Commit 0f29a348 authored by unknown's avatar unknown

Added more tests to grant2. Fixed some previous tests.

Added new logic to ACL system:

1) If GRANT OPTION (not mysql db):
   Ok to update existing user, but not password.
   Not allowed to make a new user.

2) If UPDATE_ACL to mysql DB:
   Ok to update current user, but not make a new one.

3) If INSERT_ACL to mysql DB:
   Ok to add a new user, but not modify existing.

4) If GRANT OPTION to mysql DB:
   All modifications OK.


mysql-test/r/grant2.result:
  Added more ACL tests and fixed results in some old tests.
mysql-test/t/grant2.test:
  Added more ACL tests and fixed results in some old tests.
sql/sql_acl.h:
  Made check_acl_user() visible to sql_parse.cc
sql/sql_parse.cc:
  Added new logic to ACL system:
  
  1) If GRANT OPTION (not mysql db):
     Ok to update existing user, but not password.
     Not allowed to make a new user.
  
  2) If UPDATE_ACL to mysql DB:
     Ok to update current user, but not make a new one.
  
  3) If INSERT_ACL to mysql DB:
     Ok to add a new user, but not modify existing.
  
  4) If GRANT OPTION to mysql DB:
     All modifications OK.
parent 4ef1272b
...@@ -5,6 +5,23 @@ delete from mysql.db where user like 'mysqltest\_%'; ...@@ -5,6 +5,23 @@ delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%'; delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%'; delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges; flush privileges;
grant all privileges on `my\_1`.* to mysqltest_1@localhost with grant option;
create user mysqltest_2@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
ERROR 42000: You must have privileges to update tables in the mysql database to be able to change passwords for others
grant update on mysql.* to mysqltest_1@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
grant select on `my\_1`.* to mysqltest_3@localhost;
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant insert on mysql.* to mysqltest_1@localhost;
grant select on `my\_1`.* to mysqltest_3@localhost;
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'pass';
delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges;
grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option; grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
select current_user(); select current_user();
current_user() current_user()
...@@ -13,6 +30,7 @@ select current_user; ...@@ -13,6 +30,7 @@ select current_user;
current_user current_user
mysqltest_1@localhost mysqltest_1@localhost
grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option; grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option; grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'my_%' ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'my_%'
set @@sql_mode='NO_AUTO_CREATE_USER'; set @@sql_mode='NO_AUTO_CREATE_USER';
...@@ -23,15 +41,13 @@ grant select on `my\_1`.* to mysqltest_4@localhost with grant option; ...@@ -23,15 +41,13 @@ grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass' grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
with grant option; with grant option;
ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysql' ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
show grants for mysqltest_1@localhost; show grants for mysqltest_1@localhost;
Grants for mysqltest_1@localhost Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
GRANT ALL PRIVILEGES ON `my\_%`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION GRANT ALL PRIVILEGES ON `my\_%`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION
show grants for mysqltest_2@localhost; show grants for mysqltest_2@localhost;
Grants for mysqltest_2@localhost ERROR 42000: There is no such grant defined for user 'mysqltest_2' on host 'localhost'
GRANT USAGE ON *.* TO 'mysqltest_2'@'localhost'
GRANT ALL PRIVILEGES ON `my\_1`.* TO 'mysqltest_2'@'localhost' WITH GRANT OPTION
show grants for mysqltest_3@localhost; show grants for mysqltest_3@localhost;
ERROR 42000: There is no such grant defined for user 'mysqltest_3' on host 'localhost' ERROR 42000: There is no such grant defined for user 'mysqltest_3' on host 'localhost'
delete from mysql.user where user like 'mysqltest\_%'; delete from mysql.user where user like 'mysqltest\_%';
...@@ -61,9 +77,9 @@ flush privileges; ...@@ -61,9 +77,9 @@ flush privileges;
create table t1 (a int, b int); create table t1 (a int, b int);
grant select (a) on t1 to mysqltest_1@localhost with grant option; grant select (a) on t1 to mysqltest_1@localhost with grant option;
grant select (a,b) on t1 to mysqltest_2@localhost; grant select (a,b) on t1 to mysqltest_2@localhost;
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for column 'b' in table 't1' ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant select on t1 to mysqltest_3@localhost; grant select on t1 to mysqltest_3@localhost;
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't1' ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
drop table t1; drop table t1;
delete from mysql.user where user like 'mysqltest\_%'; delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%'; delete from mysql.db where user like 'mysqltest\_%';
...@@ -17,6 +17,36 @@ delete from mysql.columns_priv where user like 'mysqltest\_%'; ...@@ -17,6 +17,36 @@ delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges; flush privileges;
grant all privileges on `my\_1`.* to mysqltest_1@localhost with grant option;
create user mysqltest_2@localhost;
connect (user_a,localhost,mysqltest_1,,);
connection user_a;
grant select on `my\_1`.* to mysqltest_2@localhost;
--error 1132
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
disconnect user_a;
connection default;
grant update on mysql.* to mysqltest_1@localhost;
connect (user_b,localhost,mysqltest_1,,);
connection user_b;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
--error 1211
grant select on `my\_1`.* to mysqltest_3@localhost;
disconnect user_b;
connection default;
grant insert on mysql.* to mysqltest_1@localhost;
connect (user_c,localhost,mysqltest_1,,);
connection user_c;
grant select on `my\_1`.* to mysqltest_3@localhost;
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'pass';
disconnect user_c;
connection default;
delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges;
# #
# wild_compare fun # wild_compare fun
# #
...@@ -26,9 +56,11 @@ connect (user1,localhost,mysqltest_1,,); ...@@ -26,9 +56,11 @@ connect (user1,localhost,mysqltest_1,,);
connection user1; connection user1;
select current_user(); select current_user();
select current_user; select current_user;
--error 1211
grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option; grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
--error 1044 --error 1044
grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option; grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
# #
# NO_AUTO_CREATE_USER mode # NO_AUTO_CREATE_USER mode
# #
...@@ -36,12 +68,13 @@ set @@sql_mode='NO_AUTO_CREATE_USER'; ...@@ -36,12 +68,13 @@ set @@sql_mode='NO_AUTO_CREATE_USER';
select @@sql_mode; select @@sql_mode;
--error 1211 --error 1211
grant select on `my\_1`.* to mysqltest_4@localhost with grant option; grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
--error 1044 --error 1211
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass' grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
with grant option; with grant option;
disconnect user1; disconnect user1;
connection default; connection default;
show grants for mysqltest_1@localhost; show grants for mysqltest_1@localhost;
--error 1141
show grants for mysqltest_2@localhost; show grants for mysqltest_2@localhost;
--error 1141 --error 1141
show grants for mysqltest_3@localhost; show grants for mysqltest_3@localhost;
...@@ -83,9 +116,9 @@ create table t1 (a int, b int); ...@@ -83,9 +116,9 @@ create table t1 (a int, b int);
grant select (a) on t1 to mysqltest_1@localhost with grant option; grant select (a) on t1 to mysqltest_1@localhost with grant option;
connect (mrugly, localhost, mysqltest_1,,mysqltest); connect (mrugly, localhost, mysqltest_1,,mysqltest);
connection mrugly; connection mrugly;
--error 1143 --error 1211
grant select (a,b) on t1 to mysqltest_2@localhost; grant select (a,b) on t1 to mysqltest_2@localhost;
--error 1142 --error 1211
grant select on t1 to mysqltest_3@localhost; grant select on t1 to mysqltest_3@localhost;
disconnect mrugly; disconnect mrugly;
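Review bot: The new block added after `flush privileges;` exercises three of the four rules in the commit message for a grantor without GRANT OPTION on mysql.* (password change rejected with 1132, new user rejected with 1211, both accepted once insert on mysql.* is added), but mysqltest_1 is never given GRANT OPTION on mysql.*, so the branch described as rule 4, where every modification is accepted, has no coverage. A fourth connection after something like `grant all privileges on mysql.* to mysqltest_1@localhost with grant option;` that both creates a user and sets a password for an existing one would pin that path. The insert-only case of rule 3 (existing user may not be re-passworded) is also not isolated, because by the time user_c connects mysqltest_1 already holds update on mysql.* from the earlier grant, so the negative half of that rule is never asserted.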
...@@ -190,6 +190,8 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list, ...@@ -190,6 +190,8 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
bool mysql_procedure_grant(THD *thd, TABLE_LIST *table, bool mysql_procedure_grant(THD *thd, TABLE_LIST *table,
List <LEX_USER> &user_list, ulong rights, List <LEX_USER> &user_list, ulong rights,
bool revoke, bool no_error); bool revoke, bool no_error);
ACL_USER *check_acl_user(LEX_USER *user_name,
uint *acl_acl_userdx);
my_bool grant_init(THD *thd); my_bool grant_init(THD *thd);
void grant_free(void); void grant_free(void);
void grant_reload(THD *thd); void grant_reload(THD *thd);
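Review bot: The newly exported `check_acl_user()` prototype carries no comment on what it returns or what is stored through `acl_acl_userdx`, and that parameter name reads like a typo (I cannot confirm the intended spelling from this page). Now that the function is part of the header's interface, and the sql_parse.cc hunk in this commit treats a NULL return as "user does not exist", the declaration should state the NULL-on-miss contract and whether the index written through the second argument is meaningful when NULL is returned; a two-line comment above the prototype in the file's existing style is enough.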
...@@ -3629,18 +3629,36 @@ mysql_execute_command(THD *thd) ...@@ -3629,18 +3629,36 @@ mysql_execute_command(THD *thd)
if (thd->user) // If not replication if (thd->user) // If not replication
{ {
LEX_USER *user; LEX_USER *user;
uint counter;
List_iterator <LEX_USER> user_list(lex->users_list); List_iterator <LEX_USER> user_list(lex->users_list);
while ((user=user_list++)) while ((user=user_list++))
{ {
if (user->password.str && if (strcmp(thd->user, user->user.str) ||
(strcmp(thd->user, user->user.str) || user->host.str &&
user->host.str && my_strcasecmp(system_charset_info,
my_strcasecmp(system_charset_info, user->host.str, thd->host_or_ip))
user->host.str, thd->host_or_ip)))
{ {
if (check_access(thd, UPDATE_ACL, "mysql", 0, 1, 0)) // We are trying to update another user, or create a new user
goto error;
break; // We are allowed to do changes if (!check_access(thd, GRANT_ACL, "mysql", 0, 1, 1))
break; // We can update any existing, or add new users
if (!check_acl_user(user, &counter) &&
check_access(thd, INSERT_ACL, "mysql", 0, 1, 1))
{
my_error(ER_NO_PERMISSION_TO_CREATE_USER, MYF(0),
thd->user, thd->host_or_ip);
goto error; // Can't create new user, user does not exists
}
if (check_acl_user(user, &counter) &&
user->password.str &&
check_access(thd, UPDATE_ACL, "mysql", 0, 1, 1))
{
my_message(ER_PASSWORD_NOT_ALLOWED,
ER(ER_PASSWORD_NOT_ALLOWED), MYF(0));
goto error; // Can't update password, user already exists
}
} }
} }
} }
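Review bot: `check_acl_user(user, &counter)` is evaluated twice for the same LEX_USER, once in the INSERT_ACL test and again in the UPDATE_ACL test, and `counter` is only ever written; looking the user up once before the two tests, `ACL_USER *acl_user= check_acl_user(user, &counter);`, and then testing `!acl_user` and `acl_user` respectively keeps the two branches in step and avoids the second lookup. The condition at the top of the block mixes `||` and `&&` with no parentheses around the host test; `strcmp(thd->user, user->user.str) || (user->host.str && my_strcasecmp(...))` makes the precedence that is relied on explicit (the removed lines had the same shape, so this is a style point). The last argument of the three new check_access() calls is `1` where the removed call passed `0`, presumably so that check_access() stays silent and the specific ER_NO_PERMISSION_TO_CREATE_USER / ER_PASSWORD_NOT_ALLOWED messages below are the ones reported; a short comment stating that intent would save the next reader from checking the signature. mysql_execute_command() begins and ends outside this hunk.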