author | Sergei Golubchik <sergii@pisem.net> | 2013-10-18 12:26:29 -0700 |
committer | Sergei Golubchik <sergii@pisem.net> | 2013-10-18 12:26:29 -0700 |
commit | 67985b283a36302f78b6a776a4b78a281727b511 (patch) | |
tree | b345fce402f6a8f48914188a233e78afdcadc9fa | |
parent | 7fb978c79359780591324f98b32a7ec66da0f50e (diff) | |
require SUPER to specify an arbitrary admin
-rw-r--r-- | mysql-test/r/acl_roles_admin.result | 22 | ||||
-rw-r--r-- | mysql-test/t/acl_roles_admin.test | 17 | ||||
-rw-r--r-- | sql/sql_acl.cc | 35 |
3 files changed, 31 insertions, 43 deletions
diff --git a/mysql-test/r/acl_roles_admin.result b/mysql-test/r/acl_roles_admin.result
index d92b1057736..f9cb6088f88 100644
--- a/mysql-test/r/acl_roles_admin.result
+++ b/mysql-test/r/acl_roles_admin.result
@@ -1,15 +1,19 @@
-create user foo@localhost;
+grant create user on *.* to foo@localhost;
 create role role1;
 create role role2 with admin current_user;
 create role role3 with admin current_role;
 ERROR 0L000: Invalid definer
 create role role3 with admin role1;
 create role role4 with admin root@localhost;
+create role role5 with admin root@localhost;
+ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
+create role role5 with admin role3;
+ERROR 42000: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
 create role role5 with admin foo@localhost;
+call mtr.add_suppression("Invalid roles_mapping table entry user:'foo@bar', rolename:'role6'");
 create role role6 with admin foo@bar;
-ERROR HY000: The user specified as a definer ('foo'@'bar') does not exist
-create user foo@bar;
-create role role6 with admin foo@bar;
+Warnings:
+Note 1449 The user specified as a definer ('foo'@'bar') does not exist
 create user bar with admin current_user;
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin current_user' at line 1
 grant role1 to foo@localhost with admin option;
@@ -20,7 +24,7 @@ grant select on *.* to foo@localhost with admin option;
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin option' at line 1
 show grants for foo@localhost;
 Grants for foo@localhost
-GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT CREATE USER ON *.* TO 'foo'@'localhost'
 GRANT role1 TO 'foo'@'localhost' WITH ADMIN OPTION
 GRANT role2 TO 'foo'@'localhost'
 GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
@@ -51,7 +55,7 @@ localhost root role4 Y
 flush privileges;
 show grants for foo@localhost;
 Grants for foo@localhost
-GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT CREATE USER ON *.* TO 'foo'@'localhost'
 GRANT role1 TO 'foo'@'localhost' WITH ADMIN OPTION
 GRANT role2 TO 'foo'@'localhost'
 GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
@@ -73,7 +77,7 @@ revoke admin option for role3 from role4;
 revoke admin option for role2 from foo@localhost;
 show grants for foo@localhost;
 Grants for foo@localhost
-GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT CREATE USER ON *.* TO 'foo'@'localhost'
 GRANT role2 TO 'foo'@'localhost'
 GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
 show grants for role1;
@@ -102,7 +106,7 @@ localhost root role4 Y
 flush privileges;
 show grants for foo@localhost;
 Grants for foo@localhost
-GRANT USAGE ON *.* TO 'foo'@'localhost'
+GRANT CREATE USER ON *.* TO 'foo'@'localhost'
 GRANT role2 TO 'foo'@'localhost'
 GRANT role5 TO 'foo'@'localhost' WITH ADMIN OPTION
 show grants for role1;
@@ -118,4 +122,4 @@ GRANT USAGE ON *.* TO 'role3'
 GRANT USAGE ON *.* TO 'role4'
 GRANT role3 TO 'role4'
 drop role role1, role2, role3, role4, role5, role6;
-drop user foo@localhost, foo@bar;
+drop user foo@localhost;
diff --git a/mysql-test/t/acl_roles_admin.test b/mysql-test/t/acl_roles_admin.test
index 4be4652dcf8..4a8fc078324 100644
--- a/mysql-test/t/acl_roles_admin.test
+++ b/mysql-test/t/acl_roles_admin.test
@@ -1,4 +1,4 @@
-create user foo@localhost;
+grant create user on *.* to foo@localhost;
 ########################################
 # syntax tests
@@ -10,11 +10,18 @@ create role role2 with admin current_user;
 create role role3 with admin current_role;
 create role role3 with admin role1;
 create role role4 with admin root@localhost;
+
+# privilege checks, one needs SUPER to specify an arbitrary admin
+connect (c1, localhost, foo,,);
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+create role role5 with admin root@localhost;
+--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+create role role5 with admin role3;
 create role role5 with admin foo@localhost;
---error ER_NO_SUCH_USER
-create role role6 with admin foo@bar;
-create user foo@bar;
+connection default;
+# non-existing admin. works. warning. error in the log on acl_load.
+call mtr.add_suppression("Invalid roles_mapping table entry user:'foo@bar', rolename:'role6'");
 create role role6 with admin foo@bar;
 --error ER_PARSE_ERROR
@@ -68,5 +75,5 @@ show grants for role4;
 # cleanup
 ########################################
 drop role role1, role2, role3, role4, role5, role6;
-drop user foo@localhost, foo@bar;
+drop user foo@localhost;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 57063dd4f68..60eac36a4e3 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -8944,13 +8944,16 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
 {
 int result;
 String wrong_users;
- LEX_USER *user_name, *admin;
+ LEX_USER *user_name;
 List_iterator <LEX_USER> user_list(list);
 TABLE_LIST tables[GRANT_TABLES];
 bool some_users_created= FALSE;
 DBUG_ENTER("mysql_create_user");
 DBUG_PRINT("entry", ("Handle as %s", handle_as_role ? "role" : "user"));
+ if (handle_as_role && sp_process_definer(thd))
+ DBUG_RETURN(TRUE);
+
 /* CREATE USER may be skipped on replication client. */
 if ((result= open_grant_tables(thd, tables)))
 DBUG_RETURN(result != 1);
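Review bot: The admin named in `CREATE ROLE ... WITH ADMIN` no longer has to exist at the new `sp_process_definer(thd)` call: the removed `find_acl_role`/`find_user_no_anon` check raised ER_NO_SUCH_USER, whereas the updated acl_roles_admin.result shows only `Note 1449 The user specified as a definer ('foo'@'bar') does not exist`, and the test has to suppress `Invalid roles_mapping table entry` on reload. A roles_mapping row that points at a not-yet-existing account means whoever later creates that account (foo@bar in the test) inherits admin over the role; since naming an arbitrary admin now needs SUPER the exposure is limited, but nothing at the call site says this is intended. I would add above the new `if`: `/* A role's admin is validated like a routine definer: it defaults to CURRENT_USER and anything else needs SUPER; a non-existent admin is only a warning and leaves a dangling roles_mapping row until that account is created. */`. mysql_create_user continues past the end of this hunk.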
@@ -8958,32 +8961,6 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
 mysql_rwlock_wrlock(&LOCK_grant);
 mysql_mutex_lock(&acl_cache->lock);
- if (handle_as_role)
- {
- if (thd->lex->definer)
- admin= get_current_user(thd, thd->lex->definer, false);
- else
- admin= create_default_definer(thd, false);
- if (!admin)
- {
- mysql_mutex_unlock(&acl_cache->lock);
- mysql_rwlock_unlock(&LOCK_grant);
- DBUG_RETURN(TRUE);
- }
- bool exists;
- if (admin->is_role())
- exists= find_acl_role(admin->user.str);
- else
- exists= find_user_no_anon(admin->host.str, admin->user.str, TRUE);
- if (!exists)
- {
- my_error(ER_NO_SUCH_USER, MYF(0), admin->user.str, admin->host.str);
- mysql_mutex_unlock(&acl_cache->lock);
- mysql_rwlock_unlock(&LOCK_grant);
- DBUG_RETURN(TRUE);
- }
- }
-
 while ((user_name= user_list++))
 {
 if (!user_name->host.str)
@@ -9014,8 +8991,8 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
 {
 ROLE_GRANT_PAIR *pair= new (thd->mem_root) ROLE_GRANT_PAIR;
- if (pair->init(thd->mem_root, admin->user.str, admin->host.str,
- user_name->user.str, true))
+ if (pair->init(thd->mem_root, thd->lex->definer->user.str,
+ thd->lex->definer->host.str, user_name->user.str, true))
 {
 result= TRUE;
 break;
|
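Review bot: `thd->lex->definer` is dereferenced twice in the new `pair->init` call with no guard, while the removed code went through `admin`, which was explicitly NULL-checked before use; the new code presumably relies on `sp_process_definer(thd)` earlier in mysql_create_user having supplied a default definer when none was written, but both that call and the condition guarding this branch are outside what this hunk shows. A `DBUG_ASSERT(thd->lex->definer);` before the `if` would make that dependency explicit at no cost. The removed code also distinguished a role admin (`admin->is_role()` → `find_acl_role`) from a user admin, whereas the new call passes `definer->host.str` unconditionally, so it is worth confirming what host string a bare role name carries at this point, since that value is what is written into roles_mapping. The enclosing loop and function continue outside the hunk.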