Merge bk-internal.mysql.com:/home/bk/mysql-5.0

into pcgem.rdg.cyberkinetica.com:/usr/home/acurtis/work/wl925.4 mysql-test/r/information_schema.result: Auto merged sql/sql_show.cc: Auto merged

Merge bk-internal.mysql.com:/home/bk/mysql-5.0
into pcgem.rdg.cyberkinetica.com:/usr/home/acurtis/work/wl925.4 mysql-test/r/information_schema.result: Auto merged sql/sql_show.cc: Auto merged
90b56f21 · unknown · 1fabc5de · 09ce0b33 · 90b56f21 · 90b56f21
Commit 90b56f21 authored Dec 23, 2004 by unknown
30 changed files
--- a/mysql-test/include/system_db_struct.inc
+++ b/mysql-test/include/system_db_struct.inc
@@ -10,3 +10,4 @@ show create table user;
 show create table func;
 show create table tables_priv;
 show create table columns_priv;
+show create table procs_priv;
--- a/mysql-test/r/connect.result
+++ b/mysql-test/r/connect.result
@@ -9,6 +9,7 @@ help_relation
 help_topic
 host
 proc
+procs_priv
 tables_priv
 time_zone
 time_zone_leap_second
@@ -31,6 +32,7 @@ help_relation
 help_topic
 host
 proc
+procs_priv
 tables_priv
 time_zone
 time_zone_leap_second
@@ -57,6 +59,7 @@ help_relation
 help_topic
 host
 proc
+procs_priv
 tables_priv
 time_zone
 time_zone_leap_second

--- a/mysql-test/r/grant.result
+++ b/mysql-test/r/grant.result
@@ -10,8 +10,8 @@ GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3
 GRANT SELECT ON `mysqltest`.* TO 'mysqltest_1'@'localhost'
 grant delete on mysqltest.* to mysqltest_1@localhost;
 select * from mysql.user where user="mysqltest_1";
-Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections
-localhost	mysqltest_1		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N							0	0	0
+Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections
+localhost	mysqltest_1		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N									0	0	0
 show grants for mysqltest_1@localhost;
 Grants for mysqltest_1@localhost
 GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA'
@@ -62,7 +62,7 @@ revoke LOCK TABLES, ALTER on mysqltest.* from mysqltest_1@localhost;
 show grants for mysqltest_1@localhost;
 Grants for mysqltest_1@localhost
 GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
-GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, CREATE TEMPORARY TABLES, CREATE VIEW, SHOW VIEW ON `mysqltest`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, CREATE TEMPORARY TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE ON `mysqltest`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION
 revoke all privileges on mysqltest.* from mysqltest_1@localhost;
 delete from mysql.user where user='mysqltest_1';
 flush privileges;
@@ -347,13 +347,16 @@ drop table t1;
 SHOW PRIVILEGES;
 Privilege	Context	Comment
 Alter	Tables	To alter the table
+Alter routine	Functions,Procedures	To alter or drop stored functions/procedures
 Create	Databases,Tables,Indexes	To create new databases and tables
+Create routine	Functions,Procedures	To use CREATE FUNCTION/PROCEDURE
 Create temporary tables	Databases	To use CREATE TEMPORARY TABLE
 Create view	Tables	To create new views
 Delete	Tables	To delete existing rows
 Drop	Databases,Tables	To drop databases, tables, and views
+Execute	Functions,Procedures	To execute stored routines
 File	File access on server	To read and write files on the server
-Grant option	Databases,Tables	To give to other users those privileges you possess
+Grant option	Databases,Tables,Functions,Procedures	To give to other users those privileges you possess
 Index	Tables	To create or drop indexes
 Insert	Tables	To insert data into tables
 Lock tables	Databases	To use LOCK TABLES (together with SELECT privilege)

--- a/mysql-test/r/grant2.result
+++ b/mysql-test/r/grant2.result
@@ -48,9 +48,9 @@ GRANT SELECT, INSERT ON `mysqltest`.* TO 'mysqltest_1'@'localhost'
 use mysqltest;
 insert into t1 values (1, 'I can''t change it!');
 update t1 set data='I can change it!' where id = 1;
-ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysqltest'
+ERROR 42000: update command denied to user 'mysqltest_1'@'localhost' for table 't1'
 insert into t1 values (1, 'XXX') on duplicate key update data= 'I can change it!';
-ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysqltest'
+ERROR 42000: update command denied to user 'mysqltest_1'@'localhost' for table 't1'
 select * from t1;
 id	data
 1	I can't change it!
@@ -202,7 +202,7 @@ drop user '%@a'@'a';
 create user mysqltest_2@localhost;
 grant usage on *.* to mysqltest_2@localhost with grant option;
 select host,user,password from mysql.user where user like 'mysqltest_%' order by host,user,password;
-ERROR 42000: Access denied for user 'mysqltest_2'@'localhost' to database 'mysql'
+ERROR 42000: select command denied to user 'mysqltest_2'@'localhost' for table 'user'
 create user mysqltest_A@'%';
 rename user mysqltest_A@'%' to mysqltest_B@'%';
 drop user mysqltest_B@'%';

--- a/mysql-test/r/information_schema.result
+++ b/mysql-test/r/information_schema.result
@@ -58,6 +58,7 @@ help_relation
 help_topic
 host
 proc
+procs_priv
 tables_priv
 time_zone
 time_zone_leap_second
@@ -346,8 +347,11 @@ GRANTEE	TABLE_CATALOG	TABLE_SCHEMA	PRIVILEGE_TYPE	IS_GRANTABLE
 'mysqltest_1'@'localhost'	NULL	test	ALTER	YES
 'mysqltest_1'@'localhost'	NULL	test	CREATE TEMPORARY TABLES	YES
 'mysqltest_1'@'localhost'	NULL	test	LOCK TABLES	YES
+'mysqltest_1'@'localhost'	NULL	test	EXECUTE	YES
 'mysqltest_1'@'localhost'	NULL	test	CREATE VIEW	YES
 'mysqltest_1'@'localhost'	NULL	test	SHOW VIEW	YES
+'mysqltest_1'@'localhost'	NULL	test	CREATE ROUTINE	YES
+'mysqltest_1'@'localhost'	NULL	test	ALTER ROUTINE	YES
 select * from information_schema.TABLE_PRIVILEGES where grantee like '%mysqltest_1%';
 GRANTEE	TABLE_CATALOG	TABLE_SCHEMA	TABLE_NAME	PRIVILEGE_TYPE	IS_GRANTABLE
 'mysqltest_1'@'localhost'	NULL	test	t1	SELECT	NO
@@ -600,6 +604,8 @@ Process_priv	select,insert,update,references
 Show_db_priv	select,insert,update,references
 Lock_tables_priv	select,insert,update,references
 Show_view_priv	select,insert,update,references
+Create_routine_priv	select,insert,update,references
+Alter_routine_priv	select,insert,update,references
 max_questions	select,insert,update,references
 max_connections	select,insert,update,references
 use test;

--- a/mysql-test/r/show_check.result
+++ b/mysql-test/r/show_check.result
@@ -382,19 +382,19 @@ show create database mysqltest;
 Database	Create Database
 mysqltest	CREATE DATABASE `mysqltest` /*!40100 DEFAULT CHARACTER SET latin1 */
 drop table t1;
-ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysqltest'
+ERROR 42000: drop command denied to user 'mysqltest_1'@'localhost' for table 't1'
 drop database mysqltest;
 ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysqltest'
 select * from mysqltest.t1;
-ERROR 42000: Access denied for user 'mysqltest_2'@'localhost' to database 'mysqltest'
+ERROR 42000: select command denied to user 'mysqltest_2'@'localhost' for table 't1'
 show create database mysqltest;
 ERROR 42000: Access denied for user 'mysqltest_2'@'localhost' to database 'mysqltest'
 drop table mysqltest.t1;
-ERROR 42000: Access denied for user 'mysqltest_2'@'localhost' to database 'mysqltest'
+ERROR 42000: drop command denied to user 'mysqltest_2'@'localhost' for table 't1'
 drop database mysqltest;
 ERROR 42000: Access denied for user 'mysqltest_2'@'localhost' to database 'mysqltest'
 select * from mysqltest.t1;
-ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysqltest'
+ERROR 42000: select command denied to user 'mysqltest_3'@'localhost' for table 't1'
 show create database mysqltest;
 ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysqltest'
 drop table mysqltest.t1;

--- a/mysql-test/r/sp-security.result
+++ b/mysql-test/r/sp-security.result
@@ -23,12 +23,16 @@ root@localhost	1
 select db();
 db()
 db1_secret
+grant execute on db1_secret.stamp to user1@'%';
+grant execute on db1_secret.db to user1@'%';
+grant execute on db1_secret.stamp to ''@'%';
+grant execute on db1_secret.db to ''@'%';
 call db1_secret.stamp(2);
 select db1_secret.db();
 db1_secret.db()
 db1_secret
 select * from db1_secret.t1;
-ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret'
+ERROR 42000: select command denied to user 'user1'@'localhost' for table 't1'
 create procedure db1_secret.dummy() begin end;
 ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db1_secret'
 drop procedure db1_secret.dummy;
@@ -38,7 +42,7 @@ select db1_secret.db();
 db1_secret.db()
 db1_secret
 select * from db1_secret.t1;
-ERROR 42000: Access denied for user ''@'localhost' to database 'db1_secret'
+ERROR 42000: select command denied to user ''@'localhost' for table 't1'
 create procedure db1_secret.dummy() begin end;
 ERROR 42000: Access denied for user ''@'localhost' to database 'db1_secret'
 drop procedure db1_secret.dummy;
@@ -82,15 +86,16 @@ insert into t2 values (0);
 grant usage on db2.* to user1@localhost;
 grant select on db2.* to user1@localhost;
 grant usage on db2.* to user2@localhost;
-grant select,insert,update,delete on db2.* to user2@localhost;
+grant select,insert,update,delete,create routine on db2.* to user2@localhost;
+grant create routine on db2.* to user1@localhost;
 flush privileges;
 use db2;
 create procedure p () insert into t2 values (1);
 call p();
-ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db2'
+ERROR 42000: insert command denied to user 'user1'@'localhost' for table 't2'
 use db2;
 call p();
-ERROR 42000: Access denied for user 'user1'@'localhost' to database 'db2'
+ERROR 42000: execute command denied to user 'user2'@'localhost' for routine 'db2.p'
 select * from t2;
 s1
 0
@@ -100,6 +105,8 @@ select * from t2;
 s1
 0
 2
+grant usage on db2.q to user2@localhost with grant option;
+grant execute on db2.q to user1@localhost;
 use db2;
 call q();
 select * from t2;
@@ -110,9 +117,9 @@ s1
 alter procedure p modifies sql data;
 drop procedure p;
 alter procedure q modifies sql data;
-ERROR 42000: Access denied; you are not the procedure/function definer of 'db2.q'
+ERROR 42000: alter procedure command denied to user 'user1'@'localhost' for routine 'db2.q'
 drop procedure q;
-ERROR 42000: Access denied; you are not the procedure/function definer of 'db2.q'
+ERROR 42000: alter procedure command denied to user 'user1'@'localhost' for routine 'db2.q'
 use db2;
 alter procedure q modifies sql data;
 drop procedure q;
@@ -126,3 +133,64 @@ drop database db2;
 select type,db,name from mysql.proc;
 type	db	name
 delete from mysql.user where user='user1' or user='user2';
+delete from mysql.procs_priv where user='user1' or user='user2';
+grant usage on *.* to usera@localhost;
+grant usage on *.* to userb@localhost;
+grant usage on *.* to userc@localhost;
+create database sptest;
+create table t1 ( u varchar(64), i int );
+create procedure sptest.p1(i int) insert into test.t1 values (user(), i);
+grant insert on t1 to usera@localhost;
+grant execute on sptest.p1 to usera@localhost;
+show grants for usera@localhost;
+Grants for usera@localhost
+GRANT USAGE ON *.* TO 'usera'@'localhost'
+GRANT INSERT ON `test`.`t1` TO 'usera'@'localhost'
+GRANT EXECUTE ON `sptest`.`p1` TO 'usera'@'localhost'
+grant execute on sptest.p1 to userc@localhost with grant option;
+show grants for userc@localhost;
+Grants for userc@localhost
+GRANT USAGE ON *.* TO 'userc'@'localhost'
+GRANT EXECUTE ON `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION
+call sptest.p1(1);
+grant execute on sptest.p1 to userb@localhost;
+ERROR 42000: grant command denied to user 'usera'@'localhost' for routine 'sptest.p1'
+drop procedure sptest.p1;
+ERROR 42000: alter procedure command denied to user 'usera'@'localhost' for routine 'sptest.p1'
+call sptest.p1(2);
+ERROR 42000: execute command denied to user 'userb'@'localhost' for routine 'sptest.p1'
+grant execute on sptest.p1 to userb@localhost;
+ERROR 42000: execute command denied to user 'userb'@'localhost' for routine 'sptest.p1'
+drop procedure sptest.p1;
+ERROR 42000: alter procedure command denied to user 'userb'@'localhost' for routine 'sptest.p1'
+call sptest.p1(3);
+grant execute on sptest.p1 to userb@localhost;
+drop procedure sptest.p1;
+ERROR 42000: alter procedure command denied to user 'userc'@'localhost' for routine 'sptest.p1'
+call sptest.p1(4);
+grant execute on sptest.p1 to userb@localhost;
+ERROR 42000: grant command denied to user 'userb'@'localhost' for routine 'sptest.p1'
+drop procedure sptest.p1;
+ERROR 42000: alter procedure command denied to user 'userb'@'localhost' for routine 'sptest.p1'
+select * from t1;
+u	i
+usera@localhost	1
+userc@localhost	3
+userb@localhost	4
+grant all privileges on sptest.p1 to userc@localhost;
+show grants for userc@localhost;
+Grants for userc@localhost
+GRANT USAGE ON *.* TO 'userc'@'localhost'
+GRANT EXECUTE, ALTER ROUTINE ON `sptest`.`p1` TO 'userc'@'localhost' WITH GRANT OPTION
+show grants for userb@localhost;
+Grants for userb@localhost
+GRANT USAGE ON *.* TO 'userb'@'localhost'
+GRANT EXECUTE ON `sptest`.`p1` TO 'userb'@'localhost'
+revoke all privileges on sptest.p1 from userb@localhost;
+show grants for userb@localhost;
+Grants for userb@localhost
+GRANT USAGE ON *.* TO 'userb'@'localhost'
+use test;
+drop database sptest;
+delete from mysql.user where user='usera' or user='userb' or user='userc';
+delete from mysql.procs_priv where user='usera' or user='userb' or user='userc';
--- a/mysql-test/r/sp.result
+++ b/mysql-test/r/sp.result
@@ -1654,13 +1654,16 @@ Table	Non_unique	Key_name	Seq_in_index	Column_name	Collation	Cardinality	Sub_par
 Database	Table	In_use	Name_locked
 Privilege	Context	Comment
 Alter	Tables	To alter the table
+Alter routine	Functions,Procedures	To alter or drop stored functions/procedures
 Create	Databases,Tables,Indexes	To create new databases and tables
+Create routine	Functions,Procedures	To use CREATE FUNCTION/PROCEDURE
 Create temporary tables	Databases	To use CREATE TEMPORARY TABLE
 Create view	Tables	To create new views
 Delete	Tables	To delete existing rows
 Drop	Databases,Tables	To drop databases, tables, and views
+Execute	Functions,Procedures	To execute stored routines
 File	File access on server	To read and write files on the server
-Grant option	Databases,Tables	To give to other users those privileges you possess
+Grant option	Databases,Tables,Functions,Procedures	To give to other users those privileges you possess
 Index	Tables	To create or drop indexes
 Insert	Tables	To insert data into tables
 Lock tables	Databases	To use LOCK TABLES (together with SELECT privilege)
@@ -1704,13 +1707,16 @@ Table	Non_unique	Key_name	Seq_in_index	Column_name	Collation	Cardinality	Sub_par
 Database	Table	In_use	Name_locked
 Privilege	Context	Comment
 Alter	Tables	To alter the table
+Alter routine	Functions,Procedures	To alter or drop stored functions/procedures
 Create	Databases,Tables,Indexes	To create new databases and tables
+Create routine	Functions,Procedures	To use CREATE FUNCTION/PROCEDURE
 Create temporary tables	Databases	To use CREATE TEMPORARY TABLE
 Create view	Tables	To create new views
 Delete	Tables	To delete existing rows
 Drop	Databases,Tables	To drop databases, tables, and views
+Execute	Functions,Procedures	To execute stored routines
 File	File access on server	To read and write files on the server
-Grant option	Databases,Tables	To give to other users those privileges you possess
+Grant option	Databases,Tables,Functions,Procedures	To give to other users those privileges you possess
 Index	Tables	To create or drop indexes
 Insert	Tables	To insert data into tables
 Lock tables	Databases	To use LOCK TABLES (together with SELECT privilege)

--- a/mysql-test/r/system_mysql_db.result
+++ b/mysql-test/r/system_mysql_db.result
@@ -9,6 +9,7 @@ help_relation
 help_topic
 host
 proc
+procs_priv
 tables_priv
 time_zone
 time_zone_leap_second
@@ -36,6 +37,9 @@ db	CREATE TABLE `db` (
  `Lock_tables_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
  `Create_view_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
  `Show_view_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
+  `Create_routine_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
+  `Alter_routine_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
+  `Execute_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
  PRIMARY KEY  (`Host`,`Db`,`User`),
  KEY `User` (`User`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Database privileges'
@@ -89,6 +93,8 @@ user	CREATE TABLE `user` (
  `Repl_client_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
  `Create_view_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
  `Show_view_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
+  `Create_routine_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
+  `Alter_routine_priv` enum('N','Y') collate utf8_bin NOT NULL default 'N',
  `ssl_type` enum('','ANY','X509','SPECIFIED') collate utf8_bin NOT NULL default '',
  `ssl_cipher` blob NOT NULL,
  `x509_issuer` blob NOT NULL,
@@ -133,5 +139,18 @@ columns_priv	CREATE TABLE `columns_priv` (
  `Column_priv` set('Select','Insert','Update','References') collate utf8_bin NOT NULL default '',
  PRIMARY KEY  (`Host`,`Db`,`User`,`Table_name`,`Column_name`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Column privileges'
+show create table procs_priv;
+Table	Create Table
+procs_priv	CREATE TABLE `procs_priv` (
+  `Host` char(60) collate utf8_bin NOT NULL default '',
+  `Db` char(64) collate utf8_bin NOT NULL default '',
+  `User` char(16) collate utf8_bin NOT NULL default '',
+  `Routine_name` char(64) collate utf8_bin NOT NULL default '',
+  `Grantor` char(77) collate utf8_bin NOT NULL default '',
+  `Timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
+  `Proc_priv` set('Execute','Alter Routine','Grant') collate utf8_bin NOT NULL default '',
+  PRIMARY KEY  (`Host`,`Db`,`User`,`Routine_name`),
+  KEY `Grantor` (`Grantor`)
+) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Procedure privileges'
 show tables;
 Tables_in_test
--- a/mysql-test/t/grant2.test
+++ b/mysql-test/t/grant2.test
@@ -64,10 +64,10 @@ connection mrbad;
 show grants for current_user();
 use mysqltest;
 insert into t1 values (1, 'I can''t change it!');
--error 1044
+--error 1142
 update t1 set data='I can change it!' where id = 1;
 # This should not be allowed since it too require UPDATE privilege.
--error 1044
+--error 1142
 insert into t1 values (1, 'XXX') on duplicate key update data= 'I can change it!';
 select * from t1;

@@ -199,7 +199,7 @@ create user mysqltest_2@localhost;
 grant usage on *.* to mysqltest_2@localhost with grant option;
 connect (user2,localhost,mysqltest_2,,);
 connection user2;
--error 1044
+--error 1142
 select host,user,password from mysql.user where user like 'mysqltest_%' order by host,user,password;
 create user mysqltest_A@'%';
 rename user mysqltest_A@'%' to mysqltest_B@'%';

--- a/mysql-test/t/show_check.test
+++ b/mysql-test/t/show_check.test
@@ -287,25 +287,25 @@ connect (con1,localhost,mysqltest_1,,mysqltest);
 connection con1;
 select * from t1;
 show create database mysqltest;
--error 1044
+--error 1142
 drop table t1;
 --error 1044
 drop database mysqltest;

 connect (con2,localhost,mysqltest_2,,test);
 connection con2;
--error 1044
+--error 1142
 select * from mysqltest.t1;
 --error 1044
 show create database mysqltest;
--error 1044
+--error 1142
 drop table mysqltest.t1;
 --error 1044
 drop database mysqltest;

 connect (con3,localhost,mysqltest_3,,test);
 connection con3;
--error 1044
+--error 1142
 select * from mysqltest.t1;
 --error 1044
 show create database mysqltest;

--- a/mysql-test/t/sp-security.test
+++ b/mysql-test/t/sp-security.test
@@ -40,6 +40,11 @@ call stamp(1);
 select * from t1;
 select db();

+grant execute on db1_secret.stamp to user1@'%';
+grant execute on db1_secret.db to user1@'%';
+grant execute on db1_secret.stamp to ''@'%';
+grant execute on db1_secret.db to ''@'%';
+
 connect (con2user1,localhost,user1,,);
 connect (con3anon,localhost,anon,,);

@@ -54,7 +59,7 @@ call db1_secret.stamp(2);
 select db1_secret.db();

 # ...but not this
--error 1044
+--error 1142
 select * from db1_secret.t1;

 # ...and not this
@@ -74,7 +79,7 @@ call db1_secret.stamp(3);
 select db1_secret.db();

 # ...but not this
--error 1044
+--error 1142
 select * from db1_secret.t1;

 # ...and not this
@@ -146,7 +151,8 @@ insert into t2 values (0);
 grant usage on db2.* to user1@localhost;
 grant select on db2.* to user1@localhost;
 grant usage on db2.* to user2@localhost;
-grant select,insert,update,delete on db2.* to user2@localhost;
+grant select,insert,update,delete,create routine on db2.* to user2@localhost;
+grant create routine on db2.* to user1@localhost;
 flush privileges;

 connection con2user1;
@@ -155,7 +161,7 @@ use db2;
 create procedure p () insert into t2 values (1);

 # Check that this doesn't work.
--error 1044
+--error 1142
 call p();

 connect (con4user2,localhost,user2,,);
@@ -164,7 +170,7 @@ connection con4user2;
 use db2;

 # This should not work, since p is executed with definer's (user1's) rights.
--error 1044
+--error 1370
 call p();
 select * from t2;

@@ -173,6 +179,12 @@ create procedure q () insert into t2 values (2);
 call q();
 select * from t2;

+connection con1root;
+grant usage on db2.q to user2@localhost with grant option;
+
+connection con4user2;
+grant execute on db2.q to user1@localhost;
+
 connection con2user1;
 use db2;

@@ -206,6 +218,9 @@ drop procedure q;

 # Clean up
 #Still connection con1root;
+disconnect con2user1;
+disconnect con3anon;
+disconnect con4user2;
 use test;
 select type,db,name from mysql.proc;
 drop database db1_secret;
@@ -214,3 +229,75 @@ drop database db2;
 select type,db,name from mysql.proc;
 # Get rid of the users
 delete from mysql.user where user='user1' or user='user2';
+# And any routine privileges
+delete from mysql.procs_priv where user='user1' or user='user2';
+
+#
+# Test the new security acls
+#
+grant usage on *.* to usera@localhost;
+grant usage on *.* to userb@localhost;
+grant usage on *.* to userc@localhost;
+create database sptest;
+create table t1 ( u varchar(64), i int );
+create procedure sptest.p1(i int) insert into test.t1 values (user(), i);
+grant insert on t1 to usera@localhost;
+grant execute on sptest.p1 to usera@localhost;
+show grants for usera@localhost;
+grant execute on sptest.p1 to userc@localhost with grant option;
+show grants for userc@localhost;
+
+connect (con2usera,localhost,usera,,);
+connect (con3userb,localhost,userb,,);
+connect (con4userc,localhost,userc,,);
+
+connection con2usera;
+call sptest.p1(1);
+--error 1370
+grant execute on sptest.p1 to userb@localhost;
+--error 1370
+drop procedure sptest.p1;
+
+connection con3userb;
+--error 1370
+call sptest.p1(2);
+--error 1370
+grant execute on sptest.p1 to userb@localhost;
+--error 1370
+drop procedure sptest.p1;
+
+connection con4userc;
+call sptest.p1(3);
+grant execute on sptest.p1 to userb@localhost;
+--error 1370
+drop procedure sptest.p1;
+
+connection con3userb;
+call sptest.p1(4);
+--error 1370
+grant execute on sptest.p1 to userb@localhost;
+--error 1370
+drop procedure sptest.p1;
+
+connection con1root;
+select * from t1;
+
+grant all privileges on sptest.p1 to userc@localhost;
+show grants for userc@localhost;
+show grants for userb@localhost;
+
+connection con4userc;
+revoke all privileges on sptest.p1 from userb@localhost;
+
+connection con1root;
+show grants for userb@localhost;
+
+#cleanup
+disconnect con4userc;
+disconnect con3userb;
+disconnect con2usera;
+use test;
+drop database sptest;
+delete from mysql.user where user='usera' or user='userb' or user='userc';
+delete from mysql.procs_priv where user='usera' or user='userb' or user='userc';
+
--- a/mysql-test/t/system_mysql_db_fix.test
+++ b/mysql-test/t/system_mysql_db_fix.test
@@ -74,7 +74,7 @@ INSERT INTO user VALUES ('localhost','',    '','N','N','N','N','N','N','N','N','

 -- disable_query_log

-DROP TABLE db, host, user, func, tables_priv, columns_priv, help_category, help_keyword, help_relation, help_topic, proc, time_zone, time_zone_leap_second, time_zone_name, time_zone_transition, time_zone_transition_type;
+DROP TABLE db, host, user, func, tables_priv, columns_priv, procs_priv, help_category, help_keyword, help_relation, help_topic, proc, time_zone, time_zone_leap_second, time_zone_name, time_zone_transition, time_zone_transition_type;

 -- enable_query_log


--- a/scripts/mysql_create_system_tables.sh
+++ b/scripts/mysql_create_system_tables.sh
@@ -41,7 +41,7 @@ c_hk=""
 i_ht=""
 c_tzn="" c_tz="" c_tzt="" c_tztt="" c_tzls=""
 i_tzn="" i_tz="" i_tzt="" i_tztt="" i_tzls=""
-c_p=""
+c_p="" c_pp=""

 # Check for old tables
 if test ! -f $mdata/db.frm
@@ -69,14 +69,17 @@ then
  c_d="$c_d   Lock_tables_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
  c_d="$c_d   Create_view_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
  c_d="$c_d   Show_view_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
+  c_d="$c_d   Create_routine_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
+  c_d="$c_d   Alter_routine_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
+  c_d="$c_d   Execute_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
  c_d="$c_d PRIMARY KEY Host (Host,Db,User),"
  c_d="$c_d KEY User (User)"
  c_d="$c_d ) engine=MyISAM"
  c_d="$c_d CHARACTER SET utf8 COLLATE utf8_bin"
  c_d="$c_d comment='Database privileges';"
  
-  i_d="INSERT INTO db VALUES ('%','test','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y');
-  INSERT INTO db VALUES ('%','test\_%','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y');"
+  i_d="INSERT INTO db VALUES ('%','test','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N');
+  INSERT INTO db VALUES ('%','test\_%','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N');"
 fi

 if test ! -f $mdata/host.frm
@@ -141,6 +144,8 @@ then
  c_u="$c_u   Repl_client_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
  c_u="$c_u   Create_view_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
  c_u="$c_u   Show_view_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
+  c_u="$c_u   Create_routine_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
+  c_u="$c_u   Alter_routine_priv enum('N','Y') DEFAULT 'N' NOT NULL,"
  c_u="$c_u   ssl_type enum('','ANY','X509', 'SPECIFIED') DEFAULT '' NOT NULL,"
  c_u="$c_u   ssl_cipher BLOB NOT NULL,"
  c_u="$c_u   x509_issuer BLOB NOT NULL,"
@@ -155,24 +160,24 @@ then

  if test "$1" = "test" 
  then
-    i_u="INSERT INTO user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
-    INSERT INTO user VALUES ('$hostname','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
-    REPLACE INTO user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
+    i_u="INSERT INTO user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
+    INSERT INTO user VALUES ('$hostname','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
+    REPLACE INTO user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
    INSERT INTO user (host,user) values ('localhost','');
    INSERT INTO user (host,user) values ('$hostname','');"
  else
-    i_u="INSERT INTO user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);"
+    i_u="INSERT INTO user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);"
    if test "$windows" = "0"
    then
      i_u="$i_u
-           INSERT INTO user VALUES ('$hostname','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
+           INSERT INTO user VALUES ('$hostname','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
           INSERT INTO user (host,user) values ('$hostname','');
           INSERT INTO user (host,user) values ('localhost','');"
    else
      i_u="$i_u
-	   INSERT INTO user VALUES ('%','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
-	   INSERT INTO user VALUES ('localhost','','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
-	   INSERT INTO user VALUES ('%','','','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','','','','',0,0,0);"
+	   INSERT INTO user VALUES ('%','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
+	   INSERT INTO user VALUES ('localhost','','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);
+	   INSERT INTO user VALUES ('%','','','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','N','','','','',0,0,0);"
    fi
  fi 
 fi
@@ -236,6 +241,27 @@ then
  c_c="$c_c   comment='Column privileges';"
 fi

+if test ! -f $mdata/procs_priv.frm
+then
+  if test "$1" = "verbose" ; then
+    echo "Preparing procs_priv table" 1>&2;
+  fi
+
+  c_pp="$c_pp CREATE TABLE procs_priv ("
+  c_pp="$c_pp   Host char(60) binary DEFAULT '' NOT NULL,"
+  c_pp="$c_pp   Db char(64) binary DEFAULT '' NOT NULL,"
+  c_pp="$c_pp   User char(16) binary DEFAULT '' NOT NULL,"
+  c_pp="$c_pp   Routine_name char(64) binary DEFAULT '' NOT NULL,"
+  c_pp="$c_pp   Grantor char(77) DEFAULT '' NOT NULL,"
+  c_pp="$c_pp   Timestamp timestamp(14),"
+  c_pp="$c_pp   Proc_priv set('Execute','Alter Routine','Grant') DEFAULT '' NOT NULL,"
+  c_pp="$c_pp   PRIMARY KEY (Host,Db,User,Routine_name),"
+  c_pp="$c_pp   KEY Grantor (Grantor)"
+  c_pp="$c_pp ) engine=MyISAM"
+  c_pp="$c_pp CHARACTER SET utf8 COLLATE utf8_bin"
+  c_pp="$c_pp   comment='Procedure privileges';"
+fi
+
 if test ! -f $mdata/help_topic.frm
 then
  if test "$1" = "verbose" ; then
@@ -718,6 +744,7 @@ $c_tzls
 $i_tzls

 $c_p
+$c_pp

 END_OF_DATA

--- a/scripts/mysql_fix_privilege_tables.sql
+++ b/scripts/mysql_fix_privilege_tables.sql
@@ -15,6 +15,7 @@ ALTER TABLE host type=MyISAM, CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
 ALTER TABLE func type=MyISAM, CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
 ALTER TABLE columns_priv type=MyISAM, CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
 ALTER TABLE tables_priv type=MyISAM, CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
+ALTER TABLE procs_priv type=MyISAM, CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
 ALTER TABLE user change Password Password char(41) binary not null default '';
 ALTER TABLE user add File_priv enum('N','Y') NOT NULL;
 CREATE TABLE IF NOT EXISTS func (
@@ -170,9 +171,47 @@ ALTER TABLE user ADD Show_view_priv enum('N','Y') DEFAULT 'N' NOT NULL AFTER Cre
 #
 UPDATE user SET Create_view_priv=Create_priv, Show_view_priv=Create_priv where user<>"" AND @hadCreateViewPriv = 0;

+#
+#
+#
+SET @hadCreateRoutinePriv:=0;
+SELECT @hadCreateRoutinePriv:=1 FROM user WHERE Create_routine_priv LIKE '%';
+
+#
+# Create PROCEDUREs privileges (v5.0)
+#
+ALTER TABLE db ADD Create_routine_priv enum('N','Y') DEFAULT 'N' NOT NULL AFTER Show_view_priv;
+ALTER TABLE user ADD Create_routine_priv enum('N','Y') DEFAULT 'N' NOT NULL AFTER Show_view_priv;
+
+#
+# Alter PROCEDUREs privileges (v5.0)
+#
+ALTER TABLE db ADD Alter_routine_priv enum('N','Y') DEFAULT 'N' NOT NULL AFTER Create_routine_priv;
+ALTER TABLE user ADD Alter_routine_priv enum('N','Y') DEFAULT 'N' NOT NULL AFTER Create_routine_priv;
+
+ALTER TABLE db ADD Execute_priv enum('N','Y') DEFAULT 'N' NOT NULL AFTER Alter_routine_priv;
+
+#
+# Assign create/alter routine privileges to people who have create privileges
+#
+UPDATE user SET Create_routine_priv=Create_priv, Alter_routine_priv=Alter_priv where user<>"" AND @hadCreateRoutinePriv = 0;
+UPDATE db SET Create_routine_priv=Create_priv, Alter_routine_priv=Alter_priv, Execute_priv=Select_priv where user<>"" AND @hadCreateRoutinePriv = 0;
+
 #
 # Create some possible missing tables
 #
+CREATE TABLE IF NOT EXISTS procs_priv (
+Host char(60) binary DEFAULT '' NOT NULL,
+Db char(64) binary DEFAULT '' NOT NULL,
+User char(16) binary DEFAULT '' NOT NULL,
+Routine_name char(64) binary DEFAULT '' NOT NULL,
+Grantor char(77) DEFAULT '' NOT NULL,
+Timestamp timestamp(14),
+Proc_priv set('Execute','Alter Routine','Grant') DEFAULT '' NOT NULL,
+PRIMARY KEY (Host,Db,User,Routine_name),
+KEY Grantor (Grantor)
+) CHARACTER SET utf8 COLLATE utf8_bin comment='Procedure privileges';
+
 CREATE TABLE IF NOT EXISTS help_topic (
 help_topic_id int unsigned not null,
 name varchar(64) not null,

--- a/scripts/mysql_install_db.sh
+++ b/scripts/mysql_install_db.sh
@@ -3,7 +3,7 @@
 # For a more info consult the file COPYRIGHT distributed with this file.

 # This scripts creates the privilege tables db, host, user, tables_priv,
-# columns_priv in the mysql database, as well as the func table.
+# columns_priv, procs_priv in the mysql database, as well as the func table.
 #
 # All unrecognized arguments to this script are passed to mysqld.


--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -22,6 +22,7 @@
 #endif

 #include "mysql_priv.h"
+#include "sql_acl.h"
 #include "slave.h"				// for wait_for_master_pos
 #include <m_ctype.h>
 #include <hash.h>
@@ -3546,7 +3547,17 @@ Item_func_sp::execute(Item **itp)
  }

 #ifndef NO_EMBEDDED_ACCESS_CHECKS
+  if (check_procedure_access(thd, EXECUTE_ACL, 
+			     m_sp->m_db.str, m_sp->m_name.str, 0))
+      DBUG_RETURN(-1);
  sp_change_security_context(thd, m_sp, &save_ctx);
+  if (save_ctx.changed && 
+      check_procedure_access(thd, EXECUTE_ACL, 
+			     m_sp->m_db.str, m_sp->m_name.str, 0))
+  {
+    sp_restore_security_context(thd, m_sp, &save_ctx);
+    DBUG_RETURN(-1);
+  }
 #endif

  /*

--- a/sql/lex.h
+++ b/sql/lex.h
@@ -399,6 +399,7 @@ static SYMBOL symbols[] = {
  { "RLIKE",		SYM(REGEXP)},	/* Like in mSQL2 */
  { "ROLLBACK",		SYM(ROLLBACK_SYM)},
  { "ROLLUP",		SYM(ROLLUP_SYM)},
+  { "ROUTINE",		SYM(ROUTINE_SYM)},
  { "ROW",		SYM(ROW_SYM)},
  { "ROWS",		SYM(ROWS_SYM)},
  { "ROW_FORMAT",	SYM(ROW_FORMAT_SYM)},

--- a/sql/mysql_priv.h
+++ b/sql/mysql_priv.h
@@ -420,6 +420,8 @@ void close_thread_tables(THD *thd, bool locked=0, bool skip_derived=0,
                         TABLE *stopper= 0);
 bool check_one_table_access(THD *thd, ulong privilege,
 			   TABLE_LIST *tables);
+bool check_procedure_access(THD *thd,ulong want_access,char *db,char *name,
+			    bool no_errors);
 bool check_some_access(THD *thd, ulong want_access, TABLE_LIST *table);
 bool check_merge_table_access(THD *thd, char *db,
 			      TABLE_LIST *table_list);
@@ -1024,6 +1026,7 @@ extern my_bool opt_slave_compressed_protocol, use_temp_pool;
 extern my_bool opt_readonly, lower_case_file_system;
 extern my_bool opt_enable_named_pipe, opt_sync_frm;
 extern my_bool opt_secure_auth;
+extern my_bool sp_automatic_privileges;
 extern uint opt_crash_binlog_innodb;
 extern char *shared_memory_base_name, *mysqld_unix_port;
 extern bool opt_enable_shared_memory;

--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -299,6 +299,7 @@ my_bool opt_innodb_safe_binlog= 0;
 my_bool opt_large_pages= 0;
 uint   opt_large_page_size= 0;
 volatile bool mqh_used = 0;
+my_bool sp_automatic_privileges= 1;

 uint mysqld_port, test_flags, select_errors, dropping_tables, ha_open_options;
 uint delay_key_write_options, protocol_version;
@@ -4199,6 +4200,7 @@ enum options_mysqld
  OPT_OPTIMIZER_SEARCH_DEPTH,
  OPT_OPTIMIZER_PRUNE_LEVEL,
  OPT_UPDATABLE_VIEWS_WITH_LIMIT,
+  OPT_SP_AUTOMATIC_PRIVILEGES,
  OPT_AUTO_INCREMENT, OPT_AUTO_INCREMENT_OFFSET,
  OPT_ENABLE_LARGE_PAGES
 };
@@ -4229,6 +4231,10 @@ struct my_option my_long_options[] =
   (gptr*) &global_system_variables.auto_increment_offset,
   (gptr*) &max_system_variables.auto_increment_offset, 0, GET_ULONG, OPT_ARG,
   1, 1, 65535, 0, 1, 0 },
+  {"automatic-sp-privileges", OPT_SP_AUTOMATIC_PRIVILEGES,
+   "Creating and dropping stored procedures alters ACLs. Disable with --skip-automatic-sp-privileges.",
+   (gptr*) &sp_automatic_privileges, (gptr*) &sp_automatic_privileges,
+   0, GET_BOOL, NO_ARG, 1, 0, 0, 0, 0, 0},
  {"basedir", 'b',
   "Path to installation directory. All paths are usually resolved relative to this.",
   (gptr*) &mysql_home_ptr, (gptr*) &mysql_home_ptr, 0, GET_STR, REQUIRED_ARG,
@@ -6128,6 +6134,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
    delay_key_write_options= (uint) DELAY_KEY_WRITE_NONE;
    myisam_concurrent_insert=0;
    myisam_recover_options= HA_RECOVER_NONE;
+    sp_automatic_privileges=0;
    my_use_symdir=0;
    ha_open_options&= ~(HA_OPEN_ABORT_IF_CRASHED | HA_OPEN_DELAY_KEY_WRITE);
 #ifdef HAVE_QUERY_CACHE

--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -133,6 +133,9 @@ sys_var_thd_ulong	sys_auto_increment_increment("auto_increment_increment",
 sys_var_thd_ulong	sys_auto_increment_offset("auto_increment_offset",
                                                  &SV::auto_increment_offset);

+sys_var_bool_ptr	sys_automatic_sp_privileges("automatic_sp_privileges",
+					      &sp_automatic_privileges);
+
 sys_var_long_ptr	sys_binlog_cache_size("binlog_cache_size",
 					      &binlog_cache_size);
 sys_var_thd_ulong	sys_bulk_insert_buff_size("bulk_insert_buffer_size",
@@ -509,6 +512,7 @@ sys_var *sys_variables[]=
  &sys_auto_increment_increment,
  &sys_auto_increment_offset,
  &sys_autocommit,
+  &sys_automatic_sp_privileges,
  &sys_big_tables,
  &sys_big_selects,
  &sys_binlog_cache_size,
@@ -668,6 +672,7 @@ sys_var *sys_variables[]=
 struct show_var_st init_vars[]= {
  {"auto_increment_increment", (char*) &sys_auto_increment_increment, SHOW_SYS},
  {"auto_increment_offset",   (char*) &sys_auto_increment_offset, SHOW_SYS},
+  {sys_automatic_sp_privileges.name,(char*) &sys_automatic_sp_privileges,       SHOW_SYS},
  {"back_log",                (char*) &back_log,                    SHOW_LONG},
  {"basedir",                 mysql_home,                           SHOW_CHAR},
 #ifdef HAVE_BERKELEY_DB

--- a/sql/share/errmsg.txt
+++ b/sql/share/errmsg.txt
@@ -5168,8 +5168,8 @@ ER_VIEW_CHECK_FAILED
 	eng "CHECK OPTION failed '%-.64s.%-.64s'"
 	rus " CHECK OPTION  VIEW '%-.64s.%-.64s' "
 	ukr "צ CHECK OPTION  VIEW '%-.64s.%-.64s'  "
-ER_SP_ACCESS_DENIED_ERROR 42000 
-	eng "Access denied; you are not the procedure/function definer of '%s'"
+ER_PROCACCESS_DENIED_ERROR 42000 
+	eng "%-.16s command denied to user '%-.32s'@'%-.64s' for routine '%-.64s'"
 ER_RELAY_LOG_FAIL  
 	eng "Failed purging old relay logs: %s"
 ER_PASSWD_LENGTH  
@@ -5232,3 +5232,9 @@ ER_CANNOT_USER
 	eng "Operation %s failed for %.256s"
 	ger "Das Kommando %s scheiterte fr %.256s"
 	norwegian-ny "Operation %s failed for '%.256s'"
+ER_NONEXISTING_PROC_GRANT 42000 
+	eng "There is no such grant defined for user '%-.32s' on host '%-.64s' on routine '%-.64s'"
+ER_PROC_AUTO_GRANT_FAIL
+	eng "Failed to grant EXECUTE and ALTER ROUTINE privileges"
+ER_PROC_AUTO_REVOKE_FAIL
+	eng "Failed to revoke all privileges to dropped routine"
--- a/sql/sp.cc
+++ b/sql/sp.cc
@@ -738,6 +738,45 @@ sp_find_procedure(THD *thd, sp_name *name)
 }


+int
+sp_exists_routine(THD *thd, TABLE_LIST *tables, bool any, bool no_error)
+{
+  TABLE_LIST *table;
+  bool result= 0;
+  DBUG_ENTER("sp_exists_routine");
+  for (table= tables; table; table= table->next_global)
+  {
+    sp_name *name;
+    LEX_STRING lex_db;
+    LEX_STRING lex_name;
+    lex_db.length= strlen(table->db);
+    lex_name.length= strlen(table->real_name);
+    lex_db.str= thd->strmake(table->db, lex_db.length);
+    lex_name.str= thd->strmake(table->real_name, lex_name.length);
+    name= new sp_name(lex_db, lex_name);
+    name->init_qname(thd);
+    if (sp_find_procedure(thd, name) != NULL ||
+        sp_find_function(thd, name) != NULL)
+    {
+      if (any)
+        DBUG_RETURN(1);
+      result= 1;
+    }
+    else if (!any)
+    {
+      if (!no_error)
+      {
+	my_error(ER_SP_DOES_NOT_EXIST, MYF(0), "FUNCTION or PROCEDURE", 
+		 table->real_name);
+	DBUG_RETURN(-1);
+      }
+      DBUG_RETURN(0);
+    }
+  }
+  DBUG_RETURN(result);
+}
+
+
 int
 sp_create_procedure(THD *thd, sp_head *sp)
 {

--- a/sql/sp.h
+++ b/sql/sp.h
@@ -36,6 +36,9 @@ sp_drop_db_routines(THD *thd, char *db);
 sp_head *
 sp_find_procedure(THD *thd, sp_name *name);

+int
+sp_exists_routine(THD *thd, TABLE_LIST *procs, bool any, bool no_error);
+
 int
 sp_create_procedure(THD *thd, sp_head *sp);


--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -37,6 +37,8 @@
 #define REPL_CLIENT_ACL	(1L << 20)
 #define CREATE_VIEW_ACL	(1L << 21)
 #define SHOW_VIEW_ACL	(1L << 22)
+#define CREATE_PROC_ACL	(1L << 23)
+#define ALTER_PROC_ACL  (1L << 24)
 /*
  don't forget to update
    static struct show_privileges_st sys_privileges[]
@@ -47,7 +49,8 @@
 #define DB_ACLS \
 (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_TMP_ACL | \
- LOCK_TABLES_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL)
+ LOCK_TABLES_ACL | EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
+ CREATE_PROC_ACL | ALTER_PROC_ACL)

 #define TABLE_ACLS \
 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
@@ -57,43 +60,61 @@
 #define COL_ACLS \
 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | REFERENCES_ACL)

+#define PROC_ACLS \
+(ALTER_PROC_ACL | EXECUTE_ACL | GRANT_ACL)
+
 #define GLOBAL_ACLS \
 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
 RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL | GRANT_ACL | \
 REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
 CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
- EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL)
+ EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
+ ALTER_PROC_ACL )

 #define EXTRA_ACL	(1L << 29)
 #define NO_ACCESS	(1L << 30)

+#define DEFAULT_CREATE_PROC_ACLS \
+(ALTER_PROC_ACL | EXECUTE_ACL)
+
 /*
  Defines to change the above bits to how things are stored in tables
  This is needed as the 'host' and 'db' table is missing a few privileges
 */

 /* Continius bit-segments that needs to be shifted */
-#define DB_REL1 (RELOAD_ACL | SHUTDOWN_ACL | PROCESS_ACL | FILE_ACL)
-#define DB_REL2 (GRANT_ACL | REFERENCES_ACL)
-#define DB_REL3 (INDEX_ACL | ALTER_ACL)
+#define DB_REL1 ((1L << 6) | (1L << 7) | (1L << 8) | (1L << 9))
+#define DB_REL2 ((1L << 10) | (1L << 11))
+#define DB_REL3 ((1L << 12) | (1L << 13) | (1L << 14) | (1L << 15))
+#define DB_REL4 ((1L << 16))

 /* Privileges that needs to be reallocated (in continous chunks) */
 #define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
 #define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
-#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL)
+#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
+		   CREATE_PROC_ACL | ALTER_PROC_ACL )
+#define DB_CHUNK4 (EXECUTE_ACL)

 #define fix_rights_for_db(A) (((A) & 63) | \
 			      (((A) & DB_REL1) << 4) | \
 			      (((A) & DB_REL2) << 6) | \
-			      (((A) & DB_REL3) << 9))
+			      (((A) & DB_REL3) << 9) | \
+			      (((A) & DB_REL4) << 2))
 #define get_rights_for_db(A) (((A) & 63) | \
 			      (((A) & DB_CHUNK1) >> 4) | \
 			      (((A) & DB_CHUNK2) >> 6) | \
-			      (((A) & DB_CHUNK3) >> 9))
+			      (((A) & DB_CHUNK3) >> 9) | \
+			      (((A) & DB_CHUNK4) >> 2))
 #define fix_rights_for_table(A) (((A) & 63) | (((A) & ~63) << 4))
 #define get_rights_for_table(A) (((A) & 63) | (((A) & ~63) >> 4))
 #define fix_rights_for_column(A) (((A) & 7) | (((A) & ~7) << 8))
 #define get_rights_for_column(A) (((A) & 7) | ((A) >> 8))
+#define fix_rights_for_procedure(A) ((((A) << 18) & EXECUTE_ACL) | \
+				     (((A) << 23) & ALTER_PROC_ACL) | \
+				     (((A) << 8) & GRANT_ACL))
+#define get_rights_for_procedure(A) ((((A) & EXECUTE_ACL) >> 18) |  \
+				     (((A) & ALTER_PROC_ACL) >> 23) | \
+				     (((A) & GRANT_ACL) >> 8))

 /* Classes */

@@ -163,6 +184,9 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &user_list,
 bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
                       List <LEX_COLUMN> &column_list, ulong rights,
                       bool revoke);
+bool mysql_procedure_grant(THD *thd, TABLE_LIST *table, 
+			   List <LEX_USER> &user_list, ulong rights,
+			   bool revoke, bool no_error);
 my_bool grant_init(THD *thd);
 void grant_free(void);
 void grant_reload(THD *thd);
@@ -174,6 +198,8 @@ bool check_grant_column (THD *thd, GRANT_INFO *grant,
 bool check_grant_all_columns(THD *thd, ulong want_access, GRANT_INFO *grant,
                             char* db_name, char *table_name,
                             Field_iterator *fields);
+bool check_grant_procedure(THD *thd, ulong want_access, 
+			   TABLE_LIST *procs, bool no_error);
 bool check_grant_db(THD *thd,const char *db);
 ulong get_table_grant(THD *thd, TABLE_LIST *table);
 ulong get_column_grant(THD *thd, GRANT_INFO *grant,
@@ -188,6 +214,8 @@ bool mysql_rename_user(THD *thd, List <LEX_USER> &list);
 bool mysql_revoke_all(THD *thd, List <LEX_USER> &list);
 void fill_effective_table_privileges(THD *thd, GRANT_INFO *grant,
                                     const char *db, const char *table);
+bool sp_revoke_privileges(THD *thd, const char *sp_db, const char *sp_name);
+bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name);

 #ifdef NO_EMBEDDED_ACCESS_CHECKS
 #define check_grant(A,B,C,D,E,F) 0

--- a/sql/sql_lex.h
+++ b/sql/sql_lex.h
@@ -743,6 +743,7 @@ typedef struct st_lex
  sp_head *sphead;
  sp_name *spname;
  bool sp_lex_in_use;	/* Keep track on lex usage in SPs for error handling */
+  bool all_privileges;
  sp_pcontext *spcont;
  HASH spfuns;		/* Called functions */
  st_sp_chistics sp_chistics;

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -69,7 +69,6 @@ static void remove_escape(char *name);
 static void refresh_status(void);
 static bool append_file_to_dir(THD *thd, const char **filename_ptr,
 			       const char *table_name);
-static bool check_sp_definer_access(THD *thd, sp_head *sp);

 const char *any_db="*any*";	// Special symbol for check_access

@@ -3495,15 +3494,30 @@ mysql_execute_command(THD *thd)
    }
    if (first_table)
    {
-      if (grant_option && check_grant(thd,
-				      (lex->grant | lex->grant_tot_col |
-				       GRANT_ACL),
-				      all_tables, 0, UINT_MAX, 0))
-	goto error;
-      if (!(res = mysql_table_grant(thd, all_tables, lex->users_list,
-				    lex->columns, lex->grant,
-				    lex->sql_command == SQLCOM_REVOKE)) &&
-          mysql_bin_log.is_open())
+      if (!lex->columns.elements && 
+          sp_exists_routine(thd, all_tables, 1, 1))
+      {
+        uint grants= lex->all_privileges 
+		   ? (PROC_ACLS & ~GRANT_ACL) | (lex->grant & GRANT_ACL)
+		   : lex->grant;
+        if (grant_option && 
+	    check_grant_procedure(thd, grants | GRANT_ACL, all_tables, 0))
+	  goto error;
+        res= mysql_procedure_grant(thd, all_tables, lex->users_list,
+				   grants, lex->sql_command == SQLCOM_REVOKE,0);
+      }
+      else
+      {
+	if (grant_option && check_grant(thd,
+					(lex->grant | lex->grant_tot_col |
+					 GRANT_ACL),
+					all_tables, 0, UINT_MAX, 0))
+	  goto error;
+        res= mysql_table_grant(thd, all_tables, lex->users_list,
+			       lex->columns, lex->grant,
+			       lex->sql_command == SQLCOM_REVOKE);
+      }
+      if (!res && mysql_bin_log.is_open())
      {
        thd->clear_error();
        Query_log_event qinfo(thd, thd->query, thd->query_length, 0, FALSE);
@@ -3705,18 +3719,24 @@ mysql_execute_command(THD *thd)
  case SQLCOM_CREATE_SPFUNCTION:
  {
    uint namelen;
-    char *name;
+    char *name, *db;
    int result;

    DBUG_ASSERT(lex->sphead);

-    if (! lex->sphead->m_db.str)
+    if (check_access(thd, CREATE_PROC_ACL, lex->sphead->m_db.str, 0, 0, 0))
    {
-      my_message(ER_NO_DB_ERROR, ER(ER_NO_DB_ERROR), MYF(0));
      delete lex->sphead;
      lex->sphead= 0;
      goto error;
    }
+    
+    if (!lex->sphead->m_db.str || !lex->sphead->m_db.str[0])
+    {
+      lex->sphead->m_db.length= strlen(thd->db);
+      lex->sphead->m_db.str= strmake_root(thd->mem_root, thd->db, 
+      					   lex->sphead->m_db.length);
+    }

    name= lex->sphead->name(&namelen);
 #ifdef HAVE_DLOPEN
@@ -3742,13 +3762,26 @@ mysql_execute_command(THD *thd)
      goto error;
    }

+    name= thd->strdup(name); 
+    db= thd->strmake(lex->sphead->m_db.str, lex->sphead->m_db.length);
    res= (result= lex->sphead->create(thd));
    switch (result) {
    case SP_OK:
-      send_ok(thd);
      lex->unit.cleanup();
      delete lex->sphead;
      lex->sphead= 0;
+      /* only add privileges if really neccessary */
+      if (sp_automatic_privileges &&
+          check_procedure_access(thd, DEFAULT_CREATE_PROC_ACLS,
+      				 db, name, 1))
+      {
+        close_thread_tables(thd);
+        if (sp_grant_privileges(thd, db, name))
+          push_warning(thd, MYSQL_ERROR::WARN_LEVEL_WARN, 
+	  	       ER_PROC_AUTO_GRANT_FAIL,
+		       ER(ER_PROC_AUTO_GRANT_FAIL));
+      }
+      send_ok(thd);
      break;
    case SP_WRITE_ROW_FAILED:
      my_error(ER_SP_ALREADY_EXISTS, MYF(0), SP_TYPE_STRING(lex), name);
@@ -3815,7 +3848,26 @@ mysql_execute_command(THD *thd)
 	}

 #ifndef NO_EMBEDDED_ACCESS_CHECKS
+	if (check_procedure_access(thd, EXECUTE_ACL, 
+				   sp->m_db.str, sp->m_name.str, 0))
+	{
+#ifndef EMBEDDED_LIBRARY
+	  thd->net.no_send_ok= nsok;
+#endif
+	  goto error;
+	}
 	sp_change_security_context(thd, sp, &save_ctx);
+	if (save_ctx.changed && 
+	    check_procedure_access(thd, EXECUTE_ACL, 
+				   sp->m_db.str, sp->m_name.str, 0))
+	{
+#ifndef EMBEDDED_LIBRARY
+	  thd->net.no_send_ok= nsok;
+#endif
+	  sp_restore_security_context(thd, sp, &save_ctx);
+	  goto error;
+	}
+
 #endif
 	select_limit= thd->variables.select_limit;
 	thd->variables.select_limit= HA_POS_ERROR;
@@ -3861,8 +3913,9 @@ mysql_execute_command(THD *thd)
 	result= SP_KEY_NOT_FOUND;
      else
      {
-	if (check_sp_definer_access(thd, sp))
-          goto error;
+        if (check_procedure_access(thd, ALTER_PROC_ACL, sp->m_db.str, 
+				  sp->m_name.str, 0))
+	  goto error;
 	memcpy(&lex->sp_chistics, &chistics, sizeof(lex->sp_chistics));
 	if (lex->sql_command == SQLCOM_ALTER_PROCEDURE)
 	  result= sp_update_procedure(thd, lex->spname, &lex->sp_chistics);
@@ -3890,6 +3943,7 @@ mysql_execute_command(THD *thd)
    {
      sp_head *sp;
      int result;
+      char *db, *name;

      if (lex->sql_command == SQLCOM_DROP_PROCEDURE)
 	sp= sp_find_procedure(thd, lex->spname);
@@ -3898,8 +3952,17 @@ mysql_execute_command(THD *thd)
      mysql_reset_errors(thd);
      if (sp)
      {
-	if (check_sp_definer_access(thd, sp))
+        db= thd->strdup(sp->m_db.str);
+	name= thd->strdup(sp->m_name.str);
+	if (check_procedure_access(thd, ALTER_PROC_ACL, db, name, 0))
          goto error;
+	if (sp_automatic_privileges &&
+	    sp_revoke_privileges(thd, db, name))
+	{
+	  push_warning(thd, MYSQL_ERROR::WARN_LEVEL_WARN, 
+		       ER_PROC_AUTO_REVOKE_FAIL,
+		       ER(ER_PROC_AUTO_REVOKE_FAIL));
+	}
 	if (lex->sql_command == SQLCOM_DROP_PROCEDURE)
 	  result= sp_drop_procedure(thd, lex->spname);
 	else
@@ -4208,7 +4271,7 @@ check_access(THD *thd, ulong want_access, const char *db, ulong *save_priv,
  /* grant_option is set if there exists a single table or column grant */
  if (db_access == want_access ||
      (grant_option && !dont_check_global_grants &&
-       !(want_access & ~(db_access | TABLE_ACLS))))
+       !(want_access & ~(db_access | TABLE_ACLS | PROC_ACLS))))
    DBUG_RETURN(FALSE);				/* Ok */

  DBUG_PRINT("error",("Access denied"));
@@ -4304,6 +4367,28 @@ check_table_access(THD *thd, ulong want_access,TABLE_LIST *tables,
 }


+bool
+check_procedure_access(THD *thd, ulong want_access,char *db, char *name,
+		       bool no_errors)
+{
+  TABLE_LIST tables[1];
+  
+  bzero((char *)tables, sizeof(TABLE_LIST));
+  tables->db= db;
+  tables->real_name= tables->alias= name;
+  
+  if ((thd->master_access & want_access) == want_access && !thd->db)
+    tables->grant.privilege= want_access;
+  else if (check_access(thd,want_access,db,&tables->grant.privilege,
+			0, no_errors))
+    return TRUE;
+  
+  if (grant_option)
+    return check_grant_procedure(thd, want_access, tables, no_errors);
+
+  return FALSE;
+}
+
 /*
  Check if the given table has any of the asked privileges

@@ -4377,40 +4462,6 @@ static bool check_db_used(THD *thd,TABLE_LIST *tables)
 }


-/*
-  Check if the given SP is owned by thd->priv_user/host, or priv_user is root.
-  QQ This is not quite complete, but it will do as a basic security check
-     for now. The question is exactly which rights should 'root' have?
-     Should root have access regardless of host for instance?
-
-  SYNOPSIS
-    check_sp_definer_access()
-    thd		 Thread handler
-    sp           The SP pointer
-
-  RETURN
-    0  ok
-    1  error     Error message has been sent
-*/
-
-static bool
-check_sp_definer_access(THD *thd, sp_head *sp)
-{
-  LEX_STRING *usr, *hst;
-
-  if (strcmp("root", thd->priv_user) == 0)
-    return FALSE;		/* QQ Any root is ok now */
-  usr= &sp->m_definer_user;
-  hst= &sp->m_definer_host;
-  if (strncmp(thd->priv_user, usr->str, usr->length) == 0 &&
-      strncmp(thd->priv_host, hst->str, hst->length) == 0)
-    return FALSE;		/* Both user and host must match */
-
-  my_error(ER_SP_ACCESS_DENIED_ERROR, MYF(0), sp->m_qname.str);
-  return TRUE;			/* Not definer or root */
-}
-
-
 /****************************************************************************
 	Check stack size; Send error if there isn't enough stack to continue
 ****************************************************************************/

--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -138,13 +138,16 @@ struct show_privileges_st {
 static struct show_privileges_st sys_privileges[]=
 {
  {"Alter", "Tables",  "To alter the table"},
+  {"Alter routine", "Functions,Procedures",  "To alter or drop stored functions/procedures"},
  {"Create", "Databases,Tables,Indexes",  "To create new databases and tables"},
+  {"Create routine","Functions,Procedures","To use CREATE FUNCTION/PROCEDURE"},
  {"Create temporary tables","Databases","To use CREATE TEMPORARY TABLE"},
  {"Create view", "Tables",  "To create new views"},
  {"Delete", "Tables",  "To delete existing rows"},
  {"Drop", "Databases,Tables", "To drop databases, tables, and views"},
+  {"Execute", "Functions,Procedures", "To execute stored routines"},
  {"File", "File access on server",   "To read and write files on the server"},
-  {"Grant option",  "Databases,Tables", "To give to other users those privileges you possess"},
+  {"Grant option",  "Databases,Tables,Functions,Procedures", "To give to other users those privileges you possess"},
  {"Index", "Tables",  "To create or drop indexes"},
  {"Insert", "Tables",  "To insert data into tables"},
  {"Lock tables","Databases","To use LOCK TABLES (together with SELECT privilege)"},

--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -390,6 +390,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize);
 %token	RESTORE_SYM
 %token	RESTRICT
 %token	REVOKE
+%token	ROUTINE_SYM
 %token	ROWS_SYM
 %token	ROW_FORMAT_SYM
 %token	ROW_SYM
@@ -790,7 +791,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize);
 	opt_outer table_list table_name opt_option opt_place
 	opt_attribute opt_attribute_list attribute column_list column_list_id
 	opt_column_list grant_privileges opt_table grant_list grant_option
-	grant_privilege grant_privilege_list user_list rename_list
+	object_privilege object_privilege_list user_list rename_list
 	clear_privileges flush_options flush_option
 	equal optional_braces opt_key_definition key_usage_list2
 	opt_mi_check_type opt_to mi_check_types normal_join
@@ -1301,6 +1302,7 @@ clear_privileges:
          lex->users_list.empty();
          lex->columns.empty();
          lex->grant= lex->grant_tot_col= 0;
+	  lex->all_privileges= 0;
          lex->select_lex.db= 0;
          lex->ssl_type= SSL_TYPE_NOT_SPECIFIED;
          lex->ssl_cipher= lex->x509_subject= lex->x509_issuer= 0;
@@ -7031,6 +7033,7 @@ keyword:
 	| RETURNS_SYM           {}
 	| ROLLBACK_SYM		{}
 	| ROLLUP_SYM		{}
+	| ROUTINE_SYM		{}
 	| ROWS_SYM		{}
 	| ROW_FORMAT_SYM	{}
 	| ROW_SYM		{}
@@ -7543,14 +7546,16 @@ revoke_command:
 grant:
 	GRANT clear_privileges grant_privileges ON opt_table TO_SYM grant_list
 	require_clause grant_options
-	{
-	  Lex->sql_command = SQLCOM_GRANT;
-        }
+	{ Lex->sql_command= SQLCOM_GRANT; }
 	;

 grant_privileges:
-	grant_privilege_list {}
-	| ALL opt_privileges	{ Lex->grant = GLOBAL_ACLS;}
+	object_privilege_list { }
+	| ALL opt_privileges
+        { 
+          Lex->all_privileges= 1; 
+          Lex->grant= GLOBAL_ACLS;
+        }
        ;

 opt_privileges:
@@ -7558,11 +7563,11 @@ opt_privileges:
 	| PRIVILEGES
 	;

-grant_privilege_list:
-	grant_privilege
-	| grant_privilege_list ',' grant_privilege;
+object_privilege_list:
+	object_privilege
+	| object_privilege_list ',' object_privilege;

-grant_privilege:
+object_privilege:
 	SELECT_SYM	{ Lex->which_columns = SELECT_ACL;} opt_column_list {}
 	| INSERT	{ Lex->which_columns = INSERT_ACL;} opt_column_list {}
 	| UPDATE_SYM	{ Lex->which_columns = UPDATE_ACL; } opt_column_list {}
@@ -7587,6 +7592,8 @@ grant_privilege:
 	| REPLICATION CLIENT_SYM { Lex->grant |= REPL_CLIENT_ACL; }
 	| CREATE VIEW_SYM { Lex->grant |= CREATE_VIEW_ACL; }
 	| SHOW VIEW_SYM { Lex->grant |= SHOW_VIEW_ACL; }
+	| CREATE ROUTINE_SYM { Lex->grant |= CREATE_PROC_ACL; }
+	| ALTER ROUTINE_SYM { Lex->grant |= ALTER_PROC_ACL; }
 	;