database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

enforce privileges for GRANT role

Browse Source
This commit is contained in:
Sergei Golubchik
2013-10-18 12:34:59 -07:00
parent 2f2699f97b
commit b221ec6529
3 changed files with 116 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
mysql-test/r/acl_roles_admin.result
View File

@ -19,7 +19,7 @@ ERROR 42000: You have an error in your SQL syntax; check the manual that corresp
grant role1 to foo@localhost with admin option;
grant role2 to foo@localhost;
grant role2 to role1;
grant role3 to role4 with admin option;
grant role4 to role3 with admin option;
grant select on *.* to foo@localhost with admin option;
ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin option' at line 1
show grants for foo@localhost;
@ -33,18 +33,18 @@ Grants for role1
GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role2 TO 'role1'
GRANT role3 TO 'role1' WITH ADMIN OPTION
GRANT role4 TO 'role3' WITH ADMIN OPTION
show grants for role4;
Grants for role4
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role3 TO 'role4' WITH ADMIN OPTION
select * from mysql.roles_mapping;
Host User Role Admin_option
role1 role2 N
role1 role3 Y
role4 role3 Y
role3 role4 Y
bar foo role6 Y
localhost foo role1 Y
localhost foo role2 N
@ -64,25 +64,26 @@ Grants for role1
GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role2 TO 'role1'
GRANT role3 TO 'role1' WITH ADMIN OPTION
GRANT role4 TO 'role3' WITH ADMIN OPTION
show grants for role4;
Grants for role4
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role3 TO 'role4' WITH ADMIN OPTION
select * from information_schema.applicable_roles;
GRANTEE ROLE_NAME IS_GRANTABLE
role1 role2 NO
role1 role3 YES
role4 role3 YES
role3 role4 YES
root@localhost role1 YES
root@localhost role2 YES
root@localhost role4 YES
grant role2 to role1 with admin option;
revoke role1 from foo@localhost;
revoke admin option for role3 from role4;
revoke admin option for role4 from role3;
revoke admin option for role2 from foo@localhost;
revoke admin option for role1 from root@localhost;
show grants for foo@localhost;
Grants for foo@localhost
GRANT CREATE USER ON *.* TO 'foo'@'localhost'
@ -93,22 +94,22 @@ Grants for role1
GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role2 TO 'role1' WITH ADMIN OPTION
GRANT role3 TO 'role1' WITH ADMIN OPTION
GRANT role4 TO 'role3'
show grants for role4;
Grants for role4
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role3 TO 'role4'
select * from mysql.roles_mapping;
Host User Role Admin_option
role1 role2 Y
role1 role3 Y
role4 role3 N
role3 role4 N
bar foo role6 Y
localhost foo role2 N
localhost foo role5 Y
localhost root role1 Y
localhost root role1 N
localhost root role2 Y
localhost root role4 Y
flush privileges;
@ -122,20 +123,30 @@ Grants for role1
GRANT USAGE ON *.* TO 'role1'
GRANT USAGE ON *.* TO 'role2'
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role2 TO 'role1' WITH ADMIN OPTION
GRANT role3 TO 'role1' WITH ADMIN OPTION
GRANT role4 TO 'role3'
show grants for role4;
Grants for role4
GRANT USAGE ON *.* TO 'role3'
GRANT USAGE ON *.* TO 'role4'
GRANT role3 TO 'role4'
select * from information_schema.applicable_roles;
GRANTEE ROLE_NAME IS_GRANTABLE
role1 role2 YES
role1 role3 YES
role4 role3 NO
root@localhost role1 YES
role3 role4 NO
root@localhost role1 NO
root@localhost role2 YES
root@localhost role4 YES
grant role1 to role4;
ERROR 28000: Access denied for user 'root'@'localhost'
grant role1 to role4 with admin option;
ERROR 28000: Access denied for user 'root'@'localhost'
grant role3 to role2;
revoke role3 from role2;
grant role4 to role2 with admin option;
revoke role2 from current_user;
revoke role4 from current_user;
grant role4 to current_user;
drop role role1, role2, role3, role4, role5, role6;
drop user foo@localhost;

21
mysql-test/t/acl_roles_admin.test
View File

@ -30,7 +30,7 @@ create user bar with admin current_user;
grant role1 to foo@localhost with admin option;
grant role2 to foo@localhost;
grant role2 to role1;
grant role3 to role4 with admin option;
grant role4 to role3 with admin option;
--error ER_PARSE_ERROR
grant select on *.* to foo@localhost with admin option;
@ -54,8 +54,9 @@ select * from information_schema.applicable_roles;
grant role2 to role1 with admin option;
revoke role1 from foo@localhost;
revoke admin option for role3 from role4;
revoke admin option for role4 from role3;
revoke admin option for role2 from foo@localhost;
revoke admin option for role1 from root@localhost;
--sorted_result
show grants for foo@localhost;
@ -75,6 +76,22 @@ show grants for role4;
--sorted_result
select * from information_schema.applicable_roles;
# Now, root@localhost don't have admin option for role1:
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
grant role1 to role4;
--error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
grant role1 to role4 with admin option;
# but role3 is grantable
grant role3 to role2;
revoke role3 from role2;
# now, a diamond
grant role4 to role2 with admin option;
revoke role2 from current_user;
revoke role4 from current_user;
grant role4 to current_user;
########################################
# cleanup
########################################