Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

privilege: fix privilege check of CREATE ROLE and DROP ROLE #13940

Merged
merged 4 commits into from Dec 11, 2019
Merged

privilege: fix privilege check of CREATE ROLE and DROP ROLE #13940

merged 4 commits into from Dec 11, 2019

Conversation

imtbkcat
Copy link

@imtbkcat imtbkcat commented Dec 6, 2019

What problem does this PR solve?

In MySQL, user with CREATE USER privilege can execute CREATE ROLE xxx or DROP ROLE xxx. But TiDB has bug on this check.

mysql> show grants;
+------------------------------------------+
| Grants for User                          |
+------------------------------------------+
| GRANT Create User ON *.* TO 'tester'@'%' |
+------------------------------------------+
1 row in set (0.00 sec)

mysql> create role r4;
ERROR 1227 (42000): Access denied; you need (at least one of) the CREATE ROLE privilege(s) for this operation
mysql> drop role r1;
ERROR 1227 (42000): Access denied; you need (at least one of) the DROP ROLE privilege(s) for this operation
mysql>

What is changed and how it works?

Add check for CREATE USER privilege. If users have CREATE USER privilege, they can CREATE ROLE and DROP ROLE

Check List

Tests

  • Unit test

Code changes

  • None

Side effects

  • Increased code complexity

Related changes

  • Need to cherry-pick to the release branch

Release note

  • fix bug of privilege check on CREATE ROLE

@tiancaiamao
Copy link
Contributor

LGTM

tiancaiamao
tiancaiamao reviewed Dec 6, 2019
View reviewed changes
executor/simple.go
if s.IsDropRole && !checker.RequestVerification(activeRoles, "", "", "", mysql.DropRolePriv) {
return core.ErrSpecificAccessDenied.GenWithStackByArgs("DROP ROLE")
if s.IsDropRole {
if !checker.RequestVerification(activeRoles, "", "", "", mysql.DropRolePriv) &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is &&, that means if a user has the CreateUser privilege or DropRole privilege, he can execute the drop role operation.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, if a user has the CreateUser privilege or DropRole privilege, the can execute the drop role operation.

jackysp
jackysp approved these changes Dec 11, 2019
View reviewed changes
Copy link
Member

@jackysp jackysp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jackysp
Copy link
Member

jackysp commented Dec 11, 2019

/merge

@sre-bot sre-bot added the status/can-merge Indicates a PR has been approved by a committer. label Dec 11, 2019
@sre-bot
Copy link
Contributor

sre-bot commented Dec 11, 2019

/run-all-tests

@codecov
Copy link

codecov bot commented Dec 11, 2019
edited

Codecov Report

Merging #13940 into master will not change coverage.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             master     #13940   +/-   ##
===========================================
  Coverage   80.2117%   80.2117%           
===========================================
  Files           482        482           
  Lines        120885     120885           
===========================================
  Hits          96964      96964           
  Misses        16192      16192           
  Partials       7729       7729

@sre-bot
Copy link
Contributor

sre-bot commented Dec 11, 2019

@imtbkcat merge failed.

@jackysp
Copy link
Member

jackysp commented Dec 11, 2019

/run-unit-test

1 similar comment
@imtbkcat
Copy link
Author

/run-unit-test

@jackysp
Copy link
Member

jackysp commented Dec 11, 2019

/merge

@sre-bot
Copy link
Contributor

sre-bot commented Dec 11, 2019

/run-all-tests

@sre-bot sre-bot merged commit 7c17add into pingcap:master Dec 11, 2019
@sre-bot
Copy link
Contributor

sre-bot commented Dec 11, 2019

cherry pick to release-3.0 failed

imtbkcat pushed a commit to imtbkcat/tidb that referenced this pull request Dec 17, 2019
privilege: fix privilege check of CREATE ROLE and DROP ROLE (ping…
21e99e3 
…cap#13940)
@imtbkcat imtbkcat mentioned this pull request Dec 17, 2019
Merged
ngaut pushed a commit that referenced this pull request Dec 18, 2019
@ngaut
privilege: fix privilege check of CREATE ROLE and DROP ROLE (#13940
7ea2a21 
…) (#14088)
XiaTianliang pushed a commit to XiaTianliang/tidb that referenced this pull request Dec 21, 2019
@XiaTianliang
privilege: fix privilege check of CREATE ROLE and DROP ROLE (ping…
7f0b48b 
…cap#13940)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tiancaiamao tiancaiamao tiancaiamao left review comments

@jackysp jackysp jackysp approved these changes

Assignees
No one assigned
Labels
component/privilege status/can-merge Indicates a PR has been approved by a committer. type/bug-fix This PR fixes a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@imtbkcat @tiancaiamao @jackysp @sre-bot