MDEV-20299 SET SESSION AUTHORIZATION

a.k.a. "sudo"

Author: vuvova

mysql-test/main/set_authorization.result

@@ -0,0 +1,136 @@
+#
+# MDEV-20299 SET SESSION AUTHORIZATION
+#
+create user foo@bar identified via mysql_native_password using password('foo');
+connect con1, localhost, root;
+select user(), current_user(), database();
+user()	current_user()	database()
+root@localhost	root@localhost	test
+set session authorization bar@foo;
+ERROR HY000: The user 'bar'@'foo' does not exist
+select user(), current_user(), database();
+user()	current_user()	database()
+root@localhost	root@localhost	test
+set session authorization foo@bar;
+select user(), current_user(), database();
+user()	current_user()	database()
+foo@bar	foo@bar	NULL
+set @a:='not changed';
+set session authorization bar@foo;
+ERROR 28000: Access denied trying to change to user 'bar'@'foo'
+select @a;
+@a
+not changed
+set session authorization foo@bar;
+select @a;
+@a
+NULL
+disconnect con1;
+connection default;
+drop user foo@bar;
+create user ''@'l%t' identified via mysql_native_password using password('foo');
+connect con1, localhost, root;
+select user(), current_user(), database();
+user()	current_user()	database()
+root@localhost	root@localhost	test
+set session authorization fist@list;
+select user(), current_user(), database();
+user()	current_user()	database()
+fist@list	@l%t	NULL
+set @a:='not changed';
+set session authorization first@last;
+ERROR 28000: Access denied trying to change to user 'first'@'last'
+select @a;
+@a
+not changed
+set session authorization fist@list;
+select @a;
+@a
+NULL
+disconnect con1;
+connection default;
+drop user ''@'l%t';
+create user ''@'%' identified via mysql_native_password using password('foo');
+connect con1, localhost, root;
+select user(), current_user(), database();
+user()	current_user()	database()
+root@localhost	root@localhost	test
+set session authorization ''@last;
+ERROR HY000: The user ''@'last' does not exist
+set session authorization foo@'';
+ERROR HY000: The user 'foo'@'' does not exist
+start transaction;
+select user(), current_user(), database(), @@in_transaction;
+user()	current_user()	database()	@@in_transaction
+root@localhost	root@localhost	test	1
+set session authorization foo@bar;
+ERROR 25001: SESSION AUTHORIZATION can't be set while a transaction is in progress
+select user(), current_user(), database(), @@in_transaction;
+user()	current_user()	database()	@@in_transaction
+root@localhost	root@localhost	test	1
+disconnect con1;
+connection default;
+prepare s from 'set session authorization foo@bar';
+ERROR HY000: This command is not supported in the prepared statement protocol yet
+create procedure sudo_foobar() set session authorization foo@bar;
+ERROR 0A000: SET SESSION AUTHORIZATION is not allowed in stored procedures
+create procedure sudo_foobar()
+execute immediate 'set session authorization foo@bar';
+call sudo_foobar();
+ERROR HY000: This command is not supported in the prepared statement protocol yet
+drop procedure sudo_foobar;
+drop user ''@'%';
+# restart: --skip-grant-tables
+set session authorization u@localhost;
+ERROR HY000: The MariaDB server is running with the --skip-grant-tables option so it cannot execute this statement
+flush privileges;
+create user u1@localhost with max_statement_time 1;
+connect u1,localhost,u1;
+select @@max_statement_time;
+@@max_statement_time
+1.000000
+disconnect u1;
+connect u1,localhost,root;
+select @@max_statement_time;
+@@max_statement_time
+0.000000
+set session authorization u1@localhost;
+select @@max_statement_time;
+@@max_statement_time
+1.000000
+disconnect u1;
+connection default;
+drop user u1@localhost;
+#
+# MDEV-36399 SET SESSION AUTHORIZATION allows an unrpivileged user to bypass resource limits
+#
+create user u1 with max_queries_per_hour 2;
+connect u1,localhost,u1;
+set session authorization u1@localhost;
+select 1;
+1
+1
+select 2;
+ERROR 42000: User 'u1' has exceeded the 'max_queries_per_hour' resource (current value: 2)
+disconnect u1;
+connection default;
+drop user u1;
+#
+# MDEV-36401 Access denied errors produced by SET SESSION AUTHORIZATION not reflected in status values
+#
+flush global status;
+set session authorization u1@localhost;
+ERROR HY000: The user 'u1'@'localhost' does not exist
+create user u1;
+connect u1,localhost,u1;
+set session authorization root@localhost;
+ERROR 28000: Access denied trying to change to user 'root'@'localhost'
+set session authorization foo@bar;
+ERROR 28000: Access denied trying to change to user 'foo'@'bar'
+disconnect u1;
+connection default;
+show global status like 'access_denied_errors';
+Variable_name	Value
+Access_denied_errors	2
+drop user u1;
+# End of 11.8 tests

mysql-test/main/set_authorization.test

@@ -0,0 +1,139 @@
+source include/not_embedded.inc;
+source include/no_protocol.inc;
+
+--echo #
+--echo # MDEV-20299 SET SESSION AUTHORIZATION
+--echo #
+
+# simple tests
+create user foo@bar identified via mysql_native_password using password('foo');
+connect con1, localhost, root;
+select user(), current_user(), database();
+# sudo, with SET USER privilege, nonexistent user
+--error ER_NO_SUCH_USER
+set session authorization bar@foo;
+select user(), current_user(), database();
+# sudo, with SET USER privilege
+set session authorization foo@bar;
+select user(), current_user(), database();
+set @a:='not changed';
+# sudo without SET USER privilege
+--error ER_ACCESS_DENIED_CHANGE_USER_ERROR
+set session authorization bar@foo;
+select @a;
+# to self, no privileges needed
+set session authorization foo@bar;
+select @a;
+disconnect con1;
+connection default;
+drop user foo@bar;
+
+# user() != current_user() (w/ wildcards)
+create user ''@'l%t' identified via mysql_native_password using password('foo');
+connect con1, localhost, root;
+select user(), current_user(), database();
+# sudo, with SET USER privilege
+set session authorization fist@list;
+select user(), current_user(), database();
+set @a:='not changed';
+# sudo without SET USER privilege (note, same CURRENT_USER)
+--error ER_ACCESS_DENIED_CHANGE_USER_ERROR
+set session authorization first@last;
+select @a;
+# to self, no privileges needed
+set session authorization fist@list;
+select @a;
+disconnect con1;
+connection default;
+drop user ''@'l%t';
+
+create user ''@'%' identified via mysql_native_password using password('foo');
+connect con1, localhost, root;
+select user(), current_user(), database();
+# empty username
+--error ER_NO_SUCH_USER
+set session authorization ''@last;
+# empty hostname
+--error ER_NO_SUCH_USER
+set session authorization foo@'';
+# in a transaction - an error
+start transaction;
+select user(), current_user(), database(), @@in_transaction;
+--error ER_CANT_SET_IN_TRANSACTION
+set session authorization foo@bar;
+select user(), current_user(), database(), @@in_transaction;
+disconnect con1;
+connection default;
+
+# cannot be prepared
+--error ER_UNSUPPORTED_PS
+prepare s from 'set session authorization foo@bar';
+
+# cannot be in a stored routine
+--error ER_SP_BADSTATEMENT
+create procedure sudo_foobar() set session authorization foo@bar;
+
+create procedure sudo_foobar()
+  execute immediate 'set session authorization foo@bar';
+--error ER_UNSUPPORTED_PS
+call sudo_foobar();
+drop procedure sudo_foobar;
+
+drop user ''@'%';
+
+# doesn't work if --skip-grant-tables
+--let $restart_parameters= --skip-grant-tables
+--source include/restart_mysqld.inc
+--error ER_OPTION_PREVENTS_STATEMENT
+set session authorization u@localhost;
+flush privileges;
+
+# max_statement_time -> @@max_statement_time
+create user u1@localhost with max_statement_time 1;
+connect u1,localhost,u1;
+select @@max_statement_time;
+disconnect u1;
+connect u1,localhost,root;
+select @@max_statement_time;
+set session authorization u1@localhost;
+select @@max_statement_time;
+disconnect u1;
+connection default;
+drop user u1@localhost;
+
+--echo #
+--echo # MDEV-36399 SET SESSION AUTHORIZATION allows an unrpivileged user to bypass resource limits
+--echo #
+
+create user u1 with max_queries_per_hour 2;
+connect u1,localhost,u1;
+
+set session authorization u1@localhost;
+select 1;
+--error ER_USER_LIMIT_REACHED
+select 2;
+disconnect u1;
+connection default;
+drop user u1;
+
+--echo #
+--echo # MDEV-36401 Access denied errors produced by SET SESSION AUTHORIZATION not reflected in status values
+--echo #
+flush global status;
+
+--error ER_NO_SUCH_USER
+set session authorization u1@localhost;
+
+create user u1;
+
+connect u1,localhost,u1;
+--error ER_ACCESS_DENIED_CHANGE_USER_ERROR
+set session authorization root@localhost;
+--error ER_ACCESS_DENIED_CHANGE_USER_ERROR
+set session authorization foo@bar;
+disconnect u1;
+connection default;
+show global status like 'access_denied_errors';
+drop user u1;
+
+--echo # End of 11.8 tests

sql/lex.h

@@ -76,6 +76,7 @@ SYMBOL symbols[] = {
   { "AT",		SYM(AT_SYM)},
   { "ATOMIC",		SYM(ATOMIC_SYM)},
   { "AUTHORS",	        SYM(AUTHORS_SYM)},
+  { "AUTHORIZATION",    SYM(AUTHORIZATION_SYM)},
   { "AUTO",             SYM(AUTO_SYM)},
   { "AUTO_INCREMENT",	SYM(AUTO_INC)},
   { "AVG",		SYM(AVG_SYM)},

sql/privilege.h

@@ -332,6 +332,8 @@ constexpr privilege_t PRIV_DEFINER_CLAUSE= SET_USER_ACL;
 */
 constexpr privilege_t PRIV_REVEAL_MISSING_DEFINER= SET_USER_ACL;
 
+constexpr privilege_t PRIV_SUDO_CHANGE_USER= SET_USER_ACL;
+
 /* Actions that require only the SUPER privilege */
 constexpr privilege_t PRIV_DES_DECRYPT_ONE_ARG= SUPER_ACL;
 constexpr privilege_t PRIV_LOG_BIN_TRUSTED_SP_CREATOR= SUPER_ACL;

sql/set_var.cc

@@ -973,6 +973,39 @@ int set_var_password::update(THD *thd)
 #endif
 }
 
+/*****************************************************************************
+  Functions to handle SET SESSION AUTHORIZATION
+*****************************************************************************/
+
+int set_var_authorization::check(THD *thd)
+{
+  /*
+    SET SESSION AUTHORIZATION cannot be combined with other variables,
+    so most of the checks are only done in update.
+  */
+  if (!thd->stmt_arena->is_conventional())
+    my_error(ER_UNSUPPORTED_PS, MYF(0));
+  else
+  if (thd->in_active_multi_stmt_transaction())
+    my_error(ER_CANT_SET_IN_TRANSACTION, MYF(0), "SESSION AUTHORIZATION");
+  else
+    return 0;
+
+  return 1;
+}
+
+int set_var_authorization::update(THD *thd)
+{
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+  int res= acl_setauthorization(thd, user);
+  if (!res)
+    thd->session_tracker.state_change.mark_as_changed(thd);
+  return res;
+#else
+  return 0;
+#endif
+}
+
 /*****************************************************************************
   Functions to handle SET ROLE
 *****************************************************************************/

sql/set_var.h

@@ -363,6 +363,17 @@ class set_var_password: public set_var_base
   int update(THD *thd) override;
 };
 
+/* For SET SESSION AUTHORIZATION */
+
+class set_var_authorization: public set_var_base
+{
+  LEX_USER *user;
+public:
+  set_var_authorization(LEX_USER *user_arg) : user(user_arg) {}
+  int check(THD *thd) override;
+  int update(THD *thd) override;
+};
+
 /* For SET ROLE */
 
 class set_var_role: public set_var_base

sql/share/errmsg-utf8.txt

@@ -10102,11 +10102,11 @@ ER_SLAVE_RLI_INIT_REPOSITORY
         sw "Mtumwa alishindwa kuanzisha muundo wa habari ya relay wa logi kutoka kwa hazina"
 
 ER_ACCESS_DENIED_CHANGE_USER_ERROR 28000 
-        bgn "Отказан достъп при опит за смяна към потребител %-.48s'@'%-.64s' (използвана парола: %s). Затваряне на връзката"
-        chi "访问拒绝尝试更改为用户'%-.48s'@'%-.64s'（使用密码：%s）。断开连接"
-        eng "Access denied trying to change to user '%-.48s'@'%-.64s' (using password: %s). Disconnecting"
-        spa "Acceso denegado intentando cambiar a usuario '%-.48s'@'%-.64s' (usando contraseña: %s). Desconectando"
-        sw "Ufikiaji umekataliwa kujaribu kubadilisha hadi mtumiaji '%-.48s'@'%-.64s' (kwa kutumia nenosiri: %s). Inatenganisha"
+        bgn "Отказан достъп при опит за смяна към потребител %-.48s'@'%-.64s'"
+        chi "访问拒绝尝试更改为用户'%-.48s'@'%-.64s'"
+        eng "Access denied trying to change to user '%-.48s'@'%-.64s'"
+        spa "Acceso denegado intentando cambiar a usuario '%-.48s'@'%-.64s'"
+        sw "Ufikiaji umekataliwa kujaribu kubadilisha hadi mtumiaji '%-.48s'@'%-.64s'"
 
 ER_INNODB_READ_ONLY
         chi "innodb是只读模式"