MDEV-29851 Cached role privileges are not invalidated when needed

GRANT ROLE can update db-level privileges -> must invalidate acl_cache
MariaDB · Oct 22, 2022 · 68fb05c · 68fb05c
1 parent 7a2f995
commit 68fb05c
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 0 deletions.
diff --git a/mysql-test/suite/roles/role_grant_propagate.result b/mysql-test/suite/roles/role_grant_propagate.result
@@ -138,5 +138,30 @@ drop role test_role1, test_role2;
 create role test_role1;
 drop role test_role1;
 #
+# MDEV-29851 Cached role privileges are not invalidated when needed
+#
+create role admin;
+create role student;
+create database crm;
+grant create on crm.* to admin;
+grant select on crm.* to student;
+create user intern@localhost;
+grant student to intern@localhost;
+set default role student for intern@localhost;
+connect con1, localhost, intern;
+use crm;
+disconnect con1;
+connection default;
+grant admin to student;
+connect con1, localhost, intern;
+use crm;
+create table t1 (a int);
+disconnect con1;
+connection default;
+drop user intern@localhost;
+drop role student;
+drop role admin;
+drop database crm;
+#
 # End of 10.3 tests
 #
diff --git a/mysql-test/suite/roles/role_grant_propagate.test b/mysql-test/suite/roles/role_grant_propagate.test
@@ -166,6 +166,36 @@ drop role test_role1, test_role2;
 create role test_role1;
 drop role test_role1;
 
+--echo #
+--echo # MDEV-29851 Cached role privileges are not invalidated when needed
+--echo #
+create role admin;
+create role student;
+create database crm;
+grant create on crm.* to admin;
+grant select on crm.* to student;
+create user intern@localhost;
+grant student to intern@localhost;
+set default role student for intern@localhost;
+
+connect con1, localhost, intern;
+use crm;
+disconnect con1;
+
+connection default;
+grant admin to student;
+
+connect con1, localhost, intern;
+use crm;
+create table t1 (a int);
+disconnect con1;
+
+connection default;
+drop user intern@localhost;
+drop role student;
+drop role admin;
+drop database crm;
+
 --echo #
 --echo # End of 10.3 tests
 --echo #
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -7152,7 +7152,10 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
        a role
     */
     if (role_as_user)
+    {
       propagate_role_grants(role_as_user, PRIVS_TO_MERGE::ALL);
+      acl_cache->clear(1);
+    }
   }
 
   mysql_mutex_unlock(&acl_cache->lock);