MDEV-19276 during connect, write error log warning for ER_DBACCESS_DENIED_ERROR,

if log_warnings > 1. This makes ER_DBACCESS_DENIED_ERROR handling the same as we do for other "access denied"
author: Vladislav Vaintroub <wlad@mariadb.com> 2019-04-24 22:13:12 +0100
committer: Vladislav Vaintroub <wlad@mariadb.com> 2019-04-28 12:49:59 +0200
commit: 7590861779e3da5760153c0d01ffbf26048e4cef (patch)
tree: 214daaeeed37c7842ccf90c03ad560e6e2be4447
parent: 6c9a6bad4fe90c8bfcfe6dbf46835a39edc95c6f (diff)
download: mariadb-git-7590861779e3da5760153c0d01ffbf26048e4cef.tar.gz
5 files changed, 60 insertions, 18 deletions
diff --git a/mysql-test/r/mdev_19276.result b/mysql-test/r/mdev_19276.result
new file mode 100644
index 00000000000..09d51561427
--- /dev/null
+++ b/mysql-test/r/mdev_19276.result
@@ -0,0 +1,9 @@
+CREATE DATABASE db1;
+CREATE USER u@localhost IDENTIFIED BY 'pw';
+set global log_warnings=2;
+connect(localhost,u,pw,db1,MASTER_PORT,MASTER_SOCKET);
+ERROR 42000: Access denied for user 'u'@'localhost' to database 'db1'
+FOUND /Access denied for user 'u'@'localhost' to database 'db1'/ in mysqld.1.err
+set global log_warnings=@@log_warnings;
+DROP DATABASE db1;
+DROP USER u@localhost;
diff --git a/mysql-test/t/mdev_19276.test b/mysql-test/t/mdev_19276.test
new file mode 100644
index 00000000000..3e6b72a3f55
--- /dev/null
+++ b/mysql-test/t/mdev_19276.test
@@ -0,0 +1,17 @@
+source include/not_embedded.inc;
+
+CREATE DATABASE db1;
+CREATE USER u@localhost IDENTIFIED BY 'pw';
+set global log_warnings=2;
+
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--error ER_DBACCESS_DENIED_ERROR
+--connect(con1,localhost,u,pw,db1)
+--connection default
+let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err;
+let SEARCH_RANGE= -50;
+let SEARCH_PATTERN=Access denied for user 'u'@'localhost' to database 'db1';
+source include/search_pattern_in_file.inc;
+set global log_warnings=@@log_warnings;
+DROP DATABASE db1;
+DROP USER u@localhost;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 83526532bdd..6448f65a2cd 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -11295,7 +11295,7 @@ struct MPVIO_EXT :public MYSQL_PLUGIN_VIO
 };
 
 /**
-  a helper function to report an access denied error in all the proper places
+  a helper function to report an access denied error in most proper places
 */
 static void login_failed_error(THD *thd)
 {
@@ -12715,10 +12715,26 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
   /* Change a database if necessary */
   if (mpvio.db.length)
   {
-    if (mysql_change_db(thd, &mpvio.db, FALSE))
+    uint err = mysql_change_db(thd, &mpvio.db, FALSE);
+    if(err)
     {
-      /* mysql_change_db() has pushed the error message. */
-      status_var_increment(thd->status_var.access_denied_errors);
+      if (err == ER_DBACCESS_DENIED_ERROR)
+      {
+        /*
+          Got an "access denied" error, which must be handled
+          other access denied errors (see login_failed_error()).
+          mysql_change_db() already sent error to client, and
+          wrote to general log, we only need to increment the counter
+          and maybe write a warning to error log.
+        */
+        status_var_increment(thd->status_var.access_denied_errors);
+        if (global_system_variables.log_warnings > 1)
+        {
+          Security_context* sctx = thd->security_ctx;
+          sql_print_warning(ER_THD(thd, err),
+            sctx->priv_user, sctx->priv_host, mpvio.db.str);
+        }
+      }
       DBUG_RETURN(1);
     }
   }
diff --git a/sql/sql_db.cc b/sql/sql_db.cc
index d7ed82a2ef3..7b83332ea62 100644
--- a/sql/sql_db.cc
+++ b/sql/sql_db.cc
@@ -1451,12 +1451,12 @@ static void backup_current_db_name(THD *thd,
   a stack pointer set by Stored Procedures was used by replication after
   the stack address was long gone.
 
-  @return Operation status
-    @retval FALSE Success
-    @retval TRUE  Error
+  @return error code (ER_XXX)
+    @retval 0 Success
+    @retval >0  Error
 */
 
-bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
+uint mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
 {
   LEX_STRING new_db_file_name;
 
@@ -1480,13 +1480,13 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
 
       mysql_change_db_impl(thd, NULL, 0, thd->variables.collation_server);
 
-      DBUG_RETURN(FALSE);
+      DBUG_RETURN(0);
     }
     else
     {
       my_message(ER_NO_DB_ERROR, ER_THD(thd, ER_NO_DB_ERROR), MYF(0));
 
-      DBUG_RETURN(TRUE);
+      DBUG_RETURN(ER_NO_DB_ERROR);
     }
   }
   DBUG_PRINT("enter",("name: '%s'", new_db_name->str));
@@ -1498,7 +1498,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
     mysql_change_db_impl(thd, &INFORMATION_SCHEMA_NAME, SELECT_ACL,
                          system_charset_info);
 
-    DBUG_RETURN(FALSE);
+    DBUG_RETURN(0);
   }
 
   /*
@@ -1513,7 +1513,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
   new_db_file_name.length= new_db_name->length;
 
   if (new_db_file_name.str == NULL)
-    DBUG_RETURN(TRUE);                             /* the error is set */
+    DBUG_RETURN(ER_OUT_OF_RESOURCES);                             /* the error is set */
 
   /*
     NOTE: if check_db_name() fails, we should throw an error in any case,
@@ -1532,7 +1532,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
     if (force_switch)
       mysql_change_db_impl(thd, NULL, 0, thd->variables.collation_server);
 
-    DBUG_RETURN(TRUE);
+    DBUG_RETURN(ER_WRONG_DB_NAME);
   }
 
   DBUG_PRINT("info",("Use database: %s", new_db_file_name.str));
@@ -1562,7 +1562,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
     general_log_print(thd, COM_INIT_DB, ER_THD(thd, ER_DBACCESS_DENIED_ERROR),
                       sctx->priv_user, sctx->priv_host, new_db_file_name.str);
     my_free(new_db_file_name.str);
-    DBUG_RETURN(TRUE);
+    DBUG_RETURN(ER_DBACCESS_DENIED_ERROR);
   }
 #endif
 
@@ -1586,7 +1586,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
 
       /* The operation succeed. */
 
-      DBUG_RETURN(FALSE);
+      DBUG_RETURN(0);
     }
     else
     {
@@ -1597,7 +1597,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
 
       /* The operation failed. */
 
-      DBUG_RETURN(TRUE);
+      DBUG_RETURN(ER_BAD_DB_ERROR);
     }
   }
 
@@ -1610,7 +1610,7 @@ bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name, bool force_switch)
 
   mysql_change_db_impl(thd, &new_db_file_name, db_access, db_default_cl);
 
-  DBUG_RETURN(FALSE);
+  DBUG_RETURN(0);
 }
 
 
diff --git a/sql/sql_db.h b/sql/sql_db.h
index ed8417a7793..b778e42645a 100644
--- a/sql/sql_db.h
+++ b/sql/sql_db.h
@@ -26,7 +26,7 @@ bool mysql_alter_db(THD *thd, const char *db,
                     const Schema_specification_st *create);
 bool mysql_rm_db(THD *thd, char *db, bool if_exists);
 bool mysql_upgrade_db(THD *thd, LEX_STRING *old_db);
-bool mysql_change_db(THD *thd, const LEX_STRING *new_db_name,
+uint mysql_change_db(THD *thd, const LEX_STRING *new_db_name,
                      bool force_switch);
 
 bool mysql_opt_change_db(THD *thd,
author	Vladislav Vaintroub <wlad@mariadb.com>	2019-04-24 22:13:12 +0100
committer	Vladislav Vaintroub <wlad@mariadb.com>	2019-04-28 12:49:59 +0200
commit	7590861779e3da5760153c0d01ffbf26048e4cef (patch)
tree	214daaeeed37c7842ccf90c03ad560e6e2be4447
parent	6c9a6bad4fe90c8bfcfe6dbf46835a39edc95c6f (diff)
download	mariadb-git-7590861779e3da5760153c0d01ffbf26048e4cef.tar.gz