more privilege changes #3810
This needs a few changes as per our earlier conversation offline (with some additional comments):
Of course this would all also need to be in docs too.
Have to at least figure out why the tests are failing on CI. Current server behavior for --user restricts people from using root as their account name for the simplest use cases, which I'm confident someone will run into.
} | ||
} else { | ||
// no privileges, must add superuser; will already be defaulted to root | ||
sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.AddSuperUser(config.ServerUser, "%", config.ServerPass) |
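Review bot: The AddSuperUser call in the else branch hard-codes "%" as the host, so on a server that has no privileges yet the defaulted root account is created for every client host with whatever config.ServerPass holds. Suggest passing a host derived from config.ServerHost instead, and restricting the account to localhost when the password is still the default.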
Shouldn't we be using config.ServerHost? Otherwise it looks like it's getting completely ignored. I'm assuming the default value is localhost, so it should be % (if it's not possible to have an empty default).
We should, but the Sysbench and Compatibility tests fail with permission denied.
Default is localhost.
We can modify both the sysbench and compatibility tests if necessary. They should be able to work with empty defaults though, as the resulting logic should end up equivalent unless they’re specifying a root user.
Functionally equivalent in this particular case I mean.
// privileges specified, only add if superuser specified is not an existing user | ||
userSpecified := config.ServerUser != defaultUser || config.ServerHost != defaultHost || config.ServerPass != defaultPass | ||
superuser := sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.GetUser(config.ServerUser, "%", false) | ||
if userSpecified && superuser == nil { | ||
sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.AddSuperUser(config.ServerUser, "%", config.ServerPass) | ||
} |
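Review bot: GetUser on the superuser := line looks the account up at host "%", while userSpecified also depends on config.ServerHost, so an account that exists under another host (for example root@localhost) is reported as missing and a second superuser is created at "%". Suggest using the same host value for the lookup and for AddSuperUser, and deciding explicitly what happens when the user exists but config.ServerPass differs from the stored password; as written the argument is silently ignored.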
Assuming that people want to make a root account for adding privileges (so they'd spin up a server just to make the changes and potentially not worry about setting a password or changing the host), then they cannot use root. They're required to use the non-default password to recognize that we should be using the root account, even though it's specified as an argument.
@@ -45,6 +45,7 @@ delete_test_repo() { | |||
} | |||
|
|||
setup() { | |||
skiponwindows "no clue why this fails on CI" |
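Review bot: skiponwindows is called inside setup(), so it disables every test in this file on Windows rather than only the one that fails, and the reason string records no diagnosis. Suggest moving the skip to the failing test(s) and referencing a tracking issue in the message.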
Needs to be fixed, or we should at least have a clue as to why it's failing CI before a customer sees the same issues (especially since CI uses the same workflow that we recommend to customers)
A few simple changes and we're set!
// Add superuser | ||
//if sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.UserTable().Data().Count() != 0 { | ||
// // privileges specified, only add if superuser specified is not an existing user | ||
// userSpecified := config.ServerUser != defaultUser || config.ServerHost != defaultHost || config.ServerPass != defaultPass | ||
// superuser := sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.GetUser(config.ServerUser, serverHost, false) | ||
// if userSpecified && superuser == nil { | ||
// sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.AddSuperUser(config.ServerUser, serverHost, config.ServerPass) | ||
// } | ||
//} else { | ||
// // no privileges, must add superuser; will already be defaulted to root | ||
// sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.AddSuperUser(config.ServerUser, serverHost, config.ServerPass) | ||
//} |
Delete this comment
// should user "%" if host is empty string, same for 0.0.0.0 | ||
serverHost := config.ServerHost | ||
if serverHost == "" || serverHost == "0.0.0.0" { | ||
serverHost = "%" |
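Review bot: The serverHost check treats only "" and "0.0.0.0" as any-host, so the IPv6 wildcard "::" would be stored as a literal account host rather than mapped to "%". Suggest handling "::" as well, fixing the comment typo ("should user" for "should use"), and stating in the comment that config.ServerHost is being reused as the account's host pattern.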
Add a TODO to move this into GMS
//if len(config.User()) == 0 { | ||
// return fmt.Errorf("user cannot be empty") | ||
//} |
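Review bot: Commenting out the len(config.User()) == 0 check removes the rejection of an empty user name without showing where that case is handled now. Suggest deleting the three lines outright and, if an empty user is now valid, adding a test for which account it resolves to.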
Delete the comment
integration-tests/bats/migrate.bats
Outdated
@@ -2,6 +2,7 @@ | |||
load $BATS_TEST_DIRNAME/helper/common.bash | |||
|
|||
setup() { | |||
skip "temporary skip" |
Remove this skip so that we'll properly see it fail, but since it's not from your changes we should still commit this
@@ -231,7 +231,7 @@ SQL | |||
[[ "$output" =~ "one_pk" ]] || false | |||
|
|||
# Add rows on the command line | |||
run dolt sql -q "insert into one_pk values (1,1,1)" | |||
run dolt sql --user=dolt -q "insert into one_pk values (1,1,1)" |
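Review bot: The insert on the run dolt sql line is now exercised only with --user=dolt, so the invocation with no --user flag loses its coverage here. Suggest keeping a case without the flag so the default-user path stays tested alongside the explicit one.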
We need a test that shows the user assumption if the privilege file already exists. We can do this by setting a password in the privilege file and providing a different password as an argument, then attempting to log in.
Changes:
--user to dolt sql and dolt sql -q
--user or --password option is given
root@localhost instead of root@%
doltcfgdir if we need to persist something
Companion PR: dolthub/go-mysql-server#1127
Fix for: #3794
Also a fix for: #3881