
Commit 7735ba7

MDEV-29458: Role grant commands do not propagate all grants
There was an issue in updating in-memory role data structures when propagating role grants. The issue is that changing a particular role's privilege (on any privilege level: global, database, etc.) was done such that it overwrote the entire set of bits for that particular level of privileges. For example: grant select on *.* to r1 -> sets the access bits of r1 to select, regardless of what bits were already present for role r1 (inherited from any other roles). Before this fix, the rights of role r1 were propagated to any roles r1 was granted to; however, the propagated rights did *not* include the complete rights r1 inherited from its own grants. For example: grant r2 to r1; grant select on *.* to r2; grant insert on *.* to r1; # This last command completely disregards the select privilege inherited from r2. In order to correct this, ensure that, before rights are propagated onwards, the current role's rights have been updated from its own grants. Additionally, the patch exposed a flaw in the DROP ROLE code. When deleting a role we removed all its previous grants, but what remained was the actual links of roles granted to the dropped role. Having these links present when propagating grants meant that we would have leftover ACL_xxx entries. Ensure that the links are removed before propagating grants.
1 parent 145932a commit 7735ba7


4 files changed

+406
-95
lines changed


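--- a/mysql-test/suite/roles/recursive_dbug.result
+++ b/mysql-test/suite/roles/recursive_dbug.result
@@ -56,7 +56,7 @@ connection default;
 grant select on *.* to role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 19
+Debug_role_merges_global 20
 Debug_role_merges_db 0
 Debug_role_merges_table 0
 Debug_role_merges_column 0
@@ -106,7 +106,7 @@ connection default;
 revoke select on *.* from role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
+Debug_role_merges_global 29
 Debug_role_merges_db 0
 Debug_role_merges_table 0
 Debug_role_merges_column 0
@@ -124,8 +124,8 @@ connection default;
 grant select on mysql.* to role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 8
+Debug_role_merges_global 29
+Debug_role_merges_db 9
 Debug_role_merges_table 0
 Debug_role_merges_column 0
 Debug_role_merges_routine 0
@@ -164,8 +164,8 @@ connection default;
 revoke select on mysql.* from role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
+Debug_role_merges_global 29
+Debug_role_merges_db 17
 Debug_role_merges_table 0
 Debug_role_merges_column 0
 Debug_role_merges_routine 0
@@ -177,9 +177,9 @@ connection default;
 grant select on mysql.roles_mapping to role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 8
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 9
 Debug_role_merges_column 0
 Debug_role_merges_routine 0
 connection foo;
@@ -217,9 +217,9 @@ connection default;
 revoke select on mysql.roles_mapping from role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 16
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 17
 Debug_role_merges_column 0
 Debug_role_merges_routine 0
 connection foo;
@@ -230,10 +230,10 @@ connection default;
 grant select(User) on mysql.roles_mapping to role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 24
-Debug_role_merges_column 8
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 26
+Debug_role_merges_column 9
 Debug_role_merges_routine 0
 connection foo;
 select count(*) from mysql.roles_mapping;
@@ -272,10 +272,10 @@ connection default;
 grant select(Host) on mysql.roles_mapping to role3;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 30
-Debug_role_merges_column 14
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 33
+Debug_role_merges_column 16
 Debug_role_merges_routine 0
 connection foo;
 select count(concat(User,Host,Role)) from mysql.roles_mapping;
@@ -312,10 +312,10 @@ connection default;
 revoke select(User) on mysql.roles_mapping from role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 38
-Debug_role_merges_column 22
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 41
+Debug_role_merges_column 24
 Debug_role_merges_routine 0
 connection foo;
 select count(concat(User,Host)) from mysql.roles_mapping;
@@ -327,10 +327,10 @@ connection default;
 revoke select(Host) on mysql.roles_mapping from role3;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 44
-Debug_role_merges_column 28
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 47
+Debug_role_merges_column 30
 Debug_role_merges_routine 0
 connection foo;
 select count(concat(Host)) from mysql.roles_mapping;
@@ -342,11 +342,11 @@ create function fn1() returns char(10) return "fn1";
 grant execute on procedure test.pr1 to role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 44
-Debug_role_merges_column 28
-Debug_role_merges_routine 8
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 47
+Debug_role_merges_column 30
+Debug_role_merges_routine 9
 connection foo;
 call pr1();
 ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.pr1'
@@ -360,11 +360,11 @@ connection default;
 grant execute on function test.fn1 to role5;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 44
-Debug_role_merges_column 28
-Debug_role_merges_routine 13
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 47
+Debug_role_merges_column 30
+Debug_role_merges_routine 15
 connection foo;
 select fn1();
 fn1()
@@ -373,11 +373,11 @@ connection default;
 revoke execute on procedure test.pr1 from role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 44
-Debug_role_merges_column 28
-Debug_role_merges_routine 21
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 47
+Debug_role_merges_column 30
+Debug_role_merges_routine 23
 connection foo;
 call pr1();
 ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.pr1'
@@ -388,11 +388,11 @@ connection default;
 revoke execute on function test.fn1 from role5;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 44
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 47
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 connection foo;
 select fn1();
 ERROR 42000: execute command denied to user 'foo'@'localhost' for routine 'test.fn1'
@@ -403,67 +403,67 @@ drop function fn1;
 grant select on mysql.roles_mapping to role3;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 50
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 54
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 grant select on mysql.roles_mapping to role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 53
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 58
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 revoke select on mysql.roles_mapping from role3;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 54
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 59
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 revoke select on mysql.roles_mapping from role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 16
-Debug_role_merges_table 62
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 17
+Debug_role_merges_table 67
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 grant select on mysql.* to role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 24
-Debug_role_merges_table 62
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 26
+Debug_role_merges_table 67
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 grant select on test.* to role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 32
-Debug_role_merges_table 62
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 35
+Debug_role_merges_table 67
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 revoke select on mysql.* from role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 40
-Debug_role_merges_table 62
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 43
+Debug_role_merges_table 67
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 revoke select on test.* from role1;
 show status like 'debug%';
 Variable_name Value
-Debug_role_merges_global 27
-Debug_role_merges_db 48
-Debug_role_merges_table 62
-Debug_role_merges_column 28
-Debug_role_merges_routine 26
+Debug_role_merges_global 29
+Debug_role_merges_db 51
+Debug_role_merges_table 67
+Debug_role_merges_column 30
+Debug_role_merges_routine 28
 connection default;
 drop user foo@localhost;
 drop role role1;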
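Review bot: None of the lines in this result file check the privilege outcome that MDEV-29458 is about; they only record the Debug_role_merges_* counters rising (global 19→20 at the `grant select on *.* to role1` status check, table 24→26 and column 8→9 at the `grant select(User)` check, routine 13→15 at `grant execute on function test.fn1 to role5`), i.e. that each GRANT/REVOKE on a role now performs extra merge passes. Per the description the fix covers two distinct failures, losing privileges inherited from other roles and leaving stale role links (and hence leftover ACL entries) after DROP ROLE, and the second is the fail-open case, so the regression test should pin effective privileges rather than merge counts: after `grant r2 to r1; grant select on *.* to r2; grant insert on *.* to r1;` a `SHOW GRANTS FOR r1;` should list both SELECT and INSERT, and after `DROP ROLE r2;` a statement run as a grantee of r1 should be denied the dropped privilege. Those assertions are presumably in one of the other three files of this commit, which are not in view; if not, they belong in a dedicated test, since the counters here are debug-build instrumentation that will shift with any refactor of the merge code. It would also help future readers to explain the bump in the .test file, e.g. an `--echo # merge counts include the role's self-merge now done before propagation (MDEV-29458)` line ahead of the first `show status like 'debug%'`.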
