From 91ad0cd5801ed16670f1f6d31d1d3dbd1be104d2 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Mon, 24 Nov 2014 16:53:51 +0100 Subject: sql_acl.cc: better recognize the context to tell the role from a user REQUIRE and MAX_QUERIES_PER_HOUR can not possibly apply to a role --- mysql-test/suite/roles/password.result | 20 ++++++++++---------- mysql-test/suite/roles/password.test | 22 ++++++++++++---------- sql/sql_acl.cc | 6 ++++++ sql/sql_yacc.yy | 15 ++++++++++----- 4 files changed, 38 insertions(+), 25 deletions(-) diff --git a/mysql-test/suite/roles/password.result b/mysql-test/suite/roles/password.result index 041a049ccec..1992431e1a3 100644 --- a/mysql-test/suite/roles/password.result +++ b/mysql-test/suite/roles/password.result 
@@ -10,25 +10,25 @@ ERROR HY000: Plugin 'plugin' is not loaded grant select on mysql.user to r1 identified via plugin using 'param'; ERROR HY000: Plugin 'plugin' is not loaded grant select on *.* to r1 require subject 'foobar'; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on mysql.user to r1 require issuer 'foobar'; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on *.* to r1 require cipher 'foobar'; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on mysql.user to r1 require ssl; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on *.* to r1 require x509; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on mysql.user to r1 require none; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on *.* to r1 with max_queries_per_hour 10; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on mysql.user to r1 with max_updates_per_hour 10; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on *.* to r1 with max_connections_per_hour 10; -ERROR 28000: Can't find any matching row in the user table +drop user r1; grant select on mysql.user to r1 with max_user_connections 10; -ERROR 28000: Can't find any matching row in the user table +drop user r1; set password for r1 = '00000000000000000000000000000000000000000'; ERROR 28000: Can't find any matching row in the user table drop role r1; diff --git a/mysql-test/suite/roles/password.test b/mysql-test/suite/roles/password.test index f638c5f39be..fed0f2f4a19 100644 --- a/mysql-test/suite/roles/password.test +++ b/mysql-test/suite/roles/password.test 
@@ -24,26 +24,28 @@ grant select on *.* to r1 identified via plugin; --error ER_PLUGIN_IS_NOT_LOADED grant select on mysql.user to r1 identified via plugin using 'param'; ---error ER_PASSWORD_NO_MATCH +# same for REQUIRE and mqh grant select on *.* to r1 require subject 'foobar'; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on mysql.user to r1 require issuer 'foobar'; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on *.* to r1 require cipher 'foobar'; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on mysql.user to r1 require ssl; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on *.* to r1 require x509; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on mysql.user to r1 require none; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on *.* to r1 with max_queries_per_hour 10; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on mysql.user to r1 with max_updates_per_hour 10; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on *.* to r1 with max_connections_per_hour 10; ---error ER_PASSWORD_NO_MATCH +drop user r1; grant select on mysql.user to r1 with max_user_connections 10; +drop user r1; + --error ER_PASSWORD_NO_MATCH set password for r1 = '00000000000000000000000000000000000000000'; diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 28b6067b32f..829a4aed52a 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -10806,6 +10806,12 @@ LEX_USER *get_current_user(THD *thd, LEX_USER *user, bool lock) return 0; #ifndef NO_EMBEDDED_ACCESS_CHECKS + if (has_auth(user, thd->lex)) + { + dup->host= host_not_specified; + return dup; + } + if (is_invalid_role_name(user->user.str)) return 0; diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy index 5913efaf941..32c586ab20d 100644 --- a/sql/sql_yacc.yy +++ b/sql/sql_yacc.yy 
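Review bot: The rewritten statements in password.test no longer assert what each GRANT produced: every `--error ER_PASSWORD_NO_MATCH` became a bare `drop user r1;`, which only shows that some account named r1 existed afterwards. The role r1 is still present (the later `set password for r1` still expects ER_PASSWORD_NO_MATCH), so the test should pin which account was created and show that the role was left untouched, for example `show grants for r1@'%';` after the first REQUIRE grant and after the first resource-limit grant. The host `'%'` is inferred from `host_not_specified` in the sql_acl.cc hunk of this commit, so confirm it before adding the check. The one-line comment `# same for REQUIRE and mqh` could also state outright that these statements are expected to create a user r1 beside the role r1.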
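Review bot: The early return added to get_current_user() needs a comment, because it changes how a host-less name is resolved: when has_auth() is true the name is returned as a user with `host_not_specified`, before `is_invalid_role_name()` and the rest of the function (outside this hunk) run. The updated password.test in this commit shows the consequence: `grant select on *.* to r1 require none` now succeeds while a role r1 exists, and the following `drop user r1` suggests a login account r1 is created alongside the role, presumably without a password unless the sql_mode forbids auto-creation. Suggested comment above the `if`: `/* auth, REQUIRE or resource limits only apply to users: treat a host-less name as a user and skip the role lookup */`. has_auth() is defined outside the hunk, so the LEX fields it reads should be confirmed there and named in the comment.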
@@ -14000,7 +14000,7 @@ user_maybe_role: MYSQL_YYABORT; $$->user = $1; $$->host= null_lex_str; // User or Role, see get_current_user() - $$->password= null_lex_str; + $$->password= null_lex_str; $$->plugin= empty_lex_str; $$->auth= empty_lex_str; @@ -14014,7 +14014,7 @@ user_maybe_role: if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user)))) MYSQL_YYABORT; $$->user = $1; $$->host=$3; - $$->password= null_lex_str; + $$->password= null_lex_str; $$->plugin= empty_lex_str; $$->auth= empty_lex_str; @@ -14046,6 +14046,7 @@ user_maybe_role: if (!($$=(LEX_USER*)thd->calloc(sizeof(LEX_USER)))) MYSQL_YYABORT; $$->user= current_user; + $$->password= null_lex_str; $$->plugin= empty_lex_str; $$->auth= empty_lex_str; } @@ -15285,6 +15286,7 @@ current_role: if (!($$=(LEX_USER*) thd->calloc(sizeof(LEX_USER)))) MYSQL_YYABORT; $$->user= current_role; + $$->password= null_lex_str; $$->plugin= empty_lex_str; $$->auth= empty_lex_str; } @@ -15302,7 +15304,7 @@ grant_role: MYSQL_YYABORT; $$->user = $1; $$->host= empty_lex_str; - $$->password= null_lex_str; + $$->password= null_lex_str; $$->plugin= empty_lex_str; $$->auth= empty_lex_str; @@ -15565,7 +15567,7 @@ grant_user: $1->auth= $6; } | user_or_role - { $$= $1; $1->password= null_lex_str; } + { $$= $1; } ; opt_column_list: @@ -16016,7 +16018,10 @@ no_definer: definer: DEFINER_SYM EQ user_or_role { - thd->lex->definer= $3; + Lex->definer= $3; + Lex->ssl_type= SSL_TYPE_NOT_SPECIFIED; + Lex->ssl_cipher= Lex->x509_subject= Lex->x509_issuer= 0; + bzero(&(Lex->mqh), sizeof(Lex->mqh)); } ; -- cgit v1.2.1
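Review bot: The reset of `Lex->ssl_type`, the cipher/x509 pointers and `Lex->mqh` in the `definer:` action has no comment, and its purpose cannot be read from the grammar alone. It presumably exists so that the has_auth() test added to get_current_user() in this commit does not mistake a DEFINER name for a user carrying REQUIRE or resource-limit clauses; a comment such as `/* DEFINER has no REQUIRE/limits: clear them so get_current_user() can still resolve a role */` would record that. The user-versus-role decision now depends on statement-level LEX state, so any other rule that takes `user_or_role` without initialising these fields would be classified from whatever values they hold. Only `definer:` is handled in the visible hunks; a single reset helper called from each such rule would make the remaining call sites easier to audit.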