1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
|
#
# MDEV-5215 Granted to PUBLIC
#
#
# Test DB/TABLE/COLUMN privileges in queries
#
SHOW GRANTS FOR PUBLIC;
Grants for PUBLIC
create user testuser;
create database testdb1;
use testdb1;
create table t1 (a int, b int);
insert into t1 values (1,2);
create database testdb2;
use testdb2;
create table t2 (a int, b int);
insert into t2 values (1,2);
create table t3 (a int, b int);
insert into t3 values (1,2);
connect testuser,localhost,testuser,,;
select * from testdb1.t1;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb1`.`t1`
select * from testdb2.t2;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb2`.`t2`
select b from testdb2.t3;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb2`.`t3`
select a from testdb2.t3;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb2`.`t3`
connection default;
GRANT SELECT ON testdb1.* to PUBLIC;
GRANT SELECT ON testdb2.t2 to PUBLIC;
GRANT SELECT (b) ON testdb2.t3 to PUBLIC;
connection testuser;
select * from testdb1.t1;
a b
1 2
select * from testdb2.t2;
a b
1 2
select b from testdb2.t3;
b
2
select a from testdb2.t3;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'a' in table 't3'
show grants;
Grants for testuser@%
GRANT USAGE ON *.* TO `testuser`@`%`
GRANT SELECT ON `testdb1`.* TO PUBLIC
GRANT SELECT ON `testdb2`.`t2` TO PUBLIC
GRANT SELECT (b) ON `testdb2`.`t3` TO PUBLIC
show grants for testuser@'%';
Grants for testuser@%
GRANT USAGE ON *.* TO `testuser`@`%`
connection default;
disconnect testuser;
# check that the privileges are correctly read by acl_load
flush privileges;
connect testuser,localhost,testuser,,;
select * from testdb1.t1;
a b
1 2
select * from testdb2.t2;
a b
1 2
select b from testdb2.t3;
b
2
select a from testdb2.t3;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'a' in table 't3'
connection default;
use test;
disconnect testuser;
REVOKE SELECT ON testdb1.* from PUBLIC;
REVOKE SELECT ON testdb2.t2 from PUBLIC;
REVOKE SELECT (b) ON testdb2.t3 from PUBLIC;
drop user testuser;
drop database testdb1;
drop database testdb2;
#
# test global process list privilege and EXECUTE db level
#
create user testuser;
create database testdb;
use testdb;
create procedure p1 () select 1;
connect testuser,localhost,testuser,,;
select user,db from information_schema.processlist where user='root';
user db
call testdb.p1();
ERROR 42000: execute command denied to user 'testuser'@'%' for routine 'testdb.p1'
connection default;
GRANT PROCESS ON *.* to PUBLIC;
GRANT EXECUTE ON testdb.* to PUBLIC;
disconnect testuser;
connect testuser,localhost,testuser,,;
select user,db from information_schema.processlist where user='root';
user db
root testdb
call testdb.p1();
1
1
connection default;
disconnect testuser;
# check that the privileges are correctly read by acl_load
flush privileges;
connect testuser,localhost,testuser,,;
select user,db from information_schema.processlist where user='root';
user db
root testdb
call testdb.p1();
1
1
connection default;
use test;
disconnect testuser;
REVOKE PROCESS ON *.* from PUBLIC;
REVOKE EXECUTE ON testdb.* from PUBLIC;
drop user testuser;
drop database testdb;
#
# test DB privilege to allow USE statement
#
create user testuser;
create database testdb;
connect testuser,localhost,testuser,,;
use testdb;
ERROR 42000: Access denied for user 'testuser'@'%' to database 'testdb'
connection default;
GRANT LOCK TABLES ON testdb.* to PUBLIC;
connection testuser;
use testdb;
connection default;
disconnect testuser;
# check that the privileges are correctly read by acl_load
flush privileges;
connect testuser,localhost,testuser,,;
use testdb;
connection default;
use test;
disconnect testuser;
REVOKE LOCK TABLES ON testdb.* from PUBLIC;
drop user testuser;
drop database testdb;
#
# test DB privilege to allow USE statement (as above)
# test current db privileges
#
create user testuser;
create database testdb;
use testdb;
create table t1 (a int);
insert into t1 values (1);
GRANT LOCK TABLES ON testdb.* to PUBLIC;
connect testuser,localhost,testuser,,;
use testdb;
update t1 set a=a+1;
ERROR 42000: UPDATE command denied to user 'testuser'@'localhost' for table `testdb`.`t1`
connection default;
GRANT UPDATE,SELECT ON testdb.* to PUBLIC;
connection testuser;
use testdb;
update t1 set a=a+1;
connection default;
select * from testdb.t1;
a
2
use test;
disconnect testuser;
REVOKE LOCK TABLES ON testdb.* from PUBLIC;
REVOKE UPDATE,SELECT ON testdb.* from PUBLIC;
drop user testuser;
drop database testdb;
#
# test DB privilege to allow USE statement (as above)
# test table/column privileges in current DB
#
create user testuser;
create database testdb;
use testdb;
create table t1 (a int);
insert into t1 values (1);
create table t2 (a int, b int);
insert into t2 values (1,2);
GRANT LOCK TABLES ON testdb.* to PUBLIC;
connect testuser,localhost,testuser,,;
use testdb;
delete from t1;
ERROR 42000: DELETE command denied to user 'testuser'@'localhost' for table `testdb`.`t1`
select b from t2;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb`.`t2`
select a from t2;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb`.`t2`
connection default;
GRANT DELETE ON testdb.t1 to PUBLIC;
GRANT SELECT (a) ON testdb.t2 to PUBLIC;
connection testuser;
use testdb;
delete from t1;
select a from t2;
a
1
select b from t2;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'b' in table 't2'
connection default;
select * from testdb.t1;
a
insert into t1 values (1);
disconnect testuser;
# check that the privileges are correctly read by acl_load
flush privileges;
connect testuser,localhost,testuser,,;
use testdb;
delete from t1;
select a from t2;
a
1
select b from t2;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'b' in table 't2'
connection default;
select * from testdb.t1;
a
use test;
disconnect testuser;
REVOKE ALL PRIVILEGES, GRANT OPTION from `PUBLIC`;
SHOW GRANTS FOR PUBLIC;
Grants for PUBLIC
drop user testuser;
drop database testdb;
#
# test function privilege
#
create user testuser;
create database testdb;
use testdb;
create function f1() returns int return 2;
connect testuser,localhost,testuser,,;
alter function testdb.f1 comment "A stupid function";
ERROR 42000: alter routine command denied to user 'testuser'@'%' for routine 'testdb.f1'
select testdb.f1();
ERROR 42000: execute command denied to user 'testuser'@'%' for routine 'testdb.f1'
connection default;
GRANT ALTER ROUTINE ON testdb.* to PUBLIC;
connection testuser;
alter function testdb.f1 comment "A stupid function";
select testdb.f1();
ERROR 42000: execute command denied to user 'testuser'@'%' for routine 'testdb.f1'
connection default;
disconnect testuser;
# check that the privileges are correctly read by acl_load
flush privileges;
connect testuser,localhost,testuser,,;
alter function testdb.f1 comment "A stupid function";
select testdb.f1();
ERROR 42000: execute command denied to user 'testuser'@'%' for routine 'testdb.f1'
connection default;
use test;
disconnect testuser;
REVOKE ALTER ROUTINE ON testdb.* from PUBLIC;
drop function testdb.f1;
drop user testuser;
drop database testdb;
#
# bug with automatically added PUBLIC role
#
# automaticly added PUBLIC
delete from mysql.global_priv where user="PUBLIC";
flush privileges;
GRANT SELECT on test.* to PUBLIC;
REVOKE SELECT on test.* from PUBLIC;
create user testuser;
create database testdb1;
use testdb1;
create table t1 (a int, b int);
insert into t1 values (1,2);
connect testuser,localhost,testuser,,;
select * from testdb1.t1;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb1`.`t1`
connection default;
disconnect testuser;
drop user testuser;
drop database testdb1;
#
# check assigning privileges via GRAND role TO PUBLIC
#
create user testuser;
create database testdb1;
use testdb1;
create table t1 (a int, b int);
# check that user do not have rights
connect testuser,localhost,testuser,,*NO-ONE*;
select * from testdb1.t1;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb1`.`t1`
connection default;
give rights to everyone via assigning the role to public
create role roletest;
GRANT SELECT ON testdb1.* TO roletest;
GRANT roletest TO PUBLIC;
connection testuser;
select * from testdb1.t1;
a b
connection default;
disconnect testuser;
# check that the privileges are correctly read by acl_load
flush privileges;
connect testuser,localhost,testuser,,*NO-ONE*;
select * from testdb1.t1;
a b
connection default;
# drop role...
drop role roletest;
# ... and check that user does not have rights again
connection testuser;
select * from testdb1.t1;
ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb1`.`t1`
connection default;
disconnect testuser;
drop user testuser;
drop database testdb1;
# clean up
delete from mysql.global_priv where user="PUBLIC";
flush privileges;
#
# MDEV-29752 SHOW GRANTS FOR PUBLIC should work for all users
#
create database dbtest;
create user `testuser`@`%`;
GRANT USAGE ON *.* TO `testuser`@`%`;
GRANT ALL PRIVILEGES ON `dbtest`.* TO `PUBLIC`;
connect testuser,localhost,testuser,,;
show grants for public;
Grants for PUBLIC
GRANT ALL PRIVILEGES ON `dbtest`.* TO PUBLIC
show grants for testuser;
Grants for testuser@%
GRANT USAGE ON *.* TO `testuser`@`%`
connection default;
disconnect testuser;
REVOKE ALL PRIVILEGES ON `dbtest`.* FROM `PUBLIC`;
REVOKE USAGE ON *.* FROM `testuser`@`%`;
drop user `testuser`@`%`;
drop database dbtest;
# clean up
delete from mysql.global_priv where user="PUBLIC";
flush privileges;
|