diff options
| author | Vicențiu Ciorbaru <vicentiu@mariadb.org> | 2017-05-22 13:38:26 +0300 |
|---|---|---|
| committer | Vicențiu Ciorbaru <vicentiu@mariadb.org> | 2017-05-31 17:46:13 +0300 |
| commit | c148b19018106d18eb39fd897ac779e80bc415c9 (patch) | |
| tree | 925ad93571265d76b70a9bd953edf66452d3f043 | |
| parent | c13b5011629b5ff7b969d648265002e4d1ba94c2 (diff) | |
| download | mariadb-git-bb-10.1.20-claudio.tar.gz | |
MDEV-10463: Granted as a whole to roles, databases are not show in SHOW DATABASESbb-10.1.20-claudio10.0-claudio
The problem lies in not checking role privileges as well during SHOW
DATABASES command. This problem is also apparent for SHOW CREATE
DATABASE command.
Other SHOW COMMANDS make use of check_access, which in turn makes use of
acl_get for both priv_user and priv_role parts, which allows them to
function correctly.
| -rw-r--r-- | mysql-test/suite/roles/show_create_database-10463.result | 65 | ||||
| -rw-r--r-- | mysql-test/suite/roles/show_create_database-10463.test | 55 | ||||
| -rw-r--r-- | sql/sql_show.cc | 15 |
3 files changed, 131 insertions, 4 deletions
diff --git a/mysql-test/suite/roles/show_create_database-10463.result b/mysql-test/suite/roles/show_create_database-10463.result new file mode 100644 index 00000000000..1bf14933966 --- /dev/null +++ b/mysql-test/suite/roles/show_create_database-10463.result @@ -0,0 +1,65 @@ +drop database if exists db; +Warnings: +Note 1008 Can't drop database 'db'; database doesn't exist +create role r1; +create user beep@'%'; +create database db; +create table db.t1 (i int); +create table db.t2 (b int); +grant select on db.* to r1; +grant r1 to beep@'%'; +show databases; +Database +information_schema +test +show create database db; +ERROR 42000: Access denied for user 'beep'@'localhost' to database 'db' +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; +table_schema table_name +set role r1; +show databases; +Database +db +information_schema +test +show create database db; +Database Create Database +db CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */ +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; +table_schema table_name +db t1 +db t2 +create role r2; +create user beep2@'%'; +grant update on db.* to r2; +grant r2 to beep2; +show databases; +Database +information_schema +test +show create database db; +ERROR 42000: Access denied for user 'beep2'@'localhost' to database 'db' +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; +table_schema table_name +set role r2; +show databases; +Database +db +information_schema +test +show create database db; +Database Create Database +db CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */ +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; +table_schema table_name +db t1 +db t2 +drop database db; +drop role r1; +drop user beep; +drop role r2; +drop user beep2; diff --git a/mysql-test/suite/roles/show_create_database-10463.test b/mysql-test/suite/roles/show_create_database-10463.test new file mode 100644 index 00000000000..2d921629c10 --- /dev/null +++ b/mysql-test/suite/roles/show_create_database-10463.test @@ -0,0 +1,55 @@ +source include/not_embedded.inc; + +drop database if exists db; + +create role r1; +create user beep@'%'; + +create database db; +create table db.t1 (i int); +create table db.t2 (b int); +grant select on db.* to r1; +grant r1 to beep@'%'; + +--connect (con1,localhost,beep,,) +show databases; +--error ER_DBACCESS_DENIED_ERROR +show create database db; +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; + +set role r1; +show databases; +show create database db; +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; + + +connection default; +create role r2; +create user beep2@'%'; + +grant update on db.* to r2; +grant r2 to beep2; +--connect (con2,localhost,beep2,,) +show databases; +--error ER_DBACCESS_DENIED_ERROR +show create database db; +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; + +set role r2; +show databases; + +show create database db; +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; + + +connection default; + +drop database db; +drop role r1; +drop user beep; +drop role r2; +drop user beep2; diff --git a/sql/sql_show.cc b/sql/sql_show.cc index ae3874506dd..ede807a0539 100644 --- a/sql/sql_show.cc +++ b/sql/sql_show.cc @@ -1322,8 +1322,13 @@ bool mysqld_show_create_db(THD *thd, LEX_STRING *dbname, if (test_all_bits(sctx->master_access, DB_ACLS)) db_access=DB_ACLS; else - db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) | - sctx->master_access); + { + db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) | + sctx->master_access; + if (sctx->priv_role[0]) + db_access|= acl_get("", "", sctx->priv_role, dbname->str, 0); + } + if (!(db_access & DB_ACLS) && check_grant_db(thd,dbname->str)) { status_var_increment(thd->status_var.access_denied_errors); @@ -4892,8 +4897,10 @@ int fill_schema_schemata(THD *thd, TABLE_LIST *tables, COND *cond) } #ifndef NO_EMBEDDED_ACCESS_CHECKS if (sctx->master_access & (DB_ACLS | SHOW_DB_ACL) || - acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) || - !check_grant_db(thd, db_name->str)) + acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, false) || + (sctx->priv_role[0] ? + acl_get("", "", sctx->priv_role, db_name->str, false) : 0) || + !check_grant_db(thd, db_name->str)) #endif { load_db_opt_by_name(thd, db_name->str, &create); |