Commit 353576f3 authored by Sergei Golubchik's avatar Sergei Golubchik

GRANT/REVOKE should specify role name as 'role' not as 'role'@'%'

parent 06e16b8c
create user 'test_user'@'localhost'; create user 'test_user'@'localhost';
create user 'test_role1'@''; create role test_role1;
create user 'test_role2'@''; create role test_role2;
update mysql.user set is_role='Y' where user='test_role1';
update mysql.user set is_role='Y' where user='test_role2';
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost', insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user', 'test_user',
'test_role1'); 'test_role1');
...@@ -27,7 +25,7 @@ select user, host from mysql.db; ...@@ -27,7 +25,7 @@ select user, host from mysql.db;
user host user host
% %
% %
grant select on mysql.* to test_role2@''; grant select on mysql.* to test_role2;
flush privileges; flush privileges;
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'
...@@ -59,7 +57,7 @@ HostFk UserFk RoleFk ...@@ -59,7 +57,7 @@ HostFk UserFk RoleFk
localhost test_user test_role1 localhost test_user test_role1
localhost test_user test_role2 localhost test_user test_role2
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
revoke select on mysql.* from test_role2@''; revoke select on mysql.* from test_role2;
delete from mysql.user where user='test_role1'; delete from mysql.user where user='test_role1';
delete from mysql.user where user='test_role2'; delete from mysql.user where user='test_role2';
delete from mysql.roles_mapping where RoleFk='test_role1'; delete from mysql.roles_mapping where RoleFk='test_role1';
......
create user 'test_user'@'localhost'; create user 'test_user'@'localhost';
create user 'test_role1'@''; create role test_role1;
update mysql.user set is_role='Y' where user='test_role1';
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost', insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user', 'test_user',
'test_role1'); 'test_role1');
...@@ -12,9 +11,9 @@ select * from mysql.roles_mapping; ...@@ -12,9 +11,9 @@ select * from mysql.roles_mapping;
HostFk UserFk RoleFk HostFk UserFk RoleFk
localhost test_user test_role1 localhost test_user test_role1
flush privileges; flush privileges;
grant select on mysql.* to test_role1@''; grant select on mysql.* to test_role1;
grant insert, delete on mysql.roles_mapping to test_role1@''; grant insert, delete on mysql.roles_mapping to test_role1;
grant reload on *.* to test_role1@''; grant reload on *.* to test_role1;
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'
select current_user(), current_role(); select current_user(), current_role();
...@@ -51,8 +50,8 @@ ERROR 42000: INSERT command denied to user 'test_user'@'localhost' for table 'ro ...@@ -51,8 +50,8 @@ ERROR 42000: INSERT command denied to user 'test_user'@'localhost' for table 'ro
delete from mysql.roles_mapping where RoleFk='test_role2'; delete from mysql.roles_mapping where RoleFk='test_role2';
ERROR 42000: DELETE command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: DELETE command denied to user 'test_user'@'localhost' for table 'roles_mapping'
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
revoke select on mysql.* from test_role1@''; revoke select on mysql.* from test_role1;
revoke insert, delete on mysql.roles_mapping from test_role1@''; revoke insert, delete on mysql.roles_mapping from test_role1;
delete from mysql.user where user='test_role1'; drop role test_role1;
delete from mysql.roles_mapping where RoleFk='test_role1'; delete from mysql.roles_mapping where RoleFk='test_role1';
flush privileges; flush privileges;
...@@ -29,9 +29,9 @@ create procedure mysql.test_proc (OUT param1 INT) ...@@ -29,9 +29,9 @@ create procedure mysql.test_proc (OUT param1 INT)
begin begin
select COUNT(*) into param1 from mysql.roles_mapping; select COUNT(*) into param1 from mysql.roles_mapping;
end| end|
grant execute on function mysql.test_func to test_role2@''; grant execute on function mysql.test_func to test_role2;
grant execute on procedure mysql.test_proc to test_role2@''; grant execute on procedure mysql.test_proc to test_role2;
grant execute on mysql.* to test_role3@''; grant execute on mysql.* to test_role3;
flush privileges; flush privileges;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
...@@ -97,9 +97,9 @@ SELECT test_func('AABBCCDD'); ...@@ -97,9 +97,9 @@ SELECT test_func('AABBCCDD');
test_func('AABBCCDD') test_func('AABBCCDD')
Test string: AABBCCDD Test string: AABBCCDD
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
revoke execute on function mysql.test_func from test_role2@''; revoke execute on function mysql.test_func from test_role2;
revoke execute on procedure mysql.test_proc from test_role2@''; revoke execute on procedure mysql.test_proc from test_role2;
revoke execute on mysql.* from test_role3@''; revoke execute on mysql.* from test_role3;
delete from mysql.user where user like'test_%'; delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where RoleFk like 'test%'; delete from mysql.roles_mapping where RoleFk like 'test%';
drop function mysql.test_func; drop function mysql.test_func;
......
...@@ -16,7 +16,7 @@ select * from mysql.roles_mapping; ...@@ -16,7 +16,7 @@ select * from mysql.roles_mapping;
HostFk UserFk RoleFk HostFk UserFk RoleFk
test_role1 test_role2 test_role1 test_role2
localhost test_user test_role1 localhost test_user test_role1
grant select (RoleFk) on mysql.roles_mapping to test_role2@''; grant select (RoleFk) on mysql.roles_mapping to test_role2;
flush privileges; flush privileges;
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'
...@@ -64,7 +64,7 @@ drop user 'test_user'@'localhost'; ...@@ -64,7 +64,7 @@ drop user 'test_user'@'localhost';
select * from mysql.tables_priv; select * from mysql.tables_priv;
Host Db User Table_name Grantor Timestamp Table_priv Column_priv Host Db User Table_name Grantor Timestamp Table_priv Column_priv
mysql test_role2 roles_mapping root@localhost 0000-00-00 00:00:00 Select mysql test_role2 roles_mapping root@localhost 0000-00-00 00:00:00 Select
revoke select on mysql.roles_mapping from test_role2@''; revoke select on mysql.roles_mapping from test_role2;
delete from mysql.user where user like'test_%'; delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where RoleFk like 'test%'; delete from mysql.roles_mapping where RoleFk like 'test%';
flush privileges; flush privileges;
...@@ -16,7 +16,7 @@ select * from mysql.roles_mapping; ...@@ -16,7 +16,7 @@ select * from mysql.roles_mapping;
HostFk UserFk RoleFk HostFk UserFk RoleFk
test_role1 test_role2 test_role1 test_role2
localhost test_user test_role1 localhost test_user test_role1
grant select on mysql.roles_mapping to test_role2@''; grant select on mysql.roles_mapping to test_role2;
flush privileges; flush privileges;
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping' ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'
...@@ -62,7 +62,7 @@ drop user 'test_user'@'localhost'; ...@@ -62,7 +62,7 @@ drop user 'test_user'@'localhost';
select * from mysql.tables_priv; select * from mysql.tables_priv;
Host Db User Table_name Grantor Timestamp Table_priv Column_priv Host Db User Table_name Grantor Timestamp Table_priv Column_priv
mysql test_role2 roles_mapping root@localhost 0000-00-00 00:00:00 Select mysql test_role2 roles_mapping root@localhost 0000-00-00 00:00:00 Select
revoke select on mysql.roles_mapping from test_role2@''; revoke select on mysql.roles_mapping from test_role2;
delete from mysql.user where user like'test_%'; delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where RoleFk like 'test%'; delete from mysql.roles_mapping where RoleFk like 'test%';
flush privileges; flush privileges;
create user 'test_user'@'localhost'; create user 'test_user'@'localhost';
create user 'test_role1'@''; create role test_role1;
create user 'test_role2'@''; create role test_role2;
update mysql.user set is_role='Y' where user='test_role1';
update mysql.user set is_role='Y' where user='test_role2';
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost', insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user', 'test_user',
'test_role1'); 'test_role1');
...@@ -27,7 +25,7 @@ select user, host from mysql.db; ...@@ -27,7 +25,7 @@ select user, host from mysql.db;
user host user host
% %
% %
grant select on mysql.* to test_role2@''; grant select on mysql.* to test_role2;
flush privileges; flush privileges;
show grants; show grants;
Grants for test_user@localhost Grants for test_user@localhost
...@@ -127,9 +125,9 @@ Grants for test_role2 ...@@ -127,9 +125,9 @@ Grants for test_role2
GRANT SELECT ON `mysql`.* TO 'test_role2' GRANT SELECT ON `mysql`.* TO 'test_role2'
GRANT USAGE ON *.* TO 'test_role2' GRANT USAGE ON *.* TO 'test_role2'
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
revoke select on mysql.* from test_role2@''; revoke select on mysql.* from test_role2;
delete from mysql.user where user='test_role1'; drop role test_role1;
delete from mysql.user where user='test_role2'; drop role test_role2;
delete from mysql.roles_mapping where RoleFk='test_role1'; delete from mysql.roles_mapping where RoleFk='test_role1';
delete from mysql.roles_mapping where RoleFk='test_role2'; delete from mysql.roles_mapping where RoleFk='test_role2';
flush privileges; flush privileges;
#create a user with no privileges #create a user with no privileges
create user 'test_user'@'localhost'; create user 'test_user'@'localhost';
create user 'test_role1'@''; create role test_role1;
create user 'test_role2'@''; create role test_role2;
update mysql.user set is_role='Y' where user='test_role1';
update mysql.user set is_role='Y' where user='test_role2';
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost', insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user', 'test_user',
'test_role1'); 'test_role1');
...@@ -23,7 +21,7 @@ flush privileges; ...@@ -23,7 +21,7 @@ flush privileges;
--sorted_result --sorted_result
select user, host from mysql.db; select user, host from mysql.db;
grant select on mysql.* to test_role2@''; grant select on mysql.* to test_role2;
flush privileges; flush privileges;
change_user 'test_user'; change_user 'test_user';
...@@ -47,7 +45,7 @@ select * from mysql.roles_mapping; ...@@ -47,7 +45,7 @@ select * from mysql.roles_mapping;
change_user 'root'; change_user 'root';
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
revoke select on mysql.* from test_role2@''; revoke select on mysql.* from test_role2;
delete from mysql.user where user='test_role1'; delete from mysql.user where user='test_role1';
delete from mysql.user where user='test_role2'; delete from mysql.user where user='test_role2';
delete from mysql.roles_mapping where RoleFk='test_role1'; delete from mysql.roles_mapping where RoleFk='test_role1';
......
#create a user with no privileges #create a user with no privileges
create user 'test_user'@'localhost'; create user 'test_user'@'localhost';
create user 'test_role1'@''; create role test_role1;
update mysql.user set is_role='Y' where user='test_role1';
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost', insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user', 'test_user',
'test_role1'); 'test_role1');
...@@ -12,10 +11,10 @@ select user, host from mysql.user where user not like 'root'; ...@@ -12,10 +11,10 @@ select user, host from mysql.user where user not like 'root';
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
flush privileges; flush privileges;
grant select on mysql.* to test_role1@''; grant select on mysql.* to test_role1;
grant insert, delete on mysql.roles_mapping to test_role1@''; grant insert, delete on mysql.roles_mapping to test_role1;
grant reload on *.* to test_role1@''; grant reload on *.* to test_role1;
change_user 'test_user'; change_user 'test_user';
...@@ -53,9 +52,9 @@ delete from mysql.roles_mapping where RoleFk='test_role2'; ...@@ -53,9 +52,9 @@ delete from mysql.roles_mapping where RoleFk='test_role2';
change_user 'root'; change_user 'root';
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
revoke select on mysql.* from test_role1@''; revoke select on mysql.* from test_role1;
revoke insert, delete on mysql.roles_mapping from test_role1@''; revoke insert, delete on mysql.roles_mapping from test_role1;
delete from mysql.user where user='test_role1'; drop role test_role1;
delete from mysql.roles_mapping where RoleFk='test_role1'; delete from mysql.roles_mapping where RoleFk='test_role1';
flush privileges; flush privileges;
...@@ -31,10 +31,10 @@ end| ...@@ -31,10 +31,10 @@ end|
delimiter ;| delimiter ;|
grant execute on function mysql.test_func to test_role2@''; grant execute on function mysql.test_func to test_role2;
grant execute on procedure mysql.test_proc to test_role2@''; grant execute on procedure mysql.test_proc to test_role2;
grant execute on mysql.* to test_role3@''; grant execute on mysql.* to test_role3;
flush privileges; flush privileges;
...@@ -78,9 +78,9 @@ SELECT test_func('AABBCCDD'); ...@@ -78,9 +78,9 @@ SELECT test_func('AABBCCDD');
change_user 'root'; change_user 'root';
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
revoke execute on function mysql.test_func from test_role2@''; revoke execute on function mysql.test_func from test_role2;
revoke execute on procedure mysql.test_proc from test_role2@''; revoke execute on procedure mysql.test_proc from test_role2;
revoke execute on mysql.* from test_role3@''; revoke execute on mysql.* from test_role3;
delete from mysql.user where user like'test_%'; delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where RoleFk like 'test%'; delete from mysql.roles_mapping where RoleFk like 'test%';
drop function mysql.test_func; drop function mysql.test_func;
......
...@@ -13,7 +13,7 @@ select user, host from mysql.user where user not like 'root'; ...@@ -13,7 +13,7 @@ select user, host from mysql.user where user not like 'root';
--sorted_result --sorted_result
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
grant select (RoleFk) on mysql.roles_mapping to test_role2@''; grant select (RoleFk) on mysql.roles_mapping to test_role2;
flush privileges; flush privileges;
...@@ -53,7 +53,7 @@ select RoleFk from mysql.roles_mapping; ...@@ -53,7 +53,7 @@ select RoleFk from mysql.roles_mapping;
change_user 'root'; change_user 'root';
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
select * from mysql.tables_priv; select * from mysql.tables_priv;
revoke select on mysql.roles_mapping from test_role2@''; revoke select on mysql.roles_mapping from test_role2;
delete from mysql.user where user like'test_%'; delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where RoleFk like 'test%'; delete from mysql.roles_mapping where RoleFk like 'test%';
......
...@@ -13,7 +13,7 @@ select user, host from mysql.user where user not like 'root'; ...@@ -13,7 +13,7 @@ select user, host from mysql.user where user not like 'root';
--sorted_result --sorted_result
select * from mysql.roles_mapping; select * from mysql.roles_mapping;
grant select on mysql.roles_mapping to test_role2@''; grant select on mysql.roles_mapping to test_role2;
flush privileges; flush privileges;
...@@ -50,7 +50,7 @@ select * from mysql.roles_mapping; ...@@ -50,7 +50,7 @@ select * from mysql.roles_mapping;
change_user 'root'; change_user 'root';
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
select * from mysql.tables_priv; select * from mysql.tables_priv;
revoke select on mysql.roles_mapping from test_role2@''; revoke select on mysql.roles_mapping from test_role2;
delete from mysql.user where user like'test_%'; delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where RoleFk like 'test%'; delete from mysql.roles_mapping where RoleFk like 'test%';
......
#create a user with no privileges #create a user with no privileges
create user 'test_user'@'localhost'; create user 'test_user'@'localhost';
create user 'test_role1'@''; create role test_role1;
create user 'test_role2'@''; create role test_role2;
update mysql.user set is_role='Y' where user='test_role1';
update mysql.user set is_role='Y' where user='test_role2';
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost', insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user', 'test_user',
'test_role1'); 'test_role1');
...@@ -23,7 +21,7 @@ flush privileges; ...@@ -23,7 +21,7 @@ flush privileges;
--sorted_result --sorted_result
select user, host from mysql.db; select user, host from mysql.db;
grant select on mysql.* to test_role2@''; grant select on mysql.* to test_role2;
flush privileges; flush privileges;
change_user 'test_user'; change_user 'test_user';
...@@ -77,9 +75,9 @@ show grants for CURRENT_ROLE(); ...@@ -77,9 +75,9 @@ show grants for CURRENT_ROLE();
change_user 'root'; change_user 'root';
drop user 'test_user'@'localhost'; drop user 'test_user'@'localhost';
revoke select on mysql.* from test_role2@''; revoke select on mysql.* from test_role2;
delete from mysql.user where user='test_role1'; drop role test_role1;
delete from mysql.user where user='test_role2'; drop role test_role2;
delete from mysql.roles_mapping where RoleFk='test_role1'; delete from mysql.roles_mapping where RoleFk='test_role1';
delete from mysql.roles_mapping where RoleFk='test_role2'; delete from mysql.roles_mapping where RoleFk='test_role2';
flush privileges; flush privileges;
...@@ -4708,6 +4708,26 @@ static int replace_routine_table(THD *thd, GRANT_NAME *grant_name, ...@@ -4708,6 +4708,26 @@ static int replace_routine_table(THD *thd, GRANT_NAME *grant_name,
} }
/*
A user name specified without a host can be either a
username@% (where '@%' is added automatically by the parser)
or a role name. Treat it as a role, if such a role exists.
*/
static ACL_ROLE *find_and_mark_as_role(LEX_USER *user)
{
if (user->host.str == host_not_specified.str)
{
ACL_ROLE *role= find_acl_role(user->user.str);
if (role)
{
user->host= empty_lex_str;
return role;
}
}
return NULL;
}
/* /*
Store table level and column level grants in the privilege tables Store table level and column level grants in the privilege tables
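Review bot: find_and_mark_as_role mutates its argument — when the bare name resolves to a role it overwrites user->host with empty_lex_str — yet the call sites added in the later hunks (mysql_table_grant, mysql_routine_grant, mysql_grant) discard the return value, so at those sites the mutation is the only effect and neither the name nor the comment says so. The block comment above the function should state the side effect and the locking precondition: find_acl_role reads the ACL cache, and mysql_show_grants takes acl_cache->lock before calling this helper, so presumably every caller must already hold that lock, e.g. `Caller must hold acl_cache->lock. When a role matches, user->host is reset to the empty string so the entry is stored and printed as a role, not as name@'%'.`. Precedence is now fixed in the role's favour: if a role and a user@'%' share a name, a GRANT or REVOKE naming only the bare name reaches the role, and none of the updated tests exercise that collision, so a test creating both and checking which entry receives the privilege would pin the intended behaviour.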
...@@ -4879,6 +4899,7 @@ int mysql_table_grant(THD *thd, TABLE_LIST *table_list, ...@@ -4879,6 +4899,7 @@ int mysql_table_grant(THD *thd, TABLE_LIST *table_list,
result= TRUE; result= TRUE;
continue; continue;
} }
find_and_mark_as_role(Str);
/* Create user if needed */ /* Create user if needed */
error=replace_user_table(thd, tables[0].table, *Str, error=replace_user_table(thd, tables[0].table, *Str,
0, revoke_grant, create_new_users, 0, revoke_grant, create_new_users,
...@@ -5085,6 +5106,7 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc, ...@@ -5085,6 +5106,7 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc,
result= TRUE; result= TRUE;
continue; continue;
} }
find_and_mark_as_role(Str);
/* Create user if needed */ /* Create user if needed */
error=replace_user_table(thd, tables[0].table, *Str, error=replace_user_table(thd, tables[0].table, *Str,
0, revoke_grant, create_new_users, 0, revoke_grant, create_new_users,
...@@ -5161,6 +5183,7 @@ static void append_user(String *str, const char *u, const char *h, ...@@ -5161,6 +5183,7 @@ static void append_user(String *str, const char *u, const char *h,
str->append('\''); str->append('\'');
} }
bool mysql_grant_role(THD *thd, List <LEX_USER> &list) bool mysql_grant_role(THD *thd, List <LEX_USER> &list)
{ {
DBUG_ENTER("mysql_grant_role"); DBUG_ENTER("mysql_grant_role");
...@@ -5175,7 +5198,6 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) ...@@ -5175,7 +5198,6 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list)
char *rolename; char *rolename;
char *username; char *username;
char *hostname; char *hostname;
bool handle_as_role;
ACL_ROLE *role, *role_as_user; ACL_ROLE *role, *role_as_user;
List_iterator <LEX_USER> user_list(list); List_iterator <LEX_USER> user_list(list);
...@@ -5206,11 +5228,10 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) ...@@ -5206,11 +5228,10 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list)
while ((user= user_list++)) while ((user= user_list++))
{ {
handle_as_role= FALSE; role_as_user= NULL;
/* current_role is treated slightly different */ /* current_role is treated slightly different */
if (user->user.str == current_role.str) if (user->user.str == current_role.str)
{ {
handle_as_role= TRUE;
/* current_role is NONE */ /* current_role is NONE */
if (!thd->security_ctx->priv_role[0]) if (!thd->security_ctx->priv_role[0])
{ {
...@@ -5236,21 +5257,13 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) ...@@ -5236,21 +5257,13 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list)
} }
else else
{ {
role_as_user= find_and_mark_as_role(user);
username= user->user.str; username= user->user.str;
hostname= user->host.str; hostname= user->host.str;
if (user->host.str == host_not_specified.str)
{
if ((role_as_user= find_acl_role(username)))
{
handle_as_role= TRUE;
hostname= (char *)"";
}
}
} }
ROLE_GRANT_PAIR *mapping= (ROLE_GRANT_PAIR *) ROLE_GRANT_PAIR *mapping= (ROLE_GRANT_PAIR *)
alloc_root(&mem, alloc_root(&mem, sizeof(ROLE_GRANT_PAIR));
sizeof(ROLE_GRANT_PAIR));
/* TODO write into roles_mapping table */ /* TODO write into roles_mapping table */
init_role_grant_pair(&mem, mapping, init_role_grant_pair(&mem, mapping,
...@@ -5258,7 +5271,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) ...@@ -5258,7 +5271,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list)
int res= add_role_user_mapping(mapping); int res= add_role_user_mapping(mapping);
if (res == -1) if (res == -1)
{ {
append_user(&wrong_users, username, hostname, handle_as_role); append_user(&wrong_users, username, hostname, role_as_user != NULL);
result= 1; result= 1;
continue; continue;
} }
...@@ -5267,7 +5280,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) ...@@ -5267,7 +5280,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list)
Check if this grant would cause a cycle. It only needs to be run Check if this grant would cause a cycle. It only needs to be run
if we're granting a role to a role if we're granting a role to a role
*/ */
if (handle_as_role && if (role_as_user &&
traverse_role_graph(role, NULL, NULL, NULL, role_explore_detect_cycle, traverse_role_graph(role, NULL, NULL, NULL, role_explore_detect_cycle,
NULL) == 2) NULL) == 2)
{ {
...@@ -5277,7 +5290,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) ...@@ -5277,7 +5290,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list)
} }
/* only need to propagate grants when granting a role to a role */ /* only need to propagate grants when granting a role to a role */
if (handle_as_role) if (role_as_user)
{ {
acl_update_role_entry(role_as_user, role_as_user->initial_role_access); acl_update_role_entry(role_as_user, role_as_user->initial_role_access);
} }
...@@ -5392,6 +5405,9 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list, ...@@ -5392,6 +5405,9 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list,
*/ */
if (tmp_Str->user.str == current_user.str && tmp_Str->password.str) if (tmp_Str->user.str == current_user.str && tmp_Str->password.str)
Str->password= tmp_Str->password; Str->password= tmp_Str->password;
find_and_mark_as_role(Str);
if (replace_user_table(thd, tables[0].table, *Str, if (replace_user_table(thd, tables[0].table, *Str,
(!db ? rights : 0), revoke_grant, create_new_users, (!db ? rights : 0), revoke_grant, create_new_users,
test(thd->variables.sql_mode & test(thd->variables.sql_mode &
...@@ -6694,8 +6710,6 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user) ...@@ -6694,8 +6710,6 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
ACL_ROLE *acl_role= NULL; ACL_ROLE *acl_role= NULL;
char buff[1024]; char buff[1024];
Protocol *protocol= thd->protocol; Protocol *protocol= thd->protocol;
bool print_user_entry= FALSE;
bool print_role_entry= FALSE;
char *username= NULL; char *username= NULL;
char *hostname= NULL; char *hostname= NULL;
char *rolename= NULL; char *rolename= NULL;
...@@ -6710,51 +6724,41 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user) ...@@ -6710,51 +6724,41 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
mysql_rwlock_rdlock(&LOCK_grant); mysql_rwlock_rdlock(&LOCK_grant);
mysql_mutex_lock(&acl_cache->lock); mysql_mutex_lock(&acl_cache->lock);
if (lex_user->user.str == current_user.str ||
lex_user->user.str == current_role.str ||
lex_user->user.str == current_user_and_current_role.str)
{
username= thd->security_ctx->priv_user;
hostname= thd->security_ctx->priv_host;
rolename= thd->security_ctx->priv_role;
}
if (lex_user->user.str == current_user.str) if (lex_user->user.str == current_user.str)
{ {
print_user_entry= TRUE; username= thd->security_ctx->priv_user;
hostname= thd->security_ctx->priv_host;
} }
else if (lex_user->user.str == current_role.str) else if (lex_user->user.str == current_role.str)
{ {
print_role_entry= TRUE; rolename= thd->security_ctx->priv_role;
} }
else if (lex_user->user.str == current_user_and_current_role.str) else if (lex_user->user.str == current_user_and_current_role.str)
{ {
print_user_entry= TRUE; username= thd->security_ctx->priv_user;
print_role_entry= TRUE; hostname= thd->security_ctx->priv_host;
rolename= thd->security_ctx->priv_role;
} }
else else
{ {
/* this lex_user could represent a role */ if (find_and_mark_as_role(lex_user))
if (lex_user->host.str == host_not_specified.str &&
find_acl_role(lex_user->user.str))
{ {
rolename= lex_user->user.str; rolename= lex_user->user.str;
hostname= (char *)"";
print_role_entry= TRUE;
} }
else else
{ {
username= lex_user->user.str; username= lex_user->user.str;
hostname= lex_user->host.str; hostname= lex_user->host.str;
print_user_entry= TRUE;
} }
} }
DBUG_ASSERT(rolename || username);
Item_string *field=new Item_string("",0,&my_charset_latin1); Item_string *field=new Item_string("",0,&my_charset_latin1);
List<Item> field_list; List<Item> field_list;
field->name=buff; field->name=buff;
field->max_length=1024; field->max_length=1024;
if (print_user_entry == FALSE) if (!username)
strxmov(buff,"Grants for ",rolename, NullS); strxmov(buff,"Grants for ",rolename, NullS);
else else
strxmov(buff,"Grants for ",username,"@",hostname, NullS); strxmov(buff,"Grants for ",username,"@",hostname, NullS);
...@@ -6768,7 +6772,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user) ...@@ -6768,7 +6772,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
DBUG_RETURN(TRUE); DBUG_RETURN(TRUE);
} }
if (print_user_entry) if (username)
{ {
acl_user= find_user_no_anon(hostname, username, TRUE); acl_user= find_user_no_anon(hostname, username, TRUE);
if (!acl_user) if (!acl_user)
...@@ -6831,7 +6835,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user) ...@@ -6831,7 +6835,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
} }
} }
if (print_role_entry) if (rolename)
{ {
acl_role= find_acl_role(rolename); acl_role= find_acl_role(rolename);
if (acl_role) if (acl_role)
...@@ -6862,7 +6866,8 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user) ...@@ -6862,7 +6866,8 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
mysql_mutex_unlock(&acl_cache->lock); mysql_mutex_unlock(&acl_cache->lock);
mysql_rwlock_unlock(&LOCK_grant); mysql_rwlock_unlock(&LOCK_grant);
my_error(ER_NONEXISTING_GRANT, MYF(0), my_error(ER_NONEXISTING_GRANT, MYF(0),
username, hostname); thd->security_ctx->priv_user,
thd->security_ctx->priv_host);
DBUG_RETURN(TRUE); DBUG_RETURN(TRUE);
} }
} }
......