *acl_db;
 res= 0;
- if (ACL_DB *acl_db= acl_db_find(db, user, "", "", FALSE))
+ if ((acl_db= acl_db_find(db, user, "", "", FALSE)))
 sctx->db_access = acl_db->access;
 sctx->master_access= acl_role->access;
 sctx->set_user_denies(NO_PRIV);
+
+ /* TODO(cvicentiu) Test this with denies. */
 if (acl_role->denies)
 {
- sctx->master_access&= ~acl_role->denies->get_global();
 sctx->set_user_denies(acl_role->denies->get_specified_denies());
+ if (!(sctx->master_access & IGNORE_DENIES_ACL))
+ {
+ sctx->master_access&= ~acl_role->denies->get_global();
+ if (acl_db)
+ {
+ LEX_CSTRING db{acl_db->db, strlen(acl_db->db)};
+ sctx->db_access&= ~(acl_role->denies->get_global() |
+ acl_role->denies->get_db_deny(db));
+ }
+ }
 }
- strmake_buf(sctx->priv_role, user);
 }
 }
@@ -5093,6 +5115,13 @@ static int check_user_can_set_role(THD *thd, const char *user,
 ACL_USER *UNINIT_VAR(acl_user);
 bool is_granted= FALSE;
 int result= 0;
+ /* Simplifies follow-up code, no need for ptr checking */
+ privilege_t dummy;
+ PRIV_TYPE dummy_role_denies_active;
+ if (!access)
+ access= &dummy;
+ if (!role_denies_active)
+ role_denies_active= &dummy_role_denies_active;
 /* clear role privileges */
 mysql_mutex_lock(&acl_cache->lock);
@@ -5108,9 +5137,8 @@ static int check_user_can_set_role(THD *thd, const char *user,
 result= ER_INVALID_CURRENT_USER;
 else
 {
- if (access)
- *access= acl_user->access;
- if (acl_user->denies)
+ *access= acl_user->access;
+ if (acl_user->denies && !((*access) & IGNORE_DENIES_ACL))
 *access&= ~acl_user->denies->get_global();
 }
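Review bot: The role branch removes `strmake_buf(sctx->priv_role, user);` with no replacement, so a Security_context resolved from a role no longer gets `priv_role` filled in; neither the commit title nor the other hunks explain that removal, so unless it is deliberate the line should be restored after the denies block: `strmake_buf(sctx->priv_role, user);`. The new `/* TODO(cvicentiu) Test this with denies. */` records that this path is untested, and the deny-suite changes in this commit only revoke IGNORE DENIES, so the TODO still stands. The enclosing acl_getroot starts before this hunk.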
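Review bot: `privilege_t dummy;` and `PRIV_TYPE dummy_role_denies_active;` in the hunk at -5093 are left uninitialised; on the visible paths they are written before any read (`*access= acl_user->access;` at -5137 and `*access= acl_user->access | role->access;` at -5175), but check_user_can_set_role continues outside these hunks, and any `*access&=` reached on a path that skipped those assignments would read an indeterminate value. Initialising them costs nothing and makes the fallback self-evidently safe: `privilege_t dummy= NO_ACL;` and `PRIV_TYPE dummy_role_denies_active= NO_PRIV;`.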
@@ -5147,24 +5175,17 @@ static int check_user_can_set_role(THD *thd, const char *user,
 goto end;
 }
- if (access)
- {
- *access= acl_user->access | role->access;
+ *access= acl_user->access | role->access;
- /* TODO(cvicentiu) IGNORE_DENIES_PRIV! */
- if (acl_user->denies)
- *access&= ~acl_user->denies->get_global();
- }
+ if (acl_user->denies && !((*access) & IGNORE_DENIES_ACL))
+ *access&= ~acl_user->denies->get_global();
- if (role_denies_active)
- *role_denies_active= NO_PRIV;
+ *role_denies_active= NO_PRIV;
- if (role->denies)
+ if (role->denies && !((*access) & IGNORE_DENIES_ACL))
 {
- if (access)
- *access&= ~role->denies->get_global();
- if (role_denies_active)
- *role_denies_active= role->denies->get_specified_denies();
+ *access&= ~role->denies->get_global();
+ *role_denies_active= role->denies->get_specified_denies();
 }
 end:
@@ -5664,6 +5685,9 @@ privilege_t acl_get_effective_deny_mask_impl(const Security_context *ctx,
 if (likely(!ctx->denies_active()))
 return NO_ACL;
+ if (ctx->master_access & IGNORE_DENIES_ACL)
+ return NO_ACL;
+ /* Finer grained shortcuts. No database and no global level denies. |
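Review bot: Both IGNORE_DENIES_ACL tests in the hunk at -5147 look at `*access` after it has become `acl_user->access | role->access`, so a role that carries IGNORE DENIES also switches off the user's own global denies (`acl_user->denies`), whereas acl_getroot in the hunks at -5016 and -5038 consults only the access of the principal being resolved. If that widening is intended it deserves a comment here, since it means granting such a role to a denied user lifts the deny for the session; if it is not, the user-level check should read `if (acl_user->denies && !(acl_user->access & IGNORE_DENIES_ACL))`. check_user_can_set_role begins before this hunk.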