1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
|
--source include/have_plugin_auth.inc
--source include/not_embedded.inc
--source include/mysql_upgrade_preparation.inc
--source include/have_innodb.inc
query_vertical SELECT PLUGIN_STATUS, PLUGIN_TYPE, PLUGIN_DESCRIPTION
FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME='test_plugin_server';
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
SELECT plugin,authentication_string FROM mysql.user WHERE User='plug';
--echo ## test plugin auth
--disable_query_log
--error ER_ACCESS_DENIED_ERROR : this should fail : no grant
connect(plug_con,localhost,plug,plug_dest);
--enable_query_log
GRANT PROXY ON plug_dest TO plug;
--echo test proxies_priv columns
--replace_column 1 xx 7 xx
SELECT * FROM mysql.proxies_priv WHERE user !='root';
--echo test mysql.proxies_priv;
SHOW CREATE TABLE mysql.proxies_priv;
connect(plug_con,localhost,plug,plug_dest);
connection plug_con;
select USER(),CURRENT_USER();
--echo ## test SET PASSWORD
#--error ER_SET_PASSWORD_AUTH_PLUGIN
SET PASSWORD = PASSWORD('plug_dest');
connection default;
disconnect plug_con;
--echo ## test bad credentials
--disable_query_log
--error ER_ACCESS_DENIED_ERROR
connect(plug_con,localhost,plug,bad_credentials);
--enable_query_log
--echo ## test bad default plugin : should get CR_AUTH_PLUGIN_CANNOT_LOAD
--disable_result_log
--disable_query_log
--error 2059
connect(plug_con_wrongp,localhost,plug,plug_dest,,,,,wrong_plugin_name);
--enable_query_log
--enable_result_log
--echo ## test correct default plugin
connect(plug_con_rightp,localhost,plug,plug_dest,,,,,auth_test_plugin);
connection plug_con_rightp;
select USER(),CURRENT_USER();
connection default;
disconnect plug_con_rightp;
--echo ## test no_auto_create_user sql mode with plugin users
SET @@sql_mode=no_auto_create_user;
GRANT INSERT ON TEST.* TO grant_user IDENTIFIED WITH 'test_plugin_server';
SET @@sql_mode=default;
DROP USER grant_user;
--echo ## test utf-8 user name
CREATE USER `Ÿ` IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
GRANT PROXY ON plug_dest TO `Ÿ`;
connect(non_ascii,localhost,Ÿ,plug_dest);
connection non_ascii;
select USER(),CURRENT_USER();
connection default;
disconnect non_ascii;
DROP USER `Ÿ`;
--echo ## test GRANT ... IDENTIFIED WITH/BY ...
CREATE DATABASE test_grant_db;
--echo # create new user via GRANT WITH
GRANT ALL PRIVILEGES ON test_grant_db.* TO new_grant_user
IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
GRANT PROXY ON plug_dest TO new_grant_user;
connect(plug_con_grant,localhost,new_grant_user,plug_dest);
connection plug_con_grant;
select USER(),CURRENT_USER();
USE test_grant_db;
CREATE TABLE t1 (a INT);
DROP TABLE t1;
connection default;
disconnect plug_con_grant;
REVOKE ALL PRIVILEGES ON test_grant_db.* FROM new_grant_user;
--echo # try re-create existing user via GRANT IDENTIFIED BY
GRANT ALL PRIVILEGES ON test_grant_db.* TO new_grant_user
IDENTIFIED BY 'new_password';
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
--error ER_ACCESS_DENIED_ERROR
connect(plug_con_grant_deny,localhost,new_grant_user,plug_dest);
connect(plug_con_grant,localhost,new_grant_user,new_password);
connection plug_con_grant;
select USER(),CURRENT_USER();
USE test_grant_db;
CREATE TABLE t1 (a INT);
DROP TABLE t1;
connection default;
disconnect plug_con_grant;
DROP USER new_grant_user;
--echo # try re-create existing user via GRANT IDENTIFIED WITH
GRANT ALL PRIVILEGES ON test_grant_db.* TO plug
IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
GRANT ALL PRIVILEGES ON test_grant_db.* TO plug_dest
IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
--error ER_PARSE_ERROR
REVOKE SELECT on test_grant_db.* FROM joro
INDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
--error ER_PARSE_ERROR
REVOKE SELECT on test_grant_db.* FROM joro
INDENTIFIED BY 'plug_dest_passwd';
--error ER_PARSE_ERROR
REVOKE SELECT on test_grant_db.* FROM joro
INDENTIFIED BY PASSWORD 'plug_dest_passwd';
DROP DATABASE test_grant_db;
--echo ## GRANT PROXY tests
CREATE USER grant_plug IDENTIFIED WITH 'test_plugin_server'
AS 'grant_plug_dest';
CREATE USER grant_plug_dest IDENTIFIED BY 'grant_plug_dest_passwd';
CREATE USER grant_plug_dest2 IDENTIFIED BY 'grant_plug_dest_passwd2';
--echo # ALL PRIVILEGES doesn't include PROXY
GRANT ALL PRIVILEGES ON *.* TO grant_plug;
--disable_query_log
--error ER_ACCESS_DENIED_ERROR : this should fail : no grant
connect(grant_plug_con,localhost,grant_plug,grant_plug_dest);
--enable_query_log
--error ER_PARSE_ERROR : this should fail : can't combine PROXY
GRANT ALL PRIVILEGES,PROXY ON grant_plug_dest TO grant_plug;
--echo this should fail : can't combine PROXY
--error ER_PARSE_ERROR
GRANT ALL SELECT,PROXY ON grant_plug_dest TO grant_plug;
--echo # this should fail : no such grant
--error ER_NONEXISTING_GRANT
REVOKE PROXY ON grant_plug_dest FROM grant_plug;
connect(grant_plug_dest_con,localhost,grant_plug_dest,grant_plug_dest_passwd);
connection grant_plug_dest_con;
--echo in grant_plug_dest_con
--echo ## testing what an ordinary user can grant
--echo this should fail : no rights to grant all
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
GRANT PROXY ON ''@'%%' TO grant_plug;
--echo this should fail : not the same user
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
GRANT PROXY ON grant_plug TO grant_plug_dest;
# Security context in THD contains two pairs of (user,host)
# 1. (user,host) pair referring to inbound connection
# 2. (priv_user,priv_host) pair obtained from mysql.user table after doing
# authnetication of incoming connection.
# Granting/revoking proxy privileges, privileges should be checked wrt
# (priv_user, priv_host) tuple that is obtained from mysql.user table
# Following is a valid grant because effective user of connection is
# grant_plug_dest@% and statement is trying to grant proxy on the same
# user.
--echo This is a valid grant
GRANT PROXY ON grant_plug_dest TO grant_plug;
REVOKE PROXY ON grant_plug_dest FROM grant_plug;
--echo this should work : same user
GRANT PROXY ON grant_plug_dest TO grant_plug_dest2;
REVOKE PROXY ON grant_plug_dest FROM grant_plug_dest2;
# grant_plug_dest@localhost is not the same as grant_plug_dest@%
# so following grant/revoke should fail
--echo this should fail : not the same user
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION;
--echo this should fail : not the same user
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug;
--echo this should fail : can't create users
--error ER_CANT_CREATE_USER_WITH_GRANT
GRANT PROXY ON grant_plug_dest TO grant_plug@localhost;
connection default;
--echo in default connection
disconnect grant_plug_dest_con;
--echo # test what root can grant
--echo should work : root has PROXY to all users
GRANT PROXY ON ''@'%%' TO grant_plug;
REVOKE PROXY ON ''@'%%' FROM grant_plug;
--echo should work : root has PROXY to all users
GRANT PROXY ON ''@'%%' TO proxy_admin IDENTIFIED BY 'test'
WITH GRANT OPTION;
--echo need USAGE : PROXY doesn't contain it.
GRANT USAGE on *.* TO proxy_admin;
connect (proxy_admin_con,localhost,proxy_admin,test);
connection proxy_admin_con;
--echo in proxy_admin_con;
--echo should work : proxy_admin has proxy to ''@'%%'
GRANT PROXY ON future_user TO grant_plug;
connection default;
--echo in default connection
disconnect proxy_admin_con;
SHOW GRANTS FOR grant_plug;
REVOKE PROXY ON future_user FROM grant_plug;
SHOW GRANTS FOR grant_plug;
--echo ## testing drop user
CREATE USER test_drop@localhost;
GRANT PROXY ON future_user TO test_drop@localhost;
SHOW GRANTS FOR test_drop@localhost;
DROP USER test_drop@localhost;
SELECT * FROM mysql.proxies_priv WHERE Host = 'test_drop' AND User = 'localhost';
DROP USER proxy_admin;
DROP USER grant_plug,grant_plug_dest,grant_plug_dest2;
--echo ## END GRANT PROXY tests
--echo ## cleanup
DROP USER plug;
DROP USER plug_dest;
--echo ## @@proxy_user tests
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
GRANT PROXY ON plug_dest TO plug;
SELECT USER(),CURRENT_USER(),@@LOCAL.proxy_user;
--error ER_INCORRECT_GLOBAL_LOCAL_VAR
SELECT @@GLOBAL.proxy_user;
SELECT @@LOCAL.proxy_user;
--error ER_INCORRECT_GLOBAL_LOCAL_VAR
SET GLOBAL proxy_user = 'test';
--error ER_INCORRECT_GLOBAL_LOCAL_VAR
SET LOCAL proxy_user = 'test';
SELECT @@LOCAL.proxy_user;
connect(plug_con,localhost,plug,plug_dest);
connection plug_con;
--echo # in connection plug_con
SELECT @@LOCAL.proxy_user;
connection default;
--echo # in connection default
disconnect plug_con;
--echo ## cleanup
DROP USER plug;
DROP USER plug_dest;
--echo ## END @@proxy_user tests
--echo ## @@external_user tests
CREATE USER plug IDENTIFIED WITH 'test_plugin_server' AS 'plug_dest';
CREATE USER plug_dest IDENTIFIED BY 'plug_dest_passwd';
GRANT PROXY ON plug_dest TO plug;
SELECT USER(),CURRENT_USER(),@@LOCAL.external_user;
--error ER_INCORRECT_GLOBAL_LOCAL_VAR
SELECT @@GLOBAL.external_user;
SELECT @@LOCAL.external_user;
--error ER_INCORRECT_GLOBAL_LOCAL_VAR
SET GLOBAL external_user = 'test';
--error ER_INCORRECT_GLOBAL_LOCAL_VAR
SET LOCAL external_user = 'test';
SELECT @@LOCAL.external_user;
connect(plug_con,localhost,plug,plug_dest);
connection plug_con;
--echo # in connection plug_con
SELECT @@LOCAL.external_user;
connection default;
--echo # in connection default
disconnect plug_con;
--echo ## cleanup
DROP USER plug;
DROP USER plug_dest;
--echo ## END @@external_user tests
--echo #
--echo # Bug #56798 : Wrong credentials assigned when using a proxy user.
--echo #
GRANT ALL PRIVILEGES ON *.* TO power_user;
GRANT USAGE ON anonymous_db.* TO ''@'%%'
IDENTIFIED WITH 'test_plugin_server' AS 'power_user';
GRANT PROXY ON power_user TO ''@'%%';
CREATE DATABASE confidential_db;
connect(plug_con,localhost, test_login_user, power_user, confidential_db);
SELECT user(),current_user(),@@proxy_user;
connection default;
disconnect plug_con;
DROP USER power_user;
DROP USER ''@'%%';
DROP DATABASE confidential_db;
--echo # Test case #2 (crash with double grant proxy)
CREATE USER ''@'%%' IDENTIFIED WITH 'test_plugin_server' AS 'standard_user';
CREATE USER standard_user;
CREATE DATABASE shared;
GRANT ALL PRIVILEGES ON shared.* TO standard_user;
GRANT PROXY ON standard_user TO ''@'%%';
--echo #should not crash
GRANT PROXY ON standard_user TO ''@'%%';
DROP USER ''@'%%';
DROP USER standard_user;
DROP DATABASE shared;
--echo #
--echo # Bug #57551 : Live upgrade fails between 5.1.52 -> 5.5.7-rc
--echo #
CALL mtr.add_suppression("Missing system table mysql.proxies_priv.");
DROP TABLE mysql.proxies_priv;
--echo # Must come back with mysql.proxies_priv absent.
--source include/restart_mysqld.inc
--error ER_NO_SUCH_TABLE
SELECT * FROM mysql.proxies_priv;
CREATE USER u1@localhost;
GRANT ALL PRIVILEGES ON *.* TO u1@localhost;
REVOKE ALL PRIVILEGES ON *.* FROM u1@localhost;
GRANT ALL PRIVILEGES ON *.* TO u1@localhost;
CREATE USER u2@localhost;
GRANT ALL PRIVILEGES ON *.* TO u2@localhost;
--echo # access denied because of no privileges to root
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
GRANT PROXY ON u2@localhost TO u1@localhost;
--echo # access denied because of no privileges to root
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
REVOKE PROXY ON u2@localhost FROM u1@localhost;
--echo # go try graning proxy on itself, so that it will need the table
connect(proxy_granter_con,localhost,u2,);
connection proxy_granter_con;
--error ER_NO_SUCH_TABLE
GRANT PROXY ON u2@localhost TO u1@localhost;
--error ER_NO_SUCH_TABLE
REVOKE PROXY ON u2@localhost FROM u1@localhost;
connection default;
disconnect proxy_granter_con;
--echo # test if REVOKE works without the proxies_priv table
REVOKE ALL PRIVILEGES ON *.* FROM u1@localhost, u2@localhost;
--echo # test if DROP USER work without the proxies_priv table
DROP USER u1@localhost,u2@localhost;
--echo # test if FLUSH PRIVILEGES works without the proxies_priv table
FLUSH PRIVILEGES;
--exec $MYSQL_UPGRADE --skip-verbose --force 2>&1
--query_vertical SELECT Host,User,Proxied_host,Proxied_user,With_grant FROM mysql.proxies_priv
FLUSH PRIVILEGES;
--echo #
--echo # Bug#58139 : default-auth option not recognized in MySQL standard
--echo # command line clients
--echo #
--echo # Executing 'mysql'
--exec $MYSQL -u root -S $MASTER_MYSOCK -P $MASTER_MYPORT --default-auth=auth_test_plugin -e "SELECT 1"
--echo # Executing 'mysqladmin'
--exec $MYSQLADMIN -u root -S $MASTER_MYSOCK -P $MASTER_MYPORT --default-auth=auth_test_plugin ping
--echo # Executing 'mysqldump'
--exec $MYSQL_DUMP -u root -S $MASTER_MYSOCK -P $MASTER_MYPORT --compact --default-auth=auth_test_plugin test
--echo # Executing 'mysql_upgrade'
--exec $MYSQL_UPGRADE -u root -S $MASTER_MYSOCK -P $MASTER_MYPORT --default-auth=auth_test_plugin --skip-verbose --force --upgrade-system-tables
--echo #
--echo # Bug #59657: Move the client authentication_pam plugin into the
--echo # server repository
--echo #
CREATE USER uplain@localhost IDENTIFIED WITH 'cleartext_plugin_server'
AS 'cleartext_test';
--echo ## test plugin auth
--disable_query_log
--error ER_ACCESS_DENIED_ERROR : this should fail : no grant
connect(cleartext_fail_con,localhost,uplain,cleartext_test2);
--enable_query_log
connect(cleartext_con,localhost,uplain,cleartext_test);
connection cleartext_con;
select USER(),CURRENT_USER();
connection default;
disconnect cleartext_con;
DROP USER uplain@localhost;
--echo #
--echo # Bug #59038 : mysql.user.authentication_string column
--echo # causes configuration wizard to fail
INSERT INTO mysql.user(
Host,
User,
Password,
Select_priv,
Insert_priv,
Update_priv,
Delete_priv,
Create_priv,
Drop_priv,
Reload_priv,
Shutdown_priv,
Process_priv,
File_priv,
Grant_priv,
References_priv,
Index_priv,
Alter_priv,
Show_db_priv,
Super_priv,
Create_tmp_table_priv,
Lock_tables_priv,
Execute_priv,
Repl_slave_priv,
Repl_client_priv,
/*!50001
Create_view_priv,
Show_view_priv,
Create_routine_priv,
Alter_routine_priv,
Create_user_priv,
*/
ssl_type,
ssl_cipher,
x509_issuer,
x509_subject,
max_questions,
max_updates,
max_connections)
VALUES (
'localhost',
'inserttest', '',
'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
/*!50001 'Y', 'Y', 'Y', 'Y', 'Y', */'', '', '', '', '0', '0', '0');
FLUSH PRIVILEGES;
DROP USER inserttest@localhost;
SELECT IS_NULLABLE, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE
COLUMN_NAME IN ('authentication_string', 'plugin') AND
TABLE_NAME='user' AND
TABLE_SCHEMA='mysql'
ORDER BY COLUMN_NAME;
--echo #
--echo # Bug #11936829: diff. between mysql.user (authentication_string)
--echo # in fresh and upgraded 5.5.11
--echo #
SELECT IS_NULLABLE, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA= 'mysql' AND TABLE_NAME= 'user' AND
COLUMN_NAME IN ('plugin', 'authentication_string')
ORDER BY COLUMN_NAME;
ALTER TABLE mysql.user MODIFY plugin char(64) DEFAULT '' NOT NULL;
ALTER TABLE mysql.user MODIFY authentication_string TEXT NOT NULL;
--echo Run mysql_upgrade on a 5.5.10 external authentication column layout
--exec $MYSQL_UPGRADE --skip-verbose --force 2>&1
SELECT IS_NULLABLE, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA= 'mysql' AND TABLE_NAME= 'user' AND
COLUMN_NAME IN ('plugin', 'authentication_string')
ORDER BY COLUMN_NAME;
--echo #
--echo # Bug # 11766641: 59792: BIN/MYSQL -UUNKNOWN -PUNKNOWN
--echo # .-> USING PASSWORD: NO
--echo #
--echo # shoud contain "using password=yes"
--error 1
--exec $MYSQL -uunknown -punknown 2>&1
--echo # shoud contain "using password=no"
--error 1
--exec $MYSQL -uunknown 2>&1
--echo #
--echo # Bug #12610784: SET PASSWORD INCORRECTLY KEEP AN OLD EMPTY PASSWORD
--echo #
CREATE USER bug12610784@localhost;
SET PASSWORD FOR bug12610784@localhost = PASSWORD('secret');
--disable_query_log
--error ER_ACCESS_DENIED_ERROR
connect(b12610784,localhost,bug12610784,,test);
--enable_query_log
connect(b12610784,localhost,bug12610784,secret,test);
connection default;
disconnect b12610784;
DROP USER bug12610784@localhost;
--echo #
--echo # Bug #12818542: PAM: ADDING PASSWORD FOR AN ACCOUNT DISABLES PAM
--echo # AUTHENTICATION SETTINGS
--echo #
CREATE USER bug12818542@localhost
IDENTIFIED WITH 'test_plugin_server' AS 'bug12818542_dest';
CREATE USER bug12818542_dest@localhost
IDENTIFIED BY 'bug12818542_dest_passwd';
GRANT PROXY ON bug12818542_dest@localhost TO bug12818542@localhost;
connect(bug12818542_con,localhost,bug12818542,bug12818542_dest);
connection bug12818542_con;
SELECT USER(),CURRENT_USER();
SET PASSWORD = PASSWORD('bruhaha');
connection default;
disconnect bug12818542_con;
connect(bug12818542_con2,localhost,bug12818542,bug12818542_dest);
connection bug12818542_con2;
SELECT USER(),CURRENT_USER();
connection default;
disconnect bug12818542_con2;
DROP USER bug12818542@localhost;
DROP USER bug12818542_dest@localhost;
--echo End of 5.5 tests
|