sql_acl.cc: better recognize the context to tell the role from a user

REQUIRE and MAX_QUERIES_PER_HOUR can not possibly apply to a role
MariaDB · Dec 4, 2014 · 91ad0cd · 91ad0cd
1 parent bc603c6
commit 91ad0cd
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 25 deletions.
diff --git a/mysql-test/suite/roles/password.result b/mysql-test/suite/roles/password.result
@@ -10,25 +10,25 @@ ERROR HY000: Plugin 'plugin' is not loaded
 grant select on mysql.user to r1 identified via plugin using 'param';
 ERROR HY000: Plugin 'plugin' is not loaded
 grant select on *.* to r1 require subject 'foobar';
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on mysql.user to r1 require issuer 'foobar';
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on *.* to r1 require cipher 'foobar';
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on mysql.user to r1 require ssl;
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on *.* to r1 require x509;
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on mysql.user to r1 require none;
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on *.* to r1 with max_queries_per_hour 10;
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on mysql.user to r1 with max_updates_per_hour 10;
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on *.* to r1 with max_connections_per_hour 10;
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 grant select on mysql.user to r1 with max_user_connections 10;
-ERROR 28000: Can't find any matching row in the user table
+drop user r1;
 set password for r1 = '00000000000000000000000000000000000000000';
 ERROR 28000: Can't find any matching row in the user table
 drop role r1;
diff --git a/mysql-test/suite/roles/password.test b/mysql-test/suite/roles/password.test
@@ -24,26 +24,28 @@ grant select on *.* to r1 identified via plugin;
 --error ER_PLUGIN_IS_NOT_LOADED
 grant select on mysql.user to r1 identified via plugin using 'param';
 
---error ER_PASSWORD_NO_MATCH
+# same for REQUIRE and mqh
 grant select on *.* to r1 require subject 'foobar';
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on mysql.user to r1 require issuer 'foobar';
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on *.* to r1 require cipher 'foobar';
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on mysql.user to r1 require ssl;
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on *.* to r1 require x509;
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on mysql.user to r1 require none;
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on *.* to r1 with max_queries_per_hour 10;
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on mysql.user to r1 with max_updates_per_hour 10;
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on *.* to r1 with max_connections_per_hour 10;
---error ER_PASSWORD_NO_MATCH
+drop user r1;
 grant select on mysql.user to r1 with max_user_connections 10;
+drop user r1;
+
 --error ER_PASSWORD_NO_MATCH
 set password for r1 = '00000000000000000000000000000000000000000';
 

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -10806,6 +10806,12 @@ LEX_USER *get_current_user(THD *thd, LEX_USER *user, bool lock)
       return 0;
 
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
+    if (has_auth(user, thd->lex))
+    {
+      dup->host= host_not_specified;
+      return dup;
+    }
+
     if (is_invalid_role_name(user->user.str))
       return 0;
 

diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy
@@ -14000,7 +14000,7 @@ user_maybe_role:
               MYSQL_YYABORT;
             $$->user = $1;
             $$->host= null_lex_str; // User or Role, see get_current_user()
-            $$->password= null_lex_str; 
+            $$->password= null_lex_str;
             $$->plugin= empty_lex_str;
             $$->auth= empty_lex_str;
 
@@ -14014,7 +14014,7 @@ user_maybe_role:
             if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user))))
               MYSQL_YYABORT;
             $$->user = $1; $$->host=$3;
-            $$->password= null_lex_str; 
+            $$->password= null_lex_str;
             $$->plugin= empty_lex_str;
             $$->auth= empty_lex_str;
 
@@ -14046,6 +14046,7 @@ user_maybe_role:
             if (!($$=(LEX_USER*)thd->calloc(sizeof(LEX_USER))))
               MYSQL_YYABORT;
             $$->user= current_user;
+            $$->password= null_lex_str;
             $$->plugin= empty_lex_str;
             $$->auth= empty_lex_str;
           }
@@ -15285,6 +15286,7 @@ current_role:
             if (!($$=(LEX_USER*) thd->calloc(sizeof(LEX_USER))))
               MYSQL_YYABORT;
             $$->user= current_role;
+            $$->password= null_lex_str;
             $$->plugin= empty_lex_str;
             $$->auth= empty_lex_str;
           }
@@ -15302,7 +15304,7 @@ grant_role:
               MYSQL_YYABORT;
             $$->user = $1;
             $$->host= empty_lex_str;
-            $$->password= null_lex_str; 
+            $$->password= null_lex_str;
             $$->plugin= empty_lex_str;
             $$->auth= empty_lex_str;
 
@@ -15565,7 +15567,7 @@ grant_user:
             $1->auth= $6;
           }
         | user_or_role
-          { $$= $1; $1->password= null_lex_str; }
+          { $$= $1; }
         ;
 
 opt_column_list:
@@ -16016,7 +16018,10 @@ no_definer:
 definer:
           DEFINER_SYM EQ user_or_role
           {
-            thd->lex->definer= $3;
+            Lex->definer= $3;
+            Lex->ssl_type= SSL_TYPE_NOT_SPECIFIED;
+            Lex->ssl_cipher= Lex->x509_subject= Lex->x509_issuer= 0;
+            bzero(&(Lex->mqh), sizeof(Lex->mqh));
           }
         ;