mirror of
https://github.com/MariaDB/server.git
synced 2025-07-29 05:21:33 +03:00
Show grants now correctly prints procedure privileges.
committed by
Sergei Golubchik
parent
d83bbc1ffc
commit
6f9d26f09f
@ -42,6 +42,7 @@ GRANT SELECT ON *.* TO 'test_role2'
|
|||||||
GRANT USAGE ON *.* TO 'test_role1'
|
GRANT USAGE ON *.* TO 'test_role1'
|
||||||
GRANT USAGE ON *.* TO 'test_user'@'localhost'
|
GRANT USAGE ON *.* TO 'test_user'@'localhost'
|
||||||
GRANT test_role1 TO 'test_user'@'localhost'
|
GRANT test_role1 TO 'test_user'@'localhost'
|
||||||
|
GRANT test_role2 TO 'test_role1'
|
||||||
select * from mysql.roles_mapping where HostFk='';
|
select * from mysql.roles_mapping where HostFk='';
|
||||||
HostFk UserFk RoleFk
|
HostFk UserFk RoleFk
|
||||||
test_role1 test_role2
|
test_role1 test_role2
|
||||||
@ -51,6 +52,7 @@ GRANT SELECT ON *.* TO 'test_role2'
|
|||||||
GRANT USAGE ON *.* TO 'test_role1'
|
GRANT USAGE ON *.* TO 'test_role1'
|
||||||
GRANT USAGE ON *.* TO 'test_user'@'localhost'
|
GRANT USAGE ON *.* TO 'test_user'@'localhost'
|
||||||
GRANT test_role1 TO 'test_user'@'localhost'
|
GRANT test_role1 TO 'test_user'@'localhost'
|
||||||
|
GRANT test_role2 TO 'test_role1'
|
||||||
set role none;
|
set role none;
|
||||||
show grants;
|
show grants;
|
||||||
Grants for test_user@localhost
|
Grants for test_user@localhost
|
||||||
@ -81,6 +83,7 @@ GRANT SELECT ON *.* TO 'test_role2'
|
|||||||
GRANT USAGE ON *.* TO 'test_role1'
|
GRANT USAGE ON *.* TO 'test_role1'
|
||||||
GRANT USAGE ON *.* TO 'test_user'@'localhost'
|
GRANT USAGE ON *.* TO 'test_user'@'localhost'
|
||||||
GRANT test_role1 TO 'test_user'@'localhost'
|
GRANT test_role1 TO 'test_user'@'localhost'
|
||||||
|
GRANT test_role2 TO 'test_role1'
|
||||||
select * from mysql.roles_mapping where HostFk='';
|
select * from mysql.roles_mapping where HostFk='';
|
||||||
HostFk UserFk RoleFk
|
HostFk UserFk RoleFk
|
||||||
test_role1 test_role2
|
test_role1 test_role2
|
||||||
@ -90,6 +93,7 @@ GRANT SELECT ON *.* TO 'test_role2'
|
|||||||
GRANT USAGE ON *.* TO 'test_role1'
|
GRANT USAGE ON *.* TO 'test_role1'
|
||||||
GRANT USAGE ON *.* TO 'test_user'@'localhost'
|
GRANT USAGE ON *.* TO 'test_user'@'localhost'
|
||||||
GRANT test_role1 TO 'test_user'@'localhost'
|
GRANT test_role1 TO 'test_user'@'localhost'
|
||||||
|
GRANT test_role2 TO 'test_role1'
|
||||||
set role none;
|
set role none;
|
||||||
show grants;
|
show grants;
|
||||||
Grants for test_user@localhost
|
Grants for test_user@localhost
|
||||||
|
@ -4106,7 +4106,7 @@ GRANT_TABLE::GRANT_TABLE(TABLE *form, TABLE *col_privs)
|
|||||||
fix_rights_for_column(priv))))
|
fix_rights_for_column(priv))))
|
||||||
{
|
{
|
||||||
/* Don't use this entry */
|
/* Don't use this entry */
|
||||||
privs= cols= 0; /* purecov: deadcode */
|
privs= cols= init_privs= init_cols=0; /* purecov: deadcode */
|
||||||
return; /* purecov: deadcode */
|
return; /* purecov: deadcode */
|
||||||
}
|
}
|
||||||
if (my_hash_insert(&hash_columns, (uchar *) mem_check))
|
if (my_hash_insert(&hash_columns, (uchar *) mem_check))
|
||||||
@ -5396,6 +5396,7 @@ static my_bool grant_load_procs_priv(TABLE *p_table)
|
|||||||
}
|
}
|
||||||
|
|
||||||
mem_check->privs= fix_rights_for_procedure(mem_check->privs);
|
mem_check->privs= fix_rights_for_procedure(mem_check->privs);
|
||||||
|
mem_check->init_privs= mem_check->privs;
|
||||||
if (! mem_check->ok())
|
if (! mem_check->ok())
|
||||||
delete mem_check;
|
delete mem_check;
|
||||||
else if (my_hash_insert(hash, (uchar*) mem_check))
|
else if (my_hash_insert(hash, (uchar*) mem_check))
|
||||||
@ -5788,7 +5789,7 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
|
|||||||
tl->get_table_name(),
|
tl->get_table_name(),
|
||||||
FALSE);
|
FALSE);
|
||||||
if (sctx->priv_role[0])
|
if (sctx->priv_role[0])
|
||||||
grant_table_role= table_hash_search("", "", tl->get_db_name(),
|
grant_table_role= table_hash_search("", NULL, tl->get_db_name(),
|
||||||
sctx->priv_role,
|
sctx->priv_role,
|
||||||
tl->get_table_name(),
|
tl->get_table_name(),
|
||||||
TRUE);
|
TRUE);
|
||||||
@ -5889,7 +5890,7 @@ bool check_grant_column(THD *thd, GRANT_INFO *grant,
|
|||||||
sctx->priv_user,
|
sctx->priv_user,
|
||||||
table_name, 0); /* purecov: inspected */
|
table_name, 0); /* purecov: inspected */
|
||||||
grant->grant_table_role=
|
grant->grant_table_role=
|
||||||
sctx->priv_role[0] ? table_hash_search("", "", db_name,
|
sctx->priv_role[0] ? table_hash_search("", NULL, db_name,
|
||||||
sctx->priv_role,
|
sctx->priv_role,
|
||||||
table_name, TRUE) : NULL;
|
table_name, TRUE) : NULL;
|
||||||
grant->version= grant_version; /* purecov: inspected */
|
grant->version= grant_version; /* purecov: inspected */
|
||||||
@ -6061,7 +6062,7 @@ bool check_grant_all_columns(THD *thd, ulong want_access_arg,
|
|||||||
sctx->priv_user,
|
sctx->priv_user,
|
||||||
table_name, 0); /* purecov: inspected */
|
table_name, 0); /* purecov: inspected */
|
||||||
grant->grant_table_role=
|
grant->grant_table_role=
|
||||||
sctx->priv_role[0] ? table_hash_search("", "", db_name,
|
sctx->priv_role[0] ? table_hash_search("", NULL, db_name,
|
||||||
sctx->priv_role,
|
sctx->priv_role,
|
||||||
table_name, TRUE) : NULL;
|
table_name, TRUE) : NULL;
|
||||||
grant->version= grant_version; /* purecov: inspected */
|
grant->version= grant_version; /* purecov: inspected */
|
||||||
@ -6140,6 +6141,12 @@ static bool check_grant_db_routine(THD *thd, const char *db, HASH *hash)
|
|||||||
{
|
{
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
if (sctx->priv_role[0] && strcmp(item->user, sctx->priv_role) == 0 &&
|
||||||
|
strcmp(item->db, db) == 0 &&
|
||||||
|
(!item->host.hostname || !item->host.hostname[0]))
|
||||||
|
{
|
||||||
|
return FALSE; /* Found current role match */
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
@ -6152,11 +6159,12 @@ static bool check_grant_db_routine(THD *thd, const char *db, HASH *hash)
|
|||||||
Return 1 if access is denied
|
Return 1 if access is denied
|
||||||
*/
|
*/
|
||||||
|
|
||||||
bool check_grant_db(THD *thd,const char *db)
|
bool check_grant_db(THD *thd, const char *db)
|
||||||
{
|
{
|
||||||
Security_context *sctx= thd->security_ctx;
|
Security_context *sctx= thd->security_ctx;
|
||||||
char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2], *end;
|
char helping [SAFE_NAME_LEN + USERNAME_LENGTH+2], *end;
|
||||||
uint len;
|
char helping2 [SAFE_NAME_LEN + USERNAME_LENGTH+2];
|
||||||
|
uint len, len2;
|
||||||
bool error= TRUE;
|
bool error= TRUE;
|
||||||
|
|
||||||
end= strmov(helping, sctx->priv_user) + 1;
|
end= strmov(helping, sctx->priv_user) + 1;
|
||||||
@ -6167,6 +6175,18 @@ bool check_grant_db(THD *thd,const char *db)
|
|||||||
|
|
||||||
len= (uint) (end - helping) + 1;
|
len= (uint) (end - helping) + 1;
|
||||||
|
|
||||||
|
/*
|
||||||
|
If a role is set, we need to check for privileges
|
||||||
|
here aswell
|
||||||
|
*/
|
||||||
|
if (sctx->priv_role[0])
|
||||||
|
{
|
||||||
|
end= strmov(helping2, sctx->priv_role) + 1;
|
||||||
|
end= strnmov(end, db, helping2 + sizeof(helping2) - end);
|
||||||
|
len2= (uint) (end - helping2) + 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
mysql_rwlock_rdlock(&LOCK_grant);
|
mysql_rwlock_rdlock(&LOCK_grant);
|
||||||
|
|
||||||
for (uint idx=0 ; idx < column_priv_hash.records ; idx++)
|
for (uint idx=0 ; idx < column_priv_hash.records ; idx++)
|
||||||
@ -6181,6 +6201,14 @@ bool check_grant_db(THD *thd,const char *db)
|
|||||||
error= FALSE; /* Found match. */
|
error= FALSE; /* Found match. */
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
if (sctx->priv_role[0] &&
|
||||||
|
len2 < grant_table->key_length &&
|
||||||
|
!memcmp(grant_table->hash_key,helping,len) &&
|
||||||
|
(!grant_table->host.hostname || !grant_table->host.hostname[0]))
|
||||||
|
{
|
||||||
|
error= FALSE; /* Found role match */
|
||||||
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (error)
|
if (error)
|
||||||
@ -6217,6 +6245,7 @@ bool check_grant_routine(THD *thd, ulong want_access,
|
|||||||
Security_context *sctx= thd->security_ctx;
|
Security_context *sctx= thd->security_ctx;
|
||||||
char *user= sctx->priv_user;
|
char *user= sctx->priv_user;
|
||||||
char *host= sctx->priv_host;
|
char *host= sctx->priv_host;
|
||||||
|
char *role= sctx->priv_role;
|
||||||
DBUG_ENTER("check_grant_routine");
|
DBUG_ENTER("check_grant_routine");
|
||||||
|
|
||||||
want_access&= ~sctx->master_access;
|
want_access&= ~sctx->master_access;
|
||||||
@ -6230,6 +6259,12 @@ bool check_grant_routine(THD *thd, ulong want_access,
|
|||||||
if ((grant_proc= routine_hash_search(host, sctx->ip, table->db, user,
|
if ((grant_proc= routine_hash_search(host, sctx->ip, table->db, user,
|
||||||
table->table_name, is_proc, 0)))
|
table->table_name, is_proc, 0)))
|
||||||
table->grant.privilege|= grant_proc->privs;
|
table->grant.privilege|= grant_proc->privs;
|
||||||
|
if (role[0]) /* current role set check */
|
||||||
|
{
|
||||||
|
if ((grant_proc= routine_hash_search("", NULL, table->db, role,
|
||||||
|
table->table_name, is_proc, 0)))
|
||||||
|
table->grant.privilege|= grant_proc->privs;
|
||||||
|
}
|
||||||
|
|
||||||
if (want_access & ~table->grant.privilege)
|
if (want_access & ~table->grant.privilege)
|
||||||
{
|
{
|
||||||
@ -6287,6 +6322,15 @@ bool check_routine_level_acl(THD *thd, const char *db, const char *name,
|
|||||||
sctx->priv_user,
|
sctx->priv_user,
|
||||||
name, is_proc, 0)))
|
name, is_proc, 0)))
|
||||||
no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS);
|
no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS);
|
||||||
|
|
||||||
|
if (sctx->priv_role[0]) /* current set role check */
|
||||||
|
{
|
||||||
|
if ((grant_proc= routine_hash_search("",
|
||||||
|
NULL, db,
|
||||||
|
sctx->priv_role,
|
||||||
|
name, is_proc, 0)))
|
||||||
|
no_routine_acl= !(grant_proc->privs & SHOW_PROC_ACLS);
|
||||||
|
}
|
||||||
mysql_rwlock_unlock(&LOCK_grant);
|
mysql_rwlock_unlock(&LOCK_grant);
|
||||||
return no_routine_acl;
|
return no_routine_acl;
|
||||||
}
|
}
|
||||||
|
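Review bot: In `check_grant_db`, the added role branch (hunk at -6181) tests `len2 < grant_table->key_length` but then calls `memcmp(grant_table->hash_key,helping,len)`, so it compares against the user key rather than the role key built in `helping2`/`len2` a few lines earlier. As written, a table-level grant held by the active role would not match here, while an empty-host entry whose name equals `priv_user` would, and the length guard does not cover the `len` bytes actually read; the line should presumably be `!memcmp(grant_table->hash_key, helping2, len2) &&`. Separately, in `check_routine_level_acl` the role lookup assigns `no_routine_acl` unconditionally, so a role entry without `SHOW_PROC_ACLS` appears to override a direct user grant found just above; guarding it as `if (no_routine_acl && sctx->priv_role[0])` would keep the two checks additive. Both functions start and end outside the visible hunks, so this should be confirmed against the full bodies.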