MDEV-10463: Granted as a whole to roles, databases are not show in SH…

…OW DATABASES The problem lies in not checking role privileges as well during SHOW DATABASES command. This problem is also apparent for SHOW CREATE DATABASE command. Other SHOW COMMANDS make use of check_access, which in turn makes use of acl_get for both priv_user and priv_role parts, which allows them to function correctly.
MariaDB · Jun 15, 2017 · 34da3be · 34da3be
1 parent 2579b25
commit 34da3be
Show file tree

Hide file tree

Showing 3 changed files with 131 additions and 4 deletions.
diff --git a/mysql-test/suite/roles/show_create_database-10463.result b/mysql-test/suite/roles/show_create_database-10463.result
@@ -0,0 +1,65 @@
+drop database if exists db;
+Warnings:
+Note	1008	Can't drop database 'db'; database doesn't exist
+create role r1;
+create user beep@'%';
+create database db;
+create table db.t1 (i int);
+create table db.t2 (b int);
+grant select on db.* to r1;
+grant r1 to beep@'%';
+show databases;
+Database
+information_schema
+test
+show create database db;
+ERROR 42000: Access denied for user 'beep'@'localhost' to database 'db'
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+table_schema	table_name
+set role r1;
+show databases;
+Database
+db
+information_schema
+test
+show create database db;
+Database	Create Database
+db	CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+table_schema	table_name
+db	t1
+db	t2
+create role r2;
+create user beep2@'%';
+grant update on db.* to r2;
+grant r2 to beep2;
+show databases;
+Database
+information_schema
+test
+show create database db;
+ERROR 42000: Access denied for user 'beep2'@'localhost' to database 'db'
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+table_schema	table_name
+set role r2;
+show databases;
+Database
+db
+information_schema
+test
+show create database db;
+Database	Create Database
+db	CREATE DATABASE `db` /*!40100 DEFAULT CHARACTER SET latin1 */
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+table_schema	table_name
+db	t1
+db	t2
+drop database db;
+drop role r1;
+drop user beep;
+drop role r2;
+drop user beep2;
diff --git a/mysql-test/suite/roles/show_create_database-10463.test b/mysql-test/suite/roles/show_create_database-10463.test
@@ -0,0 +1,55 @@
+source include/not_embedded.inc;
+
+drop database if exists db;
+
+create role r1;
+create user beep@'%';
+
+create database db;
+create table db.t1 (i int);
+create table db.t2 (b int);
+grant select on db.* to r1;
+grant r1 to beep@'%';
+
+--connect (con1,localhost,beep,,)
+show databases;
+--error ER_DBACCESS_DENIED_ERROR
+show create database db;
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+
+set role r1;
+show databases;
+show create database db;
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+
+
+connection default;
+create role r2;
+create user beep2@'%';
+
+grant update on db.* to r2;
+grant r2 to beep2;
+--connect (con2,localhost,beep2,,)
+show databases;
+--error ER_DBACCESS_DENIED_ERROR
+show create database db;
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+
+set role r2;
+show databases;
+
+show create database db;
+select table_schema, table_name from information_schema.tables
+where table_schema = 'db';
+
+
+connection default;
+
+drop database db;
+drop role r1;
+drop user beep;
+drop role r2;
+drop user beep2;
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
@@ -1167,8 +1167,13 @@ bool mysqld_show_create_db(THD *thd, LEX_STRING *dbname,
   if (test_all_bits(sctx->master_access, DB_ACLS))
     db_access=DB_ACLS;
   else
-    db_access= (acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) |
-		sctx->master_access);
+  {
+    db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, dbname->str, 0) |
+               sctx->master_access;
+    if (sctx->priv_role[0])
+      db_access|= acl_get("", "", sctx->priv_role, dbname->str, 0);
+  }
+
   if (!(db_access & DB_ACLS) && check_grant_db(thd,dbname->str))
   {
     status_var_increment(thd->status_var.access_denied_errors);
@@ -5118,8 +5123,10 @@ int fill_schema_schemata(THD *thd, TABLE_LIST *tables, COND *cond)
     }
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
     if (sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
-	acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, 0) ||
-	!check_grant_db(thd, db_name->str))
+        acl_get(sctx->host, sctx->ip, sctx->priv_user, db_name->str, false) ||
+        (sctx->priv_role[0] ?
+             acl_get("", "", sctx->priv_role, db_name->str, false) : 0) ||
+        !check_grant_db(thd, db_name->str))
 #endif
     {
       load_db_opt_by_name(thd, db_name->str, &create);