mirror of
https://github.com/MariaDB/server.git
synced 2025-11-08 00:28:29 +03:00
Bug#27145 EXTRA_ACL troubles
The flag EXTRA_ACL is used in conjugation with our access checks, yet it is not clear what impact this flag has. This is a code clean up which replaces use of EXTRA_ACL with an explicit function parameter. The patch also fixes privilege checks for: - SHOW CREATE TABLE: The new privilege requirement is any privilege on the table-level. - CHECKSUM TABLE: Requires SELECT on the table level. - SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level (just as the manual claims) - SHOW INDEX: Requires any privilege on any column combination.
This commit is contained in:
Kristofer Pettersson
@@ -914,13 +914,13 @@ SHOW CREATE VIEW mysqltest2.v_ny;
|
||||
View Create View character_set_client collation_connection
|
||||
v_ny CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `mysqltest2`.`v_ny` AS select `mysqltest2`.`t_nn`.`c1` AS `c1` from `mysqltest2`.`t_nn` latin1 latin1_swedish_ci
|
||||
SHOW CREATE TABLE mysqltest3.t_nn;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't_nn'
|
||||
ERROR 42000: SHOW command denied to user 'mysqltest_1'@'localhost' for table 't_nn'
|
||||
SHOW CREATE VIEW mysqltest3.t_nn;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't_nn'
|
||||
SHOW CREATE VIEW mysqltest3.v_nn;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 'v_nn'
|
||||
SHOW CREATE TABLE mysqltest3.v_nn;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 'v_nn'
|
||||
ERROR 42000: SHOW command denied to user 'mysqltest_1'@'localhost' for table 'v_nn'
|
||||
SHOW CREATE TABLE mysqltest2.t_nn;
|
||||
Table Create Table
|
||||
t_nn CREATE TABLE `t_nn` (
|
||||
|
||||
@@ -391,7 +391,7 @@ grant all on mysqltest_1.* to mysqltest_u1@localhost;
|
||||
use mysqltest_2;
|
||||
create table t1 (i int);
|
||||
show create table mysqltest_2.t1;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't1'
|
||||
ERROR 42000: SHOW command denied to user 'mysqltest_u1'@'localhost' for table 't1'
|
||||
create table t1 like mysqltest_2.t1;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't1'
|
||||
grant select on mysqltest_2.t1 to mysqltest_u1@localhost;
|
||||
|
||||
123
mysql-test/r/grant4.result
Normal file
123
mysql-test/r/grant4.result
Normal file
@@ -0,0 +1,123 @@
|
||||
drop database if exists mysqltest_db1;
|
||||
create database mysqltest_db1;
|
||||
use mysqltest_db1;
|
||||
create table t_column_priv_only (a int, b int);
|
||||
create table t_select_priv like t_column_priv_only;
|
||||
create table t_no_priv like t_column_priv_only;
|
||||
grant all privileges on test.* to mysqltest_u1@localhost;
|
||||
grant insert (a) on mysqltest_db1.t_column_priv_only to mysqltest_u1@localhost;
|
||||
grant select on mysqltest_db1.t_select_priv to mysqltest_u1@localhost;
|
||||
** Connect as restricted user mysqltest_u1.
|
||||
|
||||
** Test column level privileges only. No SELECT privileges on the table.
|
||||
** INSERT INTO ... VALUES ...
|
||||
** Attempting to insert values to a table with only column privileges
|
||||
** should work.
|
||||
insert into mysqltest_db1.t_column_priv_only (a) VALUES (1);
|
||||
|
||||
** SHOW COLUMNS
|
||||
** Should succeed because we have privileges (any) on at least one of the columns.
|
||||
select column_name as 'Field',column_type as 'Type',is_nullable as 'Null',column_key as 'Key',column_default as 'Default',extra as 'Extra' from information_schema.columns where table_schema='mysqltest_db1' and table_name='t_column_priv_only';
|
||||
Field Type Null Key Default Extra
|
||||
a int(11) YES NULL
|
||||
show columns from mysqltest_db1.t_column_priv_only;
|
||||
Field Type Null Key Default Extra
|
||||
a int(11) YES NULL
|
||||
** SHOW COLUMNS
|
||||
** Should fail because there are no privileges on any column combination.
|
||||
show columns from mysqltest_db1.t_no_priv;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't_no_priv'
|
||||
** However, select from I_S.COLUMNS will succeed but not show anything:
|
||||
select column_name as 'Field',column_type as 'Type',is_nullable as 'Null',column_key as 'Key',column_default as 'Default',extra as 'Extra' from information_schema.columns where table_schema='mysqltest_db1' and table_name='t_no_priv';
|
||||
Field Type Null Key Default Extra
|
||||
|
||||
** CREATE TABLE ... LIKE ... require SELECT privleges and will fail.
|
||||
create table test.t_no_priv like mysqltest_db1.column_priv_only;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 'column_priv_only'
|
||||
|
||||
** Just to be sure... SELECT also fails.
|
||||
select * from mysqltest_db1.t_column_priv_only;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't_column_priv_only'
|
||||
|
||||
** SHOW CREATE TABLE ... require any privileges on all columns (the entire table).
|
||||
** First we try and fail on a table with only one column privilege.
|
||||
show create table mysqltest_db1.t_column_priv_only;
|
||||
ERROR 42000: SHOW command denied to user 'mysqltest_u1'@'localhost' for table 't_column_priv_only'
|
||||
|
||||
** Now we do the same on a table with SELECT privileges.
|
||||
|
||||
** SHOW COLUMNS
|
||||
** Success because we got some privileges on the table (SELECT_ACL)
|
||||
show columns from mysqltest_db1.t_select_priv;
|
||||
Field Type Null Key Default Extra
|
||||
a int(11) YES NULL
|
||||
b int(11) YES NULL
|
||||
|
||||
** CREATE TABLE ... LIKE ... require SELECT privleges and will SUCCEED.
|
||||
drop table if exists test.t_duplicated;
|
||||
create table test.t_duplicated like mysqltest_db1.t_select_priv;
|
||||
drop table test.t_duplicated;
|
||||
|
||||
** SHOW CREATE TABLE will succeed because we have a privilege on all columns in the table (table-level privilege).
|
||||
show create table mysqltest_db1.t_select_priv;
|
||||
Table Create Table
|
||||
t_select_priv CREATE TABLE `t_select_priv` (
|
||||
`a` int(11) DEFAULT NULL,
|
||||
`b` int(11) DEFAULT NULL
|
||||
) ENGINE=MyISAM DEFAULT CHARSET=latin1
|
||||
|
||||
** SHOW CREATE TABLE will fail if there is no grants at all:
|
||||
show create table mysqltest_db1.t_no_priv;
|
||||
ERROR 42000: SHOW command denied to user 'mysqltest_u1'@'localhost' for table 't_no_priv'
|
||||
|
||||
use mysqltest_db1;
|
||||
CREATE TABLE t5 (s1 INT);
|
||||
CREATE INDEX i ON t5 (s1);
|
||||
CREATE TABLE t6 (s1 INT, s2 INT);
|
||||
CREATE VIEW v5 AS SELECT * FROM t5;
|
||||
CREATE VIEW v6 AS SELECT * FROM t6;
|
||||
CREATE VIEW v2 AS SELECT * FROM t_select_priv;
|
||||
CREATE VIEW v3 AS SELECT * FROM t_select_priv;
|
||||
CREATE INDEX i ON t6 (s1);
|
||||
GRANT UPDATE (s2) ON t6 to mysqltest_u1@localhost;
|
||||
GRANT UPDATE (s2) ON v6 to mysqltest_u1@localhost;
|
||||
GRANT SHOW VIEW ON v2 to mysqltest_u1@localhost;
|
||||
GRANT SHOW VIEW, SELECT ON v3 to mysqltest_u1@localhost;
|
||||
use mysqltest_db1;
|
||||
** Connect as restricted user mysqltest_u1.
|
||||
** SELECT FROM INFORMATION_SCHEMA.STATISTICS will succeed because any privileges will do (authentication is enough).
|
||||
SELECT * FROM INFORMATION_SCHEMA.STATISTICS WHERE table_name='t5';
|
||||
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME NON_UNIQUE INDEX_SCHEMA INDEX_NAME SEQ_IN_INDEX COLUMN_NAME COLLATION CARDINALITY SUB_PART PACKED NULLABLE INDEX_TYPE COMMENT
|
||||
NULL mysqltest_db1 t5 1 mysqltest_db1 i 1 s1 A NULL NULL NULL YES BTREE
|
||||
** SHOW INDEX FROM t5 will fail because we don't have any privileges on any column combination.
|
||||
SHOW INDEX FROM t5;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't5'
|
||||
** SHOW INDEX FROM t6 will succeed because there exist a privilege on a column combination on t6.
|
||||
SHOW INDEX FROM t6;
|
||||
Table Non_unique Key_name Seq_in_index Column_name Collation Cardinality Sub_part Packed Null Index_type Comment
|
||||
t6 1 i 1 s1 A NULL NULL NULL YES BTREE
|
||||
** CHECK TABLE requires any privilege on any column combination and should succeed for t6:
|
||||
CHECK TABLE t6;
|
||||
Table Op Msg_type Msg_text
|
||||
mysqltest_db1.t6 check status OK
|
||||
** With no privileges access is naturally denied:
|
||||
CHECK TABLE t5;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't5'
|
||||
** CHECKSUM TABLE requires SELECT privileges on the table. The following should fail:
|
||||
CHECKSUM TABLE t6;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 't6'
|
||||
** And this should work:
|
||||
CHECKSUM TABLE t_select_priv;
|
||||
Table Checksum
|
||||
mysqltest_db1.t_select_priv 0
|
||||
SHOW CREATE VIEW v5;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 'v5'
|
||||
SHOW CREATE VIEW v6;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 'v6'
|
||||
SHOW CREATE VIEW v2;
|
||||
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for table 'v2'
|
||||
SHOW CREATE VIEW v3;
|
||||
View Create View character_set_client collation_connection
|
||||
v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t_select_priv`.`a` AS `a`,`t_select_priv`.`b` AS `b` from `t_select_priv` latin1 latin1_swedish_ci
|
||||
drop database mysqltest_db1;
|
||||
drop user mysqltest_u1@localhost;
|
||||
@@ -3,7 +3,7 @@ drop view if exists v1,v2;
|
||||
drop function if exists f1;
|
||||
drop function if exists f2;
|
||||
use INFORMATION_SCHEMA;
|
||||
show tables where Tables_in_information_schema not like "Innodb%";
|
||||
show tables where Tables_in_information_schema NOT LIKE 'Innodb%';
|
||||
Tables_in_information_schema
|
||||
CHARACTER_SETS
|
||||
COLLATIONS
|
||||
@@ -119,12 +119,12 @@ create table t1 (f1 char(4));
|
||||
create view v1 as select f1 from t1;
|
||||
grant insert on v1 to testdb_2@localhost;
|
||||
create view v5 as select f1 from t1;
|
||||
grant show view on v5 to testdb_2@localhost;
|
||||
grant select, show view on v5 to testdb_2@localhost;
|
||||
create definer=`no_such_user`@`no_such_host` view v6 as select f1 from t1;
|
||||
ERROR 42000: Access denied; you need the SUPER privilege for this operation
|
||||
use testdb_1;
|
||||
create view v6 as select f1 from t1;
|
||||
grant show view on v6 to testdb_2@localhost;
|
||||
grant select, show view on v6 to testdb_2@localhost;
|
||||
create table t2 (f1 char(4));
|
||||
create definer=`no_such_user`@`no_such_host` view v7 as select * from t2;
|
||||
Warnings:
|
||||
@@ -152,11 +152,13 @@ create view v2 as select f1 from testdb_1.v1;
|
||||
create view v4 as select f1,f2 from testdb_1.v3;
|
||||
show fields from testdb_1.v5;
|
||||
Field Type Null Key Default Extra
|
||||
f1 char(4) YES NULL
|
||||
show create view testdb_1.v5;
|
||||
View Create View character_set_client collation_connection
|
||||
v5 CREATE ALGORITHM=UNDEFINED DEFINER=`testdb_1`@`localhost` SQL SECURITY DEFINER VIEW `testdb_1`.`v5` AS select `testdb_1`.`t1`.`f1` AS `f1` from `testdb_1`.`t1` latin1 latin1_swedish_ci
|
||||
show fields from testdb_1.v6;
|
||||
Field Type Null Key Default Extra
|
||||
f1 char(4) YES NULL
|
||||
show create view testdb_1.v6;
|
||||
View Create View character_set_client collation_connection
|
||||
v6 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `testdb_1`.`v6` AS select `testdb_1`.`t1`.`f1` AS `f1` from `testdb_1`.`t1` latin1 latin1_swedish_ci
|
||||
@@ -171,9 +173,9 @@ v7 CREATE ALGORITHM=UNDEFINED DEFINER=`no_such_user`@`no_such_host` SQL SECURITY
|
||||
Warnings:
|
||||
Warning 1356 View 'testdb_1.v7' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them
|
||||
revoke insert(f1) on v3 from testdb_2@localhost;
|
||||
revoke show view on v5 from testdb_2@localhost;
|
||||
revoke select,show view on v5 from testdb_2@localhost;
|
||||
use testdb_1;
|
||||
revoke show view on v6 from testdb_2@localhost;
|
||||
revoke select,show view on v6 from testdb_2@localhost;
|
||||
show fields from testdb_1.v5;
|
||||
ERROR 42000: SELECT command denied to user 'testdb_2'@'localhost' for table 'v5'
|
||||
show create view testdb_1.v5;
|
||||
@@ -202,7 +204,7 @@ show create view v2;
|
||||
View Create View character_set_client collation_connection
|
||||
v2 CREATE ALGORITHM=UNDEFINED DEFINER=`testdb_2`@`localhost` SQL SECURITY DEFINER VIEW `v2` AS select `v1`.`f1` AS `f1` from `testdb_1`.`v1` latin1 latin1_swedish_ci
|
||||
show create view testdb_1.v1;
|
||||
ERROR 42000: SHOW VIEW command denied to user 'testdb_2'@'localhost' for table 'v1'
|
||||
ERROR 42000: SELECT command denied to user 'testdb_2'@'localhost' for table 'v1'
|
||||
select table_name from information_schema.columns a
|
||||
where a.table_name = 'v2';
|
||||
table_name
|
||||
|
||||
Binary file not shown.
@@ -799,12 +799,12 @@ CREATE USER u29908_1@localhost;
|
||||
CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
|
||||
CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
|
||||
SELECT f1 FROM t1;
|
||||
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
|
||||
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
|
||||
GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
|
||||
GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
|
||||
GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
|
||||
CREATE USER u29908_2@localhost;
|
||||
GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
|
||||
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
|
||||
GRANT SELECT, DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
|
||||
GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
|
||||
GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
|
||||
ALTER VIEW v1 AS SELECT f2 FROM t1;
|
||||
ERROR 42000: Access denied; you need the SUPER privilege for this operation
|
||||
|
||||
146
mysql-test/t/grant4.test
Normal file
146
mysql-test/t/grant4.test
Normal file
@@ -0,0 +1,146 @@
|
||||
--source include/not_embedded.inc
|
||||
|
||||
# Setup database, tables and user accounts
|
||||
--disable_warnings
|
||||
drop database if exists mysqltest_db1;
|
||||
--enable_warnings
|
||||
create database mysqltest_db1;
|
||||
use mysqltest_db1;
|
||||
create table t_column_priv_only (a int, b int);
|
||||
create table t_select_priv like t_column_priv_only;
|
||||
create table t_no_priv like t_column_priv_only;
|
||||
grant all privileges on test.* to mysqltest_u1@localhost;
|
||||
grant insert (a) on mysqltest_db1.t_column_priv_only to mysqltest_u1@localhost;
|
||||
grant select on mysqltest_db1.t_select_priv to mysqltest_u1@localhost;
|
||||
|
||||
--echo ** Connect as restricted user mysqltest_u1.
|
||||
--echo
|
||||
connect (con1,localhost,mysqltest_u1,,);
|
||||
connection con1;
|
||||
|
||||
########################################################################
|
||||
--echo ** Test column level privileges only. No SELECT privileges on the table.
|
||||
--echo ** INSERT INTO ... VALUES ...
|
||||
--echo ** Attempting to insert values to a table with only column privileges
|
||||
--echo ** should work.
|
||||
insert into mysqltest_db1.t_column_priv_only (a) VALUES (1);
|
||||
--echo
|
||||
|
||||
#########################################################################
|
||||
--echo ** SHOW COLUMNS
|
||||
--echo ** Should succeed because we have privileges (any) on at least one of the columns.
|
||||
select column_name as 'Field',column_type as 'Type',is_nullable as 'Null',column_key as 'Key',column_default as 'Default',extra as 'Extra' from information_schema.columns where table_schema='mysqltest_db1' and table_name='t_column_priv_only';
|
||||
show columns from mysqltest_db1.t_column_priv_only;
|
||||
#########################################################################
|
||||
--echo ** SHOW COLUMNS
|
||||
--echo ** Should fail because there are no privileges on any column combination.
|
||||
--error 1142
|
||||
show columns from mysqltest_db1.t_no_priv;
|
||||
--echo ** However, select from I_S.COLUMNS will succeed but not show anything:
|
||||
select column_name as 'Field',column_type as 'Type',is_nullable as 'Null',column_key as 'Key',column_default as 'Default',extra as 'Extra' from information_schema.columns where table_schema='mysqltest_db1' and table_name='t_no_priv';
|
||||
--echo
|
||||
#########################################################################
|
||||
--echo ** CREATE TABLE ... LIKE ... require SELECT privleges and will fail.
|
||||
--error 1142
|
||||
create table test.t_no_priv like mysqltest_db1.column_priv_only;
|
||||
--echo
|
||||
#########################################################################
|
||||
--echo ** Just to be sure... SELECT also fails.
|
||||
--error 1142
|
||||
select * from mysqltest_db1.t_column_priv_only;
|
||||
--echo
|
||||
#########################################################################
|
||||
--echo ** SHOW CREATE TABLE ... require any privileges on all columns (the entire table).
|
||||
--echo ** First we try and fail on a table with only one column privilege.
|
||||
--error 1142
|
||||
show create table mysqltest_db1.t_column_priv_only;
|
||||
--echo
|
||||
#########################################################################
|
||||
--echo ** Now we do the same on a table with SELECT privileges.
|
||||
--echo
|
||||
#########################################################################
|
||||
--echo ** SHOW COLUMNS
|
||||
--echo ** Success because we got some privileges on the table (SELECT_ACL)
|
||||
show columns from mysqltest_db1.t_select_priv;
|
||||
--echo
|
||||
#########################################################################
|
||||
--echo ** CREATE TABLE ... LIKE ... require SELECT privleges and will SUCCEED.
|
||||
--disable_warnings
|
||||
drop table if exists test.t_duplicated;
|
||||
--enable_warnings
|
||||
create table test.t_duplicated like mysqltest_db1.t_select_priv;
|
||||
drop table test.t_duplicated;
|
||||
--echo
|
||||
#########################################################################
|
||||
--echo ** SHOW CREATE TABLE will succeed because we have a privilege on all columns in the table (table-level privilege).
|
||||
show create table mysqltest_db1.t_select_priv;
|
||||
--echo
|
||||
#########################################################################
|
||||
--echo ** SHOW CREATE TABLE will fail if there is no grants at all:
|
||||
--error 1142
|
||||
show create table mysqltest_db1.t_no_priv;
|
||||
--echo
|
||||
|
||||
connection default;
|
||||
|
||||
#
|
||||
# SHOW INDEX
|
||||
#
|
||||
use mysqltest_db1;
|
||||
CREATE TABLE t5 (s1 INT);
|
||||
CREATE INDEX i ON t5 (s1);
|
||||
CREATE TABLE t6 (s1 INT, s2 INT);
|
||||
CREATE VIEW v5 AS SELECT * FROM t5;
|
||||
CREATE VIEW v6 AS SELECT * FROM t6;
|
||||
CREATE VIEW v2 AS SELECT * FROM t_select_priv;
|
||||
CREATE VIEW v3 AS SELECT * FROM t_select_priv;
|
||||
CREATE INDEX i ON t6 (s1);
|
||||
GRANT UPDATE (s2) ON t6 to mysqltest_u1@localhost;
|
||||
GRANT UPDATE (s2) ON v6 to mysqltest_u1@localhost;
|
||||
GRANT SHOW VIEW ON v2 to mysqltest_u1@localhost;
|
||||
GRANT SHOW VIEW, SELECT ON v3 to mysqltest_u1@localhost;
|
||||
|
||||
connection con1;
|
||||
use mysqltest_db1;
|
||||
--echo ** Connect as restricted user mysqltest_u1.
|
||||
--echo ** SELECT FROM INFORMATION_SCHEMA.STATISTICS will succeed because any privileges will do (authentication is enough).
|
||||
#
|
||||
# this result is wrong. reported as bug#34104
|
||||
#
|
||||
SELECT * FROM INFORMATION_SCHEMA.STATISTICS WHERE table_name='t5';
|
||||
#
|
||||
# Bug27145 EXTRA_ACL trouble
|
||||
#
|
||||
--echo ** SHOW INDEX FROM t5 will fail because we don't have any privileges on any column combination.
|
||||
--error 1142
|
||||
SHOW INDEX FROM t5;
|
||||
--echo ** SHOW INDEX FROM t6 will succeed because there exist a privilege on a column combination on t6.
|
||||
SHOW INDEX FROM t6;
|
||||
|
||||
# CHECK TABLE
|
||||
--echo ** CHECK TABLE requires any privilege on any column combination and should succeed for t6:
|
||||
CHECK TABLE t6;
|
||||
--echo ** With no privileges access is naturally denied:
|
||||
--error 1142
|
||||
CHECK TABLE t5;
|
||||
|
||||
# CHECKSUM
|
||||
--echo ** CHECKSUM TABLE requires SELECT privileges on the table. The following should fail:
|
||||
--error 1142
|
||||
CHECKSUM TABLE t6;
|
||||
--echo ** And this should work:
|
||||
CHECKSUM TABLE t_select_priv;
|
||||
|
||||
# SHOW CREATE VIEW
|
||||
--error 1142
|
||||
SHOW CREATE VIEW v5;
|
||||
--error 1142
|
||||
SHOW CREATE VIEW v6;
|
||||
--error 1142
|
||||
SHOW CREATE VIEW v2;
|
||||
SHOW CREATE VIEW v3;
|
||||
|
||||
connection default;
|
||||
disconnect con1;
|
||||
drop database mysqltest_db1;
|
||||
drop user mysqltest_u1@localhost;
|
||||
@@ -1,5 +1,5 @@
|
||||
# this test mostly test privilege control (what doesn't work
|
||||
# in the embedded server by default). So disabled in embedded-server mode
|
||||
# in the embedded server by default). So skip the test in embedded-server mode.
|
||||
-- source include/not_embedded.inc
|
||||
|
||||
-- source include/testdb_only.inc
|
||||
@@ -13,7 +13,7 @@ drop function if exists f2;
|
||||
|
||||
use INFORMATION_SCHEMA;
|
||||
--replace_result Tables_in_INFORMATION_SCHEMA Tables_in_information_schema
|
||||
show tables where Tables_in_information_schema not like "Innodb%";
|
||||
show tables where Tables_in_INFORMATION_SCHEMA NOT LIKE 'Innodb%';
|
||||
--replace_result 'Tables_in_INFORMATION_SCHEMA (T%)' 'Tables_in_information_schema (T%)'
|
||||
show tables from INFORMATION_SCHEMA like 'T%';
|
||||
create database `inf%`;
|
||||
@@ -123,7 +123,7 @@ create view v1 as select f1 from t1;
|
||||
grant insert on v1 to testdb_2@localhost;
|
||||
|
||||
create view v5 as select f1 from t1;
|
||||
grant show view on v5 to testdb_2@localhost;
|
||||
grant select, show view on v5 to testdb_2@localhost;
|
||||
|
||||
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
||||
create definer=`no_such_user`@`no_such_host` view v6 as select f1 from t1;
|
||||
@@ -131,7 +131,7 @@ create definer=`no_such_user`@`no_such_host` view v6 as select f1 from t1;
|
||||
connection default;
|
||||
use testdb_1;
|
||||
create view v6 as select f1 from t1;
|
||||
grant show view on v6 to testdb_2@localhost;
|
||||
grant select, show view on v6 to testdb_2@localhost;
|
||||
|
||||
create table t2 (f1 char(4));
|
||||
create definer=`no_such_user`@`no_such_host` view v7 as select * from t2;
|
||||
@@ -163,10 +163,10 @@ show fields from testdb_1.v7;
|
||||
show create view testdb_1.v7;
|
||||
|
||||
revoke insert(f1) on v3 from testdb_2@localhost;
|
||||
revoke show view on v5 from testdb_2@localhost;
|
||||
revoke select,show view on v5 from testdb_2@localhost;
|
||||
connection default;
|
||||
use testdb_1;
|
||||
revoke show view on v6 from testdb_2@localhost;
|
||||
revoke select,show view on v6 from testdb_2@localhost;
|
||||
connection testdb_2;
|
||||
|
||||
--error ER_TABLEACCESS_DENIED_ERROR
|
||||
|
||||
@@ -109,7 +109,7 @@ create user user_1@localhost;
|
||||
grant all on mysqltest.* to user_1@localhost;
|
||||
connect (con28181_1,localhost,user_1,,mysqltest);
|
||||
|
||||
--error ER_DBACCESS_DENIED_ERROR
|
||||
--error ER_ACCESS_DENIED_ERROR
|
||||
eval select schema_name
|
||||
into outfile "../../tmp/outfile-test.4"
|
||||
fields terminated by ',' optionally enclosed by '"'
|
||||
|
||||
@@ -1072,12 +1072,12 @@ CREATE USER u29908_1@localhost;
|
||||
CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
|
||||
CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
|
||||
SELECT f1 FROM t1;
|
||||
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
|
||||
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
|
||||
GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
|
||||
GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
|
||||
GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
|
||||
CREATE USER u29908_2@localhost;
|
||||
GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
|
||||
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
|
||||
GRANT SELECT, DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
|
||||
GRANT SELECT, DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
|
||||
GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
|
||||
|
||||
connect (u2,localhost,u29908_2,,mysqltest_29908);
|
||||
|
||||
Reference in New Issue
Block a user