database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-01 03:47:19 +03:00
Code Activity

properly propagate privilege changes on DROP ROLE

Browse Source
This commit is contained in:
Sergei Golubchik
2013-10-23 03:26:09 -07:00
parent 82037f9c0e
commit fd826cc3bd
3 changed files with 193 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
mysql-test/suite/roles/set_and_drop.result Normal file
View File

@ -0,0 +1,69 @@
create database mysqltest1;
create table mysqltest1.t1 (a int, b int);
create table mysqltest1.t2 (a int, b int);
insert mysqltest1.t1 values (1,2),(3,4);
insert mysqltest1.t2 values (5,6),(7,8);
create procedure mysqltest1.pr1() select "pr1";
create user foo@localhost;
create role role1;
create role role2;
grant role2 to role1;
grant role1 to foo@localhost;
grant reload on *.* to role2;
grant select on mysql.* to role2;
grant execute on procedure mysqltest1.pr1 to role2;
grant select on mysqltest1.t1 to role2;
grant select (a) on mysqltest1.t2 to role2;
flush tables;
ERROR 42000: Access denied; you need (at least one of) the RELOAD privilege(s) for this operation
select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
show tables from mysqltest1;
ERROR 42000: Access denied for user 'foo'@'localhost' to database 'mysqltest1'
set role role1;
flush tables;
select * from mysql.roles_mapping;
Host User Role Admin_option
role1 role2 N
localhost foo role1 N
localhost root role1 Y
localhost root role2 Y
show tables from mysqltest1;
Tables_in_mysqltest1
t1
t2
select * from mysqltest1.t1;
a b
1 2
3 4
select * from mysqltest1.t2;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't2'
select a from mysqltest1.t2;
a
5
7
call mysqltest1.pr1();
pr1
pr1
revoke execute on procedure mysqltest1.pr1 from role2;
call mysqltest1.pr1();
ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'mysqltest1.pr1'
drop role role2;
show grants;
Grants for foo@localhost
GRANT role1 TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'foo'@'localhost'
GRANT USAGE ON *.* TO 'role1'
select * from information_schema.enabled_roles;
ROLE_NAME
role1
flush tables;
select * from mysql.roles_mapping;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'roles_mapping'
select * from mysqltest1.t1;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't1'
select a from mysqltest1.t2;
ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't2'
drop role role1;
drop user foo@localhost;
drop database mysqltest1;

74
mysql-test/suite/roles/set_and_drop.test Normal file
View File

@ -0,0 +1,74 @@
--source include/not_embedded.inc
#
# test setting and dropping a role
#
create database mysqltest1;
create table mysqltest1.t1 (a int, b int);
create table mysqltest1.t2 (a int, b int);
insert mysqltest1.t1 values (1,2),(3,4);
insert mysqltest1.t2 values (5,6),(7,8);
create procedure mysqltest1.pr1() select "pr1";
create user foo@localhost;
create role role1;
create role role2;
grant role2 to role1;
grant role1 to foo@localhost;
grant reload on *.* to role2;
grant select on mysql.* to role2;
grant execute on procedure mysqltest1.pr1 to role2;
grant select on mysqltest1.t1 to role2;
grant select (a) on mysqltest1.t2 to role2;
connect (foo,localhost,foo);
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
flush tables;
--error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping;
--error ER_DBACCESS_DENIED_ERROR
show tables from mysqltest1;
set role role1;
flush tables;
--sorted_result
select * from mysql.roles_mapping;
show tables from mysqltest1;
select * from mysqltest1.t1;
--error ER_TABLEACCESS_DENIED_ERROR
select * from mysqltest1.t2;
select a from mysqltest1.t2;
call mysqltest1.pr1();
connection default;
revoke execute on procedure mysqltest1.pr1 from role2;
connection foo;
--error ER_PROCACCESS_DENIED_ERROR
call mysqltest1.pr1();
connection default;
drop role role2;
connection foo;
show grants;
select * from information_schema.enabled_roles;
flush tables;
--error ER_TABLEACCESS_DENIED_ERROR
select * from mysql.roles_mapping;
--error ER_TABLEACCESS_DENIED_ERROR
select * from mysqltest1.t1;
--error ER_TABLEACCESS_DENIED_ERROR
select a from mysqltest1.t2;
connection default;
disconnect foo;
drop role role1;
drop user foo@localhost;
drop database mysqltest1;