1
0
mirror of https://github.com/MariaDB/server.git synced 2025-07-18 23:03:28 +03:00
Commit Graph

2818 Commits

Author SHA1 Message Date
1f51d6c0f6 MDEV-28548: ER_TABLEACCESS_DENIED_ERROR is missing information about DB
- Added missing information about database of corresponding table for various types of commands
- Update some typos

- Reviewed by: <vicentiu@mariadb.org>
2022-09-30 08:48:57 +02:00
0792aff161 Merge 10.4 into 10.5 2022-09-20 13:17:02 +03:00
0c0a569028 Merge 10.3 into 10.4 2022-09-20 12:38:25 +03:00
16b2bb909a MDEV-29509 execute granted indirectly (via roles) doesn't always work
The issue manifests due to a bug in mysql_routine_grant. This was a side
effect of e46eea8660 which fixed the problem of not giving appropriate error
message (ER_NONEXISTING_PROC_GRANT) when a routine grant existed due to role
inheritance.

When granting a routine privilege, it is possible to have a GRANT_NAME
entry already created from an inherited role, but with it's init_privs
set to 0.

In this case we must not create a *new* grant entry, but we must edit
this grant entry to set its init_privs.

Note that this case was already covered by MDEV-29458, however due to a
forgotten "flush privileges;" the actual code path never got hit.
Remove the flush privilege command as it was never intended to be there
in the first place.
2022-09-14 14:40:50 +03:00
5ad8cd93b7 cleanup: indentation and whitespace fixes 2022-09-14 14:40:50 +03:00
7735ba7666 MDEV-29458: Role grant commands do not propagate all grants
There was an issue in updating in-memory role datastructures when
propagating role grants.

The issue is that changing a particular role's privilege (on any
privilege level, global, database, etc.)
was done such that it overwrote the entire set of bits for that
particular level of privileges.

For example:
grant select on *.* to r1 -> sets the access bits to r1 to select,
regardless of what bits were present for role r1 (inherited from any
other roles).

Before this fix, the rights of role r1 were propagated to any roles r1
was granted to, however the propagated rights did *not* include the
complete rights r1 inherited from its own grants.

For example:
  grant r2 to r1;
  grant select on *.* to r2;
  grant insert on *.* to r1; # This command completely disregards the
                             # select privilege from r2.

In order to correct this, ensure that before rights are propagated
onwards, that the current's role rights have been updated from its
grants.

Additionally, the patch exposed a flaw in the DROP ROLE code.
When deleting a role we removed all its previous grants, but what
remained was the actual links of roles granted to the dropped role.
Having these links present when propagating grants meant that we would
have leftover ACL_xxx entries.

Ensure that the links are removed before propagating grants.
2022-09-14 14:40:50 +03:00
145932a57b MDEV-29465: Inherited columns privs for roles wrongly set mysql.tables_priv column
There was a bug in the ACL internal data structures GRANT_TABLE and
GRANT_COLUMN. The semantics are: GRANT_TABLE::init_cols and
GRANT_COLUMN::init_privs represent the bits that correspond to the
privilege bits stored in the physical tables. The other struct members
GRANT_TABLE::cols and GRANT_COLUMN::privs represent the actual access
bits, as they may be modified through role grants.

The error in logic was mixing the two fields and thus we ended up
storing the logical access bits in the physical tables, instead of the
physical (init_xxx) bits.

This caused subsequent DBUG_ASSERT failures when dropping the involved
roles.
2022-09-14 14:40:50 +03:00
38d36b59f9 Merge 10.4 into 10.5 2022-09-07 08:26:21 +03:00
c7ba237793 Merge 10.3 into 10.4 2022-09-07 08:08:59 +03:00
ba987a46c9 Merge 10.4 into 10.5 2022-09-05 13:28:56 +03:00
47812017c6 MDEV-28530: Revoking privileges from a non-existing user on a master breaks replication on the slave in the presence of replication filters
Problem:
========
Replication can break while applying a query log event if its
respective command errors on the primary, but is ignored by the
replication filter within Grant_tables on the replica. The bug
reported by MDEV-28530 shows this with REVOKE ALL PRIVILEGES using a
non-existent user. The primary will binlog the REVOKE command with
an error code, and the replica will think the command executed with
success because the replication filter will ignore the command while
accessing the Grant_tables classes. When the replica performs an
error check, it sees the difference between the error codes, and
replication breaks.

Solution:
========
If the replication filter check done by Grant_tables logic ignores
the tables, reset thd->slave_expected_error to 0 so that
Query_log_event::do_apply_event() can be made aware that the
underlying query was ignored when it compares errors.

Note that this bug also effects DROP USER if not all users exist
in the provided list, and the patch fixes and tests this case.

Reviewed By:
============
andrei.elkin@mariadb.com
2022-09-03 13:04:44 +03:00
2917bd0d2c Reduce compilation dependencies on wsrep_mysqld.h
Making changes to wsrep_mysqld.h causes large parts of server code to
be recompiled. The reason is that wsrep_mysqld.h is included by
sql_class.h, even tough very little of wsrep_mysqld.h is needed in
sql_class.h. This commit introduces a new header file, wsrep_on.h,
which is meant to be included from sql_class.h, and contains only
macros and variable declarations used to determine whether wsrep is
enabled.
Also, header wsrep.h should only contain definitions that are also
used outside of sql/. Therefore, move WSREP_TO_ISOLATION* and
WSREP_SYNC_WAIT macros to wsrep_mysqld.h.

Reviewed-by: Jan Lindström <jan.lindstrom@mariadb.com>
2022-08-31 11:05:23 +03:00
9929301ecd Merge 10.4 into 10.5 2022-08-25 15:31:19 +03:00
851058a3e6 Merge 10.3 into 10.4 2022-08-25 15:17:20 +03:00
8963d64ee8 MDEV-28294: set default role bypasses Replicate_Wild_Ignore_Table: mysql.%
Problem:
========
When replicating SET DEFAULT ROLE, the pre-update check (i.e. that
in set_var_default_role::check()) tries to validate the existence of
the given rules/user even when the targeted tables are ignored. When
previously issued CREATE USER/ROLE commands are ignored by the
replica because of the replication filtering rules, this results in
an error because the targeted data does not exist.

Solution:
========
Before checking that the given roles/user exist of a SET DEFAULT
ROLE command, first ensure that the mysql.user and
mysql.roles_mapping tables are not excluded by replication filters.

Reviewed By:
============
Andrei Elkin <andrei.elkin@mariadb.com>
Sergei Golubchik <serg@mariadb.com>
2022-08-22 18:23:56 +03:00
af143474d8 Merge branch '10.4' into 10.5 2022-08-03 07:12:27 +02:00
48e35b8cf6 Merge branch '10.3' into 10.4 2022-08-02 14:15:39 +02:00
8ea529ecba MDEV-29131 Assertion `status == 0' failed when renaming user after deleting table roles_mapping
if mysql.roles_mapping table doesn't exist (it's optional, after all),
we still update in-memory structures to keep them consistent
2022-07-29 21:58:38 +02:00
cc6bba008d MDEV-26647 (plugin name) Include password validation plugin information in the error message if the SQL statement is not satisfied password policy
Add plugin name to the error message.
2022-07-27 15:23:39 +02:00
cf63eecef4 Merge branch '10.4' into 10.5 2022-02-01 20:33:04 +01:00
7b555ff2c5 MDEV-27341 Use SET PASSWORD to change PAM service
SET PASSWORD = PASSWORD('foo') would fail for pam plugin with

ERROR HY000: SET PASSWORD is ignored for users authenticating via pam plugin

but SET PASSWORD = 'foo' would not.

Now it will.
2022-01-17 18:19:29 +01:00
da76d25ab4 MDEV-26339 Account specifics to be handled before proxying 2022-01-17 18:19:29 +01:00
5f8561a6bc Merge 10.4 into 10.5 2021-10-21 15:26:25 +03:00
489ef007be Merge 10.3 into 10.4 2021-10-21 14:57:00 +03:00
e4a7c15dd6 Merge 10.2 into 10.3 2021-10-21 13:41:04 +03:00
c9a9ae6554 MDEV-26650: Failed ALTER USER/GRANT statement removes the password from the cache
Starting from 10.4 AUTH is not part of ACL_USER so changes have to be done
over a copy, and bring in the cache only in case of success.
2021-10-18 12:09:59 +02:00
9e6c383867 MDEV-17964: Assertion `status == 0' failed in add_role_user_mapping_action
This happens upon CREATE USER and DROP ROLE.

The underlying problem is that our HASH implementation shuffles elements
around when performing an update or delete. This means that when doing a
scan through the HASH table by index, in search of elements to delete or
update one must restart the scan to make sure nothing is missed if at least
one delete / update happened.

More specifically, what happened in this case:
The hash has 131 element, DROP ROLE removes the element
[119]. Its [119]->next was element [129], so [129] is moved to [119].
Now we need to compact the hash, removing the last element [130]. It
gets one bit off its hash value and becomes element [2]. The existing
element [2] is moved to [129], and old [130] is moved to [2].

We cannot simply move [130] to [129] and make [2]->next=130, it won't
work if [2] is itself in the collision list and doesn't belong in [2].

The handle_grant_struct code assumed that it is safe to continue by only
reexamining the currently modified / deleted element index, but that is
not true.

Missing to delete an element in the hash triggered the assertion in
the test case. DROP ROLE would not clear all necessary role->role or
role->user mappings.

To fix the problem we ensure that the scan is restarted, only if an
element was deleted / updated, similar to how bubble-sort keeps sorting
until it finds no more elements to swap.
2021-10-15 19:19:36 +03:00
ae6bdc6769 Merge branch '10.4' into 10.5 2021-07-31 23:19:51 +02:00
7841a7eb09 Merge branch '10.3' into 10.4 2021-07-31 22:59:58 +02:00
6190a02f35 Merge branch '10.2' into 10.3 2021-07-21 20:11:07 +02:00
d2dddbff4e MDEV-26080: SHOW GRANTS does not quote role names properly for DEFAULT ROLE
- Used single quotes, back quotes are used with commit
fafb35ee51 in 10.3 and will be changed.

Reviewed by: serg@mariadb.org
2021-07-09 08:25:54 +02:00
3fbe30024f MDEV-26080: SHOW GRANTS does not quote role names properly for DEFAULT ROLE
- Proceed with commit fafb35ee51

Reviewed by: serg@mariadb.com
2021-07-08 16:19:32 +02:00
7c02e8717d MDEV-26081 set role crashes when a hostname cannot be resolved
host can be NULL
2021-07-02 19:21:51 +02:00
365cd08345 Merge 10.4 into 10.5 2021-05-26 09:47:28 +03:00
1dea7f7977 Merge 10.3 into 10.4 2021-05-25 15:38:57 +03:00
3f55c56951 Merge branch bb-10.4-release into bb-10.5-release 2021-05-05 23:57:11 +03:00
509e4990af Merge branch bb-10.3-release into bb-10.4-release 2021-05-05 23:03:01 +03:00
a8a925dd22 Merge branch bb-10.2-release into bb-10.3-release 2021-05-04 14:49:31 +03:00
f946192e6f MDEV-25258 : SET PASSWORD command fail with wsrep api
Problem was that we should skip strict password validation on
applier nodes similarly as is done for slave nodes.
2021-04-28 11:11:25 +03:00
b8fad8c6bf MDEV-25030 Upgrade to 10.5.9 breaks root's ability to grant 2021-04-22 17:52:08 +02:00
80ed136e6d Merge 10.4 into 10.5 2021-04-21 09:01:01 +03:00
031f11717d Fix all warnings given by UBSAN
The easiest way to compile and test the server with UBSAN is to run:
./BUILD/compile-pentium64-ubsan
and then run mysql-test-run.
After this commit, one should be able to run this without any UBSAN
warnings. There is still a few compiler warnings that should be fixed
at some point, but these do not expose any real bugs.

The 'special' cases where we disable, suppress or circumvent UBSAN are:
- ref10 source (as here we intentionally do some shifts that UBSAN
  complains about.
- x86 version of optimized int#korr() methods. UBSAN do not like unaligned
  memory access of integers.  Fixed by using byte_order_generic.h when
  compiling with UBSAN
- We use smaller thread stack with ASAN and UBSAN, which forced me to
  disable a few tests that prints the thread stack size.
- Verifying class types does not work for shared libraries. I added
  suppression in mysql-test-run.pl for this case.
- Added '#ifdef WITH_UBSAN' when using integer arithmetic where it is
  safe to have overflows (two cases, in item_func.cc).

Things fixed:
- Don't left shift signed values
  (byte_order_generic.h, mysqltest.c, item_sum.cc and many more)
- Don't assign not non existing values to enum variables.
- Ensure that bool and enum values are properly initialized in
  constructors.  This was needed as UBSAN checks that these types has
  correct values when one copies an object.
  (gcalc_tools.h, ha_partition.cc, item_sum.cc, partition_element.h ...)
- Ensure we do not called handler functions on unallocated objects or
  deleted objects.
  (events.cc, sql_acl.cc).
- Fixed bugs in Item_sp::Item_sp() where we did not call constructor
  on Query_arena object.
- Fixed several cast of objects to an incompatible class!
  (Item.cc, Item_buff.cc, item_timefunc.cc, opt_subselect.cc, sql_acl.cc,
   sql_select.cc ...)
- Ensure we do not do integer arithmetic that causes over or underflows.
  This includes also ++ and -- of integers.
  (Item_func.cc, Item_strfunc.cc, item_timefunc.cc, sql_base.cc ...)
- Added JSON_VALUE_UNITIALIZED to json_value_types and ensure that
  value_type is initialized to this instead of to -1, which is not a valid
  enum value for json_value_types.
- Ensure we do not call memcpy() when second argument could be null.
- Fixed that Item_func_str::make_empty_result() creates an empty string
  instead of a null string (safer as it ensures we do not do arithmetic
  on null strings).

Other things:

- Changed struct st_position to an OBJECT and added an initialization
  function to it to ensure that we do not copy or use uninitialized
  members. The change to a class was also motived that we used "struct
  st_position" and POSITION randomly trough the code which was
  confusing.
- Notably big rewrite in sql_acl.cc to avoid using deleted objects.
- Changed in sql_partition to use '^' instead of '-'. This is safe as
  the operator is either 0 or 0x8000000000000000ULL.
- Added check for select_nr < INT_MAX in JOIN::build_explain() to
  avoid bug when get_select() could return NULL.
- Reordered elements in POSITION for better alignment.
- Changed sql_test.cc::print_plan() to use pointers instead of objects.
- Fixed bug in find_set() where could could execute '1 << -1'.
- Added variable have_sanitizer, used by mtr.  (This variable was before
  only in 10.5 and up).  It can now have one of two values:
  ASAN or UBSAN.
- Moved ~Archive_share() from ha_archive.cc to ha_archive.h and marked
  it virtual. This was an effort to get UBSAN to work with loaded storage
  engines. I kept the change as the new place is better.
- Added in CONNECT engine COLBLK::SetName(), to get around a wrong cast
  in tabutil.cpp.
- Added HAVE_REPLICATION around usage of rgi_slave, to get embedded
  server to compile with UBSAN. (Patch from Marko).
- Added #ifdef for powerpc64 to avoid a bug in old gcc versions related
  to integer arithmetic.

Changes that should not be needed but had to be done to suppress warnings
from UBSAN:

- Added static_cast<<uint16_t>> around shift to get rid of a LOT of
  compiler warnings when using UBSAN.
- Had to change some '/' of 2 base integers to shift to get rid of
  some compile time warnings.

Reviewed by:
- Json changes: Alexey Botchkov
- Charset changes in ctype-uca.c: Alexander Barkov
- InnoDB changes & Embedded server: Marko Mäkelä
- sql_acl.cc changes: Vicențiu Ciorbaru
- build_explain() changes: Sergey Petrunia
2021-04-20 12:30:09 +03:00
cebf9ee204 Fix various spelling errors still found in code
Reseting -> Resetting
Unknow -> Unknown
capabilites -> capabilities
choosen -> chosen
direcory -> directory
informations -> information
openned -> opened
refered -> referred
to access -> one to access
missmatch -> mismatch
succesfully -> successfully
dont -> don't
2021-03-22 18:10:39 +11:00
a4b7232b2c Merge 10.4 into 10.5 2021-03-11 20:09:34 +02:00
2c3014e8a7 MDEV-24668 fixup: uninitialized return value with Galera 2021-03-11 19:14:35 +02:00
9742cf4203 MDEV-24668 debug assert on SET PASSWORD when binlog fails
don't use `result` both for an error status and to remember
if the mutex was locked
2021-03-08 15:00:45 +01:00
f33e57a9e6 Merge branch '10.4' into 10.5 2021-02-23 13:06:22 +01:00
245d33db4e Merge branch 'github/10.4' into 10.4 2021-02-23 10:35:16 +01:00
8b77e6c676 MDEV-24114 SHOW CREATE USER doesnt display correct password expiry status
Given PASSWORD EXPIRE and PASSWORD EXPIRE [NEVER|INTERVAL x DAY] are
two different mechanisms, SHOW CREATE USER should display all the
information required to restore the state of an account which
includes both a manual expired state and an automatic policy.

The solution proposed here keeps a CREATE USER ... PASSWORD EXPIRE
statement and adds an aditional
ALTER USER .. PASSWORD EXPIRE [NEVER|INTERVAL x DAY] when necessary

This way a tool can restore almost the complete state of an account
as it was before a dump. The only information left still is the
value of the password_last_changed column from mysql.global_priv
2021-02-23 11:05:56 +02:00
25d9d2e37f Merge branch 'bb-10.4-release' into bb-10.5-release 2021-02-15 16:43:15 +01:00