
privileges: add SkipWithGrant check for RBAC methods (#10681)

imtbkcat authored and zz-jason committed Jun 5, 2019
1 parent f7a8f4e commit e9ab859d1d54d72540b3389b7492e5a2edcb74f2
Showing with 20 additions and 1 deletion.
  1. +16 −0 privilege/privileges/privileges.go
  2. +4 −1 session/session_test.go
@@ -185,6 +185,9 @@ func (p *UserPrivileges) UserPrivilegesTable() [][]types.Datum {

// ShowGrants implements privilege.Manager ShowGrants interface.
func (p *UserPrivileges) ShowGrants(ctx sessionctx.Context, user *auth.UserIdentity, roles []*auth.RoleIdentity) (grants []string, err error) {
if SkipWithGrant {
return nil, errNonexistingGrant.GenWithStackByArgs("root", "%")
}
mysqlPrivilege := p.Handle.Get()
u := user.Username
h := user.Hostname
@@ -202,6 +205,9 @@ func (p *UserPrivileges) ShowGrants(ctx sessionctx.Context, user *auth.UserIdent

// ActiveRoles implements privilege.Manager ActiveRoles interface.
func (p *UserPrivileges) ActiveRoles(ctx sessionctx.Context, roleList []*auth.RoleIdentity) (bool, string) {
if SkipWithGrant {
return true, ""
}
mysqlPrivilege := p.Handle.Get()
u := p.user
h := p.host
@@ -218,6 +224,9 @@ func (p *UserPrivileges) ActiveRoles(ctx sessionctx.Context, roleList []*auth.Ro

// FindEdge implements privilege.Manager FindRelationship interface.
func (p *UserPrivileges) FindEdge(ctx sessionctx.Context, role *auth.RoleIdentity, user *auth.UserIdentity) bool {
if SkipWithGrant {
return false
}
mysqlPrivilege := p.Handle.Get()
ok := mysqlPrivilege.FindRole(user.Username, user.Hostname, role)
if !ok {
@@ -229,13 +238,20 @@ func (p *UserPrivileges) FindEdge(ctx sessionctx.Context, role *auth.RoleIdentit

// GetDefaultRoles returns all default roles for certain user.
func (p *UserPrivileges) GetDefaultRoles(user, host string) []*auth.RoleIdentity {
if SkipWithGrant {
return make([]*auth.RoleIdentity, 0, 10)
}
mysqlPrivilege := p.Handle.Get()
ret := mysqlPrivilege.getDefaultRoles(user, host)
return ret
}

// GetAllRoles return all roles of user.
func (p *UserPrivileges) GetAllRoles(user, host string) []*auth.RoleIdentity {
if SkipWithGrant {
return make([]*auth.RoleIdentity, 0, 10)
}

mysqlPrivilege := p.Handle.Get()
return mysqlPrivilege.getAllRoles(user, host)
}
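Review bot: In ShowGrants the skip-grant branch builds `errNonexistingGrant` from the hard-coded pair `"root", "%"`, so the error appears to name root@% whichever identity was asked for. `return nil, errNonexistingGrant.GenWithStackByArgs(user.Username, user.Hostname)` would match the `u`/`h` values read two lines below, though whether `user` can be nil at this point is not visible in the hunk. The five guards also answer differently while authorization is bypassed: ActiveRoles returns `true, ""`, FindEdge returns `false`, and the two role getters return an empty slice with capacity 10 where `nil` would do. Each guard should carry a short comment such as `// SkipWithGrant: grant tables are not loaded, so no role edge can be confirmed`, to record which answers are deliberately permissive and which fail closed. The bodies of ShowGrants, ActiveRoles and FindEdge continue outside their hunks.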
@@ -702,7 +702,10 @@ func (s *testSessionSuite) TestSkipWithGrant(c *C) {
c.Assert(tk.Se.Auth(&auth.UserIdentity{Username: "xxx", Hostname: `%`}, []byte("yyy"), []byte("zzz")), IsTrue)
c.Assert(tk.Se.Auth(&auth.UserIdentity{Username: "root", Hostname: `%`}, []byte(""), []byte("")), IsTrue)
tk.MustExec("create table t (id int)")

tk.MustExec("create role r_1")
tk.MustExec("grant r_1 to root")
tk.MustExec("set role all")
tk.MustExec("show grants for root")
privileges.SkipWithGrant = save2
}
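Review bot: The role statements added to TestSkipWithGrant only check that execution returns no error, so the values the new guards return are never asserted. In particular, `tk.MustExec("show grants for root")` passes even though the ShowGrants guard in privileges.go returns `errNonexistingGrant`, which suggests the result is either not drained or not reached. Reading the result, or asserting the expected error explicitly, would pin the intended behaviour. These statements also run while the package-level `privileges.SkipWithGrant` is still overridden, and a failing `MustExec` would skip the restore on the last line and leave the bypass enabled for later tests. A `defer func() { privileges.SkipWithGrant = save2 }()` placed where the flag is set would prevent that, but that setup lies above the hunk and is not visible here.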
