database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-20 10:24:14 +03:00
Code Activity

remove inherited routine grants when a routine is dropped

Browse Source
This commit is contained in:
Sergei Golubchik
2013-10-26 15:52:29 +02:00
parent 2eed3b7d07
commit e46eea8660
3 changed files with 42 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
mysql-test/suite/roles/drop_routines.result
View File

@ -1,13 +1,10 @@
create role r1; create role r1;
create role r2; create role r2;
create role r3; create role r3;
create role r4;
create user u1; create user u1;
grant r2 to r1; grant r2 to r1;
grant r3 to r2; grant r3 to r2;
grant r4 to r3;
grant r1 to u1; grant r1 to u1;
grant r4 to r1;
show grants for u1; show grants for u1;
Grants for u1@% Grants for u1@%
GRANT USAGE ON *.* TO 'u1'@'%' GRANT USAGE ON *.* TO 'u1'@'%'
@ -17,11 +14,8 @@ Grants for r1
GRANT USAGE ON *.* TO 'r1' GRANT USAGE ON *.* TO 'r1'
GRANT USAGE ON *.* TO 'r2' GRANT USAGE ON *.* TO 'r2'
GRANT USAGE ON *.* TO 'r3' GRANT USAGE ON *.* TO 'r3'
GRANT USAGE ON *.* TO 'r4'
GRANT r2 TO 'r1' GRANT r2 TO 'r1'
GRANT r3 TO 'r2' GRANT r3 TO 'r2'
GRANT r4 TO 'r1'
GRANT r4 TO 'r3'
grant SELECT on *.* to u1; grant SELECT on *.* to u1;
grant INSERT on mysql.* to r1; grant INSERT on mysql.* to r1;
grant DELETE on mysql.roles_mapping to r2; grant DELETE on mysql.roles_mapping to r2;
@ -35,70 +29,51 @@ select COUNT(*) into param1 from mysql.roles_mapping;
end| end|
grant execute on function mysql.test_func to r2; grant execute on function mysql.test_func to r2;
grant execute on procedure mysql.test_proc to r3; grant execute on procedure mysql.test_proc to r3;
grant execute on mysql.* to r4; revoke execute on procedure mysql.test_proc from r2;
ERROR 42000: There is no such grant defined for user 'r2' on host '' on routine 'test_proc'
show grants for r1; show grants for r1;
Grants for r1 Grants for r1
GRANT DELETE ON `mysql`.`roles_mapping` TO 'r2' GRANT DELETE ON `mysql`.`roles_mapping` TO 'r2'
GRANT EXECUTE ON FUNCTION `mysql`.`test_func` TO 'r2' GRANT EXECUTE ON FUNCTION `mysql`.`test_func` TO 'r2'
GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO 'r3' GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO 'r3'
GRANT EXECUTE ON `mysql`.* TO 'r4'
GRANT INSERT ON `mysql`.* TO 'r1' GRANT INSERT ON `mysql`.* TO 'r1'
GRANT UPDATE ON `mysql`.`user` TO 'r3' GRANT UPDATE ON `mysql`.`user` TO 'r3'
GRANT USAGE ON *.* TO 'r1' GRANT USAGE ON *.* TO 'r1'
GRANT USAGE ON *.* TO 'r2' GRANT USAGE ON *.* TO 'r2'
GRANT USAGE ON *.* TO 'r3' GRANT USAGE ON *.* TO 'r3'
GRANT USAGE ON *.* TO 'r4'
GRANT r2 TO 'r1' GRANT r2 TO 'r1'
GRANT r3 TO 'r2' GRANT r3 TO 'r2'
GRANT r4 TO 'r1'
GRANT r4 TO 'r3'
show grants for r2; show grants for r2;
Grants for r2 Grants for r2
GRANT DELETE ON `mysql`.`roles_mapping` TO 'r2' GRANT DELETE ON `mysql`.`roles_mapping` TO 'r2'
GRANT EXECUTE ON FUNCTION `mysql`.`test_func` TO 'r2' GRANT EXECUTE ON FUNCTION `mysql`.`test_func` TO 'r2'
GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO 'r3' GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO 'r3'
GRANT EXECUTE ON `mysql`.* TO 'r4'
GRANT UPDATE ON `mysql`.`user` TO 'r3' GRANT UPDATE ON `mysql`.`user` TO 'r3'
GRANT USAGE ON *.* TO 'r2' GRANT USAGE ON *.* TO 'r2'
GRANT USAGE ON *.* TO 'r3' GRANT USAGE ON *.* TO 'r3'
GRANT USAGE ON *.* TO 'r4'
GRANT r3 TO 'r2' GRANT r3 TO 'r2'
GRANT r4 TO 'r3'
show grants for r3; show grants for r3;
Grants for r3 Grants for r3
GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO 'r3' GRANT EXECUTE ON PROCEDURE `mysql`.`test_proc` TO 'r3'
GRANT EXECUTE ON `mysql`.* TO 'r4'
GRANT UPDATE ON `mysql`.`user` TO 'r3' GRANT UPDATE ON `mysql`.`user` TO 'r3'
GRANT USAGE ON *.* TO 'r3' GRANT USAGE ON *.* TO 'r3'
GRANT USAGE ON *.* TO 'r4'
GRANT r4 TO 'r3'
show grants for r4;
Grants for r4
GRANT EXECUTE ON `mysql`.* TO 'r4'
GRANT USAGE ON *.* TO 'r4'
drop function mysql.test_func; drop function mysql.test_func;
Warnings:
Warning 1403 There is no such grant defined for user 'r1' on host '' on routine 'test_func'
Warning 1403 There is no such grant defined for user 'r1' on host '' on routine 'test_func'
drop procedure mysql.test_proc; drop procedure mysql.test_proc;
Warnings: create function mysql.test_func (s CHAR(20))
Warning 1403 There is no such grant defined for user 'r2' on host '' on routine 'test_proc' returns CHAR(50) DETERMINISTIC
Warning 1403 There is no such grant defined for user 'r1' on host '' on routine 'test_proc' return concat('Test string: ',s);
Warning 1403 There is no such grant defined for user 'r2' on host '' on routine 'test_proc' show grants for r2;
Warning 1403 There is no such grant defined for user 'r1' on host '' on routine 'test_proc' Grants for r2
show grants for r1;
Grants for r1
GRANT DELETE ON `mysql`.`roles_mapping` TO 'r2' GRANT DELETE ON `mysql`.`roles_mapping` TO 'r2'
GRANT EXECUTE ON `mysql`.* TO 'r4'
GRANT INSERT ON `mysql`.* TO 'r1'
GRANT UPDATE ON `mysql`.`user` TO 'r3' GRANT UPDATE ON `mysql`.`user` TO 'r3'
GRANT USAGE ON *.* TO 'r1'
GRANT USAGE ON *.* TO 'r2' GRANT USAGE ON *.* TO 'r2'
GRANT USAGE ON *.* TO 'r3' GRANT USAGE ON *.* TO 'r3'
GRANT USAGE ON *.* TO 'r4'
GRANT r2 TO 'r1'
GRANT r3 TO 'r2' GRANT r3 TO 'r2'
GRANT r4 TO 'r1' select mysql.test_func("none");
GRANT r4 TO 'r3' ERROR 42000: execute command denied to user 'u1'@'%' for routine 'mysql.test_func'
drop role r1, r2, r3, r4; set role r1;
select mysql.test_func("r1");
ERROR 42000: execute command denied to user 'u1'@'%' for routine 'mysql.test_func'
drop function mysql.test_func;
drop role r1, r2, r3;
drop user u1; drop user u1;

30
mysql-test/suite/roles/drop_routines.test
View File

@ -3,15 +3,12 @@ source include/not_embedded.inc;
create role r1; create role r1;
create role r2; create role r2;
create role r3; create role r3;
create role r4;
create user u1; create user u1;
#CREATE A CHAIN OF ROLES #CREATE A CHAIN OF ROLES
grant r2 to r1; grant r2 to r1;
grant r3 to r2; grant r3 to r2;
grant r4 to r3;
grant r1 to u1; grant r1 to u1;
grant r4 to r1;
--sorted_result --sorted_result
show grants for u1; show grants for u1;
@ -27,7 +24,6 @@ create function mysql.test_func (s CHAR(20))
returns CHAR(50) DETERMINISTIC returns CHAR(50) DETERMINISTIC
return concat('Test string: ',s); return concat('Test string: ',s);
delimiter |; delimiter |;
create procedure mysql.test_proc (OUT param1 INT) create procedure mysql.test_proc (OUT param1 INT)
begin begin
@ -37,7 +33,9 @@ delimiter ;|
grant execute on function mysql.test_func to r2; grant execute on function mysql.test_func to r2;
grant execute on procedure mysql.test_proc to r3; grant execute on procedure mysql.test_proc to r3;
grant execute on mysql.* to r4;
--error ER_NONEXISTING_PROC_GRANT
revoke execute on procedure mysql.test_proc from r2;
--sorted_result --sorted_result
show grants for r1; show grants for r1;
@ -45,17 +43,27 @@ show grants for r1;
show grants for r2; show grants for r2;
--sorted_result --sorted_result
show grants for r3; show grants for r3;
--sorted_result
show grants for r4;
drop function mysql.test_func; drop function mysql.test_func;
drop procedure mysql.test_proc; drop procedure mysql.test_proc;
# HERE there are func_priv_hash and proc_priv hash entries inherited from other roles that are not create function mysql.test_func (s CHAR(20))
# deleted. These remain and could affect privilege checks returns CHAR(50) DETERMINISTIC
return concat('Test string: ',s);
--sorted_result --sorted_result
show grants for r1; show grants for r2;
drop role r1, r2, r3, r4; --connect (u1,localhost,u1,,)
--error ER_PROCACCESS_DENIED_ERROR
select mysql.test_func("none");
set role r1;
--error ER_PROCACCESS_DENIED_ERROR
select mysql.test_func("r1");
connection default;
drop function mysql.test_func;
drop role r1, r2, r3;
drop user u1; drop user u1;

16
sql/sql_acl.cc
View File

@ -4334,6 +4334,7 @@ static int replace_routine_table(THD *thd, GRANT_NAME *grant_name,
int old_row_exists= 1; int old_row_exists= 1;
int error=0; int error=0;
ulong store_proc_rights; ulong store_proc_rights;
HASH *hash= is_proc ? &proc_priv_hash : &func_priv_hash;
DBUG_ENTER("replace_routine_table"); DBUG_ENTER("replace_routine_table");
if (!initialized) if (!initialized)
@ -4342,6 +4343,12 @@ static int replace_routine_table(THD *thd, GRANT_NAME *grant_name,
DBUG_RETURN(-1); DBUG_RETURN(-1);
} }
if (revoke_grant && !grant_name->init_privs) // only inherited role privs
{
my_hash_delete(hash, (uchar*) grant_name);
DBUG_RETURN(0);
}
get_grantor(thd, grantor); get_grantor(thd, grantor);
/* /*
New users are created before this function is called. New users are created before this function is called.
@ -4433,8 +4440,7 @@ static int replace_routine_table(THD *thd, GRANT_NAME *grant_name,
} }
else else
{ {
my_hash_delete(is_proc ? &proc_priv_hash : &func_priv_hash,(uchar*) my_hash_delete(hash, (uchar*) grant_name);
grant_name);
} }
DBUG_RETURN(0); DBUG_RETURN(0);
@ -5685,7 +5691,7 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc,
grant_name= routine_hash_search(Str->host.str, NullS, db_name, grant_name= routine_hash_search(Str->host.str, NullS, db_name,
Str->user.str, table_name, is_proc, 1); Str->user.str, table_name, is_proc, 1);
if (!grant_name) if (!grant_name || !grant_name->init_privs)
{ {
if (revoke_grant) if (revoke_grant)
{ {
@ -9435,10 +9441,6 @@ bool mysql_revoke_all(THD *thd, List <LEX_USER> &list)
if (!strcmp(lex_user->user.str,user) && if (!strcmp(lex_user->user.str,user) &&
!strcmp(lex_user->host.str, host)) !strcmp(lex_user->host.str, host))
{ {
/* only inherited rights, nothing to do here */
if (!grant_proc->init_privs)
continue;
if (replace_routine_table(thd,grant_proc,tables[4].table,*lex_user, if (replace_routine_table(thd,grant_proc,tables[4].table,*lex_user,
grant_proc->db, grant_proc->db,
grant_proc->tname, grant_proc->tname,