Commit 0f29a348 authored by unknown's avatar unknown

Added more tests to grant2. Fixed some previous tests.

Added new logic to ACL system:

1) If GRANT OPTION (not mysql db):
   Ok to update existing user, but not password.
   Not allowed to make a new user.

2) If UPDATE_ACL to mysql DB:
   Ok to update current user, but not make a new one.

3) If INSERT_ACL to mysql DB:
   Ok to add a new user, but not modify existing.

4) If GRANT OPTION to mysql DB:
   All modifications OK.


mysql-test/r/grant2.result:
  Added more ACL tests and fixed results in some old tests.
mysql-test/t/grant2.test:
  Added more ACL tests and fixed results in some old tests.
sql/sql_acl.h:
  Made check_acl_user() visible to sql_parse.cc
sql/sql_parse.cc:
  Added new logic to ACL system:
  
  1) If GRANT OPTION (not mysql db):
     Ok to update existing user, but not password.
     Not allowed to make a new user.
  
  2) If UPDATE_ACL to mysql DB:
     Ok to update current user, but not make a new one.
  
  3) If INSERT_ACL to mysql DB:
     Ok to add a new user, but not modify existing.
  
  4) If GRANT OPTION to mysql DB:
     All modifications OK.
parent 4ef1272b
......@@ -5,6 +5,23 @@ delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges;
grant all privileges on `my\_1`.* to mysqltest_1@localhost with grant option;
create user mysqltest_2@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
ERROR 42000: You must have privileges to update tables in the mysql database to be able to change passwords for others
grant update on mysql.* to mysqltest_1@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
grant select on `my\_1`.* to mysqltest_3@localhost;
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant insert on mysql.* to mysqltest_1@localhost;
grant select on `my\_1`.* to mysqltest_3@localhost;
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'pass';
delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges;
grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
select current_user();
current_user()
......@@ -13,6 +30,7 @@ select current_user;
current_user
mysqltest_1@localhost
grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'my_%'
set @@sql_mode='NO_AUTO_CREATE_USER';
......@@ -23,15 +41,13 @@ grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
with grant option;
ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysql'
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
show grants for mysqltest_1@localhost;
Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
GRANT ALL PRIVILEGES ON `my\_%`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION
show grants for mysqltest_2@localhost;
Grants for mysqltest_2@localhost
GRANT USAGE ON *.* TO 'mysqltest_2'@'localhost'
GRANT ALL PRIVILEGES ON `my\_1`.* TO 'mysqltest_2'@'localhost' WITH GRANT OPTION
ERROR 42000: There is no such grant defined for user 'mysqltest_2' on host 'localhost'
show grants for mysqltest_3@localhost;
ERROR 42000: There is no such grant defined for user 'mysqltest_3' on host 'localhost'
delete from mysql.user where user like 'mysqltest\_%';
......@@ -61,9 +77,9 @@ flush privileges;
create table t1 (a int, b int);
grant select (a) on t1 to mysqltest_1@localhost with grant option;
grant select (a,b) on t1 to mysqltest_2@localhost;
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for column 'b' in table 't1'
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant select on t1 to mysqltest_3@localhost;
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't1'
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
drop table t1;
delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%';
......
......@@ -17,6 +17,36 @@ delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges;
grant all privileges on `my\_1`.* to mysqltest_1@localhost with grant option;
create user mysqltest_2@localhost;
connect (user_a,localhost,mysqltest_1,,);
connection user_a;
grant select on `my\_1`.* to mysqltest_2@localhost;
--error 1132
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
disconnect user_a;
connection default;
grant update on mysql.* to mysqltest_1@localhost;
connect (user_b,localhost,mysqltest_1,,);
connection user_b;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
--error 1211
grant select on `my\_1`.* to mysqltest_3@localhost;
disconnect user_b;
connection default;
grant insert on mysql.* to mysqltest_1@localhost;
connect (user_c,localhost,mysqltest_1,,);
connection user_c;
grant select on `my\_1`.* to mysqltest_3@localhost;
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'pass';
disconnect user_c;
connection default;
delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges;
#
# wild_compare fun
#
......@@ -26,9 +56,11 @@ connect (user1,localhost,mysqltest_1,,);
connection user1;
select current_user();
select current_user;
--error 1211
grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
--error 1044
grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
#
# NO_AUTO_CREATE_USER mode
#
......@@ -36,12 +68,13 @@ set @@sql_mode='NO_AUTO_CREATE_USER';
select @@sql_mode;
--error 1211
grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
--error 1044
--error 1211
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
with grant option;
disconnect user1;
connection default;
show grants for mysqltest_1@localhost;
--error 1141
show grants for mysqltest_2@localhost;
--error 1141
show grants for mysqltest_3@localhost;
......@@ -83,9 +116,9 @@ create table t1 (a int, b int);
grant select (a) on t1 to mysqltest_1@localhost with grant option;
connect (mrugly, localhost, mysqltest_1,,mysqltest);
connection mrugly;
--error 1143
--error 1211
grant select (a,b) on t1 to mysqltest_2@localhost;
--error 1142
--error 1211
grant select on t1 to mysqltest_3@localhost;
disconnect mrugly;
......
......@@ -190,6 +190,8 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
bool mysql_procedure_grant(THD *thd, TABLE_LIST *table,
List <LEX_USER> &user_list, ulong rights,
bool revoke, bool no_error);
ACL_USER *check_acl_user(LEX_USER *user_name,
uint *acl_acl_userdx);
my_bool grant_init(THD *thd);
void grant_free(void);
void grant_reload(THD *thd);
......
......@@ -3629,18 +3629,36 @@ mysql_execute_command(THD *thd)
if (thd->user) // If not replication
{
LEX_USER *user;
uint counter;
List_iterator <LEX_USER> user_list(lex->users_list);
while ((user=user_list++))
{
if (user->password.str &&
(strcmp(thd->user, user->user.str) ||
if (strcmp(thd->user, user->user.str) ||
user->host.str &&
my_strcasecmp(system_charset_info,
user->host.str, thd->host_or_ip)))
user->host.str, thd->host_or_ip))
{
if (check_access(thd, UPDATE_ACL, "mysql", 0, 1, 0))
goto error;
break; // We are allowed to do changes
// We are trying to update another user, or create a new user
if (!check_access(thd, GRANT_ACL, "mysql", 0, 1, 1))
break; // We can update any existing, or add new users
if (!check_acl_user(user, &counter) &&
check_access(thd, INSERT_ACL, "mysql", 0, 1, 1))
{
my_error(ER_NO_PERMISSION_TO_CREATE_USER, MYF(0),
thd->user, thd->host_or_ip);
goto error; // Can't create new user, user does not exists
}
if (check_acl_user(user, &counter) &&
user->password.str &&
check_access(thd, UPDATE_ACL, "mysql", 0, 1, 1))
{
my_message(ER_PASSWORD_NOT_ALLOWED,
ER(ER_PASSWORD_NOT_ALLOWED), MYF(0));
goto error; // Can't update password, user already exists
}
}
}
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment