Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

privilege: fix privilege check of GRANT ROLE #13896

Merged
merged 8 commits into from Dec 5, 2019
Merged

privilege: fix privilege check of GRANT ROLE #13896

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
688bfaf
fix grant role privilege
Dec 4, 2019
122cf34
fix error message
Dec 4, 2019
84d6033
fix error
Dec 4, 2019
c8c448e
add test
Dec 4, 2019
5ce7af4
add failed case
Dec 4, 2019
86fe37c
Merge branch 'master' into fixRoleAdmin
sre-bot Dec 5, 2019
618e6ad
Merge branch 'master' into fixRoleAdmin
Dec 5, 2019
7715e99
Merge branch 'master' into fixRoleAdmin
ngaut Dec 5, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
25 changes: 25 additions & 0 deletions executor/simple_test.go
View file
Open in desktop
Expand Up @@ -188,6 +188,31 @@ func (s *testSuite3) TestRole(c *C) {
tk.MustExec("SET ROLE NONE")
}

func (s *testSuite3) TestRoleAdmin(c *C) {
tk := testkit.NewTestKit(c, s.store)
tk.MustExec("CREATE USER 'testRoleAdmin';")
tk.MustExec("CREATE ROLE 'targetRole';")

// Create a new session.
se, err := session.CreateSession4Test(s.store)
c.Check(err, IsNil)
defer se.Close()
c.Assert(se.Auth(&auth.UserIdentity{Username: "testRoleAdmin", Hostname: "localhost"}, nil, nil), IsTrue)

ctx := context.Background()
_, err = se.Execute(ctx, "GRANT `targetRole` TO `testRoleAdmin`;")
c.Assert(err, NotNil)

tk.MustExec("GRANT SUPER ON *.* TO `testRoleAdmin`;")
_, err = se.Execute(ctx, "GRANT `targetRole` TO `testRoleAdmin`;")
c.Assert(err, IsNil)
_, err = se.Execute(ctx, "REVOKE `targetRole` FROM `testRoleAdmin`;")
c.Assert(err, IsNil)
alivxxx marked this conversation as resolved.
Show resolved Hide resolved

tk.MustExec("DROP USER 'testRoleAdmin';")
tk.MustExec("DROP ROLE 'targetRole';")
}

func (s *testSuite3) TestDefaultRole(c *C) {
tk := testkit.NewTestKit(c, s.store)

Expand Down
7 changes: 4 additions & 3 deletions planner/core/planbuilder.go
View file
Open in desktop
Expand Up @@ -1620,12 +1620,13 @@ func (b *PlanBuilder) buildSimple(node ast.StmtNode) (Plan, error) {
}
b.visitInfo = collectVisitInfoFromGrantStmt(b.ctx, b.visitInfo, raw)
case *ast.GrantRoleStmt:
err := ErrSpecificAccessDenied.GenWithStackByArgs("GRANT ROLE")
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.GrantPriv, "", "", "", err)
err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER")
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "", err)
case *ast.RevokeStmt:
b.visitInfo = collectVisitInfoFromRevokeStmt(b.ctx, b.visitInfo, raw)
case *ast.RevokeRoleStmt:
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "", nil)
err := ErrSpecificAccessDenied.GenWithStackByArgs("SUPER")
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "", err)
case *ast.KillStmt:
// If you have the SUPER privilege, you can kill all threads and statements.
// Otherwise, you can kill only your own threads and statements.
Expand Down