database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

SET ROLE now works recursively for routines.

Browse Source 
The warnings present in the set_role_routine-simple testcase will
be removed when reworking the grant privilege to call.
This commit is contained in:
Vicențiu Ciorbaru
2013-10-18 06:49:38 -07:00
committed by Sergei Golubchik
parent bbc2771d24
commit 95ef78e432
3 changed files with 242 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
mysql-test/r/acl_roles_set_role-routine-simple.result Normal file
View File

@ -0,0 +1,100 @@
create user 'test_user'@'localhost';
create role test_role1;
create role test_role2;
create role test_role3;
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user',
'test_role1');
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user',
'test_role3');
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('',
'test_role1',
'test_role2');
select user, host from mysql.user where user not like 'root';
user host
test_role1
test_role2
test_role3
test_user localhost
select * from mysql.roles_mapping;
HostFk UserFk RoleFk
test_role1 test_role2
localhost test_user test_role1
localhost test_user test_role3
create function mysql.test_func (s CHAR(20))
returns CHAR(50) DETERMINISTIC
return concat('Test string: ',s);
create procedure mysql.test_proc (OUT param1 INT)
begin
select COUNT(*) into param1 from mysql.roles_mapping;
end|
grant execute on function mysql.test_func to test_role2@'';
grant execute on procedure mysql.test_proc to test_role2@'';
grant execute on mysql.* to test_role3@'';
flush privileges;
show grants;
Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
GRANT test_role3 TO 'test_user'@'localhost'
use mysql;
ERROR 42000: Access denied for user 'test_user'@'localhost' to database 'mysql'
set role test_role1;
use mysql;
call test_proc(@a);
SELECT @a;
@a
3
SELECT test_func('AABBCCDD');
test_func('AABBCCDD')
Test string: AABBCCDD
show grants;
Grants for test_user@localhost
GRANT EXECUTE ON FUNCTION `mysql`.`test_func` TO 'test_role2'
GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO 'test_role2'
GRANT USAGE ON *.* TO 'test_role1'
GRANT USAGE ON *.* TO 'test_role2'
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
GRANT test_role2 TO 'test_role1'
GRANT test_role3 TO 'test_user'@'localhost'
set role none;
show grants;
Grants for test_user@localhost
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
GRANT test_role3 TO 'test_user'@'localhost'
call test_proc(@a);
ERROR 42000: execute command denied to user 'test_user'@'localhost' for routine 'mysql.test_proc'
SELECT test_func('AABBCCDD');
ERROR 42000: execute command denied to user 'test_user'@'localhost' for routine 'mysql.test_func'
set role test_role3;
show grants;
Grants for test_user@localhost
GRANT EXECUTE ON `mysql`.* TO 'test_role3'
GRANT USAGE ON *.* TO 'test_role3'
GRANT USAGE ON *.* TO 'test_user'@'localhost'
GRANT test_role1 TO 'test_user'@'localhost'
GRANT test_role3 TO 'test_user'@'localhost'
call test_proc(@a);
SELECT @a;
@a
3
SELECT test_func('AABBCCDD');
test_func('AABBCCDD')
Test string: AABBCCDD
drop user 'test_user'@'localhost';
revoke execute on function mysql.test_func from test_role2@'';
revoke execute on procedure mysql.test_proc from test_role2@'';
revoke execute on mysql.* from test_role3@'';
delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where RoleFk like 'test%';
drop function mysql.test_func;
Warnings:
Warning 1403 There is no such grant defined for user 'test_role1' on host '' on routine 'test_func'
drop procedure mysql.test_proc;
Warnings:
Warning 1403 There is no such grant defined for user 'test_role1' on host '' on routine 'test_proc'
Warning 1403 There is no such grant defined for user 'test_role1' on host '' on routine 'test_proc'
flush privileges;

84
mysql-test/t/acl_roles_set_role-routine-simple.test Normal file
View File

@ -0,0 +1,84 @@
create user 'test_user'@'localhost';
create role test_role1;
create role test_role2;
create role test_role3;
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user',
'test_role1');
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
'test_user',
'test_role3');
insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('',
'test_role1',
'test_role2');
--sorted_result
select user, host from mysql.user where user not like 'root';
--sorted_result
select * from mysql.roles_mapping;
create function mysql.test_func (s CHAR(20))
returns CHAR(50) DETERMINISTIC
return concat('Test string: ',s);
delimiter |;
create procedure mysql.test_proc (OUT param1 INT)
begin
select COUNT(*) into param1 from mysql.roles_mapping;
end|
delimiter ;|
grant execute on function mysql.test_func to test_role2@'';
grant execute on procedure mysql.test_proc to test_role2@'';
grant execute on mysql.* to test_role3@'';
flush privileges;
change_user 'test_user';
--sorted_result
show grants;
--error ER_DBACCESS_DENIED_ERROR
use mysql;
set role test_role1;
use mysql;
call test_proc(@a);
SELECT @a;
SELECT test_func('AABBCCDD');
--sorted_result
show grants;
set role none;
--sorted_result
show grants;
--error ER_PROCACCESS_DENIED_ERROR
call test_proc(@a);
--error ER_PROCACCESS_DENIED_ERROR
SELECT test_func('AABBCCDD');
set role test_role3;
--sorted_result
show grants;
call test_proc(@a);
SELECT @a;
SELECT test_func('AABBCCDD');
change_user 'root';
drop user 'test_user'@'localhost';
revoke execute on function mysql.test_func from test_role2@'';
revoke execute on procedure mysql.test_proc from test_role2@'';
revoke execute on mysql.* from test_role3@'';
delete from mysql.user where user like'test_%';
delete from mysql.roles_mapping where RoleFk like 'test%';
drop function mysql.test_func;
drop procedure mysql.test_proc;
flush privileges;

60
sql/sql_acl.cc
View File

@ -3895,6 +3895,8 @@ public:
GRANT_NAME(const char *h, const char *d,const char *u, GRANT_NAME(const char *h, const char *d,const char *u,
const char *t, ulong p, bool is_routine); const char *t, ulong p, bool is_routine);
GRANT_NAME (TABLE *form, bool is_routine); GRANT_NAME (TABLE *form, bool is_routine);
/* copy from an inherited GRANT_NAME */
GRANT_NAME(GRANT_NAME *source, char *u, bool is_routine);
virtual ~GRANT_NAME() {}; virtual ~GRANT_NAME() {};
virtual bool ok() { return privs != 0; } virtual bool ok() { return privs != 0; }
void set_user_details(const char *h, const char *d, void set_user_details(const char *h, const char *d,
@ -3951,6 +3953,12 @@ GRANT_NAME::GRANT_NAME(const char *h, const char *d,const char *u,
set_user_details(h, d, u, t, is_routine); set_user_details(h, d, u, t, is_routine);
} }
GRANT_NAME::GRANT_NAME(GRANT_NAME *source, char *u, bool is_routine)
:db(0), tname(0), privs(source->privs), init_privs(0)
{
set_user_details("", source->db, u, source->tname, is_routine);
}
GRANT_TABLE::GRANT_TABLE(const char *h, const char *d,const char *u, GRANT_TABLE::GRANT_TABLE(const char *h, const char *d,const char *u,
const char *t, ulong p, ulong c) const char *t, ulong p, ulong c)
:GRANT_NAME(h,d,u,t,p, FALSE), cols(c) :GRANT_NAME(h,d,u,t,p, FALSE), cols(c)
@ -7414,6 +7422,7 @@ void merge_role_grant_privileges(ACL_ROLE *target, ACL_ROLE *source)
/* elements of the arrays */ /* elements of the arrays */
ACL_DB *target_db, *source_db; ACL_DB *target_db, *source_db;
GRANT_TABLE *target_table, *source_table; GRANT_TABLE *target_table, *source_table;
GRANT_NAME *target_name, *source_name;
MEM_ROOT *memex_ptr = &memex; MEM_ROOT *memex_ptr = &memex;
(void) my_init_dynamic_array(&target_objs,sizeof(void *), 50, 100, MYF(0)); (void) my_init_dynamic_array(&target_objs,sizeof(void *), 50, 100, MYF(0));
@ -7488,7 +7497,7 @@ void merge_role_grant_privileges(ACL_ROLE *target, ACL_ROLE *source)
void **); void **);
if (!strcmp(source_table->db, grant_table->db) && if (!strcmp(source_table->db, grant_table->db) &&
!strcmp(source_table->tname, grant_table->tname)) !strcmp(source_table->tname, grant_table->tname))
target_table= grant_table;; target_table= grant_table;
} }
if (target_table) if (target_table)
@ -7506,8 +7515,55 @@ void merge_role_grant_privileges(ACL_ROLE *target, ACL_ROLE *source)
} }
reset_dynamic(&source_objs);
reset_dynamic(&target_objs);
/* Merge function and procedure privileges */ /* Merge function and procedure privileges */
/* TODO */ for (uint is_proc= 0; is_proc < 2; is_proc++) {
HASH *hash;
if (is_proc)
hash= &proc_priv_hash;
else
hash= &func_priv_hash;
for (uint i=0 ; i < hash->records ; i++)
{
GRANT_NAME *grant_name= (GRANT_NAME *) my_hash_element(hash, i);
if (grant_name->user && (!grant_name->host.hostname ||
!grant_name->host.hostname[0]))
{
if (!strcmp(target->user.str, grant_name->user))
push_dynamic(&target_objs, (uchar*)&grant_name);
if (!strcmp(source->user.str, grant_name->user))
push_dynamic(&source_objs, (uchar*)&grant_name);
}
}
for (uint i=0 ; i < source_objs.elements; i++)
{
source_name= (GRANT_NAME *)*dynamic_element(&source_objs, i, void **);
target_name= NULL;
for (uint j=0; j < target_objs.elements; j++)
{
GRANT_NAME *grant_name= (GRANT_NAME *)*dynamic_element(&target_objs, i,
void **);
if (!strcmp(source_name->db, grant_name->db) &&
!strcmp(source_name->tname, grant_name->tname))
target_name= grant_name;
}
if (target_name)
{
target_name->privs|= source_name->privs;
}
else
{
target_name= new (memex_ptr) GRANT_NAME(source_name, target->user.str,
is_proc);
my_hash_insert(hash, (uchar *) target_name);
}
}
}
/* cleanup */ /* cleanup */
delete_dynamic(&source_objs); delete_dynamic(&source_objs);