MDEV-5215 Granted to PUBLIC

b0325bd6 · Oleksandr Byelkin · Sergei Golubchik · 594bed9b · b0325bd6 · b0325bd6
Commit b0325bd6 authored Dec 13, 2021 by Oleksandr Byelkin Committed by Sergei Golubchik Nov 01, 2022
14 changed files
--- a/mysql-test/main/public_basic.result
+++ b/mysql-test/main/public_basic.result
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+# it is not PUBLIC but an user
+# (this should work as it allowed for roles for example)
+create user PUBLIC;
+create user PUBLIC@localhost;
+GRANT SELECT on test.* to PUBLIC@localhost;
+drop user PUBLIC@localhost;
+drop user PUBLIC;
+# preinstalled PUBLIC
+GRANT SELECT on test.* to PUBLIC;
+GRANT SELECT on mysql.db to PUBLIC;
+select * from mysql.global_priv where user="PUBLIC" ;
+Host	User	Priv
+	PUBLIC	{"access":0,"version_id":VERSION,"is_role":true}
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+GRANT SELECT ON `test`.* TO `PUBLIC`
+GRANT SELECT ON `mysql`.`db` TO `PUBLIC`
+GRANT UPDATE on test.* to PUBLIC;
+GRANT UPDATE on mysql.db to PUBLIC;
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+GRANT SELECT, UPDATE ON `test`.* TO `PUBLIC`
+GRANT SELECT, UPDATE ON `mysql`.`db` TO `PUBLIC`
+REVOKE SELECT on test.* from PUBLIC;
+REVOKE SELECT on mysql.db from PUBLIC;
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+GRANT UPDATE ON `test`.* TO `PUBLIC`
+GRANT UPDATE ON `mysql`.`db` TO `PUBLIC`
+REVOKE UPDATE on test.* from PUBLIC;
+REVOKE UPDATE on mysql.db from PUBLIC;
+REVOKE UPDATE on test.* from PUBLIC;
+ERROR 42000: There is no such grant defined for user 'PUBLIC' on host ''
+REVOKE UPDATE on mysql.db from PUBLIC;
+ERROR 42000: There is no such grant defined for user 'PUBLIC' on host '' on table 'db'
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+# automaticly added PUBLIC
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
+select * from mysql.global_priv where user="PUBLIC" ;
+Host	User	Priv
+GRANT SELECT on test.* to PUBLIC;
+GRANT SELECT on mysql.db to PUBLIC;
+select * from mysql.global_priv where user="PUBLIC" ;
+Host	User	Priv
+	PUBLIC	{"access":0,"version_id":VERSION,"is_role":true}
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+GRANT SELECT ON `test`.* TO `PUBLIC`
+GRANT SELECT ON `mysql`.`db` TO `PUBLIC`
+GRANT UPDATE on test.* to PUBLIC;
+GRANT UPDATE on mysql.db to PUBLIC;
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+GRANT SELECT, UPDATE ON `test`.* TO `PUBLIC`
+GRANT SELECT, UPDATE ON `mysql`.`db` TO `PUBLIC`
+REVOKE SELECT on test.* from PUBLIC;
+REVOKE SELECT on mysql.db from PUBLIC;
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+GRANT UPDATE ON `test`.* TO `PUBLIC`
+GRANT UPDATE ON `mysql`.`db` TO `PUBLIC`
+REVOKE UPDATE on test.* from PUBLIC;
+REVOKE UPDATE on mysql.db from PUBLIC;
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+GRANT XXXXXX TO CURRENT_USER;
+ERROR OP000: Invalid role specification `XXXXXX`
+# following should fail with the same error as above
+GRANT PUBLIC TO CURRENT_USER;
+ERROR OP000: Invalid role specification `PUBLIC`
+REVOKE XXXXXX FROM CURRENT_USER;
+ERROR OP000: Invalid role specification `XXXXXX`
+# following should fail with the same error as above
+REVOKE PUBLIC FROM CURRENT_USER;
+ERROR OP000: Invalid role specification `PUBLIC`
+drop role XXXXXX;
+ERROR HY000: Operation DROP ROLE failed for 'XXXXXX'
+# following should fail with the same error as above
+drop role PUBLIC;
+ERROR HY000: Operation DROP ROLE failed for PUBLIC
+SET ROLE XXXXXX;
+ERROR OP000: Invalid role specification `XXXXXX`
+# following should fail with the same error as above
+SET ROLE PUBLIC;
+ERROR OP000: Invalid role specification `PUBLIC`
+SET DEFAULT ROLE XXXXXX;
+ERROR OP000: Invalid role specification `XXXXXX`
+# following should fail with the same error as above
+SET DEFAULT ROLE PUBLIC;
+ERROR OP000: Invalid role specification `PUBLIC`
+#
+# check prohibition of change security context to PUBLIC
+#
+# be sure that we have PUBLIC
+GRANT SELECT on test.* to PUBLIC;
+# try with a view
+create table t1( a int);
+create definer = PUBLIC view v1 as select * from t1;
+Warnings:
+Note	1449	The user specified as a definer ('PUBLIC'@'') does not exist
+show create view v1;
+View	Create View	character_set_client	collation_connection
+v1	CREATE ALGORITHM=UNDEFINED DEFINER=`PUBLIC` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`a` AS `a` from `t1`	latin1	latin1_swedish_ci
+Warnings:
+Note	1449	The user specified as a definer ('PUBLIC'@'') does not exist
+select * from v1;
+ERROR HY000: The user specified as a definer ('PUBLIC'@'') does not exist
+drop view v1;
+drop table t1;
+# try with a view
+create definer='PUBLIC' PROCEDURE p1() SELECT 1;
+Warnings:
+Note	1449	The user specified as a definer ('PUBLIC'@'') does not exist
+show create procedure p1;
+Procedure	sql_mode	Create Procedure	character_set_client	collation_connection	Database Collation
+p1	STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION	CREATE DEFINER=`PUBLIC` PROCEDURE `p1`()
+SELECT 1	latin1	latin1_swedish_ci	latin1_swedish_ci
+call p1();
+ERROR HY000: The user specified as a definer ('PUBLIC'@'') does not exist
+drop procedure p1;
+# this test cleanup
+REVOKE SELECT on test.* from PUBLIC;
+#
+# check autocreation of PUBLIC on GRAND role TO PUBLIC
+#
+# make sure that the privilege will be added automatically
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
+create role roletest;
+GRANT roletest TO PUBLIC;
+drop role roletest;
+# clean up
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
--- a/mysql-test/main/public_basic.test
+++ b/mysql-test/main/public_basic.test
+SHOW GRANTS FOR PUBLIC;
+
+--echo # it is not PUBLIC but an user
+--echo # (this should work as it allowed for roles for example)
+create user PUBLIC;
+create user PUBLIC@localhost;
+GRANT SELECT on test.* to PUBLIC@localhost;
+drop user PUBLIC@localhost;
+drop user PUBLIC;
+
+--echo # preinstalled PUBLIC
+GRANT SELECT on test.* to PUBLIC;
+GRANT SELECT on mysql.db to PUBLIC;
+--replace_regex /"version_id"\:[0-9]+/"version_id":VERSION/
+select * from mysql.global_priv where user="PUBLIC" ;
+
+SHOW GRANTS FOR PUBLIC;
+
+GRANT UPDATE on test.* to PUBLIC;
+GRANT UPDATE on mysql.db to PUBLIC;
+
+SHOW GRANTS FOR PUBLIC;
+
+REVOKE SELECT on test.* from PUBLIC;
+REVOKE SELECT on mysql.db from PUBLIC;
+
+SHOW GRANTS FOR PUBLIC;
+
+REVOKE UPDATE on test.* from PUBLIC;
+REVOKE UPDATE on mysql.db from PUBLIC;
+
+--error ER_NONEXISTING_GRANT
+REVOKE UPDATE on test.* from PUBLIC;
+--error ER_NONEXISTING_TABLE_GRANT
+REVOKE UPDATE on mysql.db from PUBLIC;
+
+SHOW GRANTS FOR PUBLIC;
+
+--echo # automaticly added PUBLIC
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
+select * from mysql.global_priv where user="PUBLIC" ;
+GRANT SELECT on test.* to PUBLIC;
+GRANT SELECT on mysql.db to PUBLIC;
+--replace_regex /"version_id"\:[0-9]+/"version_id":VERSION/
+select * from mysql.global_priv where user="PUBLIC" ;
+
+SHOW GRANTS FOR PUBLIC;
+
+GRANT UPDATE on test.* to PUBLIC;
+GRANT UPDATE on mysql.db to PUBLIC;
+
+SHOW GRANTS FOR PUBLIC;
+
+REVOKE SELECT on test.* from PUBLIC;
+REVOKE SELECT on mysql.db from PUBLIC;
+
+SHOW GRANTS FOR PUBLIC;
+
+REVOKE UPDATE on test.* from PUBLIC;
+REVOKE UPDATE on mysql.db from PUBLIC;
+
+SHOW GRANTS FOR PUBLIC;
+
+--error ER_INVALID_ROLE
+GRANT XXXXXX TO CURRENT_USER;
+--echo # following should fail with the same error as above
+--error ER_INVALID_ROLE
+GRANT PUBLIC TO CURRENT_USER;
+
+--error ER_INVALID_ROLE
+REVOKE XXXXXX FROM CURRENT_USER;
+--echo # following should fail with the same error as above
+--error ER_INVALID_ROLE
+REVOKE PUBLIC FROM CURRENT_USER;
+--error ER_CANNOT_USER
+
+drop role XXXXXX;
+--echo # following should fail with the same error as above
+--error ER_CANNOT_USER
+drop role PUBLIC;
+
+--error ER_INVALID_ROLE
+SET ROLE XXXXXX;
+--echo # following should fail with the same error as above
+--error ER_INVALID_ROLE
+SET ROLE PUBLIC;
+
+--error ER_INVALID_ROLE
+SET DEFAULT ROLE XXXXXX;
+--echo # following should fail with the same error as above
+--error ER_INVALID_ROLE
+SET DEFAULT ROLE PUBLIC;
+
+--echo #
+--echo # check prohibition of change security context to PUBLIC
+--echo #
+--echo # be sure that we have PUBLIC
+GRANT SELECT on test.* to PUBLIC;
+--echo # try with a view
+create table t1( a int);
+create definer = PUBLIC view v1 as select * from t1;
+show create view v1;
+--error ER_NO_SUCH_USER
+select * from v1;
+drop view v1;
+drop table t1;
+--echo # try with a view
+create definer='PUBLIC' PROCEDURE p1() SELECT 1;
+show create procedure p1;
+--error ER_NO_SUCH_USER
+call p1();
+drop procedure p1;
+--echo # this test cleanup
+REVOKE SELECT on test.* from PUBLIC;
+
+--echo #
+--echo # check autocreation of PUBLIC on GRAND role TO PUBLIC
+--echo #
+--echo # make sure that the privilege will be added automatically
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
+create role roletest;
+GRANT roletest TO PUBLIC;
+drop role roletest;
+
+
+-- echo # clean up
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
--- a/mysql-test/main/public_privileges.result
+++ b/mysql-test/main/public_privileges.result
+#
+# Test DB/TABLE/COLUMN privileges in queries
+#
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+create user testuser;
+create database testdb1;
+use testdb1;
+create table t1 (a int, b int);
+insert into t1 values (1,2);
+create database testdb2;
+use testdb2;
+create table t2 (a int, b int);
+insert into t2 values (1,2);
+create table t3 (a int, b int);
+insert into t3 values (1,2);
+connect  testuser,localhost,testuser,,;
+connection testuser;
+select * from testdb1.t1;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb1`.`t1`
+select * from testdb2.t2;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb2`.`t2`
+select b from testdb2.t3;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb2`.`t3`
+select a from testdb2.t3;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb2`.`t3`
+connection default;
+GRANT SELECT ON testdb1.* to PUBLIC;
+GRANT SELECT ON testdb2.t2 to PUBLIC;
+GRANT SELECT (b) ON testdb2.t3 to PUBLIC;
+disconnect testuser;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+select * from testdb1.t1;
+a	b
+1	2
+select * from testdb2.t2;
+a	b
+1	2
+select b from testdb2.t3;
+b
+2
+select a from testdb2.t3;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'a' in table 't3'
+connection default;
+disconnect testuser;
+# check that the privilegas correctly read by acl_load
+flush privileges;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+select * from testdb1.t1;
+a	b
+1	2
+select * from testdb2.t2;
+a	b
+1	2
+select b from testdb2.t3;
+b
+2
+select a from testdb2.t3;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'a' in table 't3'
+connection default;
+use test;
+disconnect testuser;
+REVOKE SELECT ON testdb1.* from PUBLIC;
+REVOKE SELECT ON testdb2.t2 from PUBLIC;
+REVOKE SELECT (b) ON testdb2.t3 from PUBLIC;
+drop user testuser;
+drop database testdb1;
+drop database testdb2;
+#
+# test global process list privilege and EXECUTE db level
+#
+create user testuser;
+create database testdb;
+use testdb;
+create procedure p1 () select 1;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+SHOW PROCESSLIST;
+Id	User	Host	db	Command	Time	State	Info	Progress
+#	testuser	#	NULL	Query	#	#	SHOW PROCESSLIST	0.000
+call testdb.p1();
+ERROR 42000: execute command denied to user 'testuser'@'%' for routine 'testdb.p1'
+connection default;
+GRANT PROCESS ON *.* to PUBLIC;
+GRANT EXECUTE ON testdb.* to PUBLIC;
+disconnect testuser;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+SHOW PROCESSLIST;
+Id	User	Host	db	Command	Time	State	Info	Progress
+#	root	#	testdb	Sleep	#	#	NULL	0.000
+#	testuser	#	NULL	Query	#	#	SHOW PROCESSLIST	0.000
+call testdb.p1();
+1
+1
+connection default;
+disconnect testuser;
+# check that the privilegas correctly read by acl_load
+flush privileges;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+SHOW PROCESSLIST;
+Id	User	Host	db	Command	Time	State	Info	Progress
+#	root	#	testdb	Sleep	#	#	NULL	0.000
+#	testuser	#	NULL	Query	#	#	SHOW PROCESSLIST	0.000
+call testdb.p1();
+1
+1
+connection default;
+SHOW PROCESSLIST;
+Id	User	Host	db	Command	Time	State	Info	Progress
+#	root	#	testdb	Query	#	#	SHOW PROCESSLIST	0.000
+#	testuser	#	NULL	Sleep	#	#	NULL	0.000
+connection default;
+use test;
+disconnect testuser;
+REVOKE PROCESS ON *.* from PUBLIC;
+REVOKE EXECUTE ON testdb.* from PUBLIC;
+drop user testuser;
+drop database testdb;
+#
+# test DB privilege to allow USE statement
+#
+create user testuser;
+create database testdb;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+use testdb;
+ERROR 42000: Access denied for user 'testuser'@'%' to database 'testdb'
+connection default;
+GRANT LOCK TABLES ON testdb.* to PUBLIC;
+disconnect testuser;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+use testdb;
+connection default;
+disconnect testuser;
+# check that the privilegas correctly read by acl_load
+flush privileges;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+use testdb;
+connection default;
+use test;
+disconnect testuser;
+REVOKE LOCK TABLES ON testdb.* from PUBLIC;
+drop user testuser;
+drop database testdb;
+#
+# test DB privilege to allow USE statement (as above)
+# test current db privileges
+#
+create user testuser;
+create database testdb;
+use testdb;
+create table t1 (a int);
+insert into t1 values (1);
+GRANT LOCK TABLES ON testdb.* to PUBLIC;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+use testdb;
+update t1 set a=a+1;
+ERROR 42000: UPDATE command denied to user 'testuser'@'localhost' for table `testdb`.`t1`
+connection default;
+GRANT UPDATE,SELECT ON testdb.* to PUBLIC;
+disconnect testuser;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+use testdb;
+update t1 set a=a+1;
+connection default;
+select * from testdb.t1;
+a
+2
+use test;
+disconnect testuser;
+REVOKE LOCK TABLES ON testdb.* from PUBLIC;
+REVOKE UPDATE,SELECT ON testdb.* from PUBLIC;
+drop user testuser;
+drop database testdb;
+#
+# test DB privilege to allow USE statement (as above)
+# test table/column privileges in current DB
+#
+create user testuser;
+create database testdb;
+use testdb;
+create table t1 (a int);
+insert into t1 values (1);
+create table t2 (a int, b int);
+insert into t2 values (1,2);
+GRANT LOCK TABLES ON testdb.* to PUBLIC;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+use testdb;
+delete from t1;
+ERROR 42000: DELETE command denied to user 'testuser'@'localhost' for table `testdb`.`t1`
+select b from t2;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb`.`t2`
+select a from t2;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb`.`t2`
+connection default;
+GRANT DELETE ON testdb.t1 to PUBLIC;
+GRANT SELECT (a) ON testdb.t2 to PUBLIC;
+disconnect testuser;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+use testdb;
+delete from t1;
+select a from t2;
+a
+1
+select b from t2;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'b' in table 't2'
+connection default;
+select * from testdb.t1;
+a
+insert into t1 values (1);
+disconnect testuser;
+# check that the privilegas correctly read by acl_load
+flush privileges;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+use testdb;
+delete from t1;
+select a from t2;
+a
+1
+select b from t2;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'b' in table 't2'
+connection default;
+select * from testdb.t1;
+a
+use test;
+disconnect testuser;
+REVOKE ALL PRIVILEGES, GRANT OPTION from `PUBLIC`;
+SHOW GRANTS FOR PUBLIC;
+Grants for PUBLIC
+drop user testuser;
+drop database testdb;
+#
+# test function privilege
+#
+create user testuser;
+create database testdb;
+use testdb;
+create function f1() returns int return 2;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+alter function testdb.f1 comment "A stupid function";
+ERROR 42000: alter routine command denied to user 'testuser'@'%' for routine 'testdb.f1'
+select testdb.f1();
+ERROR 42000: execute command denied to user 'testuser'@'%' for routine 'testdb.f1'
+connection default;
+GRANT ALTER ROUTINE ON testdb.* to PUBLIC;
+disconnect testuser;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+alter function testdb.f1 comment "A stupid function";
+select testdb.f1();
+ERROR 42000: execute command denied to user 'testuser'@'%' for routine 'testdb.f1'
+connection default;
+disconnect testuser;
+# check that the privilegas correctly read by acl_load
+flush privileges;
+connect  testuser,localhost,testuser,,;
+connection testuser;
+alter function testdb.f1 comment "A stupid function";
+select testdb.f1();
+ERROR 42000: execute command denied to user 'testuser'@'%' for routine 'testdb.f1'
+connection default;
+use test;
+disconnect testuser;
+REVOKE ALTER ROUTINE ON testdb.* from PUBLIC;
+drop function testdb.f1;
+drop user testuser;
+drop database testdb;
+#
+# bug with automatically added PUBLIC role
+#
+# automaticly added PUBLIC
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
+GRANT SELECT on test.* to PUBLIC;
+REVOKE SELECT on test.* from PUBLIC;
+create user testuser;
+create database testdb1;
+use testdb1;
+create table t1 (a int, b int);
+insert into t1 values (1,2);
+connect  testuser,localhost,testuser,,;
+connection testuser;
+select * from testdb1.t1;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb1`.`t1`
+connection default;
+disconnect testuser;
+drop user testuser;
+drop database testdb1;
+#
+# check assigning privileges via GRAND role TO PUBLIC
+#
+create user testuser;
+create database testdb1;
+use testdb1;
+create table t1 (a int, b int);
+# check that user do not have rights
+connect  testuser,localhost,testuser,,*NO-ONE*;
+connection testuser;
+select * from testdb1.t1;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb1`.`t1`
+connection default;
+disconnect testuser;
+give rights to everyone via assigning the role to public
+create role roletest;
+GRANT SELECT ON testdb1.* TO roletest;
+GRANT roletest TO PUBLIC;
+connect  testuser,localhost,testuser,,*NO-ONE*;
+connection testuser;
+select * from testdb1.t1;
+a	b
+connection default;
+disconnect testuser;
+# check that the privilegas correctly read by acl_load
+flush privileges;
+connect  testuser,localhost,testuser,,*NO-ONE*;
+connection testuser;
+select * from testdb1.t1;
+a	b
+connection default;
+disconnect testuser;
+# drop role...
+drop role roletest;
+# ... and check that user do not have rights again
+connect  testuser,localhost,testuser,,*NO-ONE*;
+connection testuser;
+select * from testdb1.t1;
+ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table `testdb1`.`t1`
+connection default;
+disconnect testuser;
+drop user testuser;
+drop database testdb1;
+# clean up
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
--- a/mysql-test/main/public_privileges.test
+++ b/mysql-test/main/public_privileges.test
+--echo #
+--echo # Test DB/TABLE/COLUMN privileges in queries
+--echo #
+
+SHOW GRANTS FOR PUBLIC;
+
+create user testuser;
+create database testdb1;
+use testdb1;
+create table t1 (a int, b int);
+insert into t1 values (1,2);
+create database testdb2;
+use testdb2;
+create table t2 (a int, b int);
+insert into t2 values (1,2);
+create table t3 (a int, b int);
+insert into t3 values (1,2);
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from testdb1.t1;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from testdb2.t2;
+--error ER_TABLEACCESS_DENIED_ERROR
+select b from testdb2.t3;
+--error ER_TABLEACCESS_DENIED_ERROR
+select a from testdb2.t3;
+
+connection default;
+
+GRANT SELECT ON testdb1.* to PUBLIC;
+GRANT SELECT ON testdb2.t2 to PUBLIC;
+GRANT SELECT (b) ON testdb2.t3 to PUBLIC;
+
+disconnect testuser;
+connect (testuser,localhost,testuser,,);
+connection testuser;
+select * from testdb1.t1;
+select * from testdb2.t2;
+select b from testdb2.t3;
+--error ER_COLUMNACCESS_DENIED_ERROR
+select a from testdb2.t3;
+
+connection default;
+disconnect testuser;
+
+--echo # check that the privilegas correctly read by acl_load
+flush privileges;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+select * from testdb1.t1;
+select * from testdb2.t2;
+select b from testdb2.t3;
+--error ER_COLUMNACCESS_DENIED_ERROR
+select a from testdb2.t3;
+
+connection default;
+use test;
+disconnect testuser;
+REVOKE SELECT ON testdb1.* from PUBLIC;
+REVOKE SELECT ON testdb2.t2 from PUBLIC;
+REVOKE SELECT (b) ON testdb2.t3 from PUBLIC;
+drop user testuser;
+drop database testdb1;
+drop database testdb2;
+
+--echo #
+--echo # test global process list privilege and EXECUTE db level
+--echo #
+
+create user testuser;
+create database testdb;
+use testdb;
+create procedure p1 () select 1;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+--replace_column 1 # 3 # 6 # 7 #
+SHOW PROCESSLIST;
+--error ER_PROCACCESS_DENIED_ERROR
+call testdb.p1();
+
+connection default;
+
+GRANT PROCESS ON *.* to PUBLIC;
+GRANT EXECUTE ON testdb.* to PUBLIC;
+
+disconnect testuser;
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+--replace_column 1 # 3 # 6 # 7 #
+SHOW PROCESSLIST;
+call testdb.p1();
+
+connection default;
+disconnect testuser;
+
+--echo # check that the privilegas correctly read by acl_load
+flush privileges;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+--replace_column 1 # 3 # 6 # 7 #
+SHOW PROCESSLIST;
+call testdb.p1();
+
+connection default;
+
+--replace_column 1 # 3 # 6 # 7 #
+SHOW PROCESSLIST;
+
+connection default;
+
+use test;
+disconnect testuser;
+REVOKE PROCESS ON *.* from PUBLIC;
+REVOKE EXECUTE ON testdb.* from PUBLIC;
+drop user testuser;
+drop database testdb;
+
+--echo #
+--echo # test DB privilege to allow USE statement
+--echo #
+
+create user testuser;
+create database testdb;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+--error ER_DBACCESS_DENIED_ERROR
+use testdb;
+
+connection default;
+
+GRANT LOCK TABLES ON testdb.* to PUBLIC;
+
+disconnect testuser;
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+use testdb;
+
+connection default;
+disconnect testuser;
+
+--echo # check that the privilegas correctly read by acl_load
+flush privileges;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+use testdb;
+
+connection default;
+
+use test;
+disconnect testuser;
+REVOKE LOCK TABLES ON testdb.* from PUBLIC;
+drop user testuser;
+drop database testdb;
+
+
+--echo #
+--echo # test DB privilege to allow USE statement (as above)
+--echo # test current db privileges
+--echo #
+
+create user testuser;
+create database testdb;
+use testdb;
+create table t1 (a int);
+insert into t1 values (1);
+GRANT LOCK TABLES ON testdb.* to PUBLIC;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+use testdb;
+--error ER_TABLEACCESS_DENIED_ERROR
+update t1 set a=a+1;
+
+connection default;
+
+GRANT UPDATE,SELECT ON testdb.* to PUBLIC;
+
+disconnect testuser;
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+use testdb;
+update t1 set a=a+1;
+
+connection default;
+select * from testdb.t1;
+
+use test;
+disconnect testuser;
+REVOKE LOCK TABLES ON testdb.* from PUBLIC;
+REVOKE UPDATE,SELECT ON testdb.* from PUBLIC;
+drop user testuser;
+drop database testdb;
+
+
+--echo #
+--echo # test DB privilege to allow USE statement (as above)
+--echo # test table/column privileges in current DB
+--echo #
+
+create user testuser;
+create database testdb;
+use testdb;
+create table t1 (a int);
+insert into t1 values (1);
+create table t2 (a int, b int);
+insert into t2 values (1,2);
+GRANT LOCK TABLES ON testdb.* to PUBLIC;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+use testdb;
+--error ER_TABLEACCESS_DENIED_ERROR
+delete from t1;
+--error ER_TABLEACCESS_DENIED_ERROR
+select b from t2;
+--error ER_TABLEACCESS_DENIED_ERROR
+select a from t2;
+
+connection default;
+
+GRANT DELETE ON testdb.t1 to PUBLIC;
+GRANT SELECT (a) ON testdb.t2 to PUBLIC;
+
+disconnect testuser;
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+use testdb;
+delete from t1;
+select a from t2;
+--error ER_COLUMNACCESS_DENIED_ERROR
+select b from t2;
+
+connection default;
+select * from testdb.t1;
+insert into t1 values (1);
+disconnect testuser;
+
+--echo # check that the privilegas correctly read by acl_load
+flush privileges;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+use testdb;
+delete from t1;
+select a from t2;
+--error ER_COLUMNACCESS_DENIED_ERROR
+select b from t2;
+
+connection default;
+select * from testdb.t1;
+
+
+use test;
+disconnect testuser;
+REVOKE ALL PRIVILEGES, GRANT OPTION from `PUBLIC`;
+SHOW GRANTS FOR PUBLIC;
+
+drop user testuser;
+drop database testdb;
+
+--echo #
+--echo # test function privilege
+--echo #
+
+create user testuser;
+create database testdb;
+use testdb;
+create function f1() returns int return 2;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+--error ER_PROCACCESS_DENIED_ERROR
+alter function testdb.f1 comment "A stupid function";
+--error ER_PROCACCESS_DENIED_ERROR
+select testdb.f1();
+
+connection default;
+
+GRANT ALTER ROUTINE ON testdb.* to PUBLIC;
+
+disconnect testuser;
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+alter function testdb.f1 comment "A stupid function";
+--error ER_PROCACCESS_DENIED_ERROR
+select testdb.f1();
+
+connection default;
+disconnect testuser;
+
+--echo # check that the privilegas correctly read by acl_load
+flush privileges;
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+
+alter function testdb.f1 comment "A stupid function";
+--error ER_PROCACCESS_DENIED_ERROR
+select testdb.f1();
+
+connection default;
+
+use test;
+disconnect testuser;
+REVOKE ALTER ROUTINE ON testdb.* from PUBLIC;
+drop function testdb.f1;
+drop user testuser;
+drop database testdb;
+
+--echo #
+--echo # bug with automatically added PUBLIC role
+--echo #
+
+--echo # automaticly added PUBLIC
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
+GRANT SELECT on test.* to PUBLIC;
+
+REVOKE SELECT on test.* from PUBLIC;
+
+create user testuser;
+create database testdb1;
+use testdb1;
+create table t1 (a int, b int);
+insert into t1 values (1,2);
+
+connect (testuser,localhost,testuser,,);
+connection testuser;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from testdb1.t1;
+
+connection default;
+ 
+disconnect testuser;
+drop user testuser;
+drop database testdb1;
+
+--echo #
+--echo # check assigning privileges via GRAND role TO PUBLIC
+--echo #
+create user testuser;
+create database testdb1;
+use testdb1;
+create table t1 (a int, b int);
+
+--echo # check that user do not have rights
+connect (testuser,localhost,testuser,,*NO-ONE*);
+connection testuser;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from testdb1.t1;
+connection default;
+disconnect testuser;
+
+--echo give rights to everyone via assigning the role to public
+create role roletest;
+GRANT SELECT ON testdb1.* TO roletest;
+GRANT roletest TO PUBLIC;
+
+connect (testuser,localhost,testuser,,*NO-ONE*);
+connection testuser;
+select * from testdb1.t1;
+connection default;
+disconnect testuser;
+
+--echo # check that the privilegas correctly read by acl_load
+flush privileges;
+
+connect (testuser,localhost,testuser,,*NO-ONE*);
+connection testuser;
+select * from testdb1.t1;
+connection default;
+disconnect testuser;
+
+
+--echo # drop role...
+drop role roletest;
+
+--echo # ... and check that user do not have rights again
+connect (testuser,localhost,testuser,,*NO-ONE*);
+connection testuser;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from testdb1.t1;
+connection default;
+disconnect testuser;
+
+drop user testuser;
+drop database testdb1;
+
+-- echo # clean up
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
--- a/mysql-test/suite/roles/none_public.result
+++ b/mysql-test/suite/roles/none_public.result
@@ -14,9 +14,6 @@ ERROR OP000: Invalid role specification `none`
 grant public to role1;
 ERROR OP000: Invalid role specification `public`
 grant role1 to public;
-ERROR OP000: Invalid role specification `public`
-grant select on *.* to public;
-ERROR OP000: Invalid role specification `public`
 grant role1 to current_role;
 ERROR OP000: Invalid role specification `NONE`
 revoke none from role1;
@@ -28,21 +25,15 @@ ERROR OP000: Invalid role specification `none`
 revoke public from role1;
 ERROR OP000: Invalid role specification `public`
 revoke role1 from public;
-ERROR OP000: Invalid role specification `public`
+ERROR HY000: Cannot revoke role 'role1' from: 'public'@'%'
 revoke select on *.* from public;
-ERROR OP000: Invalid role specification `public`
 show grants for none;
 ERROR OP000: Invalid role specification `none`
-show grants for public;
-ERROR OP000: Invalid role specification `public`
 create definer=none view test.v1 as select 1;
 ERROR OP000: Invalid role specification `none`
-create definer=public view test.v1 as select 1;
-ERROR OP000: Invalid role specification `public`
 drop role role1;
-insert mysql.global_priv values ('', 'none', '{"is_role":true}'), ('', 'public', '{"is_role":true}');
+insert mysql.global_priv values ('', 'none', '{"is_role":true}');
 flush privileges;
 Warnings:
 Error	1959	Invalid role specification `none`
-Error	1959	Invalid role specification `public`
 delete from mysql.global_priv where host='';
--- a/mysql-test/suite/roles/none_public.test
+++ b/mysql-test/suite/roles/none_public.test
@@ -17,10 +17,10 @@ grant role1 to none;
 grant select on *.* to none;
 --error ER_INVALID_ROLE
 grant public to role1;
--error ER_INVALID_ROLE
 grant role1 to public;
--error ER_INVALID_ROLE
-grant select on *.* to public;
+# PUBLIC is legal role
+#--error ER_INVALID_ROLE
+#grant select on *.* to public;

 --error ER_INVALID_ROLE
 grant role1 to current_role;
@@ -33,23 +33,24 @@ revoke role1 from none;
 revoke select on *.* from none;
 --error ER_INVALID_ROLE
 revoke public from role1;
--error ER_INVALID_ROLE
+--error ER_CANNOT_REVOKE_ROLE
 revoke role1 from public;
--error ER_INVALID_ROLE
 revoke select on *.* from public;

 --error ER_INVALID_ROLE
 show grants for none;
--error ER_INVALID_ROLE
-show grants for public;
+# PUBLIC is legal role
+#--error ER_INVALID_ROLE
+#show grants for public;

 --error ER_INVALID_ROLE
 create definer=none view test.v1 as select 1;
--error ER_INVALID_ROLE
-create definer=public view test.v1 as select 1;
+# PUBLIC is legal role
+#--error ER_INVALID_ROLE
+#create definer=public view test.v1 as select 1;

 drop role role1;

-insert mysql.global_priv values ('', 'none', '{"is_role":true}'), ('', 'public', '{"is_role":true}');
+insert mysql.global_priv values ('', 'none', '{"is_role":true}');
 flush privileges;
 delete from mysql.global_priv where host='';
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -76,8 +76,8 @@ bool hostname_requires_resolving(const char *hostname);
 bool  acl_init(bool dont_read_acl_tables);
 bool acl_reload(THD *thd);
 void acl_free(bool end=0);
-privilege_t acl_get(const char *host, const char *ip,
-                    const char *user, const char *db, my_bool db_is_pattern);
+privilege_t acl_get_all3(Security_context *sctx, const char *db,
+                         bool db_is_patern);
 bool acl_authenticate(THD *thd, uint com_change_user_pkt_len);
 bool acl_getroot(Security_context *sctx, const char *user, const char *host,
                 const char *ip, const char *db);

--- a/sql/sql_db.cc
+++ b/sql/sql_db.cc
@@ -1778,16 +1778,13 @@ uint mysql_change_db(THD *thd, const LEX_CSTRING *new_db_name,

 #ifndef NO_EMBEDDED_ACCESS_CHECKS
  if (test_all_bits(sctx->master_access, DB_ACLS))
+  {
    db_access= DB_ACLS;
+  }
  else
  {
-    db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user,
-                        new_db_file_name.str, FALSE) | sctx->master_access;
-    if (sctx->priv_role[0])
-    {
-      /* include a possible currently set role for access */
-      db_access|= acl_get("", "", sctx->priv_role, new_db_file_name.str, FALSE);
-    }
+    db_access= acl_get_all3(sctx, new_db_file_name.str, FALSE);
+    db_access|= sctx->master_access;
  }

  if (!force_switch &&

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -6760,10 +6760,7 @@ check_access(THD *thd, privilege_t want_access,
    {
      if (db && (!thd->db.str || db_is_pattern || strcmp(db, thd->db.str)))
      {
-        db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
-                           db_is_pattern);
-        if (sctx->priv_role[0])
-          db_access|= acl_get("", "", sctx->priv_role, db, db_is_pattern);
+        db_access= acl_get_all3(sctx, db, db_is_pattern);
      }
      else
      {
@@ -6808,14 +6805,7 @@ check_access(THD *thd, privilege_t want_access,
  }

  if (db && (!thd->db.str || db_is_pattern || strcmp(db, thd->db.str)))
-  {
-    db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,
-                       db_is_pattern);
-    if (sctx->priv_role[0])
-    {
-      db_access|= acl_get("", "", sctx->priv_role, db, db_is_pattern);
-    }
-  }
+    db_access= acl_get_all3(sctx, db, db_is_pattern);
  else
    db_access= sctx->db_access;
  DBUG_PRINT("info",("db_access: %llx  want_access: %llx",

--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -1406,12 +1406,8 @@ bool mysqld_show_create_db(THD *thd, LEX_CSTRING *dbname,
  if (test_all_bits(sctx->master_access, DB_ACLS))
    db_access=DB_ACLS;
  else
-  {
-    db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) |
+    db_access= acl_get_all3(sctx, dbname->str, FALSE) |
               sctx->master_access;
-    if (sctx->priv_role[0])
-      db_access|= acl_get("", "", sctx->priv_role, dbname->str, 0);
-  }

  if (!(db_access & DB_ACLS) && check_grant_db(thd,dbname->str))
  {
@@ -5302,7 +5298,7 @@ int get_all_tables(THD *thd, TABLE_LIST *tables, COND *cond)
                       &thd->col_access, NULL, 0, 1) ||
          (!thd->col_access && check_grant_db(thd, db_name->str))) ||
        sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
-        acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0))
+        acl_get_all3(sctx, db_name->str, 0))
 #endif
    {
      Dynamic_array<LEX_CSTRING*> table_names(PSI_INSTRUMENT_MEM);
@@ -5502,9 +5498,7 @@ int fill_schema_schemata(THD *thd, TABLE_LIST *tables, COND *cond)
    }
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
    if (sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
-        acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, false) ||
-        (sctx->priv_role[0] ?
-             acl_get("", "", sctx->priv_role, db_name->str, false) : NO_ACL) ||
+        acl_get_all3(sctx, db_name->str, false) ||
        !check_grant_db(thd, db_name->str))
 #endif
    {

--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -17156,6 +17156,7 @@ grant_role:
            $$->user= $1;
            $$->host= empty_clex_str;
            $$->auth= NULL;
+            $$->is_public= false;

            if (unlikely(check_string_char_length(&$$->user, ER_USERNAME,
                                                  username_char_length,

--- a/sql/structs.h
+++ b/sql/structs.h
@@ -254,6 +254,7 @@ struct AUTHID
 struct LEX_USER: public AUTHID
 {
  USER_AUTH *auth;
+  bool is_public;
  bool has_auth()
  {
    return auth && (auth->plugin.length || auth->auth_str.length || auth->pwtext.length);

--- a/sql/table.h
+++ b/sql/table.h
@@ -301,6 +301,7 @@ typedef struct st_grant_info
   */
  GRANT_TABLE *grant_table_user;
  GRANT_TABLE *grant_table_role;
+  GRANT_TABLE *grant_public;
  /**
     @brief Used for cache invalidation when caching privilege information.

@@ -347,6 +348,14 @@ typedef struct st_grant_info
    want_privilege(NO_ACL),
    orig_want_privilege(NO_ACL)
  { }
+
+  void read(const Security_context *sctx, const char *db,
+            const char *table);
+
+  inline void refresh(const Security_context *sctx, const char *db,
+                     const char *table);
+  inline privilege_t aggregate_privs();
+  inline privilege_t aggregate_cols();
 } GRANT_INFO;

 enum tmp_table_type