MDEV-10744: Roles are not fully case sensitive
Because of the collation used for roles_mapping_hash, key comparisons were case-insensitive. This is incorrect from the roles mapping perspective. Use a case-sensitive collation for that hash, the same one used for the acl_roles hash.
Showing
3 changed files
with
113 additions
and
1 deletion.
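--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE.result
@@ -0,0 +1,58 @@
+#
+# MDEV-10744 Roles are not fully case-sensitive
+#
+#
+# Test creating two case-different roles.
+#
+create user test_user@'%';
+create role test_ROLE;
+create role test_role;
+#
+# Test if mysql.user has the roles created.
+#
+select user, host from mysql.user where is_role='y' and user like 'test%';
+user host
+test_ROLE
+test_role
+create database secret_db;
+create table secret_db.t1 (secret varchar(100));
+insert into secret_db.t1 values ("Some Secret P4ssw0rd");
+grant select on secret_db.* to test_role;
+grant test_role to test_user;
+show grants for test_user;
+Grants for test_user@%
+GRANT test_role TO 'test_user'@'%'
+GRANT USAGE ON *.* TO 'test_user'@'%'
+#
+# Now test the UPPER case role.
+#
+grant test_ROLE to test_user;
+grant insert on secret_db.t1 to test_ROLE;
+show grants for test_user;
+Grants for test_user@%
+GRANT test_role TO 'test_user'@'%'
+GRANT test_ROLE TO 'test_user'@'%'
+GRANT USAGE ON *.* TO 'test_user'@'%'
+#
+# Test users privileges when interacting with those roles;
+#
+show tables from secret_db;
+ERROR 42000: Access denied for user 'test_user'@'%' to database 'secret_db'
+set role test_ROLE;
+show tables from secret_db;
+Tables_in_secret_db
+t1
+select * from secret_db.t1;
+ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 't1'
+insert into secret_db.t1 values ("|-|4><");
+set role test_role;
+select * from secret_db.t1 order by secret;
+secret
+Some Secret P4ssw0rd
+|-|4><
+insert into secret_db.t1 values ("|_33T|-|4><");
+ERROR 42000: INSERT command denied to user 'test_user'@'localhost' for table 't1'
+drop role test_ROLE;
+drop role test_role;
+drop user test_user;
+drop database secret_db;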
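--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE.test
@@ -0,0 +1,54 @@
+--source include/not_embedded.inc
+--echo #
+--echo # MDEV-10744 Roles are not fully case-sensitive
+--echo #
+
+--echo #
+--echo # Test creating two case-different roles.
+--echo #
+create user test_user@'%';
+create role test_ROLE;
+create role test_role;
+--echo #
+--echo # Test if mysql.user has the roles created.
+--echo #
+--sorted_result
+select user, host from mysql.user where is_role='y' and user like 'test%';
+
+create database secret_db;
+create table secret_db.t1 (secret varchar(100));
+insert into secret_db.t1 values ("Some Secret P4ssw0rd");
+
+grant select on secret_db.* to test_role;
+grant test_role to test_user;
+show grants for test_user;
+--echo #
+--echo # Now test the UPPER case role.
+--echo #
+grant test_ROLE to test_user;
+grant insert on secret_db.t1 to test_ROLE;
+show grants for test_user;
+connect (test_user,localhost,test_user);
+
+--echo #
+--echo # Test users privileges when interacting with those roles;
+--echo #
+--error ER_DBACCESS_DENIED_ERROR
+show tables from secret_db;
+set role test_ROLE;
+show tables from secret_db;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from secret_db.t1;
+insert into secret_db.t1 values ("|-|4><");
+set role test_role;
+select * from secret_db.t1 order by secret;
+--error ER_TABLEACCESS_DENIED_ERROR
+insert into secret_db.t1 values ("|_33T|-|4><");
+
+connection default;
+
+
+drop role test_ROLE;
+drop role test_role;
+drop user test_user;
+drop database secret_db;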
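Review bot: The session opened by `connect (test_user,localhost,test_user);` is never closed; after `connection default;` the test should `disconnect test_user;` so the extra connection does not linger into cleanup, where mtr's post-test checks may otherwise report it. The role switches would also be more self-documenting if each `set role` were followed by `select current_role();`, which pins in the result file which of the two case-different roles is active instead of leaving that to be inferred from which privilege is denied. The cleanup only drops the two roles back to back; adding `show grants for test_user;` between `drop role test_ROLE;` and `drop role test_role;` would confirm that dropping the upper-case role leaves the lower-case role's mapping intact, since that removal presumably goes through the same roles_mapping_hash key comparison this commit fixes.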