Commit
bc603c60
authored
Nov 24, 2014
by
Sergei Golubchik
bugfix: IDENTIFIED BY clause was lost in some GRANT variants
parent
61820bca
Showing
5 changed files
with
64 additions
and
21 deletions
+64
-21
mysql-test/r/sp-security.result
mysql-test/r/sp-security.result
+14
-0
mysql-test/suite/roles/grant_revoke_current.result
mysql-test/suite/roles/grant_revoke_current.result
+15
-0
mysql-test/suite/roles/grant_revoke_current.test
mysql-test/suite/roles/grant_revoke_current.test
+6
-1
mysql-test/t/sp-security.test
mysql-test/t/sp-security.test
+8
-0
sql/sql_acl.cc
sql/sql_acl.cc
+21
-20
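--- a/mysql-test/r/sp-security.result
+++ b/mysql-test/r/sp-security.result
@@ -647,3 +647,17 @@ ERROR 42000: execute command denied to user 'bug12602983_user'@'localhost' for r
 # Connection 'default'.
 drop user bug12602983_user@localhost;
 drop database mysqltest_db;
+set password=password('foobar');
+create procedure sp1() select 1;
+show grants;
+Grants for root@localhost
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*9B500343BC52E2911172EB52AE5CF4847604C6E5' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
+grant execute on procedure sp1 to current_user() identified by 'barfoo';
+show grants;
+Grants for root@localhost
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*343915A8181B5728EADBDC73E1F7E6B0C3998483' WITH GRANT OPTION
+GRANT EXECUTE ON PROCEDURE `test`.`sp1` TO 'root'@'localhost'
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
+drop procedure sp1;
+set password='';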
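--- a/mysql-test/suite/roles/grant_revoke_current.result
+++ b/mysql-test/suite/roles/grant_revoke_current.result
@@ -24,4 +24,19 @@ revoke all, grant option from current_role;
 show grants for current_role;
 Grants for r1
 GRANT USAGE ON *.* TO 'r1'
+set password=password('foobar');
+show grants;
+Grants for root@localhost
+GRANT r1 TO 'root'@'localhost' WITH ADMIN OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*9B500343BC52E2911172EB52AE5CF4847604C6E5' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT USAGE ON *.* TO 'r1'
+grant r1 to current_user() identified by 'barfoo';
+show grants;
+Grants for root@localhost
+GRANT r1 TO 'root'@'localhost' WITH ADMIN OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*343915A8181B5728EADBDC73E1F7E6B0C3998483' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT USAGE ON *.* TO 'r1'
+set password='';
 drop role r1;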
mysql-test/suite/roles/grant_revoke_current.test
...
@@ -20,5 +20,10 @@ show grants for current_role;
...
@@ -20,5 +20,10 @@ show grants for current_role;
revoke
all
,
grant
option
from
current_role
;
revoke
all
,
grant
option
from
current_role
;
show
grants
for
current_role
;
show
grants
for
current_role
;
drop
role
r1
;
set
password
=
password
(
'foobar'
);
show
grants
;
grant
r1
to
current_user
()
identified
by
'barfoo'
;
show
grants
;
set
password
=
''
;
drop
role
r1
;
mysql-test/t/sp-security.test
...
@@ -1040,3 +1040,11 @@ drop database mysqltest_db;
...
@@ -1040,3 +1040,11 @@ drop database mysqltest_db;
# Wait till all disconnects are completed
# Wait till all disconnects are completed
--
source
include
/
wait_until_count_sessions
.
inc
--
source
include
/
wait_until_count_sessions
.
inc
set
password
=
password
(
'foobar'
);
create
procedure
sp1
()
select
1
;
show
grants
;
grant
execute
on
procedure
sp1
to
current_user
()
identified
by
'barfoo'
;
show
grants
;
drop
procedure
sp1
;
set
password
=
''
;
sql/sql_acl.cc
...
@@ -5596,6 +5596,14 @@ static bool merge_one_role_privileges(ACL_ROLE *grantee)
...
@@ -5596,6 +5596,14 @@ static bool merge_one_role_privileges(ACL_ROLE *grantee)
End of the role privilege propagation and graph traversal code
End of the role privilege propagation and graph traversal code
******************************************************************/
******************************************************************/
static
bool
has_auth
(
LEX_USER
*
user
,
LEX
*
lex
)
{
return
user
->
password
.
str
||
user
->
plugin
.
length
||
user
->
auth
.
length
||
lex
->
ssl_type
!=
SSL_TYPE_NOT_SPECIFIED
||
lex
->
ssl_cipher
||
lex
->
x509_issuer
||
lex
->
x509_subject
||
lex
->
mqh
.
specified_limits
;
}
static
bool
copy_and_check_auth
(
LEX_USER
*
to
,
LEX_USER
*
from
,
LEX
*
lex
)
static
bool
copy_and_check_auth
(
LEX_USER
*
to
,
LEX_USER
*
from
,
LEX
*
lex
)
{
{
if
(
to
!=
from
)
if
(
to
!=
from
)
...
@@ -5606,20 +5614,11 @@ static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, LEX *lex)
...
@@ -5606,20 +5614,11 @@ static bool copy_and_check_auth(LEX_USER *to, LEX_USER *from, LEX *lex)
to
->
auth
=
from
->
auth
;
to
->
auth
=
from
->
auth
;
}
}
/*
Note, that no password is null_lex_str, while no plugin is empty_lex_str.
See sql_yacc.yy
*/
bool
has_auth
=
to
->
password
.
str
||
to
->
plugin
.
length
||
to
->
auth
.
length
||
lex
->
ssl_type
!=
SSL_TYPE_NOT_SPECIFIED
||
lex
->
ssl_cipher
||
lex
->
x509_issuer
||
lex
->
x509_subject
||
lex
->
mqh
.
specified_limits
;
/*
/*
Specifying authentication clauses forces the name to be interpreted
Specifying authentication clauses forces the name to be interpreted
as a user, not a role. See also check_change_password()
as a user, not a role. See also check_change_password()
*/
*/
if
(
to
->
is_role
()
&&
has_auth
)
if
(
to
->
is_role
()
&&
has_auth
(
to
,
lex
)
)
{
{
my_error
(
ER_PASSWORD_NO_MATCH
,
MYF
(
0
));
my_error
(
ER_PASSWORD_NO_MATCH
,
MYF
(
0
));
return
true
;
return
true
;
...
@@ -5937,7 +5936,6 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc,
...
@@ -5937,7 +5936,6 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc,
while
((
tmp_Str
=
str_list
++
))
while
((
tmp_Str
=
str_list
++
))
{
{
int
error
;
GRANT_NAME
*
grant_name
;
GRANT_NAME
*
grant_name
;
if
(
!
(
Str
=
get_current_user
(
thd
,
tmp_Str
,
false
)))
if
(
!
(
Str
=
get_current_user
(
thd
,
tmp_Str
,
false
)))
{
{
...
@@ -5945,14 +5943,14 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc,
...
@@ -5945,14 +5943,14 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc,
continue
;
continue
;
}
}
/* Create user if needed */
/* Create user if needed */
error
=
replace_user_table
(
thd
,
tables
[
USER_TABLE
].
table
,
*
Str
,
if
(
copy_and_check_auth
(
Str
,
tmp_Str
,
thd
->
lex
)
||
0
,
revoke_grant
,
create_new_users
,
replace_user_table
(
thd
,
tables
[
USER_TABLE
].
table
,
*
Str
,
MY_TEST
(
thd
->
variables
.
sql_mode
&
0
,
revoke_grant
,
create_new_users
,
MODE_NO_AUTO_CREATE_USER
));
MY_TEST
(
thd
->
variables
.
sql_mode
&
if
(
error
)
MODE_NO_AUTO_CREATE_USER
))
)
{
{
result
=
TRUE
;
// Remember error
result
=
TRUE
;
continue
;
// Add next user
continue
;
}
}
db_name
=
table_list
->
db
;
db_name
=
table_list
->
db
;
...
@@ -6210,7 +6208,9 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
...
@@ -6210,7 +6208,9 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
&
rolename
);
&
rolename
);
ACL_USER_BASE
*
grantee
=
role_as_user
;
ACL_USER_BASE
*
grantee
=
role_as_user
;
if
(
!
grantee
)
if
(
has_auth
(
user
,
thd
->
lex
))
DBUG_ASSERT
(
!
grantee
);
else
if
(
!
grantee
)
grantee
=
find_user_exact
(
hostname
.
str
,
username
.
str
);
grantee
=
find_user_exact
(
hostname
.
str
,
username
.
str
);
if
(
!
grantee
&&
!
revoke
)
if
(
!
grantee
&&
!
revoke
)
...
@@ -6220,7 +6220,8 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
...
@@ -6220,7 +6220,8 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
user_combo
.
user
=
username
;
user_combo
.
user
=
username
;
/* create the user if it does not exist */
/* create the user if it does not exist */
if
(
replace_user_table
(
thd
,
tables
[
USER_TABLE
].
table
,
user_combo
,
0
,
if
(
copy_and_check_auth
(
&
user_combo
,
&
user_combo
,
thd
->
lex
)
||
replace_user_table
(
thd
,
tables
[
USER_TABLE
].
table
,
user_combo
,
0
,
false
,
create_new_user
,
false
,
create_new_user
,
no_auto_create_user
))
no_auto_create_user
))
{
{
...
...
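Review bot: Nothing in these hunks shows the caller's right to change the target account's password being checked on the two paths that now forward IDENTIFIED BY to `replace_user_table()` (`mysql_routine_grant()` and `mysql_grant_role()`), and the added tests only run as root against `current_user()`. Please confirm that `check_change_password()` (named in the comment inside `copy_and_check_auth()`) or an equivalent check is reached for these statements before the user table is rewritten, and add a test in which an account without that right is refused. In `mysql_grant_role()` the invariant that a role grantee never carries auth clauses is held only by `DBUG_ASSERT(!grantee)`, which is compiled out of non-debug builds, so a one-line comment saying where that is guaranteed would help. The new `has_auth()` helper also dropped the old explanation of why the password test uses `.str` while plugin and auth use `.length`; I would restore it above the helper as `/* no password is null_lex_str, while no plugin is empty_lex_str; see sql_yacc.yy */`. The bodies of `copy_and_check_auth()`, `mysql_routine_grant()` and `mysql_grant_role()` continue outside the hunks shown, so the check may well exist there.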