From 34da3be8a832306410ddb42006f8a067d38127be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Mon, 22 May 2017 13:38:26 +0300 Subject: MDEV-10463: Granted as a whole to roles, databases are not show in SHOW DATABASES The problem lies in not checking role privileges as well during SHOW DATABASES command. This problem is also apparent for SHOW CREATE DATABASE command. Other SHOW COMMANDS make use of check_access, which in turn makes use of acl_get for both priv_user and priv_role parts, which allows them to function correctly. --- .../suite/roles/show_create_database-10463.result | 65 ++++++++++++++++++++++ .../suite/roles/show_create_database-10463.test | 55 ++++++++++++++++++ 2 files changed, 120 insertions(+) create mode 100644 mysql-test/suite/roles/show_create_database-10463.result create mode 100644 mysql-test/suite/roles/show_create_database-10463.test (limited to 'mysql-test/suite/roles') diff --git a/mysql-test/suite/roles/show_create_database-10463.result b/mysql-test/suite/roles/show_create_database-10463.result new file mode 100644 index 00000000000..1bf14933966 --- /dev/null +++ b/mysql-test/suite/roles/show_create_database-10463.result @@ -0,0 +1,65 @@ +drop database if exists db; +Warnings: +Note 1008 Can't drop database 'db'; database doesn't exist +create role r1; +create user beep@'%'; +create database db; +create table db.t1 (i int); +create table db.t2 (b int); +grant select on db.* to r1; +grant r1 to beep@'%'; +show databases; +Database +information_schema +test +show create database db; +ERROR 42000: Access denied for user 'beep'@'localhost' to database 'db' +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; +table_schema table_name +set role r1; +show databases; +Database +db +information_schema +test +show create database db; +Database Create Database +db CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */ +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; +table_schema table_name +db t1 +db t2 +create role r2; +create user beep2@'%'; +grant update on db.* to r2; +grant r2 to beep2; +show databases; +Database +information_schema +test +show create database db; +ERROR 42000: Access denied for user 'beep2'@'localhost' to database 'db' +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; +table_schema table_name +set role r2; +show databases; +Database +db +information_schema +test +show create database db; +Database Create Database +db CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */ +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; +table_schema table_name +db t1 +db t2 +drop database db; +drop role r1; +drop user beep; +drop role r2; +drop user beep2; diff --git a/mysql-test/suite/roles/show_create_database-10463.test b/mysql-test/suite/roles/show_create_database-10463.test new file mode 100644 index 00000000000..2d921629c10 --- /dev/null +++ b/mysql-test/suite/roles/show_create_database-10463.test @@ -0,0 +1,55 @@ +source include/not_embedded.inc; + +drop database if exists db; + +create role r1; +create user beep@'%'; + +create database db; +create table db.t1 (i int); +create table db.t2 (b int); +grant select on db.* to r1; +grant r1 to beep@'%'; + +--connect (con1,localhost,beep,,) +show databases; +--error ER_DBACCESS_DENIED_ERROR +show create database db; +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; + +set role r1; +show databases; +show create database db; +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; + + +connection default; +create role r2; +create user beep2@'%'; + +grant update on db.* to r2; +grant r2 to beep2; +--connect (con2,localhost,beep2,,) +show databases; +--error ER_DBACCESS_DENIED_ERROR +show create database db; +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; + +set role r2; +show databases; + +show create database db; +select table_schema, table_name from information_schema.tables +where table_schema = 'db'; + + +connection default; + +drop database db; +drop role r1; +drop user beep; +drop role r2; +drop user beep2; -- cgit v1.2.1 From f0ad93403f4f39873618759585ca765169ecf000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= Date: Mon, 22 May 2017 17:06:01 +0300 Subject: MDEV-12666: CURRENT_ROLE() and DATABASE() does not work in a view The problem lies in how CURRENT_ROLE is defined. The Item_func_current_role inherits from Item_func_sysconst, which defines a safe_charset_converter to be a const_charset_converter. During view creation, if there is no role previously set, the current_role() function returns NULL. This is captured on item instantiation and the const_charset_converter call subsequently returns an Item_null. In turn, the function is replaced with Item_null and the view is then created with an Item_null instead of Item_func_current_role. Without this patch, the first SHOW CREATE VIEW from the testcase would have a where clause of WHERE role_name = NULL, while the second SHOW CREATE VIEW would show a correctly created view. The same applies for the DATABASE function, as it can change as well. There is an additional problem with CURRENT_ROLE() when used in a prepared statement. During prepared statement creation we used to set the string_value of the function to the current role as well as the null_value flag. During execution, if CURRENT_ROLE was not null, the null_value flag was never set to not-null during fix_fields. Item_func_current_user however can never be NULL so it did not show this problem in a view before. At the same time, the CURRENT_USER() can not be changed between prepared statement execution and creation so the implementation where the value is stored during fix_fields is sufficient. Note also that DATABASE() function behaves differently during prepared statements. See bug 25843 for details or commit 7e0ad09edff587dadc3e9855fc81e1b7de8f2199 --- .../suite/roles/current_role_view-12666.result | 103 +++++++++++++++++++++ .../suite/roles/current_role_view-12666.test | 102 ++++++++++++++++++++ 2 files changed, 205 insertions(+) create mode 100644 mysql-test/suite/roles/current_role_view-12666.result create mode 100644 mysql-test/suite/roles/current_role_view-12666.test (limited to 'mysql-test/suite/roles') diff --git a/mysql-test/suite/roles/current_role_view-12666.result b/mysql-test/suite/roles/current_role_view-12666.result new file mode 100644 index 00000000000..1d14593be4b --- /dev/null +++ b/mysql-test/suite/roles/current_role_view-12666.result @@ -0,0 +1,103 @@ +CREATE USER has_role@'localhost'; +GRANT ALL PRIVILEGES ON *.* TO has_role@'localhost'; +CREATE ROLE test_role; +GRANT test_role TO has_role@'localhost'; +CREATE USER no_role@'localhost'; +GRANT ALL PRIVILEGES ON *.* TO no_role@'localhost'; +CREATE TABLE view_role_test ( +id int primary key, +role_name varchar(50) +); +INSERT INTO view_role_test VALUES (1, 'test_role'); +# +# Use the same logic for stored procedures. +# +PREPARE prepared_no_current_role FROM "SELECT * from view_role_test WHERE role_name = CURRENT_ROLE()"; +# +# Creating a view with no CURRENT_ROLE() set and one with CURRENT_ROLE() +# set. Both should produce the same SHOW CREATE VIEW output. +# +CREATE +DEFINER = no_role@localhost +SQL SECURITY INVOKER +VIEW v_view_role_test_no_current_role +AS +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); +SHOW CREATE VIEW v_view_role_test_no_current_role; +View Create View character_set_client collation_connection +v_view_role_test_no_current_role CREATE ALGORITHM=UNDEFINED DEFINER=`no_role`@`localhost` SQL SECURITY INVOKER VIEW `v_view_role_test_no_current_role` AS select `view_role_test`.`id` AS `id`,`view_role_test`.`role_name` AS `role_name` from `view_role_test` where (`view_role_test`.`role_name` = current_role()) latin1 latin1_swedish_ci +# +# No values should be returned +# +EXECUTE prepared_no_current_role; +id role_name +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); +id role_name +SELECT * FROM v_view_role_test_no_current_role; +id role_name +# +# Now let's set the role. Create identical views as before. See if +# their behaviour is different. It should not be. +# +SET ROLE test_role; +SELECT CURRENT_USER(); +CURRENT_USER() +root@localhost +SELECT CURRENT_ROLE(); +CURRENT_ROLE() +test_role +# +# Create the VIEW and prepared Statement with a CURRENT_ROLE() set. +# +CREATE +DEFINER = no_role@localhost +SQL SECURITY INVOKER +VIEW v_view_role_test_with_current_role +AS +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); +PREPARE prepared_with_current_role FROM "SELECT * from view_role_test WHERE role_name = CURRENT_ROLE()"; +SHOW CREATE VIEW v_view_role_test_with_current_role; +View Create View character_set_client collation_connection +v_view_role_test_with_current_role CREATE ALGORITHM=UNDEFINED DEFINER=`no_role`@`localhost` SQL SECURITY INVOKER VIEW `v_view_role_test_with_current_role` AS select `view_role_test`.`id` AS `id`,`view_role_test`.`role_name` AS `role_name` from `view_role_test` where (`view_role_test`.`role_name` = current_role()) latin1 latin1_swedish_ci +# +# Values should be returned for all select statements as we do have +# a CURRENT_ROLE() active; +# +EXECUTE prepared_no_current_role; +id role_name +1 test_role +EXECUTE prepared_with_current_role; +id role_name +1 test_role +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); +id role_name +1 test_role +SELECT * FROM v_view_role_test_no_current_role; +id role_name +1 test_role +SELECT * FROM v_view_role_test_with_current_role; +id role_name +1 test_role +SET ROLE NONE; +# +# No values should be returned for all select statements as we do not have +# a CURRENT_ROLE() active; +# +EXECUTE prepared_no_current_role; +id role_name +EXECUTE prepared_with_current_role; +id role_name +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); +id role_name +SELECT * FROM v_view_role_test_no_current_role; +id role_name +SELECT * FROM v_view_role_test_with_current_role; +id role_name +DROP USER has_role@'localhost'; +DROP USER no_role@'localhost'; +DROP ROLE test_role; +DROP table view_role_test; +DROP VIEW v_view_role_test_no_current_role; +DROP VIEW v_view_role_test_with_current_role; +DROP PREPARE prepared_no_current_role; +DROP PREPARE prepared_with_current_role; diff --git a/mysql-test/suite/roles/current_role_view-12666.test b/mysql-test/suite/roles/current_role_view-12666.test new file mode 100644 index 00000000000..32039ffef07 --- /dev/null +++ b/mysql-test/suite/roles/current_role_view-12666.test @@ -0,0 +1,102 @@ +# +# MDEV-12666 CURRENT_ROLE() does not work in a view +# +--source include/not_embedded.inc + +CREATE USER has_role@'localhost'; +GRANT ALL PRIVILEGES ON *.* TO has_role@'localhost'; + +CREATE ROLE test_role; +GRANT test_role TO has_role@'localhost'; + +CREATE USER no_role@'localhost'; +GRANT ALL PRIVILEGES ON *.* TO no_role@'localhost'; + +CREATE TABLE view_role_test ( + id int primary key, + role_name varchar(50) + ); + +INSERT INTO view_role_test VALUES (1, 'test_role'); + +--echo # +--echo # Use the same logic for stored procedures. +--echo # +PREPARE prepared_no_current_role FROM "SELECT * from view_role_test WHERE role_name = CURRENT_ROLE()"; + +--echo # +--echo # Creating a view with no CURRENT_ROLE() set and one with CURRENT_ROLE() +--echo # set. Both should produce the same SHOW CREATE VIEW output. +--echo # +CREATE +DEFINER = no_role@localhost +SQL SECURITY INVOKER +VIEW v_view_role_test_no_current_role +AS +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); + +SHOW CREATE VIEW v_view_role_test_no_current_role; + + +--echo # +--echo # No values should be returned +--echo # +EXECUTE prepared_no_current_role; +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); +SELECT * FROM v_view_role_test_no_current_role; + +--echo # +--echo # Now let's set the role. Create identical views as before. See if +--echo # their behaviour is different. It should not be. +--echo # +SET ROLE test_role; + +SELECT CURRENT_USER(); +SELECT CURRENT_ROLE(); + +--echo # +--echo # Create the VIEW and prepared Statement with a CURRENT_ROLE() set. +--echo # +CREATE +DEFINER = no_role@localhost +SQL SECURITY INVOKER +VIEW v_view_role_test_with_current_role +AS +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); + +PREPARE prepared_with_current_role FROM "SELECT * from view_role_test WHERE role_name = CURRENT_ROLE()"; + +SHOW CREATE VIEW v_view_role_test_with_current_role; + + +--echo # +--echo # Values should be returned for all select statements as we do have +--echo # a CURRENT_ROLE() active; +--echo # +EXECUTE prepared_no_current_role; +EXECUTE prepared_with_current_role; +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); +SELECT * FROM v_view_role_test_no_current_role; +SELECT * FROM v_view_role_test_with_current_role; + +SET ROLE NONE; +--echo # +--echo # No values should be returned for all select statements as we do not have +--echo # a CURRENT_ROLE() active; +--echo # +EXECUTE prepared_no_current_role; +EXECUTE prepared_with_current_role; +SELECT * FROM view_role_test WHERE role_name = CURRENT_ROLE(); +SELECT * FROM v_view_role_test_no_current_role; +SELECT * FROM v_view_role_test_with_current_role; + + +DROP USER has_role@'localhost'; +DROP USER no_role@'localhost'; +DROP ROLE test_role; + +DROP table view_role_test; +DROP VIEW v_view_role_test_no_current_role; +DROP VIEW v_view_role_test_with_current_role; +DROP PREPARE prepared_no_current_role; +DROP PREPARE prepared_with_current_role; -- cgit v1.2.1