Commit 16b2bb90 authored by Vicențiu Ciorbaru's avatar Vicențiu Ciorbaru Committed by Vicențiu-Marian Ciorbaru

MDEV-29509 execute granted indirectly (via roles) doesn't always work

The issue manifests due to a bug in mysql_routine_grant. This was a side
effect of e46eea86 which fixed the problem of not giving appropriate error
message (ER_NONEXISTING_PROC_GRANT) when a routine grant existed due to role
inheritance.

When granting a routine privilege, it is possible to have a GRANT_NAME
entry already created from an inherited role, but with its init_privs
set to 0.

In this case we must not create a *new* grant entry, but we must edit
this grant entry to set its init_privs.

Note that this case was already covered by MDEV-29458, however due to a
forgotten "flush privileges;" the actual code path never got hit.
Remove the flush privilege command as it was never intended to be there
in the first place.
parent 5ad8cd93
...@@ -79,7 +79,6 @@ grant insert(a) on some_db.t1 to r_active_column; ...@@ -79,7 +79,6 @@ grant insert(a) on some_db.t1 to r_active_column;
grant insert on *.* to middle_level; grant insert on *.* to middle_level;
grant alter routine on procedure some_db.p1 to r_active_proc; grant alter routine on procedure some_db.p1 to r_active_proc;
grant alter routine on function some_db.f1 to r_active_func; grant alter routine on function some_db.f1 to r_active_func;
flush privileges;
connect con1, localhost, foo,,; connect con1, localhost, foo,,;
select * from some_db.t1; select * from some_db.t1;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't1' ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't1'
......
...@@ -103,7 +103,6 @@ grant insert on *.* to middle_level; ...@@ -103,7 +103,6 @@ grant insert on *.* to middle_level;
grant alter routine on procedure some_db.p1 to r_active_proc; grant alter routine on procedure some_db.p1 to r_active_proc;
grant alter routine on function some_db.f1 to r_active_func; grant alter routine on function some_db.f1 to r_active_func;
flush privileges;
--connect (con1, localhost, foo,,) --connect (con1, localhost, foo,,)
--error ER_TABLEACCESS_DENIED_ERROR --error ER_TABLEACCESS_DENIED_ERROR
......
...@@ -6793,23 +6793,24 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, ...@@ -6793,23 +6793,24 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list,
table_name= table_list->table_name.str; table_name= table_list->table_name.str;
grant_name= routine_hash_search(Str->host.str, NullS, db_name, grant_name= routine_hash_search(Str->host.str, NullS, db_name,
Str->user.str, table_name, sph, 1); Str->user.str, table_name, sph, 1);
if (!grant_name || !grant_name->init_privs) if (revoke_grant && (!grant_name || !grant_name->init_privs))
{ {
if (revoke_grant) my_error(ER_NONEXISTING_PROC_GRANT, MYF(0),
{ Str->user.str, Str->host.str, table_name);
my_error(ER_NONEXISTING_PROC_GRANT, MYF(0), result= TRUE;
Str->user.str, Str->host.str, table_name); continue;
result= TRUE; }
continue; if (!grant_name)
} {
DBUG_ASSERT(!revoke_grant);
grant_name= new GRANT_NAME(Str->host.str, db_name, grant_name= new GRANT_NAME(Str->host.str, db_name,
Str->user.str, table_name, Str->user.str, table_name,
rights, TRUE); rights, TRUE);
if (!grant_name || if (!grant_name ||
my_hash_insert(sph->get_priv_hash(), (uchar*) grant_name)) my_hash_insert(sph->get_priv_hash(), (uchar*) grant_name))
{ {
result= TRUE; result= TRUE;
continue; continue;
} }
} }
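Review bot: The new `if (!grant_name)` branch deliberately skips the case this fix is about, an entry that already exists through role inheritance with `init_privs` equal to 0, but nothing in the hunk tells the next reader that the skip is intended. The earlier regression came from treating that case like a missing entry, so I would add a comment above the branch such as `/* An entry created by role inheritance may already exist with init_privs == 0; reuse it instead of inserting a second one, so the direct grant is recorded on it below. */`. The code that sets `init_privs` on the reused entry is outside this hunk, since the loop body of mysql_routine_grant continues past it. It is worth confirming there that a later REVOKE of the direct grant leaves the role-inherited privileges intact.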
......