MDEV-29851 Cached role privileges are not invalidated when needed

GRANT ROLE can update db-level privileges -> must invalidate acl_cache

MDEV-29851 Cached role privileges are not invalidated when needed
GRANT ROLE can update db-level privileges -> must invalidate acl_cache
68fb05c3 · Sergei Golubchik · 7a2f9956 · 68fb05c3 · 68fb05c3 · 68fb05c3
Commit 68fb05c3 authored Oct 22, 2022 by Sergei Golubchik
3 changed files
--- a/mysql-test/suite/roles/role_grant_propagate.result
+++ b/mysql-test/suite/roles/role_grant_propagate.result
@@ -138,5 +138,30 @@ drop role test_role1, test_role2;
 create role test_role1;
 drop role test_role1;
 #
+# MDEV-29851 Cached role privileges are not invalidated when needed
+#
+create role admin;
+create role student;
+create database crm;
+grant create on crm.* to admin;
+grant select on crm.* to student;
+create user intern@localhost;
+grant student to intern@localhost;
+set default role student for intern@localhost;
+connect con1, localhost, intern;
+use crm;
+disconnect con1;
+connection default;
+grant admin to student;
+connect con1, localhost, intern;
+use crm;
+create table t1 (a int);
+disconnect con1;
+connection default;
+drop user intern@localhost;
+drop role student;
+drop role admin;
+drop database crm;
+#
 # End of 10.3 tests
 #
--- a/mysql-test/suite/roles/role_grant_propagate.test
+++ b/mysql-test/suite/roles/role_grant_propagate.test
@@ -166,6 +166,36 @@ drop role test_role1, test_role2;
 create role test_role1;
 drop role test_role1;
+--echo #
+--echo # MDEV-29851 Cached role privileges are not invalidated when needed
+--echo #
+create role admin;
+create role student;
+create database crm;
+grant create on crm.* to admin;
+grant select on crm.* to student;
+create user intern@localhost;
+grant student to intern@localhost;
+set default role student for intern@localhost;
+connect con1, localhost, intern;
+use crm;
+disconnect con1;
+connection default;
+grant admin to student;
+connect con1, localhost, intern;
+use crm;
+create table t1 (a int);
+disconnect con1;
+connection default;
+drop user intern@localhost;
+drop role student;
+drop role admin;
+drop database crm;
 --echo #
 --echo # End of 10.3 tests
 --echo #
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -7152,7 +7152,10 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
       a role
    */
    if (role_as_user)
+    {
      propagate_role_grants(role_as_user, PRIVS_TO_MERGE::ALL);
+      acl_cache->clear(1);
+    }
  }
  mysql_mutex_unlock(&acl_cache->lock);