diff --git a/mysql-test/r/plugin_auth.result b/mysql-test/r/plugin_auth.result
index 64bc870a7fa..94e600123ae 100644
--- a/mysql-test/r/plugin_auth.result
+++ b/mysql-test/r/plugin_auth.result
@@ -124,17 +124,20 @@ ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
 this should fail : not the same user
 GRANT PROXY ON grant_plug TO grant_plug_dest;
 ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
-this should fail : same user, but on a different host
+This is a valid grant
 GRANT PROXY ON grant_plug_dest TO grant_plug;
-ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
-this should work : same user
-GRANT PROXY ON grant_plug_dest@localhost TO grant_plug_dest2;
-REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug_dest2;
+REVOKE PROXY ON grant_plug_dest FROM grant_plug;
 this should work : same user
+GRANT PROXY ON grant_plug_dest TO grant_plug_dest2;
+REVOKE PROXY ON grant_plug_dest FROM grant_plug_dest2;
+this should fail : not the same user
 GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION;
+ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
+this should fail : not the same user
 REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug;
+ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
 this should fail : can't create users
-GRANT PROXY ON grant_plug_dest@localhost TO grant_plug@localhost;
+GRANT PROXY ON grant_plug_dest TO grant_plug@localhost;
 ERROR 42000: You are not allowed to create a user with GRANT
 in default connection
 # test what root can grant
@@ -152,12 +155,12 @@ GRANT PROXY ON future_user TO grant_plug;
 in default connection
 SHOW GRANTS FOR grant_plug;
 Grants for grant_plug@%
-GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%' WITH GRANT OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%'
 GRANT PROXY ON 'future_user'@'%' TO 'grant_plug'@'%'
 REVOKE PROXY ON future_user FROM grant_plug;
 SHOW GRANTS FOR grant_plug;
 Grants for grant_plug@%
-GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%' WITH GRANT OPTION
+GRANT ALL PRIVILEGES ON *.* TO 'grant_plug'@'%'
 ## testing drop user
 CREATE USER test_drop@localhost;
 GRANT PROXY ON future_user TO test_drop@localhost;
diff --git a/mysql-test/t/plugin_auth.test b/mysql-test/t/plugin_auth.test
index 75d3ef3e807..994b8f26308 100644
--- a/mysql-test/t/plugin_auth.test
+++ b/mysql-test/t/plugin_auth.test
@@ -179,21 +179,35 @@ GRANT PROXY ON ''@'' TO grant_plug;
 --error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
 GRANT PROXY ON grant_plug TO grant_plug_dest;
---echo this should fail : same user, but on a different host
---error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
+# Security context in THD contains two pairs of (user,host)
+# 1. (user,host) pair referring to inbound connection
+# 2. (priv_user,priv_host) pair obtained from mysql.user table after doing
+# authnetication of incoming connection.
+# Granting/revoking proxy privileges, privileges should be checked wrt
+# (priv_user, priv_host) tuple that is obtained from mysql.user table
+# Following is a valid grant because effective user of connection is
+# grant_plug_dest@% and statement is trying to grant proxy on the same
+# user.
+--echo This is a valid grant
 GRANT PROXY ON grant_plug_dest TO grant_plug;
+REVOKE PROXY ON grant_plug_dest FROM grant_plug;
 --echo this should work : same user
-GRANT PROXY ON grant_plug_dest@localhost TO grant_plug_dest2;
-REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug_dest2;
+GRANT PROXY ON grant_plug_dest TO grant_plug_dest2;
+REVOKE PROXY ON grant_plug_dest FROM grant_plug_dest2;
---echo this should work : same user
+# grant_plug_dest@localhost is not the same as grant_plug_dest@%
+# so following grant/revoke should fail
+--echo this should fail : not the same user
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
 GRANT PROXY ON grant_plug_dest@localhost TO grant_plug WITH GRANT OPTION;
+--echo this should fail : not the same user
+--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
 REVOKE PROXY ON grant_plug_dest@localhost FROM grant_plug;
 --echo this should fail : can't create users
 --error ER_CANT_CREATE_USER_WITH_GRANT
-GRANT PROXY ON grant_plug_dest@localhost TO grant_plug@localhost;
+GRANT PROXY ON grant_plug_dest TO grant_plug@localhost;
 connection default;
 --echo in default connection
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 5c4a144247f..d99ca3ceb99 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -7256,14 +7256,25 @@ acl_check_proxy_grant_access(THD *thd, const char *host, const char *user,
 DBUG_RETURN(FALSE);
 }
- /* one can grant proxy to himself to others */
- if (!strcmp(thd->security_ctx->user, user) &&
+ /*
+ one can grant proxy for self to others.
+ Security context in THD contains two pairs of (user,host):
+ 1. (user,host) pair referring to inbound connection.
+ 2. (priv_user,priv_host) pair obtained from mysql.user table after doing
+ authnetication of incoming connection.
+ Privileges should be checked wrt (priv_user, priv_host) tuple, because
+ (user,host) pair obtained from inbound connection may have different
+ values than what is actually stored in mysql.user table and while granting
+ or revoking proxy privilege, user is expected to provide entries mentioned
+ in mysql.user table.
+ */
+ if (!strcmp(thd->security_ctx->priv_user, user) &&
 !my_strcasecmp(system_charset_info, host,
- thd->security_ctx->host))
+ thd->security_ctx->priv_host))
 {
 DBUG_PRINT("info", ("strcmp (%s, %s) my_casestrcmp (%s, %s) equal",
- thd->security_ctx->user, user,
- host, thd->security_ctx->host));
+ thd->security_ctx->priv_user, user,
+ host, thd->security_ctx->priv_host));
 DBUG_RETURN(FALSE);
 }
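Review bot: The self-grant shortcut at `if (!strcmp(thd->security_ctx->priv_user, user) && ...` now trusts the effective account, but the new comment does not say what `priv_user`/`priv_host` hold for a session that authenticated as a proxy. If they carry the proxied account in that case (not visible in this hunk, so please confirm), such a session would pass this check for that account and could grant PROXY on it without holding the proxy grant option. I would state in the comment whether that is intended, or also require the authenticated account to match, and add a plugin_auth.test case that runs these statements from a proxied connection. Smaller points: `authnetication` is misspelled here and in the plugin_auth.test comment, and the `DBUG_PRINT` text says `my_casestrcmp` for a `my_strcasecmp` call. The function body starts above the hunk and continues below it.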