Commit d9abeb76 authored by unknown's avatar unknown

sql_acl.cc, sql_acl.h, sql_parse.cc

  New privilege CREATE USER (CREATE_USER_ACL, Create_user_priv) added
grant2.test:
  new tests (mostly backported from jani's patch)
system_mysql_db.result, sp.result, grant2.result, grant.result:
  results updated


mysql-test/r/grant.result:
  results updated
mysql-test/r/grant2.result:
  results updated
mysql-test/r/sp.result:
  results updated
mysql-test/r/system_mysql_db.result:
  results updated
mysql-test/t/grant2.test:
  new tests (mostly backported from jani's patch)
scripts/mysql_create_system_tables.sh:
  Create_user_priv added
scripts/mysql_fix_privilege_tables.sql:
  Create_user_priv added
sql/sql_acl.cc:
  Create_user_priv added
sql/sql_acl.h:
  Create_user_priv added
sql/sql_parse.cc:
  Create_user_priv added
sql/sql_show.cc:
  Create_user_priv added
sql/sql_yacc.yy:
  Create_user_priv added
BitKeeper/etc/logging_ok:
  Logging to logging@openlogging.org accepted
parent dd0cd5fb
...@@ -225,6 +225,7 @@ salle@vafla.online.bg ...@@ -225,6 +225,7 @@ salle@vafla.online.bg
sasha@mysql.sashanet.com sasha@mysql.sashanet.com
serg@build.mysql.com serg@build.mysql.com
serg@build.mysql2.com serg@build.mysql2.com
serg@mysql.com
serg@serg.mylan serg@serg.mylan
serg@serg.mysql.com serg@serg.mysql.com
serg@sergbook.mylan serg@sergbook.mylan
......
...@@ -10,8 +10,8 @@ GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3 ...@@ -10,8 +10,8 @@ GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3
GRANT SELECT ON `mysqltest`.* TO 'mysqltest_1'@'localhost' GRANT SELECT ON `mysqltest`.* TO 'mysqltest_1'@'localhost'
grant delete on mysqltest.* to mysqltest_1@localhost; grant delete on mysqltest.* to mysqltest_1@localhost;
select * from mysql.user where user="mysqltest_1"; select * from mysql.user where user="mysqltest_1";
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections
localhost mysqltest_1 N N N N N N N N N N N N N N N N N N N N N N N N N SPECIFIED EDH-RSA-DES-CBC3-SHA 0 0 0 0 localhost mysqltest_1 N N N N N N N N N N N N N N N N N N N N N N N N N N SPECIFIED EDH-RSA-DES-CBC3-SHA 0 0 0 0
show grants for mysqltest_1@localhost; show grants for mysqltest_1@localhost;
Grants for mysqltest_1@localhost Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA' GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA'
...@@ -41,15 +41,15 @@ delete from mysql.user where user='mysqltest_1'; ...@@ -41,15 +41,15 @@ delete from mysql.user where user='mysqltest_1';
flush privileges; flush privileges;
grant usage on *.* to mysqltest_1@localhost with max_queries_per_hour 10; grant usage on *.* to mysqltest_1@localhost with max_queries_per_hour 10;
select * from mysql.user where user="mysqltest_1"; select * from mysql.user where user="mysqltest_1";
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections
localhost mysqltest_1 N N N N N N N N N N N N N N N N N N N N N N N N N 10 0 0 0 localhost mysqltest_1 N N N N N N N N N N N N N N N N N N N N N N N N N N 10 0 0 0
show grants for mysqltest_1@localhost; show grants for mysqltest_1@localhost;
Grants for mysqltest_1@localhost Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' WITH MAX_QUERIES_PER_HOUR 10 GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' WITH MAX_QUERIES_PER_HOUR 10
grant usage on *.* to mysqltest_1@localhost with max_updates_per_hour 20 max_connections_per_hour 30; grant usage on *.* to mysqltest_1@localhost with max_updates_per_hour 20 max_connections_per_hour 30;
select * from mysql.user where user="mysqltest_1"; select * from mysql.user where user="mysqltest_1";
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections
localhost mysqltest_1 N N N N N N N N N N N N N N N N N N N N N N N N N 10 20 30 0 localhost mysqltest_1 N N N N N N N N N N N N N N N N N N N N N N N N N N 10 20 30 0
show grants for mysqltest_1@localhost; show grants for mysqltest_1@localhost;
Grants for mysqltest_1@localhost Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' WITH MAX_QUERIES_PER_HOUR 10 MAX_UPDATES_PER_HOUR 20 MAX_CONNECTIONS_PER_HOUR 30 GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' WITH MAX_QUERIES_PER_HOUR 10 MAX_UPDATES_PER_HOUR 20 MAX_CONNECTIONS_PER_HOUR 30
...@@ -440,6 +440,7 @@ Create Databases,Tables,Indexes To create new databases and tables ...@@ -440,6 +440,7 @@ Create Databases,Tables,Indexes To create new databases and tables
Create routine Functions,Procedures To use CREATE FUNCTION/PROCEDURE Create routine Functions,Procedures To use CREATE FUNCTION/PROCEDURE
Create temporary tables Databases To use CREATE TEMPORARY TABLE Create temporary tables Databases To use CREATE TEMPORARY TABLE
Create view Tables To create new views Create view Tables To create new views
Create user Server Admin To create new users
Delete Tables To delete existing rows Delete Tables To delete existing rows
Drop Databases,Tables To drop databases, tables, and views Drop Databases,Tables To drop databases, tables, and views
Execute Functions,Procedures To execute stored routines Execute Functions,Procedures To execute stored routines
......
...@@ -5,7 +5,25 @@ delete from mysql.db where user like 'mysqltest\_%'; ...@@ -5,7 +5,25 @@ delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%'; delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%'; delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges; flush privileges;
grant all privileges on `my\_1`.* to mysqltest_1@localhost with grant option;
grant create user on *.* to mysqltest_1@localhost;
create user mysqltest_2@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
ERROR 42000: You must have privileges to update tables in the mysql database to be able to change passwords for others
grant update on mysql.* to mysqltest_1@localhost;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
grant select on `my\_1`.* to mysqltest_3@localhost;
grant insert on mysql.* to mysqltest_1@localhost;
grant select on `my\_1`.* to mysqltest_3@localhost;
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'pass';
delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges;
grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option; grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
grant create user on *.* to mysqltest_1@localhost;
select current_user(); select current_user();
current_user() current_user()
mysqltest_1@localhost mysqltest_1@localhost
...@@ -23,10 +41,9 @@ grant select on `my\_1`.* to mysqltest_4@localhost with grant option; ...@@ -23,10 +41,9 @@ grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass' grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
with grant option; with grant option;
ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysql'
show grants for mysqltest_1@localhost; show grants for mysqltest_1@localhost;
Grants for mysqltest_1@localhost Grants for mysqltest_1@localhost
GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' GRANT CREATE USER ON *.* TO 'mysqltest_1'@'localhost'
GRANT ALL PRIVILEGES ON `my\_%`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION GRANT ALL PRIVILEGES ON `my\_%`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION
show grants for mysqltest_2@localhost; show grants for mysqltest_2@localhost;
Grants for mysqltest_2@localhost Grants for mysqltest_2@localhost
...@@ -212,7 +229,7 @@ GRANT USAGE ON *.* TO '%@a'@'a' ...@@ -212,7 +229,7 @@ GRANT USAGE ON *.* TO '%@a'@'a'
GRANT SELECT ON "mysql".* TO '%@a'@'a' GRANT SELECT ON "mysql".* TO '%@a'@'a'
drop user '%@a'@'a'; drop user '%@a'@'a';
create user mysqltest_2@localhost; create user mysqltest_2@localhost;
grant usage on *.* to mysqltest_2@localhost with grant option; grant create user on *.* to mysqltest_2@localhost;
select host,user,password from mysql.user where user like 'mysqltest_%' order by host,user,password; select host,user,password from mysql.user where user like 'mysqltest_%' order by host,user,password;
ERROR 42000: SELECT command denied to user 'mysqltest_2'@'localhost' for table 'user' ERROR 42000: SELECT command denied to user 'mysqltest_2'@'localhost' for table 'user'
create user mysqltest_A@'%'; create user mysqltest_A@'%';
...@@ -220,19 +237,17 @@ rename user mysqltest_A@'%' to mysqltest_B@'%'; ...@@ -220,19 +237,17 @@ rename user mysqltest_A@'%' to mysqltest_B@'%';
drop user mysqltest_B@'%'; drop user mysqltest_B@'%';
drop user mysqltest_2@localhost; drop user mysqltest_2@localhost;
create user mysqltest_3@localhost; create user mysqltest_3@localhost;
grant all privileges on mysql.* to mysqltest_3@localhost; grant INSERT,DELETE,UPDATE on mysql.* to mysqltest_3@localhost;
show grants;
Grants for mysqltest_3@localhost
GRANT USAGE ON *.* TO 'mysqltest_3'@'localhost'
GRANT INSERT, UPDATE, DELETE ON `mysql`.* TO 'mysqltest_3'@'localhost'
select host,user,password from mysql.user where user like 'mysqltest_%' order by host,user,password; select host,user,password from mysql.user where user like 'mysqltest_%' order by host,user,password;
host user password ERROR 42000: SELECT command denied to user 'mysqltest_3'@'localhost' for table 'user'
% mysqltest_2 *BD447CBA355AF58578D3AE33BA2E2CD388BA08D1
localhost mysqltest_3
insert into mysql.user set host='%', user='mysqltest_B'; insert into mysql.user set host='%', user='mysqltest_B';
create user mysqltest_A@'%'; create user mysqltest_A@'%';
ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysql'
rename user mysqltest_B@'%' to mysqltest_C@'%'; rename user mysqltest_B@'%' to mysqltest_C@'%';
ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysql' drop user mysqltest_C@'%';
drop user mysqltest_B@'%';
ERROR 42000: Access denied for user 'mysqltest_3'@'localhost' to database 'mysql'
drop user mysqltest_B@'%';
drop user mysqltest_3@localhost; drop user mysqltest_3@localhost;
set @@sql_mode=''; set @@sql_mode='';
create database mysqltest_1; create database mysqltest_1;
......
...@@ -2185,6 +2185,7 @@ Create Databases,Tables,Indexes To create new databases and tables ...@@ -2185,6 +2185,7 @@ Create Databases,Tables,Indexes To create new databases and tables
Create routine Functions,Procedures To use CREATE FUNCTION/PROCEDURE Create routine Functions,Procedures To use CREATE FUNCTION/PROCEDURE
Create temporary tables Databases To use CREATE TEMPORARY TABLE Create temporary tables Databases To use CREATE TEMPORARY TABLE
Create view Tables To create new views Create view Tables To create new views
Create user Server Admin To create new users
Delete Tables To delete existing rows Delete Tables To delete existing rows
Drop Databases,Tables To drop databases, tables, and views Drop Databases,Tables To drop databases, tables, and views
Execute Functions,Procedures To execute stored routines Execute Functions,Procedures To execute stored routines
...@@ -2238,6 +2239,7 @@ Create Databases,Tables,Indexes To create new databases and tables ...@@ -2238,6 +2239,7 @@ Create Databases,Tables,Indexes To create new databases and tables
Create routine Functions,Procedures To use CREATE FUNCTION/PROCEDURE Create routine Functions,Procedures To use CREATE FUNCTION/PROCEDURE
Create temporary tables Databases To use CREATE TEMPORARY TABLE Create temporary tables Databases To use CREATE TEMPORARY TABLE
Create view Tables To create new views Create view Tables To create new views
Create user Server Admin To create new users
Delete Tables To delete existing rows Delete Tables To delete existing rows
Drop Databases,Tables To drop databases, tables, and views Drop Databases,Tables To drop databases, tables, and views
Execute Functions,Procedures To execute stored routines Execute Functions,Procedures To execute stored routines
......
...@@ -96,6 +96,7 @@ user CREATE TABLE `user` ( ...@@ -96,6 +96,7 @@ user CREATE TABLE `user` (
`Show_view_priv` enum('N','Y') character set utf8 NOT NULL default 'N', `Show_view_priv` enum('N','Y') character set utf8 NOT NULL default 'N',
`Create_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N', `Create_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N',
`Alter_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N', `Alter_routine_priv` enum('N','Y') character set utf8 NOT NULL default 'N',
`Create_user_priv` enum('N','Y') character set utf8 NOT NULL default 'N',
`ssl_type` enum('','ANY','X509','SPECIFIED') character set utf8 NOT NULL default '', `ssl_type` enum('','ANY','X509','SPECIFIED') character set utf8 NOT NULL default '',
`ssl_cipher` blob NOT NULL, `ssl_cipher` blob NOT NULL,
`x509_issuer` blob NOT NULL, `x509_issuer` blob NOT NULL,
......
...@@ -17,11 +17,42 @@ delete from mysql.columns_priv where user like 'mysqltest\_%'; ...@@ -17,11 +17,42 @@ delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges; flush privileges;
grant all privileges on `my\_1`.* to mysqltest_1@localhost with grant option;
grant create user on *.* to mysqltest_1@localhost;
create user mysqltest_2@localhost;
connect (user_a,localhost,mysqltest_1,,);
connection user_a;
grant select on `my\_1`.* to mysqltest_2@localhost;
--error 1132
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
disconnect user_a;
connection default;
grant update on mysql.* to mysqltest_1@localhost;
connect (user_b,localhost,mysqltest_1,,);
connection user_b;
grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
grant select on `my\_1`.* to mysqltest_3@localhost;
disconnect user_b;
connection default;
grant insert on mysql.* to mysqltest_1@localhost;
connect (user_c,localhost,mysqltest_1,,);
connection user_c;
grant select on `my\_1`.* to mysqltest_3@localhost;
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'pass';
disconnect user_c;
connection default;
delete from mysql.user where user like 'mysqltest\_%';
delete from mysql.db where user like 'mysqltest\_%';
delete from mysql.tables_priv where user like 'mysqltest\_%';
delete from mysql.columns_priv where user like 'mysqltest\_%';
flush privileges;
# #
# wild_compare fun # wild_compare fun
# #
grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option; grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
grant create user on *.* to mysqltest_1@localhost;
connect (user1,localhost,mysqltest_1,,); connect (user1,localhost,mysqltest_1,,);
connection user1; connection user1;
select current_user(); select current_user();
...@@ -29,6 +60,7 @@ select current_user; ...@@ -29,6 +60,7 @@ select current_user;
grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option; grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
--error 1044 --error 1044
grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option; grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
# #
# NO_AUTO_CREATE_USER mode # NO_AUTO_CREATE_USER mode
# #
...@@ -36,7 +68,6 @@ set @@sql_mode='NO_AUTO_CREATE_USER'; ...@@ -36,7 +68,6 @@ set @@sql_mode='NO_AUTO_CREATE_USER';
select @@sql_mode; select @@sql_mode;
--error 1211 --error 1211
grant select on `my\_1`.* to mysqltest_4@localhost with grant option; grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
--error 1044
grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass' grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
with grant option; with grant option;
disconnect user1; disconnect user1;
...@@ -215,9 +246,10 @@ show grants for '%@b'@'b'; ...@@ -215,9 +246,10 @@ show grants for '%@b'@'b';
show grants for '%@a'@'a'; show grants for '%@a'@'a';
drop user '%@a'@'a'; drop user '%@a'@'a';
# #
# USAGE WITH GRANT OPTION is sufficient. # CREATE USER privilege is enough
#
create user mysqltest_2@localhost; create user mysqltest_2@localhost;
grant usage on *.* to mysqltest_2@localhost with grant option; grant create user on *.* to mysqltest_2@localhost;
connect (user2,localhost,mysqltest_2,,); connect (user2,localhost,mysqltest_2,,);
connection user2; connection user2;
--error 1142 --error 1142
...@@ -229,22 +261,20 @@ disconnect user2; ...@@ -229,22 +261,20 @@ disconnect user2;
connection default; connection default;
drop user mysqltest_2@localhost; drop user mysqltest_2@localhost;
# #
# ALL PRIVILEGES without GRANT OPTION is not sufficient. # INSERT/UPDATE/DELETE is ok too
create user mysqltest_3@localhost; create user mysqltest_3@localhost;
grant all privileges on mysql.* to mysqltest_3@localhost; grant INSERT,DELETE,UPDATE on mysql.* to mysqltest_3@localhost;
connect (user3,localhost,mysqltest_3,,); connect (user3,localhost,mysqltest_3,,);
connection user3; connection user3;
show grants;
--error 1142
select host,user,password from mysql.user where user like 'mysqltest_%' order by host,user,password; select host,user,password from mysql.user where user like 'mysqltest_%' order by host,user,password;
insert into mysql.user set host='%', user='mysqltest_B'; insert into mysql.user set host='%', user='mysqltest_B';
--error 1044
create user mysqltest_A@'%'; create user mysqltest_A@'%';
--error 1044
rename user mysqltest_B@'%' to mysqltest_C@'%'; rename user mysqltest_B@'%' to mysqltest_C@'%';
--error 1044 drop user mysqltest_C@'%';
drop user mysqltest_B@'%';
disconnect user3; disconnect user3;
connection default; connection default;
drop user mysqltest_B@'%';
drop user mysqltest_3@localhost; drop user mysqltest_3@localhost;
# #
# Bug #3309: Test IP addresses with netmask # Bug #3309: Test IP addresses with netmask
......
...@@ -146,6 +146,7 @@ then ...@@ -146,6 +146,7 @@ then
c_u="$c_u Show_view_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL," c_u="$c_u Show_view_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL,"
c_u="$c_u Create_routine_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL," c_u="$c_u Create_routine_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL,"
c_u="$c_u Alter_routine_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL," c_u="$c_u Alter_routine_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL,"
c_u="$c_u Create_user_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL,"
c_u="$c_u ssl_type enum('','ANY','X509', 'SPECIFIED') COLLATE utf8_general_ci DEFAULT '' NOT NULL," c_u="$c_u ssl_type enum('','ANY','X509', 'SPECIFIED') COLLATE utf8_general_ci DEFAULT '' NOT NULL,"
c_u="$c_u ssl_cipher BLOB NOT NULL," c_u="$c_u ssl_cipher BLOB NOT NULL,"
c_u="$c_u x509_issuer BLOB NOT NULL," c_u="$c_u x509_issuer BLOB NOT NULL,"
...@@ -161,22 +162,22 @@ then ...@@ -161,22 +162,22 @@ then
if test "$1" = "test" if test "$1" = "test"
then then
i_u="INSERT INTO user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0); i_u="INSERT INTO user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0);
INSERT INTO user VALUES ('$hostname','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0); INSERT INTO user VALUES ('$hostname','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0);
REPLACE INTO user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0); REPLACE INTO user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0);
INSERT INTO user (host,user) values ('localhost',''); INSERT INTO user (host,user) values ('localhost','');
INSERT INTO user (host,user) values ('$hostname','');" INSERT INTO user (host,user) values ('$hostname','');"
else else
i_u="INSERT INTO user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0);" i_u="INSERT INTO user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0);"
if test "$windows" = "0" if test "$windows" = "0"
then then
i_u="$i_u i_u="$i_u
INSERT INTO user VALUES ('$hostname','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0); INSERT INTO user VALUES ('$hostname','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0);
INSERT INTO user (host,user) values ('$hostname',''); INSERT INTO user (host,user) values ('$hostname','');
INSERT INTO user (host,user) values ('localhost','');" INSERT INTO user (host,user) values ('localhost','');"
else else
i_u="$i_u i_u="$i_u
INSERT INTO user VALUES ('localhost','','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);" INSERT INTO user VALUES ('localhost','','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0);"
fi fi
fi fi
fi fi
......
...@@ -290,6 +290,18 @@ UPDATE db SET Create_routine_priv=Create_priv, Alter_routine_priv=Alter_priv, Ex ...@@ -290,6 +290,18 @@ UPDATE db SET Create_routine_priv=Create_priv, Alter_routine_priv=Alter_priv, Ex
# #
ALTER TABLE user ADD max_user_connections int(11) unsigned DEFAULT '0' NOT NULL AFTER max_connections; ALTER TABLE user ADD max_user_connections int(11) unsigned DEFAULT '0' NOT NULL AFTER max_connections;
#
# user.Create_user_priv
#
SET @hadCreateUserPriv:=0;
SELECT @hadCreateUserPriv:=1 FROM user WHERE Create_user_priv LIKE '%';
ALTER TABLE user ADD Create_user_priv enum('N','Y') COLLATE utf8_general_ci DEFAULT 'N' NOT NULL AFTER Alter_routine_priv;
UPDATE user LEFT JOIN db USING (Host,User) SET Create_user_priv='Y'
WHERE @hadCreateUserPriv = 0 AND
(user.Grant_priv = 'Y' OR db.Grant_priv = 'Y');
# #
# Create some possible missing tables # Create some possible missing tables
# #
......
...@@ -323,6 +323,12 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables) ...@@ -323,6 +323,12 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
if (table->s->fields <= 33 && (user.access & ALTER_ACL)) if (table->s->fields <= 33 && (user.access & ALTER_ACL))
user.access|= ALTER_PROC_ACL; user.access|= ALTER_PROC_ACL;
/*
pre 5.0.3 did not have CREATE_USER_ACL
*/
if (table->s->fields <= 36 && (user.access & GRANT_ACL))
user.access|= CREATE_USER_ACL;
user.sort= get_sort(2,user.host.hostname,user.user); user.sort= get_sort(2,user.host.hostname,user.user);
user.hostname_length= (user.host.hostname ? user.hostname_length= (user.host.hostname ?
(uint) strlen(user.host.hostname) : 0); (uint) strlen(user.host.hostname) : 0);
...@@ -1541,18 +1547,26 @@ static bool update_user_table(THD *thd, const char *host, const char *user, ...@@ -1541,18 +1547,26 @@ static bool update_user_table(THD *thd, const char *host, const char *user,
} }
/* Return 1 if we are allowed to create new users */ /*
Return 1 if we are allowed to create new users
the logic here is: INSERT_ACL is sufficient.
It's also a requirement in opt_safe_user_create,
otherwise CREATE_USER_ACL is enough.
*/
static bool test_if_create_new_users(THD *thd) static bool test_if_create_new_users(THD *thd)
{ {
bool create_new_users=1; // Assume that we are allowed to create new users bool create_new_users= test(thd->master_access & INSERT_ACL) ||
if (opt_safe_user_create && !(thd->master_access & INSERT_ACL)) (!opt_safe_user_create &&
test(thd->master_access & CREATE_USER_ACL));
if (!create_new_users)
{ {
TABLE_LIST tl; TABLE_LIST tl;
ulong db_access; ulong db_access;
bzero((char*) &tl,sizeof(tl)); bzero((char*) &tl,sizeof(tl));
tl.db= (char*) "mysql"; tl.db= (char*) "mysql";
tl.table_name= (char*) "user"; tl.table_name= (char*) "user";
create_new_users= 1;
db_access=acl_get(thd->host, thd->ip, db_access=acl_get(thd->host, thd->ip,
thd->priv_user, tl.db, 0); thd->priv_user, tl.db, 0);
...@@ -1615,7 +1629,7 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo, ...@@ -1615,7 +1629,7 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo,
} }
/* /*
There are four options which affect the process of creation of There are four options which affect the process of creation of
a new user(mysqld option --safe-create-user, 'insert' privilege a new user (mysqld option --safe-create-user, 'insert' privilege
on 'mysql.user' table, using 'GRANT' with 'IDENTIFIED BY' and on 'mysql.user' table, using 'GRANT' with 'IDENTIFIED BY' and
SQL_MODE flag NO_AUTO_CREATE_USER). Below is the simplified rule SQL_MODE flag NO_AUTO_CREATE_USER). Below is the simplified rule
how it should work. how it should work.
...@@ -1623,6 +1637,8 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo, ...@@ -1623,6 +1637,8 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo,
else if (identified_by) => create else if (identified_by) => create
else if (no_auto_create_user) => reject else if (no_auto_create_user) => reject
else create else create
see also test_if_create_new_users()
*/ */
else if (((thd->variables.sql_mode & MODE_NO_AUTO_CREATE_USER) && else if (((thd->variables.sql_mode & MODE_NO_AUTO_CREATE_USER) &&
!password_len) || !create_user) !password_len) || !create_user)
...@@ -3688,11 +3704,13 @@ static const char *command_array[]= ...@@ -3688,11 +3704,13 @@ static const char *command_array[]=
"ALTER", "SHOW DATABASES", "SUPER", "CREATE TEMPORARY TABLES", "ALTER", "SHOW DATABASES", "SUPER", "CREATE TEMPORARY TABLES",
"LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "REPLICATION CLIENT", "LOCK TABLES", "EXECUTE", "REPLICATION SLAVE", "REPLICATION CLIENT",
"CREATE VIEW", "SHOW VIEW", "CREATE ROUTINE", "ALTER ROUTINE", "CREATE VIEW", "SHOW VIEW", "CREATE ROUTINE", "ALTER ROUTINE",
"CREATE USER"
}; };
static uint command_lengths[]= static uint command_lengths[]=
{ {
6, 6, 6, 6, 6, 4, 6, 8, 7, 4, 5, 10, 5, 5, 14, 5, 23, 11, 7, 17, 18, 11, 9, 14, 13 6, 6, 6, 6, 6, 4, 6, 8, 7, 4, 5, 10, 5, 5, 14, 5, 23, 11, 7, 17, 18, 11, 9,
14, 13, 11
}; };
......
...@@ -39,12 +39,17 @@ ...@@ -39,12 +39,17 @@
#define SHOW_VIEW_ACL (1L << 22) #define SHOW_VIEW_ACL (1L << 22)
#define CREATE_PROC_ACL (1L << 23) #define CREATE_PROC_ACL (1L << 23)
#define ALTER_PROC_ACL (1L << 24) #define ALTER_PROC_ACL (1L << 24)
#define CREATE_USER_ACL (1L << 25)
/* /*
don't forget to update don't forget to update
static struct show_privileges_st sys_privileges[] 1. static struct show_privileges_st sys_privileges[]
in sql_show.cc when adding new privileges! 2. static const char *command_array[] and static uint command_lengths[]
3. mysql_create_system_tables.sh, mysql_fix_privilege_tables.sql
4. acl_init() or whatever - to define behaviour for old privilege tables
5. sql_yacc.yy - for GRANT/REVOKE to work
*/ */
#define EXTRA_ACL (1L << 29)
#define NO_ACCESS (1L << 30)
#define DB_ACLS \ #define DB_ACLS \
(UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \ (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
...@@ -72,10 +77,7 @@ ...@@ -72,10 +77,7 @@
REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \ REFERENCES_ACL | INDEX_ACL | ALTER_ACL | SHOW_DB_ACL | SUPER_ACL | \
CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \ CREATE_TMP_ACL | LOCK_TABLES_ACL | REPL_SLAVE_ACL | REPL_CLIENT_ACL | \
EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \ EXECUTE_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | CREATE_PROC_ACL | \
ALTER_PROC_ACL ) ALTER_PROC_ACL | CREATE_USER_ACL)
#define EXTRA_ACL (1L << 29)
#define NO_ACCESS (1L << 30)
#define DEFAULT_CREATE_PROC_ACLS \ #define DEFAULT_CREATE_PROC_ACLS \
(ALTER_PROC_ACL | EXECUTE_ACL) (ALTER_PROC_ACL | EXECUTE_ACL)
...@@ -85,25 +87,21 @@ ...@@ -85,25 +87,21 @@
This is needed as the 'host' and 'db' table is missing a few privileges This is needed as the 'host' and 'db' table is missing a few privileges
*/ */
/* Continius bit-segments that needs to be shifted */
#define DB_REL1 ((1L << 6) | (1L << 7) | (1L << 8) | (1L << 9))
#define DB_REL2 ((1L << 10) | (1L << 11))
#define DB_REL3 ((1L << 12) | (1L << 13) | (1L << 14) | (1L << 15))
#define DB_REL4 ((1L << 16))
/* Privileges that needs to be reallocated (in continous chunks) */ /* Privileges that needs to be reallocated (in continous chunks) */
#define DB_CHUNK0 (SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | \
CREATE_ACL | DROP_ACL)
#define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL) #define DB_CHUNK1 (GRANT_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL)
#define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL) #define DB_CHUNK2 (CREATE_TMP_ACL | LOCK_TABLES_ACL)
#define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \ #define DB_CHUNK3 (CREATE_VIEW_ACL | SHOW_VIEW_ACL | \
CREATE_PROC_ACL | ALTER_PROC_ACL ) CREATE_PROC_ACL | ALTER_PROC_ACL )
#define DB_CHUNK4 (EXECUTE_ACL) #define DB_CHUNK4 (EXECUTE_ACL)
#define fix_rights_for_db(A) (((A) & 63) | \ #define fix_rights_for_db(A) (((A) & DB_CHUNK0) | \
(((A) & DB_REL1) << 4) | \ (((A) << 4) & DB_CHUNK1) | \
(((A) & DB_REL2) << 6) | \ (((A) << 6) & DB_CHUNK2) | \
(((A) & DB_REL3) << 9) | \ (((A) << 9) & DB_CHUNK3) | \
(((A) & DB_REL4) << 2)) (((A) << 2) & DB_CHUNK4))
#define get_rights_for_db(A) (((A) & 63) | \ #define get_rights_for_db(A) (((A) & DB_CHUNK0) | \
(((A) & DB_CHUNK1) >> 4) | \ (((A) & DB_CHUNK1) >> 4) | \
(((A) & DB_CHUNK2) >> 6) | \ (((A) & DB_CHUNK2) >> 6) | \
(((A) & DB_CHUNK3) >> 9) | \ (((A) & DB_CHUNK3) >> 9) | \
...@@ -190,6 +188,7 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list, ...@@ -190,6 +188,7 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
bool mysql_procedure_grant(THD *thd, TABLE_LIST *table, bool mysql_procedure_grant(THD *thd, TABLE_LIST *table,
List <LEX_USER> &user_list, ulong rights, List <LEX_USER> &user_list, ulong rights,
bool revoke, bool no_error); bool revoke, bool no_error);
ACL_USER *check_acl_user(LEX_USER *user_name, uint *acl_acl_userdx);
my_bool grant_init(THD *thd); my_bool grant_init(THD *thd);
void grant_free(void); void grant_free(void);
void grant_reload(THD *thd); void grant_reload(THD *thd);
......
...@@ -3559,7 +3559,8 @@ mysql_execute_command(THD *thd) ...@@ -3559,7 +3559,8 @@ mysql_execute_command(THD *thd)
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
case SQLCOM_CREATE_USER: case SQLCOM_CREATE_USER:
{ {
if (check_access(thd, GRANT_ACL,"mysql",0,1,0)) if (check_access(thd, INSERT_ACL, "mysql", 0, 1, 1) &&
check_global_access(thd,CREATE_USER_ACL))
break; break;
if (!(res= mysql_create_user(thd, lex->users_list))) if (!(res= mysql_create_user(thd, lex->users_list)))
{ {
...@@ -3574,7 +3575,8 @@ mysql_execute_command(THD *thd) ...@@ -3574,7 +3575,8 @@ mysql_execute_command(THD *thd)
} }
case SQLCOM_DROP_USER: case SQLCOM_DROP_USER:
{ {
if (check_access(thd, GRANT_ACL,"mysql",0,1,0)) if (check_access(thd, DELETE_ACL, "mysql", 0, 1, 1) &&
check_global_access(thd,CREATE_USER_ACL))
break; break;
if (!(res= mysql_drop_user(thd, lex->users_list))) if (!(res= mysql_drop_user(thd, lex->users_list)))
{ {
...@@ -3589,7 +3591,8 @@ mysql_execute_command(THD *thd) ...@@ -3589,7 +3591,8 @@ mysql_execute_command(THD *thd)
} }
case SQLCOM_RENAME_USER: case SQLCOM_RENAME_USER:
{ {
if (check_access(thd, GRANT_ACL,"mysql",0,1,0)) if (check_access(thd, UPDATE_ACL, "mysql", 0, 1, 1) &&
check_global_access(thd,CREATE_USER_ACL))
break; break;
if (!(res= mysql_rename_user(thd, lex->users_list))) if (!(res= mysql_rename_user(thd, lex->users_list)))
{ {
...@@ -3604,7 +3607,8 @@ mysql_execute_command(THD *thd) ...@@ -3604,7 +3607,8 @@ mysql_execute_command(THD *thd)
} }
case SQLCOM_REVOKE_ALL: case SQLCOM_REVOKE_ALL:
{ {
if (check_access(thd, GRANT_ACL ,"mysql",0,1,0)) if (check_access(thd, UPDATE_ACL, "mysql", 0, 1, 1) &&
check_global_access(thd,CREATE_USER_ACL))
break; break;
if (!(res = mysql_revoke_all(thd, lex->users_list))) if (!(res = mysql_revoke_all(thd, lex->users_list)))
{ {
...@@ -3629,33 +3633,33 @@ mysql_execute_command(THD *thd) ...@@ -3629,33 +3633,33 @@ mysql_execute_command(THD *thd)
if (thd->user) // If not replication if (thd->user) // If not replication
{ {
LEX_USER *user; LEX_USER *user;
uint counter;
List_iterator <LEX_USER> user_list(lex->users_list); List_iterator <LEX_USER> user_list(lex->users_list);
while ((user=user_list++)) while ((user= user_list++))
{ {
if (user->password.str && if (specialflag & SPECIAL_NO_RESOLVE &&
(strcmp(thd->user, user->user.str) || hostname_requires_resolving(user->host.str))
user->host.str && push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN,
ER_WARN_HOSTNAME_WONT_WORK,
ER(ER_WARN_HOSTNAME_WONT_WORK),
user->host.str);
// Are we trying to change a password of another user
DBUG_ASSERT(user->host.str != 0);
if (strcmp(thd->user, user->user.str) ||
my_strcasecmp(system_charset_info, my_strcasecmp(system_charset_info,
user->host.str, thd->host_or_ip))) user->host.str, thd->host_or_ip))
{
// TODO: use check_change_password()
if (check_acl_user(user, &counter) && user->password.str &&
check_access(thd, UPDATE_ACL,"mysql",0,1,1))
{ {
if (check_access(thd, UPDATE_ACL, "mysql", 0, 1, 0)) my_message(ER_PASSWORD_NOT_ALLOWED,
ER(ER_PASSWORD_NOT_ALLOWED), MYF(0));
goto error; goto error;
break; // We are allowed to do changes
} }
} }
} }
if (specialflag & SPECIAL_NO_RESOLVE)
{
LEX_USER *user;
List_iterator <LEX_USER> user_list(lex->users_list);
while ((user=user_list++))
{
if (hostname_requires_resolving(user->host.str))
push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN,
ER_WARN_HOSTNAME_WONT_WORK,
ER(ER_WARN_HOSTNAME_WONT_WORK),
user->host.str);
}
} }
if (first_table) if (first_table)
{ {
......
...@@ -102,6 +102,7 @@ static struct show_privileges_st sys_privileges[]= ...@@ -102,6 +102,7 @@ static struct show_privileges_st sys_privileges[]=
{"Create routine","Functions,Procedures","To use CREATE FUNCTION/PROCEDURE"}, {"Create routine","Functions,Procedures","To use CREATE FUNCTION/PROCEDURE"},
{"Create temporary tables","Databases","To use CREATE TEMPORARY TABLE"}, {"Create temporary tables","Databases","To use CREATE TEMPORARY TABLE"},
{"Create view", "Tables", "To create new views"}, {"Create view", "Tables", "To create new views"},
{"Create user", "Server Admin", "To create new users"},
{"Delete", "Tables", "To delete existing rows"}, {"Delete", "Tables", "To delete existing rows"},
{"Drop", "Databases,Tables", "To drop databases, tables, and views"}, {"Drop", "Databases,Tables", "To drop databases, tables, and views"},
{"Execute", "Functions,Procedures", "To execute stored routines"}, {"Execute", "Functions,Procedures", "To execute stored routines"},
......
...@@ -7903,6 +7903,7 @@ object_privilege: ...@@ -7903,6 +7903,7 @@ object_privilege:
| SHOW VIEW_SYM { Lex->grant |= SHOW_VIEW_ACL; } | SHOW VIEW_SYM { Lex->grant |= SHOW_VIEW_ACL; }
| CREATE ROUTINE_SYM { Lex->grant |= CREATE_PROC_ACL; } | CREATE ROUTINE_SYM { Lex->grant |= CREATE_PROC_ACL; }
| ALTER ROUTINE_SYM { Lex->grant |= ALTER_PROC_ACL; } | ALTER ROUTINE_SYM { Lex->grant |= ALTER_PROC_ACL; }
| CREATE USER { Lex->grant |= CREATE_USER_ACL; }
; ;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment